Chuck Randall’s real estate deal was derailed by a well-timed leak of his private emails, causing upheaval in the Shinnecock Nation’s reservation. The leak detailed secret negotiations between Randall, his tribal government allies, and outside investors, leading to an uproar within the tribe. The scandal barely attracted attention beyond the reservation, but it was part of a larger cyber-mercenary operation orchestrated by the New Delhi-based information technology firm Appin. The Indian company engaged in industrial-scale hacking, stealing data from political leaders, international executives, and others across the world.
Unauthorized access to computer systems is a crime worldwide, including in India. Yet at least 17 pitch documents prepared for prospective business partners and reviewed by Reuters advertised Appin’s prowess in activities such as “cyber spying,” “email monitoring,” “cyber warfare,” and “social engineering,” security lingo for manipulating people into revealing sensitive information. In one 2010 presentation, the company explicitly bragged about hacking businessmen on behalf of corporate clients.
Run by a pair of brothers, Rajat and Anuj Khare, the company began as a small Indian educational startup. It went on to train a generation of spies for hire who are still in business today. Several cyber defense training organizations in India carry the Appin name, the legacy of an old franchise model, but there’s no suggestion that those firms are involved in hacking.
Appin stole data from political leaders, international executives, sports figures, and more. Rajat Khare’s U.S. representative, the law firm Clare Locke, rejected any association between its client and the cyber-mercenary business. It said Khare “has never operated or supported, and certainly did not create, any illegal ‘hack for hire’ industry in India or anywhere else.”
Appin gathered material from ex-employees, clients, and security professionals who’ve studied the company, spanning 2005 until earlier this year. Reuters verified the authenticity of the Appin communications with 15 people, including private investigators who commissioned hacks and ex-Appin hackers themselves. The news agency also asked U.S. cybersecurity firm SentinelOne to review the material for signs that it had been digitally altered. The firm said it found none.
Though Khare’s lawyers say Appin “focused on teaching cybersecurity and cyber-defense,” company communications seen by Reuters detailed the creation of an arsenal of hacking tools, including malicious code and websites. Over the last decade, hackers linked to Appin targeted tens of thousands of email accounts on its service alone, according to Shane Huntley, who leads the California company’s cyber threat intelligence team.
The original Appin has largely disappeared from public view, but its impact is still felt today. Copycat firms led by Appin alumni continue to target thousands, according to court records and cybersecurity industry reporting.
Private eyes have been hiring hackers for their work, and Appin’s innovation was turning the cloak-and-dagger market into something more like an e-commerce platform for spy services. The mercenaries marketed a digital dashboard with a menu of options for breaking into inboxes, including sending fake, booby-trapped job opportunities, bogus bribe offers, and risque messages with subject lines like “My Sister’s Hot Friend.” Customers would log in to a discreet site – once dubbed “My Commando” – and ask Appin to break into emails, computers, or phones. Users could follow the spies’ progress as if they were tracking a delivery, eventually receiving instructions to download their victim’s data from digital dead drops, according to logs of the system reviewed by Reuters.
The logs showed that Jochi Gómez was one of 70 clients, mostly private investigators, from the United States, Britain, Switzerland, and beyond who sought Appin’s help in hacking hundreds of targets. Some of these marks were high-society figures, including a top New York art dealer and a French diamond heiress, according to the logs. Several detectives used the service frequently, among them Israeli private eye Aviram Halevi, who tasked the spies with going after at least three dozen people via the system.
Another big user of My Commando was Israeli private detective Tamir Mor, who used the service around the same time to order hacks on more than 40 targets, the logs show. Among them were the late Russian oligarch Boris Berezovsky and Malaysian politician Mohamed Azmin Ali.
Operations like Jim H’s or Santarpia’s were aimed at only three or four email accounts at a time. But Appin had greater capabilities. Gómez ordered break-in attempts aimed at the email accounts of more than 200 high-profile Dominicans, the logs show. Among them was an account belonging to then-President Leonel Fernández, a frequent target of Gómez’s reporting.
Rajat Khare was a 20-year-old computer science major when he and his friends came up with the idea for Appin over chicken pizza at a Domino’s in New Delhi. It was December 2003. Khare had joined his high school buddies to catch up and bemoan the state of India’s universities, which they thought weren’t preparing students for the professional world. When one suggested organizing technology training workshops to supplement undergraduates’ education, people present at the meal said Khare jumped on the idea.
After the Domino’s meeting, Khare and his friends came up with the name Appin – short for “Approaching Infinity” – and launched their first classes on computer programming. India’s IT outsourcing boom had created voracious demand for tech talent. Appin franchises would soon sprout across India, offering not just programming lessons, but also courses on robotics and cybersecurity, nicknamed “ethical hacking.”
The company’s cybersecurity classes proved especially popular. By 2007, Appin opened a digital security consultancy, drawing the attention of Indian government officials who were still feeling their way through intelligence work in the internet age. To help the officials break into computers and emails, Appin set up a team of hackers out of a subsidiary called Appin Software Security Pvt. Ltd., also known as the Appin Security Group, according to a former executive, company communications, an ex-senior Indian intelligence figure, and promotional documents seen by Reuters.
Appin’s spying was a secret within the company. Some early Appin employees signed nondisclosure agreements before being sent to military-controlled safe houses where they worked out of sight from their colleagues, according to another former executive familiar with the matter and three hackers who spent time in the safe houses.
One of the hackers recalled being only 22 years old when he broke into the inboxes of Khalistani separatists – Sikh militants fighting to carve an independent homeland out of India’s Punjab province – and delivered the trove to his handlers.
Appin’s primary targets included Pakistan, with the hackers creating fake dating websites designed to ensnare Pakistani military officers, two insiders said. Another mission, Operation Rainbow, involved penetrating Chinese military computers and stealing information about missiles and radar. Those early operations led to more contracts, with Appin working with India’s external intelligence service, RAW, and the Intelligence Bureau, the country’s domestic spy agency, as well as serving India’s military, its Ministry of Home Affairs, and the Central Bureau of Investigation.
Lost Leads, Lasting Pain
Investigations into Appin by multiple countries ended after several years without conclusive outcomes. The investigations led to a few convictions, including that of a Shinnecock tribal official and of a private investigator. While the company’s original presence has largely faded, Appin’s legacy is still felt today with copycat firms led by Appin alumni continuing to conduct similar operations. These firms are routinely involved in hacking and cyberespionage activities, and have been named in U.S. lawsuits.
In his last known interview, Gupta claimed he was not personally involved in cyberespionage. But he did acknowledge the outsized role that his former employer played in shaping the industry.
“Appin is the godfather for all the hackers,” he said.
(This story has not been edited by NDTV staff and is auto-generated from a syndicated feed.)