New Delhi: For months, anonymous bomb threat emails triggered evacuations, searches and panic at schools, courts, metro stations and government offices across several states. Investigators chasing the digital trail say it eventually led them to an unlikely suspect in West Bengal—a Bangladeshi national who allegedly entered India through the ‘donkey route’, built a business trading dormant email accounts and digital credentials, and became a key link in a cross-border network now under scrutiny by multiple police agencies.
Sourav Biswas’ name figures prominently in a recently filed chargesheet in connection with hoax bomb threats reported in Punjab, Delhi, Rajasthan, Haryana, Gujarat and Maharashtra.
According to investigators, Bangladeshi national Biswas sold more than 300 Gmail IDs to a Bangladesh-based individual, Mamunur Rashid, through over 250 USDT (Tether, a digital currency) transactions. Rashid’s name has surfaced in investigations by multiple police agencies, including the Ahmedabad Crime Branch.
Police allege that the email IDs sold by Biswas alias Michael were subsequently passed on to another unidentified individual and were used to facilitate hoax bomb threats across north India.
Biswas was arrested by the Ahmedabad Crime Branch on 1 March from West Bengal’s North 24 Parganas district as part of its investigation into bomb threat emails sent to schools, courts, metro stations and government offices across Delhi, Punjab, Haryana, Maharashtra, Gujarat and Uttar Pradesh. The Crime Branch has since filed a nearly 500-page chargesheet before the Additional Chief Judicial Magistrate at Gheekanta Metropolitan Court in Ahmedabad. The court is yet to take cognisance of the chargesheet.
Sources in the crime branch told ThePrint that investigators are now focusing on tracing Rashid and identifying the user of a virtual phone number allegedly linked to the threatening emails.
After Gujarat Police arrested Biswas, Haryana Police and Punjab Police also took him into custody in connection with similar cases. A senior Punjab Police officer said assistance has been sought from Interpol to trace alleged accomplices operating from Bangladesh and Pakistan.
The border crossing
According to the chargesheet, Biswas is a Bangladeshi national who illegally entered India in 2017 through an agent-assisted “donkey route”.
From a middle-class family in Bangladesh, Biswas studied up to Class XII before leaving for India in search of better economic opportunities. After crossing into West Bengal, he settled near the Indo-Bangladesh border and allegedly procured forged Indian identity documents. His family continues to reside in Bangladesh, the chargesheet states.
Bangladeshi national Biswas initially partnered with a friend to run a cyber cafe in North 24 Parganas, where they assisted students with government examination-related services. The business operated for around three-four years before Biswas left to start his own digital marketing venture.
Police said Biswas later launched a website that sold digital services and online accounts. Investigators believe this business eventually evolved into a marketplace dealing in compromised digital credentials.
He married a fellow Bangladeshi national in January 2026, barely two months before his arrest.
A business built on digital identities
According to investigators, Bangladeshi national Biswas operated through an online platform called expetseller.com, referred to by users as F5GitServices.
A senior police officer, citing the chargesheet, said the platform sold a range of digital products, including Gmail accounts, Google Voice numbers, Cash App and bank accounts, VPN and proxy services, social media accounts on Facebook, Instagram, WhatsApp and Telegram, virtual phone numbers, and remote desktop access tools.
Prices ranged from $10 to $50 for most services. Individual email accounts were typically sold for $5 to $15, although some were available for as little as $1.
All transactions were conducted through cryptocurrency.
“All payments were made through cryptocurrency, mainly USDT, which made it difficult to trace the financial trail,” the officer said, citing the chargesheet.
Investigators allege that Biswas primarily targeted dormant or abandoned email accounts, including credentials exposed in older database leaks. Many of these accounts originally carried IP histories linked to the United States and other countries.
Another officer said Biswas sourced such credentials through Telegram, Facebook and WhatsApp groups dedicated to trading compromised accounts.
Once access was obtained, investigators allege, Biswas changed passwords, usernames and recovery email addresses, replacing them with credentials controlled by him or his associates.
This allowed him to retain control of the accounts even after selling them.
To conceal his activities, he allegedly used VPNs, proxy servers and virtual phone numbers that made account activity appear to originate from outside India.
“A lot of people and companies buy email IDs. Sometimes they do it for Google reviews, other times to run their business and social media channels. These dead, dormant IDs become useful,” an officer associated with the investigation said.
The demand arrives
Police said the marketplace had been operating for about three-four years and had built a substantial customer base.
According to investigators, it was through one of these online groups that Biswas came into contact with Mamunur Rashid.
“Through the buying and selling of IDs, he met Rashid in one of these groups. Rashid told him he would require email IDs, and the payment would be made by USDT. Biswas knew this would be a great opportunity to earn. So, he provided Rashid with an Excel sheet. No further questions were asked. Biswas told the police that he was aware the IDs were being used to send hoax bomb threats via email,” the police officer said.
Citing the chargesheet, officers said Biswas’s primary motive appeared to be financial gain. He maintained active Telegram, Facebook and WhatsApp groups, where both Indian and foreign buyers traded digital credentials.
Following the crypto trail
Investigators say the breakthrough came when Ahmedabad Police decided to test the marketplace themselves.
Posing as buyers on Telegram and Biswas’ website, officers purchased 10-15 email accounts on 23 February.
“When we analysed those accounts, we found the same recovery email pattern that resulted in some of the bomb threats,” the investigating officer said.
“This helped establish a link between the accounts being sold and the threatening emails under investigation.”
The digital trail eventually led investigators to a Gmail account linked to the Gopalnagar area of North 24 Parganas. With assistance from West Bengal Police, Biswas was arrested on 1 March.
Police searched his residence and seized three CPUs, five hard disks, three mobile phones and an internet router.
“Forensics examined that the device contained nearly 300 Gmail IDs, along with passwords and recovery email data, as well as several Hotmail accounts. Some of these email IDs had been used to send bomb threats to several states,” the officer said.
Investigators say they traced 250 USDT payments received by Biswas in exchange for the email accounts sold to Rashid.
“We traced Rashid through his financial transactions. Further transactions revealed that Rashid sold these IDs to a foreign national. That person used a virtual number, which we are tracing as part of further investigation,” the officer said.
A widening interstate investigation
While Gujarat Police made the first breakthrough, Punjab Police, which took Biswas into custody on 9 May, has expanded the probe internationally with Interpol’s assistance.
According to investigators, Biswas is wanted in cases registered in Gujarat, Rajasthan, Maharashtra, Delhi, Haryana and Punjab.
A Punjab Police officer involved in the investigation said approximately 300 Gmail accounts were procured from unidentified sources and subsequently resold by Biswas.
“Of these, 219 Gmail accounts were sold to this Bangladesh-based individual through WhatsApp, with payments routed through USDT cryptocurrency transactions,” she said.
“Many of these Gmail accounts were later shared with an unidentified individual in Pakistan involved in sending bomb threat emails and carrying out other unlawful cyber activities,” she said.
She said further arrests could help uncover a larger interstate and cross-border cyber network allegedly involved in spreading panic through anonymous digital platforms. According to Punjab Police, Bangladeshi national Biswas is the first arrest in a racket that triggered fear across multiple states.
“The motive behind the threatening Gmails was to create panic, disrupt public peace and pose a threat to national security,” she said.
Ahmedabad Crime Branch investigators have described the operation as a form of “cyber warfare”.
“Assistance has also been sought from Interpol to trace alleged accomplices linked to Biswas and operating from Bangladesh and Pakistan. Biswas has also been named by Gujarat Police in a similar case involving threatening emails,” she added.
Several schools in Amritsar received threatening emails that triggered panic, prompting searches by anti-sabotage squads and local police. Similar threats were reported by schools in Gurugram earlier this year, leading to inspections by bomb disposal squads, dog squads and fire services.
The chargesheet relies heavily on technical evidence found on Biswas’s devices, including chat histories, email threads and Excel sheets documenting account transactions. School principals, teachers and officials from targeted institutions have been listed as witnesses.
Biswas has been charged under Sections 351(3) (threat to cause death or grievous hurt), 351(4) (criminal intimidation through anonymous communication), 353(1)(b) (public mischief) and 61(2) (criminal conspiracy) of the Bharatiya Nyaya Sanhita, along with provisions of the Information Technology Act, including Section 66F(2) relating to cyber terrorism.
(Edited by Viny Mishra)
Also read: Bangladeshi nationals are joining terrorist ranks. Bigger problem is the culture of denial