Chandigarh: Shortly after 9 am Tuesday, half a dozen schools and the Fortis Hospital in Mohali received three sets of emails containing identical threats: the premises would be blown up at 1:11 pm.
The emails claimed that Chief Minister Bhagwant Mann who had been admitted to the Mohali Fortis hospital Monday evening would be “poisoned” with polonium. The messages warned that if he survived, he would meet the same fate as former Punjab CM Beant Singh, who was assassinated by a suicide bomber in 1995. The emails alluded to the slain chief minister as “Beanta”.
CM Mann has largely been in the hospital over the past three days after complaining of exhaustion. He left the hospital for a short while Monday to attend a rally in Moga.
The correspondence, which mentioned the Khalistan Referendum and the sacrifices of Sikh militants, was from an outfit that called itself the ‘Khalistan National Army’.
Responding to the crisis, the Mohali police rushed anti-sabotage teams along with bomb disposal squads, to the hospital and schools.
Meanwhile, the state cyber wing conducted an investigation, which has determined that Tuesday’s emails are a part of a series of bomb hoaxes received by schools, civil secretariats, and court complexes across Punjab, Chandigarh, Gujarat, Maharashtra, and Haryana since 12 January.
The content and writing style have been found consistent across the emails.
The investigating team have also traced the threat emails to Dhaka, Bangladesh, and the matter has now been referred to Bharatpol, which is expected to coordinate with the Bangladesh Police to apprehend the accused.
“Meticulous and technical investigation by our team has identified the device as the IP address being used from Dhaka in Bangladesh. We have put out the information on Bharatpol to take the investigation further internationally,” said V. Neeraja, the Special Directorate General of Police of Cyber Security, Punjab, speaking to ThePrint.
Sources in the state cyber wing indicated that the batch of emails received since mid-January differed from the multiple threats received over the past year across nearly a dozen states. While the earlier emails cited Tamil Nadu and the LTTE, the latter made references to Khalistan.
“We have reasons to believe that the two sets of mails are different, and their senders might not be connected, but the modus operandi and technology being used in both these cases are almost similar,” added Neeraja.
Unlike the Tamil Nadu-linked emails, sent using Microsoft’s Outlook and Hotmail, the Khalistani threats were sent via Gmail.
“Since multiple states were receiving similar threats she was in touch with I4C (Indian Cyber Crime Coordination Centre under ministry of Home affairs) and CERT-in (Indian Computer Emergency Response Team under the Ministry of Electronics and Information Technology) for the investigation,” added Neeraja.
Sources in the cyber investigation team told ThePrint that the senders used the dark web through Tor—a masked search engine—to conceal their identity. In addition to the search engine, they employed virtual private networks (VPNs) and cloud network services, rendering their IP addresses untraceable. An Internet Protocol (IP) address is a unique numerical label assigned to each device connected to a computer network.
With Google’s assistance, the IP addresses linked to the threat emails were traced to commercial VPN companies—not open-market internet service providers. These VPN firms are based in the United States, the Netherlands, Austria, Norway, Romania, the Czech Republic, and Switzerland. Sources in the cyber wing explained that these companies trade in VPN nodes, allotting thousands to create an ecosystem of secrecy.
According to the investigating team, the first email—sent on January 12 to the court complex and deputy commissioner’s office in Hoshiarpur at 11:09 am—was routed through a VPN node provided by a Netherlands-based company. IP addresses from threat emails sent to the Fatehgarh Sahib court complex on 14 January were traced to VPNs in Norway.
On 16 January, emails were received at the deputy commissioner’s offices in Hoshiarpur, Nawanshahr, and Muktsar, as well as the Bombay High Court and local courts in Maharashtra. The VPNs used originated from Austria, Norway, the Czech Republic, and Romania.
On 19 January, a Hoshiarpur-based school received an email that multiple schools in Haryana also received via a United States-based VPN. On 23 January, schools in Pathankot received a threat email, and multiple schools in Assam, Delhi NCR, and Gujarat received the emails. But the IP logs in these instances could not made available.
On 29 January, threat emails were sent to multiple Punjab government email IDs in the Chandigarh-based Punjab Civil Secretariat via VPNs originating in the Netherlands, Bangladesh, and the US.
On 11 February, nine private schools in Mohali received emails via a private VPN trader.
The emails received Tuesday were routed through a VPN in Switzerland.
ThePrint has learnt that the content of the emails is not exactly alike but similar. Most of the emails have a Khalistan element in them, with references to slain militants.
According to the information shared by Google, based on the investigating team’s request, the email IDs from which the emails were sent are IDs registered years ago, some dating as far back as November 2013, but which are still in use.
Older accounts are being used because when a new account is opened now, Google asks for a large amount of additional information for identification purposes, explained the investigation team.
The investigating team told ThePrint that despite the sender having used the dark net and VPNs to hide his identity, their team has worked on two to three other methods to detect and identify him. The team identified a common element in all the emails, before identifying the sender’s IP address, and that the device is in Dhaka.
This is an updated version of the report.
(Edited by Madhurita Goswami)
Also Read: Punjab’s war on drugs forgot women addicts. Only 1 govt clinic, endless stigma