One evening in January, a Kanpur-based college student in his early 20s got a phone call from an unknown number. The engineering undergraduate, who did not wish to be identified, had been spending a lot of time on dark web forums. He’d even been searching for “hacking tutorials” on Google. His digital footprint had left behind a trail.
The caller surprisingly knew all about it. The offer was simple: Since you are interested in hacking, do you want to earn some money by hacking companies? It was a recruitment call. And the phone number, while difficult to trace, seemed to be from Florida.
Around the same time, the Kanpur-based hacker’s friend got a call too—because he had an adequate amount of “cred” on the dark web, he said. It was a more specific request: Steal the partner list of home services startup Urban Company (formerly UrbanClap). These lists contain the names and details of service personnel like barbers, repairmen, etc., who are employed by the company to perform jobs via its platforms. The “client” was willing to pay ₹40,000 in bitcoin for the data.
The second hacker refused to take up the offer, but said people like him often get such requests and they don’t even necessarily come via the dark web. Requests sometimes come via WhatsApp, through friends in the security community, or even through encrypted email services like ProtonMail.
It is a peek into the underbelly of an industry which is often described using a broad umbrella term: hack for hire. The targets are varied: corporate employees, politicians, and even ex-lovers sometimes. And what’s on offer is often “low-level” hacking—email passwords, access to social media accounts. With very few avenues to make money as an ethical hacker in India, talented young engineers or upstarts who wish to experiment have been exploring the dark side for a while now. And their numbers are increasing.
A May 2020 Google Threat Analysis Group (TAG) report highlighted an interesting emerging trend: that these “hack for hire” operations are now increasingly being mounted under the aegis of formally registered firms. “Many are based in India,” the report said.
What really blew the lid on this new phenomenon, however, was an exposé by the Canadian internet security watchdog, Citizen Lab, which outed an obscure Delhi-based company called Belltrox Infotech Services Pvt. Ltd last month. First reported by Reuters, Citizen Lab’s investigation reveals a sustained years-long hack for hire operation which targeted senior elected officials, businesses and even journalists, many of them based in jurisdictions outside India.
Security researchers had been trying to pin down the group of hackers operating under the shadow of Belltrox for years. The earliest identified victim goes back to 2017. Before the Delhi-based firm was identified, security researchers even had code words to describe what seemed to be eerily similar hacking attempts: Dark Basin hackers, mercenary armada.
Belltrox may just be the tip of the iceberg though. How does the hack-for-hire industry work exactly? And why has it taken root in India?
Hacking as a service
Hacking-as-a-service (HaaS) has existed on the dark web for years, according to security experts, and, more importantly, they have existed in India for just as long.
In 2010, a Delhi-based hacker Mint spoke to and who did not want to be identified was witnessing the growth of this industry in India. “Hackers for hire have existed since before I entered this industry,” he said. While he explored the dark web, understood how hackers worked and even hacked to learn, he didn’t actually get involved in the activities Belltrox was caught doing. “I could have, I just chose not to,” he said.
“These Dark Basin guys seem to have latched on to one method that’s working for them,” he said. According to him, to build a business like this, a person would first set about creating a list of prospective clients. Companies like Belltrox often send out a series of emails to a pre-created mailing list and hope to get a response. If your list consists of thousands of such emails, chances are that you will get a response, he said.
But that’s the most rudimentary way. Belltrox’s scam happened in the internet’s version of broad daylight. According to a researcher at cyber safety firm NortonLifeLock, which conducted the investigation into Dark Basin, Belltrox set out creating LinkedIn profiles. These profiles were then endorsed by others for certain relevant skills on LinkedIn.
Those endorsements came either from fake profiles or private investigators who were Belltrox’ clients—for skills like surveillance, private investigation, fraud investigation, background checks, etc. “It’s a wide range of things that out of context would seem innocuous, but if you know what’s going on, it’s quite interesting,” the Norton researcher said. “This business is conducted semi-openly,” he added.
Unlike regular LinkedIn profiles, these were created using company names, and researchers found an interesting phrase in many of these advertisements—lawful interception. This got them thinking.
“My understanding of lawful interception is that it can’t be a service to a private citizen,” the researcher said. But based on who was endorsing them, it seemed like they were somehow offering such services to private investigators. A team of Norton researchers dug deeper and found the accounts Belltrox had created had themselves endorsed others for similar services.
According to LinkedIn’s overview page, “When a connection endorses your skills, it contributes to the strength of your profile, and increases the likelihood that you’ll be discovered for opportunities related to the skills you possess.” Belltrox’s page still exists and is one of the top hits if one searches for “lawful interception” on LinkedIn. Mint tried to get in touch with some of the endorsers, but they didn’t respond, unsurprisingly.
In an emailed response, LinkedIn claimed the profile has been “restricted and is pending review”. Meanwhile, Belltrox’s website has disappeared and only two employees show up on a regular LinkedIn search.
According to three hackers (including the Delhi-based hacker mentioned earlier) who spoke to Mint on the condition of anonymity, building a HaaS business requires persistence. The “hustle” starts with “building a rep” on dark web forums; then finding clients; and then persisting till a target is compromised. If one wants foreign clients, building cred is vital. Black hats (those who hack into a computer network with malicious intent) choose to do this on the dark web, or by hiding their tracks in broad daylight.
The primary requirement for the hustle is a sustained presence on forums in the dark or deep web. The deep web refers to websites that aren’t indexed by search engines like Google, while the dark web is the same but can only be accessed through an anonymizing browser like Tor. “We all are on the dark web too, because we need to be in the know of what’s happening there to be a good security researcher,” said Saptarshi Chatterjee, an ethical hacker. India adds a layer of its own to this industry. Jobs come through WhatsApp messages, Telegram, and more. And often, from just regular people or budding startups looking to topple highly-funded competitors. “My request was through someone in IT security. The target was a high-ranking official. The request was to gather information, gain entry into their Facebook and other social media accounts,” said an Indian cyber forensic expert who had also been approached for hack for hire services.
But while individual hackers may at least be able to make their own judgements on what’s legal and where they must draw the line, those working in firms may not even be aware of what they are actually doing. The Norton researcher pointed out that this is likely true for employees of Belltrox too.
“It doesn’t take a hacker to send emails to a list of email addresses,” said the Delhi-based hacker. He said that the same people running tech support scams from India are most probably working in the black hat hacking for hire segment too.
The Indian cyber forensics expert told Mint that the real-estate sector often uses HaaS for their work. “I got information about a hack two years ago, and the modus operandi revealed confidential information of senior political party members, real estate targets, and more,” he said. “Hackers start off with a phishing attack. If the target isn’t compromised, they change course and go for the nearest connection to the target. The aim is to get confidential information and get an edge,” he added.
According to him, many freelancers and part-time hackers from India make money from HaaS businesses. The managing director of a private detective agency told Mint his company receives approximately 150-200 queries per month from people who have had their email accounts, Facebook, etc., hacked. The firm handles a lot of blackmailing cases in the country, and he said there are two kinds of blackmailers—those in which someone is being blackmailed directly and others where someone has obtained information about a person by hacking an email ID.
Drive to dark side
But as dark and shady the HaaS industry may seem, stakeholders say it’s merely an offshoot of the legitimate side of the industry— usually called white hat hacking. Well-known security researchers said that registered cybersecurity firms could—and do—provide such services and it would be extremely difficult to trace it back to them.
Security researchers in India often do not get the same respect in the country as global counterparts, which drives them to the dark side. In 2018, prolific French hacker Robert Baptiste, who goes by the moniker Elliot Alderson on Twitter, reported a security vulnerability in Bharat Sanchar Nigam Ltd’s (BSNL) website. BSNL responded to Alderson and the issue was widely covered by the media, and was eventually fixed. What many didn’t know at the time was that about a year and a half before that, Indian security researcher Sai Krishna Kothapalli had reported the same issue.
For over a month in 2016, Krishna tried to reach BSNL. He sent emails on ids provided on BSNL’s website, then sent messages via Facebook, Twitter and any other way he could, but to no avail.
The lack of respect often drives hackers to take the darker route; money replaces respect. The white hat side of the industry requires the same level of “hustle” as the dark side does. “In 2017, I reported a bug to Twitter and they paid me about ₹3 lakh for it,” said Anand Prakash, founder of AppSecure, a cyber security company. While the pay-out was healthy, Prakash said the information the bug would let a hacker access would have fetched much more if he had sold it on the dark web.
Security researchers like Prakash and Krishna have been toiling in the industry for years and have built a healthy living for themselves. Prakash started in 2013 and has also worked at Flipkart, before starting his own company. Krishna founded Hackrew and focuses on working with governments. India has a huge community of white hat hackers and bug bounty hunters (programmers who get paid for reporting flaws in a software). According to bug bounty and vulnerability coordination platform HackerOne’s annual report, Indian hackers claimed the second-highest share of bug bounties in the world in 2018, behind the US. It’s still second, with the 2020 version of the company’s report saying India took 10% of the total bug bounty payouts in the world. US took the top spot with 19%, while Russia, China and Germany rounded up the top five.
But while the white hat industry is built on bug bounties, certifications, and being a regular at hacker conferences, to be a black hat, all one needs is to be able to prove their skill to prospective clients.
With India’s digital economy showing all signs of healthy growth in the future, it’s clear that many legitimate business opportunities will emerge. The big money payouts, however, will still come from foreign clients paying in dollars—both for the white hats and the black hats.
According to security researcher Karan Saini, hacking an individual’s Facebook or email account in India is a job that could fetch as little as ₹2,000 for someone who is willing to do it. However, there are easy-to-find websites on the dark web that are filled with clients promising $500 (approximately ₹37,000) for the same job. That, in a nutshell, explains the motivations which animate the hack-for-hire hubs which are cropping up in India.