A ‘clumsy’ Indian spy left a trail of digital breadcrumbs, US DEA claims it led them to Pannun plot

This is part 2 of the series. Read part 1 here.

New Delhi: The US Drug Enforcement Agency (DEA) claims it has been able to establish alleged ties between a plot to assassinate Sikh separatist Gurpatwant Singh Pannun and former Research and Analysis Wing (R&AW) junior officer Vikash Yadav because errors in tradecraft left a trail of digital pebbles leading to hundreds of pages of documents carelessly stored unencrypted in a private Gmail account, papers released by prosecutors show.

Also among the documents is a personal résumé, which claims—evidently without irony—that Yadav’s professional skills included “discipline”, “clear thinking”, and being “well aware of cyber security”.

The material found in the two accounts, US prosecutors say, “will establish that the true identity of the ‘Amanat’ who [it alleges] worked with [Nikhil] Gupta was Yadav, and that Yadav was an employee of the Government of India”.

According to the DEA’s filings, Yadav contacted alleged drug and arms dealer and money launderer Nikhil Gupta to carry out Pannun’s ‘murder-for-hire’. “Nikhil ji,” began one WhatsApp message discovered by investigators, “This is Vikash. Save my name as Aman.”

A prosecution document records, “Gupta duly saved Yadav as ‘Amanat’, with a phone number ending in 9645”.

Gupta has been incarcerated since his arrest in the Czech Republic in June 2023 and subsequent extradition to the United States in June last year, and his trial is scheduled to begin later this month, according to court filings. Yadav has been dismissed from service, and is being prosecuted on kidnapping and extortion charges in a case unrelated to the Pannun matter. Currently on bail, he is scheduled to appear before a Delhi court later this month.

Advocate R.K. Handoo, who represents Yadav in the Delhi Police case, refused to comment on the specific disclosures made by the US prosecutors, offering only “god bless” in response. ThePrint also attempted to reach Gupta directly, using a prepaid service for prison inmates. He did not respond.

Also Read: US charges ‘CC-1’ Vikash Yadav for orchestrating Pannun murder plot. A timeline

The Gmail ‘gift’ for prosecutors

The DEA’s unexpected discovery of the murder plot’s alleged links to the ex-R&AW agent began with its investigation of a phone number used by Yadav to communicate over WhatsApp with Nikhil Gupta. The phone, with 9645 as its last digits and set up in 2023, had also been used to set up a pseudonymous Gmail account—onlyXXXXXX@gmail.com—supposedly dedicated to the Pannun operation, the DEA has alleged in its filings.

Following a preliminary study of Gupta’s phone by the Federal Bureau of Investigation (FBI) in May 2024 after his arrest in Prague, Google was served with a warrant for information, which it complied with and delivered all data dutifully. The results of that study were delivered to the DEA in October 2024.

According to Google’s findings, the account onlyXXXXXX@gmail.com was linked to a second account—vikas0XXXXX@gmail.com. This account had been active since 2007, and was tied to a phone number ending with the digits 8758. The two accounts accessed the internet from the same internet protocol addresses used by onlyXXXXXX@gmail.com.

The Internet Protocol addresses—103.92.41.180 and 103.92.41.28—used frequently by the two Gmail addresses, belonged to Excitel, a popular fibre-optic internet provider in Delhi NCR. IP addresses are digital identifiers, serving as addresses for devices on a network.

Seemingly, Yadav had, moreover, been less than exacting in his separation of the two e-mail addresses. On several occasions, he sent tax and salary-related correspondence from the Pannun ‘plot’ account, prosecution records further show.

For example, prosecutors say, Yadav used the onlyXXXXXX@gmail.com account, set up to communicate with Gupta, to send a photograph, images of a debit card and his tax returns “to another individual”.

From the second Gmail account vikas0XXXXX@gmail.com, investigators were rapidly able to assemble a picture of Yadav’s relationship with R&AW. The earliest documents stored in the account show he had applied to join the Aviation Research Centre, R&AW’s imagery-intelligence wing, in response to an advertisement in the government publication Employment News in May 2012.

This Gmail account included a copy of a signal sent by Central Reserve Police Force (CRPF) headquarters in June 2012, saying the Cabinet Secretariat was seeking “direct recruitment of senior field officers in the junior executive cadre of R&AW from among those who have been selected by UPSC as Assistant Commandants” in central paramilitary forces.

Yadav obtained a Bachelor of Science degree from Maharshi Dayanand University in Rohtak and went on to obtain postgraduate qualification in Forensics from Panjab University in Chandigarh. In 2007, he passed an examination administered by the Union Public Service Commission, and joined the CRPF in 2008.

Later, the Gmail document shows, Yadav went on to serve as a company commander in CRPF’s 207 Cobra Battalion, the counter-Maoist force.

A former senior national security official told ThePrint that the decision to recruit personnel to R&AW from central police organisations was made by a three-member committee led by the organisation’s chief Sanjeev Tripathi, who held the position from December 2010 to December 2012.

Following his induction by the Cabinet Secretariat, Yadav was assigned to serve as a probationary Senior Field Officer at the Aviation Research Centre’s base in Charbatia near Cuttack—a facility once used to fly image-intelligence operations targeting China over Tibet in partnership with the US.

Less than three years after joining the ARC, however, Yadav went to court after the Cabinet Secretariat held in 2017 that he was ineligible for recruitment in the first place. The dispute was settled in 2022 after the Cabinet Secretariat agreed to induct him and others from CRPF on a permanent basis. This indicates that he did not enjoy the most cordial relationship with his bosses, and even litigated against them.

Security loopholes

Yadav’s alleged decision to use a commercial email service—and that, too, without the protection of privacy applications, like a Virtual Private Network—likely set him up for exposure. A Government of India policy issued in 2013—the same year Yadav had joined the Cabinet Secretariat, R&AW’s parent organisation—prohibited the use of non-government email accounts. Large numbers of officers across services, however, have continued to operate personal email accounts, for reasons of reliability and ease of use.

The lack of security in commercial services like Gmail, though, has long been known.

Former Central Intelligence Agency director David Petraeus was, infamously, forced to resign from his office in 2012 after FBI investigators discovered he was using a pseudonymous Gmail account for an extramarital affair.

The FBI also investigated former US Secretary of State Hillary Clinton after evidence emerged that she had stored classified information on personal email servers. Although the FBI cleared Clinton of wrongdoing, then FBI director James Comey had said she had been “extremely careless in their handling of very sensitive, highly classified information”.

Even though Google says mail on its servers can never be read by its staff, the company routinely scans and hands over stored data to police, in response to legal requests. This distinguishes it from some other services, which claim they simply cannot decrypt communications between users because of the way their encryption system is set up.

For example, Apple has repeatedly said its technology makes it impossible to share decrypted content with law enforcement. Swiss encrypted email provider Proton also claims it has no means to decrypt user content.

The most sensitive information at R&AW is held on so-called air-gapped systems—devices completely cut off from the internet—but these are of little use for field operations in a digital world.

“Lots of intelligence services have specialised digital tools for agents to communicate with their handlers, but we do not,” one senior R&AW official told ThePrint. “There are also those who feel it’s safe to hide amidst the noise, and communicate discreetly with commercial services, but using innocuous language. That needs discretion though, and it seems Yadav was not discreet.”

‘Plot’ via WhatsApp

According to the prosecutors, Yadav contacted Gupta in May 2023 from the phone linked to onlyXXXXXX@gmail.com, and informed him that “there were multiple ‘targets’, including one in New York (the victim) and another in California, and by reference to addresses, at least one target in Nepal or Pakistan”.

The DEA alleges that Gupta, in turn, made contact with an informant for the New York Police Department, who he had been in touch with for several years. Gupta, prosecutors claim, had reached out to the informant “in pursuit of international narcotics trafficking, weapons trafficking, money laundering, and credit card fraud transactions”.

This led to the arrest of Gupta during a trip to Prague in June 2023, and the recovery of three cellphones from his possession. The prosecutors say that on the basis of a warrant, they discovered “hundreds of WhatsApp Messenger communications between Gupta and Yadav”.

WhatsApp says it cannot make deleted messages available to law enforcement, but tools are believed to exist to enable such material to be extracted. Individuals seeking to protect sensitive data, like diplomats and intelligence officials, are therefore advised not to carry their usual devices to locations where hostile entities may have access to them.

In these messages, which span from 6 May 2023 through 29 June 2023, Gupta and Yadav “planned the murder of the victim on a day-to-day basis”, a prosecution document reads.

(Edited by Mannat Chugh)

Also Read: US Justice Dept draws link between PMO & Vikash Yadav, RAW ex-officer accused in Pannun plot