Delhi Police face challenges cracking bomb threat emails to schools

  • Delhi Police struggle with bomb threat emails to schools.
  • VPNs and encryption complicate tracing the origin of threats.
  • Students send threats to avoid exams or prank institutions; authorities respond.

The Delhi Police are currently grappling with a persistent and escalating problem: a series of bomb threat emails targeting schools and other educational institutions within the National Capital Territory. This situation has become a significant drain on police resources, a source of considerable anxiety for parents, students, and school administrators, and a complex technical challenge for law enforcement. Last year alone, Delhi experienced 25 such cases, and the current year has already seen five separate incidents where bomb threat emails have been disseminated to schools. Alarmingly, the success rate in solving these cases remains extremely low. Out of the numerous cases reported last year, only a handful were successfully resolved, and only one case has been solved so far this year. This lack of progress underscores the inherent difficulties in tracing the perpetrators behind these cyber threats, particularly when they employ sophisticated methods to conceal their identities.

On a recent Monday, a coordinated wave of bomb threats targeted over 20 schools in Delhi simultaneously. This widespread threat prompted immediate and decisive action from school authorities, who were compelled to shut down operations, evacuate students, and send them home. The police and administrative agencies were placed on high alert, initiating a comprehensive search of the affected schools. Fortunately, after thorough investigations, it was determined that no actual explosives were present, and the threats were ultimately classified as hoaxes. However, the disruption caused by these threats is substantial, impacting educational schedules, requiring the deployment of emergency personnel, and contributing to a general atmosphere of fear and uncertainty.

The history of bomb threats targeting educational institutions in Delhi is not a recent phenomenon. As far back as 2022, a private school located in Sadiq Nagar was the recipient of such a threat. In 2023, similar threats were disseminated to various schools on three separate occasions. In these earlier instances, the police were able to identify the perpetrators as students within the school system. These students confessed to sending the bomb threats for a variety of reasons, including a desire to avoid examinations, to secure a day off from school, or simply as a misguided prank. These cases, while still serious, were relatively straightforward to resolve because the students did not employ sophisticated methods to conceal their identities.

The major turning point in this pattern of bomb threats occurred in May of last year, when over 200 schools and other institutions received bomb threat emails simultaneously. This mass dissemination of threats triggered a large-scale response from law enforcement and intelligence agencies. A First Information Report (FIR) was registered under sections of the Indian Penal Code (IPC) pertaining to conspiracy and other relevant offenses. A specialized unit within the Special Cell’s Counter-Intelligence (CI) division was assigned the task of conducting a comprehensive investigation into these threats. The email threats continued to plague Delhi throughout the year, with incidents reported in June, August, October, and November. These recurring threats extended beyond schools, impacting colleges, hospitals, airlines, and various other government institutions. In response to the growing scale and complexity of the problem, the police decided to consolidate all these cases under the initial FIR registered by the CI unit, streamlining the investigation and allowing for a more coordinated approach.

A significant challenge in solving these cases lies in the use of encrypted connections and proxy servers. According to a senior police officer, the cases that remain unsolved predominantly involve emails that were sent via a VPN (Virtual Private Network) proxy server. A VPN creates an encrypted connection over the Internet, effectively masking the sender’s true IP address and making it significantly more difficult to trace the origin of the email. This method of anonymization provides a layer of protection for the sender, allowing them to operate with a greater degree of impunity.

In contrast, cases where the sender did not use a VPN have proven to be much easier to resolve. For example, last December, the police successfully identified a student who had emailed a bomb threat to his school in order to avoid an examination. In this instance, the student had simply used an email ID without any VPN protection, making it relatively simple for the police to track him down. The student was subsequently counselled and released. Similarly, in July of this year, an investigation revealed that a 12-year-old boy had sent fake threats to two educational institutions: Delhi University’s St Stephen’s College and St Thomas School in Dwarka. The boy was briefly detained and released after receiving counselling. During the counselling session, the Class 8 student admitted that he had sent the threats because he wanted schools to be shut down and had randomly selected the email IDs of the institutions. Again, in this case, the boy had not used a VPN, making it easier for the police to identify and apprehend him.

When the servers used to send these threatening emails are based in foreign countries, the Delhi Police must seek assistance from central agencies to obtain the necessary details for their investigation. This process can be time-consuming and may not always be successful, depending on the cooperation of foreign authorities and the privacy laws in those jurisdictions. According to the officer, in most recent cases, the domains used in the emails have been traced to European countries. However, accessing the IP (Internet Protocol) addresses or other sender details is often nearly impossible, as they are encrypted and masked using VPN or proxy servers. The officer explained that a VPN can be understood as creating an indirect communication channel. Instead of a direct connection between two parties, the communication is routed through multiple domain servers, obscuring the original source of the message.

Cybersecurity experts emphasize the inherent difficulty in tracing the location of individuals who use VPNs. Shashank Shekhar, co-founder of the think tank FCRF, explains that VPNs are specifically designed to mask the user’s real IP address by routing their traffic through multiple servers located in different countries. This multi-layered approach makes it exceedingly difficult to pinpoint the true origin of the communication. Furthermore, advanced VPN services often implement features such as multi-hop routing and no-log policies, which further obscure digital footprints. Multi-hop routing involves routing traffic through multiple VPN servers in different locations, adding an extra layer of anonymization. No-log policies mean that the VPN service provider does not keep records of user activity, making it impossible to trace the user’s online activity even if the authorities gain access to the VPN server.

When threat actors send emails using such anonymized networks, often coupled with encrypted email services or compromised accounts, it significantly limits the ability of law enforcement to pinpoint the true origin of the message. In the recent cases involving threat emails sent to schools in Delhi, the attackers have leveraged such techniques, creating multiple layers of obfuscation that delay or derail attribution efforts, especially when international cooperation is required to access logs or trace traffic.

A critical issue is that many of these VPN service providers are headquartered outside India and often refuse to share user data or logs with Indian law enforcement agencies, citing privacy policies or foreign jurisdiction. This lack of cooperation presents a significant obstacle to investigations and makes it difficult to hold perpetrators accountable for their actions. Shekhar argues that it is imperative to establish regulatory frameworks mandating data sharing and log retention by such providers to assist probe agencies. Such frameworks would require VPN service providers to comply with lawful requests from Indian authorities for user data in cases involving serious crimes, while also ensuring that privacy concerns are adequately addressed.

The ongoing challenge of bomb threat emails to schools in Delhi highlights the growing need for enhanced cybersecurity measures, international cooperation, and updated legal frameworks to combat cybercrime effectively.

Source: Why Delhi Police find it difficult to crack cases involving bomb threat emails to schools, other institutions
