A US forensic firm has found clear evidence that hackers planted documents on the activist’s laptop. The 84-year-old Jesuit priest died in custody in July 2021, after being repeatedly denied bail. This is now the fourth Bhima Koregaon case where there is proof of hacking—and they all appear to be connected to the same perpetrator.
Editor’s note: Our previous two Big Stories offer lots more context on Stan Swamy and the Bhima Koregaon case.
Remind me about Stan Swamy…
About Stan Swamy: Father Stanislaus Lourduswamy entered the priesthood in 1957—and worked for most of his life as an advocate for tribal rights in Jharkhand. Here’s the gist of his case:
- He was arrested in connection to the Bhima Koregaon case (explained below) in 2018—along with 15 other prominent activists and intellectuals.
- Swamy was repeatedly denied bail—despite his age and underlying health problems, including a heart condition and Parkinson’s disease.
- Prison authorities even denied him a sipper and straw—which he needed to drink water since his hands shook.
- By the end, he had lost hearing in both ears, fallen multiple times and was in chronic pain.
- Swamy was finally moved to a private hospital in May 2021, after becoming infected with Covid. The cause of death: pulmonary infection, Parkinson's disease and post-Covid complications.
The Bhima Koregaon case: Here’s what you need to know about this infamous case:
- Bhima Koregaon is a small village in the district of Pune, and it holds great significance for Dalits—hosting an annual event called Elgar Parishad that celebrates Dalit history.
- On January 1, 2018, the event was marked by clashes with a local Hindutva group—and one person was killed.
- Soon after, a person who claimed he attended the Elgar Parishad filed a police complaint—claiming he had witnessed “inflammatory speeches inciting hatred amongst society” and “inflammatory books” being sold.
- The initial FIR filed in Pune only named six persons. Over the coming months, the Pune police launched a full-scale investigation across multiple cities including raids on the homes of activists—and expanded its scope to include “other destructive activities.”
- Many of those named in the continually revised FIR were not even at the event.
- And it now included added charges under the extremely strict anti-terrorism law, Unlawful Activities (Prevention) Act (UAPA).
- All of this was based on “evidence” uncovered by the Pune police in the course of their investigation.
- In the end, 16 people were arrested for hatching “a nationwide plot against the Indian state” with the financial assistance from a banned Maoist party.
The key suspects: included a number of well-respected activists and intellectuals—such as poet Varavara Rao, lawyer Sudha Bharadwaj along with activists Arun Fereira, Gautam Navlakha and Vernon Gonsalves. Also arrested: Rona Wilson—an activist with the Committee for Release of Political Prisoners—and, of course, Stan Swamy.
Where we are now: Four years later, the case has still not come to trial. Stan Swamy passed away in 2021. Anand Teltumbde, Sudha Bharadwaj and Varavara Rao have been granted bail—while Gautam Navlakha has been shifted to house arrest. But 11 other activists are still behind bars without a trial.
Ok, tell me about this hacking…
The first sign of tampering: In 2021, Arsenal Consulting—a Massachusetts-based digital forensics firm—looked at an electronic copy of Rona Wilson’s laptop at the request of his lawyers. Their investigation showed that Wilson’s laptop was hacked back in 2016, and accessed multiple times over 22 months.
During that period, 52 files were planted on Wilson’s computer. These files included 10 documents that were uncovered by the Pune police when they took his laptop—the most explosive was a letter to a Maoist militant referring to a plot to assassinate PM Modi. It said:
We are thinking along the lines of another Rajiv Gandhi-type incident. It sounds suicidal and there is a good chance that we might fail, but we feel that the party PB/CC must deliberate over our proposal. Targeting his road-shows could be an effective strategy.
This “digital evidence” was then used over the coming months and years to arrest all the others.
Next up, Surendra Gadling: Arsenal released another report—this time focusing on the laptop of the human rights lawyer. It found that the device was infected with NetWire—a widely available malware product—for nearly two years before his arrest in 2018. NetWire can “upload and download files from a target’s computer, log keystrokes and access emails and passwords.”
More importantly, it showed that the same hackers were simultaneously targeting Gadling and Wilson:
The report details how the same methodology was used in the attacks on the computers belonging to Gadling and Wilson. In both cases, the attacker deployed an identical piece of malware to communicate with the same server and initially targeted victims via email. One afternoon in July 2017, Arsenal said, the attacker was active on the two computers within a period of 20 minutes. During that time, the same document — a purported account of the banned Maoist group’s funding — was deposited on both devices.
A damning link to the Pune police: In June this year, another US security firm, SentinelOne, uncovered digital evidence connecting the hackers to the Pune police. They looked at the email accounts of three activists: Rona Wilson, Varavara Rao and Hany Babu. The hacker had added a new recovery email and phone number—to allow him to easily regain control of the accounts if they changed their passwords.
Guess what? The recovery email contained the full name of a Pune police officer investigating the Bhima Koregaon case. And multiple databases confirmed that the recovery phone number is linked to that same email:
[Researchers] further found that the WhatsApp profile photo for the recovery phone number added to the hacked accounts displays a selfie photo of the police official—a man who appears to be the same officer at police press conferences and even in one news photograph taken at the arrest of Varavara Rao.
Just as damning: The new recovery email was added soon after Wilson received a phishing email—which allowed hackers to control his laptop. And his email account was then used to target the other accused with similar phishing emails.
And that’s what happened to Stan Swamy?
Yes. Arsenal has now released a new report on Stan Swamy’s laptop—which reaffirms the damning pattern of hacking. Except in his case, the hackers had access to his device for five years! In comparison, they controlled Wilson’s computer for only 22 months. Here’s what we know about the targeting of Swamy:
- The laptop was first compromised on October 19, 2014—and remained in the control of hackers until it was seized by Pune police on June 12, 2019.
- During that period, the hacker had full access and control over the computer—and dropped dozens of files into a hidden folder without Swamy’s knowledge.
- The hacker first planted documents in July 2017—and continued to do so for two years. The documents were never opened and Swamy never interacted with them.
- The hacker also copied more than 24,000 files and folders from Swamy’s computer.
Most damning is this bit about timing:
On the night of June 11, 2019, hours before Swamy’s computer was seized by the police, the hacker performed an extensive “cleanup” of their activities, including getting rid of malware and surveillance data and creating distractions by copying a large number of files into folders used maliciously before the cleanup.
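The two forensic signals described above—documents that were dropped on the machine but never opened, and a burst of file copying in the hours before the seizure—can be illustrated with a small timeline triage script. The code below is an added example written for this page; it is not Arsenal's tooling, and the file records, paths, timestamps and the "hidden folder" naming convention are constructed for illustration. Treat the checks as one signal among several: on NTFS the last-access timestamp is often not updated at all, so an examiner would corroborate with other artefacts before concluding a file was never opened.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class FileRecord:
    """One file-system entry as a forensic image would yield it (constructed)."""
    path: str
    created: datetime
    modified: datetime
    accessed: datetime


def _same(ts: datetime) -> Dict[str, datetime]:
    # Helper for records whose three stamps are identical (dropped, never touched).
    return {"created": ts, "modified": ts, "accessed": ts}


# Constructed sample data (hypothetical paths; not from any real image).
SEIZURE = datetime(2019, 6, 12, 9, 0)  # assumed time the laptop was seized

RECORDS: List[FileRecord] = [
    # Ordinary user document: edited and opened long after creation.
    FileRecord("C:/Users/user/Documents/notes.docx",
               datetime(2016, 3, 1, 10), datetime(2018, 1, 5, 9), datetime(2019, 5, 20, 12)),
    # Two files dropped into a hidden folder and never modified or opened.
    FileRecord("C:/Users/user/AppData/.hidden/letter.pdf", **_same(datetime(2017, 7, 14, 15))),
    FileRecord("C:/Users/user/AppData/.hidden/funding.doc", **_same(datetime(2018, 2, 2, 11))),
    # Downloaded and opened the same afternoon: accessed differs from created.
    FileRecord("C:/Users/user/Downloads/invoice.pdf",
               datetime(2018, 11, 3, 14), datetime(2018, 11, 3, 14), datetime(2018, 11, 3, 14, 30)),
] + [
    # Six files copied into one folder in the hour before the seizure.
    FileRecord(f"C:/Users/user/Documents/old/file{i}.doc",
               **_same(datetime(2019, 6, 11, 22, 10 * i)))
    for i in range(6)
]


def _in_hidden_folder(path: str) -> bool:
    # Assumed convention for the constructed data: a directory component
    # beginning with "." marks a hidden folder.
    return any(part.startswith(".") for part in path.split("/")[:-1])


def never_interacted(records: List[FileRecord]) -> List[str]:
    """Files whose modified and accessed stamps equal their creation stamp:
    written once to disk and never edited or opened afterwards."""
    return [r.path for r in records
            if r.modified == r.created and r.accessed == r.created]


def planted_in_hidden_folders(records: List[FileRecord]) -> List[str]:
    """Subset of never-interacted files that sit in a hidden folder."""
    return [p for p in never_interacted(records) if _in_hidden_folder(p)]


def pre_seizure_burst(records: List[FileRecord], seizure: datetime,
                      window: timedelta = timedelta(hours=12),
                      min_files: int = 5) -> List[str]:
    """Files created inside `window` before the seizure; returned only when
    there are at least `min_files`, i.e. enough to look like bulk copying."""
    start = seizure - window
    burst = sorted(r.path for r in records if start <= r.created < seizure)
    return burst if len(burst) >= min_files else []


def triage(records: List[FileRecord], seizure: datetime) -> Dict[str, List[str]]:
    """Summarise both signals for an examiner to review by hand."""
    return {
        "never_opened_in_hidden_folder": planted_in_hidden_folders(records),
        "pre_seizure_burst": pre_seizure_burst(records, seizure),
    }


if __name__ == "__main__":
    for label, paths in triage(RECORDS, SEIZURE).items():
        print(f"{label}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

Running it lists the two hidden-folder files as dropped-and-never-opened and the six `old/` files as a pre-seizure burst; the edited `notes.docx` and the opened `invoice.pdf` are not flagged.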
Point to note: The hacker used the exact same malware—NetWire—as with the other suspects in the case. Since they also used the same command and control servers and same NetWire configurations, Arsenal is convinced all these attacks were conducted by the same person.
Quote to note: A security expert—who has handled several high-profile cases—says: “I haven’t seen this amount of evidence being planted before. It’s unbelievable.”
The bottom line: To date, the Indian courts have not reviewed any of the evidence of hacking—even though the government's case is entirely built on documents seized from these laptops. The defence lawyers’ petition to the Bombay High Court is stuck in limbo—and is still waiting to be heard.
Reading list
Washington Post has the best reporting on the Stan Swamy report—coverage in the Indian media (here and here) has been pitiful in contrast. Wired has the details on the connection to the Pune police. This Washington Post report has more on the attack on Surendra Gadling. This earlier Big Story has everything you need to know about the Bhima Koregaon case—and the hacking of Rona Wilson’s computer. We also profiled Stan Swamy when he passed away last year.