Friday, March 31, 2023
HomeIndiaBhima Koregaon suspect's laptop was hacked to plant evidence, US firm claims....

Bhima Koregaon suspect’s laptop was hacked to plant evidence, US firm claims. NIA rejects it

According to a Washington Post report, digital forensics firm Arsenal Consulting found activist Rona Wilson's laptop was hacked and 10 incriminating letters planted. NIA calls it 'distortion of facts'.

Text Size:

New Delhi: Key evidence against Rona Wilson, an accused in the Bhima Koregaon case that is being investigated by the NIA, was planted on a laptop seized by police, a report by Arsenal Consulting, a Massachusetts-based digital forensics firm, has claimed.

According to the firm’s forensic assessment, first reported by The Washington Post Wednesday, an attacker used malware to infiltrate a laptop belonging to Wilson and deposited at least 10 incriminating letters on it. 

Malware — short for malicious software — refers to any among a bouquet of software used by cyber criminals to damage a system or gain unauthorised access to it. 

The NIA had provided the defence team with forensic images of the digital devices seized from Wilson, which were then sent by the latter to the US firm for examination.

Reached for comment, NIA spokesperson Jaya Roy dismissed the Arsenal report as a “distortion of facts”. 

On the basis of the Arsenal report, which claims Wilson’s computer was compromised for nearly two years between 2016 and 2018, the activist has filed a petition in the Bombay High Court, urging judges to dismiss the case against him.

“A petition has been filed in the Bombay High Court to quash these proceedings. This forensics report has been attached for reference. It is enough to clear the suspicion about Wilson’s involvement,” Wilson’s lawyer Mihir Desai said. 

Desai said the documents are part of the evidence cited by the NIA to build their case against Wilson, as well as others accused in the case.

“We got the main documents that are evidence in the case examined and have found this,” he said, referring to emails, among other things. “We hope the court takes note of it. The matter should be up for hearing in a few days.”

In its report, accessed by ThePrint, the US firm has described the alleged malware attack on Wilson’s computer as one of the “most serious cases involving evidence tampering that Arsenal has ever encountered”. The National Investigation Agency (NIA), however, dismissed the findings. 

“The forensics reports that are cited in the charge sheet filed in the court are from an accredited lab, accepted by the Indian courts. In this case, it was done by the Regional Forensic Science Laboratory, Pune. According to their report no such malware was found. Rest all is distortion of facts,” NIA spokesperson Jaya Roy said.

In a statement issued Wednesday evening, the NIA sought to raise many questions about the Arsenal findings. Referring to letters the report claims were planted on Wilson’s computer, the NIA said “the context and incidents mentioned are very much corroborated in the charge sheet by other oral, documentary & technical evidence”.  

Also Read: 2 years, 3 charge sheets & 16 arrests — Why Bhima Koregaon accused are still in jail

‘Incriminating documents delivered to hidden folders’ 

The Bhima Koregaon case centres on a gathering in Pune, Maharashtra, on New Year’s Eve 2018 that sought to mark 200 years of a battle between the Peshwas and a British army comprising Dalits that was won by the latter. In the light of violence that erupted the next day, people who participated in the event have been accused of making provocative speeches.

The investigation in the matter was first handled by Pune Police before being taken over by the NIA. The investigators have since alleged a larger plot at play to wage a war against the nation. 

Wilson is one of 16 people under arrest in the case. Others include lawyer Sudha Bharadwaj, tribal rights activist and priest Stan Swamy, and activist Varavara Rao.

According to the NIA, incriminating letters have been recovered from electronic devices of the Bhima Koregaon accused. In its charge sheet, the NIA has cited a document allegedly seized from Wilson that mentions the “purpose of formation of anti-fascist front” on the direction of the outlawed CPI Maoist.

Arsenal claims in its report that Wilson’s computer was compromised for over 22 months.

“The attacker responsible for compromising Wilson’s computer had extensive resources (including time) and it is obvious that their primary goals were surveillance and incriminating document delivery,” the report claims.

It also claims that Arsenal connected the same attacker to significant malware infrastructure that has allegedly been deployed over the course of approximately four years to not only attack Wilson’s computer but also those of his co-defendants in the Bhima Koregaon case and defendants in other “high-profile Indian cases”. 

The Arsenal report alleges that incriminating documents found in Wilson’s computer were delivered to a hidden folder through malware.

“The incriminating documents were delivered to a hidden folder on Mr Wilson’s computer by NetWire (a malware) and not by other means,” the report claims.

Wilson’s computer, the report claims, was compromised on 13 June 2016, after a series of “suspicious emails” by someone purportedly using Varavara Rao’s email account.

“During the course of email conversation, the person using Varavara Rao’s email account made multiple attempts to get Mr Wilson to open a particular document. By 6:18 pm, Mr Wislon replied that he had successfully opened the document. Opening the document (a decoy within an RAR archive file named ‘another victory.rar’ was part of a chain of events which led to the installation of the NetWire remote access trojan (‘RAT’) on Mr Wilson’s computer,” the report claims. 

RAR is a data compression application, while RAT is a form of malware used to gain access to someone’s computer, usually installed by getting the target user to click on a link or download something, like an email attachment.

The report claims there is “no evidence which would suggest that the top ten most important documents used in the prosecution against Mr Wilson were ever interacted with in any legitimate way on Mr Wilson’s computer”. 

“More particularly, there is no evidence which would suggest any of the top ten documents, or hidden folders they were contained in, were ever opened,” the report further claims.

“Object identifiers are normally assigned to documents when they are either created or first opened. In this case, none of the top ten documents have object identifiers.”

NIA rejects report

In a statement issued Wednesday evening, the NIA said the Pune Police conducted a search at Wilson’s Delhi house on 17 April 2018 and seized “incriminating material including hard disk, CDs, laptop, mobile phones, memory cards”. The digital devices, it added, were sent to the “Regional FSL Pune for further examination”. 

Following the analysis, the Regional FSL Pune “provided a forensic report including image, clone copy of the electronic devices and also a report that did not indicate any instance of tampering with the digital devices”, it said.

After the charge sheets were filed, the NIA “provided the defence with the forensic images of digital devices along with final reports, which were then sent by them to the US firm for examination”.

The NIA also seemed to question the Arsenal finding that Wilson’s computer had been compromised since 13 June 2016, or a year and a half before the incident at Bhima Koregaon.  

“It is pointed out here that, as per the Arsenal Consulting report, the device of Rona Wilson was compromised for the period of 22 months, prior to his arrest while the very case was registered on 8 January 2018, which is six months prior to his arrest, arising out of an incident on 1 January 2018 which is hard to comprehend,” the NIA said.  

Also Read: Historians’ silence on Bhima Koregaon allowed BJP to brand it as ‘urban Naxalism’



Subscribe to our channels on YouTube & Telegram

Support Our Journalism

India needs fair, non-hyphenated and questioning journalism, packed with on-ground reporting. ThePrint – with exceptional reporters, columnists and editors – is doing just that.

Sustaining this needs support from wonderful readers like you.

Whether you live in India or overseas, you can take a paid subscription by clicking here.

Support Our Journalism


  1. what is the point of rejecting something and keeping many many people in jail. Have it verified from an acceptable source neither side can influence and proceed. Unfortunately the NIA does not have a great reputation for being impartial

  2. Its clear for everyone except journalists that the church encourages Maoist insurgency to establish base amongst tribal area to prevent government programmes from reaching tribals and then brainwashing them to convert.

    This angle is never spoken by journalists as visas to western countries as well as USA are controlled by the church also church ensure jobs and SCHOLARSHIP to prestigious European and US institution as well. Journalists who are pliable and make anti HINDU statements are given benefits even jobs to their family members.

    This elaborate reward schemes for journalist ensure church activities in tribal areas are never mentioned or investigated.

  3. Yeah right. An “american” company did some analysis and the “washington post” reported it and we are supposed to “believe” it. We are not that gullible.

  4. Knew it from the day one. These crooks can to any length to defame, to abuse, to malign their political opponents to justify their own high handedness to silence the voices of reason and sanity.

  5. It is not impossible though.
    But it goes “Extraordinary claims need extraordinary evidences.”

Comments are closed.

Most Popular