| Company type | Private |
|---|---|
| Industry | Computer security |
| Founded | December 2003 |
| Founder | |
| Fate | Renamed (Sunkissed Organic Farms, 2017) |
| Headquarters | |
| Key people | |
| Services | |
| Number of employees | 650 (2013) |
| Subsidiaries | Appin Software Security (later Adaptive Control Security Global Corporate) |
| Website | appintechnology.com (archived) |

Appin was an Indian cyber espionage company, later renamed Sunkissed Organic Farms, that provided hacking services to governments, private investigators, and corporate clients. Founded in 2003 by Rajat Khare and associates as a technology training startup, the company had shifted to mercenary hacking by 2010, operating a digital platform through which more than 70 clients commissioned hacks against hundreds of targets worldwide. [1]
According to investigative reports by Reuters, Appin was a "hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." [1] The company is credited with creating the operational model still used by India's cyber-mercenary industry. [2] [3] [4]
Khare, through his U.S. law firm Clare Locke, has denied any involvement in hacking, stating he "has never operated or supported, and certainly did not create, any illegal 'hack for hire' industry" and that under his tenure Appin specialised in training students in cybersecurity, "never in illicit hacking." [1] His lawyers have described media reports tying Khare to hacking as "false" or "fundamentally flawed" and have said he left Appin in part because rogue actors were misusing the company's brand. [1] [5]
Between 2012 and 2016, Appin became the subject of criminal investigations in several countries, though these were eventually closed without charges. Google's threat intelligence team tracked Appin-linked hackers targeting tens of thousands of email accounts. [6] Following increased scrutiny, Appin scaled back its online presence and was subsequently renamed multiple times, ultimately becoming Sunkissed Organic Farms in 2017, while former employees went on to found other hack-for-hire firms that continue to operate. [3] Co-founder Rajat Khare, who resides in Switzerland, has been the subject of ongoing legal actions and media investigations. According to Reporters Without Borders, Khare and entities associated with Appin have filed lawsuits against at least 15 media outlets in multiple countries, which RSF described as "an offensive on an unprecedented global scale" to suppress reporting on the company's activities. [7]
In December 2003, Rajat Khare, along with high school friends, conceived Appin to offer technology training workshops to university students. By 2005, Rajat Khare had been joined by his brother Anuj Khare, an entrepreneur and former motivational speaker, and the company had an office in western New Delhi. Their franchise offered courses in programming, robotics, and cybersecurity. By 2007, Appin had opened a digital security consultancy helping Indian organisations defend themselves online. This drew the attention of Indian government officials, who were navigating internet-era intelligence challenges and seeking ways to hack into computers and emails. [1] [3]
Shortly thereafter, Appin established a subsidiary called Appin Software Security, also known as the Appin Security Group, to conduct surveillance activities for the Indian government. Employees signed non-disclosure agreements and were assigned to military-controlled facilities, where they worked away from their colleagues in the wider company. Their targets included Pakistan, China, and Khalistan movement separatists from India's Punjab state. [1] [8]
By 2009, the company's clients had included the Research and Analysis Wing (RAW), the Intelligence Bureau, the Indian Armed Forces, the Ministry of Home Affairs, and the Central Bureau of Investigation (CBI). [1] [4] Appin claimed their solutions were used by government intelligence agencies to monitor hostile individuals, marketed software for analysing call metadata, and explored importing Israeli cell phone interception devices. For the fiscal year ending in 2009, the company earned nearly $1 million in revenue and a profit of about $170,000, with a projected tenfold increase in revenue over the next 36 months. [1]
The company also generated additional revenue by covertly reselling material it had hacked for one Indian agency to another. This practice was eventually uncovered, prompting several Indian intelligence agencies to terminate their contracts with Appin. According to Reuters, following the loss of government contracts, Appin shifted its focus to private sector clients. [1]
In 2010, Rajat Khare sent bulk emails to private intelligence firms across Europe offering hacking-for-hire services. [4] Around 2011, the mercenaries began operating a digital dashboard dubbed "My Commando" for spy services, resembling an e-commerce platform with a menu of hacking options. Customers logged in to request Appin to hack emails, computers, or phones, monitor the operation's progress, and later download the stolen data. [1] [8] More than 70 global clients hired Appin to hack hundreds of targets through "My Commando." [1] [4]
Among the system's early users were Israeli private detectives Aviram Halevi and Tamir Mor, who accessed it in late 2011. That year, Mor ordered hacks on more than 40 targets, including Malaysian politician Mohamed Azmin Ali, Russian oligarch Boris Berezovsky (d. 2013), and his lawyers. [1] Around the same time, another user hired Appin to hack 30 targets, including a Rwandan dissident and the wife of another wealthy Russian going through a divorce. [1]
The targets also included Kristi Rogers—the wife of Representative Mike Rogers, who was the Chairman of the U.S. House Intelligence Committee at the time. Less well-known individuals, such as a landscape architect in New Jersey and a Native American tribal member, were also targeted using the system. Other victims of Appin included human rights activists, such as those associated with the Oslo Freedom Forum, along with governmental and private organisations. [1] [4] [3] [8]
In January 2012, a series of spear-phishing emails targeted Peter Hargitay, a Zurich-based FIFA insider and former adviser to FIFA President Sepp Blatter, who had been consulting for Australia's 2022 FIFA World Cup bid. [9] [1] Hargitay and his son Stevie detected the intrusion, and an expert they hired traced the attack to a server near Zurich airport whose billing records listed Rajat Khare as the client. [1] The Hargitays filed a criminal complaint with Swiss authorities. [1] [9]
According to a 2022 investigation by SRF Investigativ, the attack was part of an extensive espionage campaign in which Qatar sought to protect its 2022 World Cup hosting rights by hacking the emails and phones of FIFA officials and critics of its bid, and running smear campaigns to influence FIFA policy. [9] [10] Qatar had hired Global Risk Advisors, a firm founded by former CIA operative Kevin Chalker, which subcontracted the Hargitay hack to Appin. [9] [11] [12] The broader campaign, dubbed "Project Merciless," spanned five continents over several years. [9] [11] Hack-for-hire companies founded by Appin alumni were also later implicated in the campaign. [10]
Also in 2012, a German private investigator paid Appin $3,000 to hack an email during an inheritance feud involving a wealthy businessman. [2] In the Dominican Republic, authorities raided a local newspaper publisher in 2012 and formally accused him of collaborating with Khare to hack emails and extract information from the nation's elite for his digital newspaper. The publisher later admitted that in 2011, he paid Appin between $5,000 and $10,000 a month to spy on over 200 prominent Dominicans including Leonel Fernández, then president of the Dominican Republic. [1]
In 2012, after analysing a hack and leak targeting a Native American tribal member, the FBI linked multiple cases to a single perpetrator. Collaborating with Swiss authorities, the FBI identified the perpetrator as Appin and shared that they had human intelligence through a confidential source. [1]
In early 2013, Norwegian telecommunications company Telenor discovered that hackers had stolen as many as 66,000 emails from its chief executive, two personal assistants, and a senior lawyer in what the company described as industrial espionage; Norwegian police traced the attack to IP addresses in New Delhi. [1] Appin's operations began attracting attention worldwide, [9] and by 2013, they had become well known among security researchers, who referred to them using various monikers to describe their pattern of activity, including Operation Hangover by Shadowserver Foundation and Norman Shark, [13] [14] [15] Monsoon by Forcepoint, [16] and Viceroy Tiger by CrowdStrike. [17] [18] [19] These reports documented campaigns in which spear-phishing emails with exploit-laden documents were used to deploy custom malware (keyloggers, document uploaders, and credential-harvesting tools) across more than 600 command-and-control domains, using only previously known exploits rather than zero-days. [14] [19]
In 2023, SentinelOne's analysis of verified internal Appin records confirmed that the company owned and controlled the attack infrastructure and had developed malware in-house, such as a keylogger deployed against Pakistani government targets as early as 2009, while also procuring exploits from freelancers and commercial vendors. [8]
From 2013 onward, Google spent a decade monitoring Appin-linked hackers who targeted tens of thousands of email accounts on its platform. [6] Due to the unusually high volume of activity by the hackers, Google had to expand its systems and procedures to keep up with them. Security researchers have been cautious in their public statements linking Appin to the hacking and phishing incidents to avoid legal trouble; however, privately, they remain confident in the connection. [1] In 2013, an Appin spokesperson told the Wall Street Journal that the company "denies it had any role in any of the attacks" and said that someone, possibly a former employee, had been using its name. [20] The spokesperson separately called the Norman Shark report "a marketing gimmick" and said Appin was "in no manner connected or involved with the activities" described in it. [21]
Since 2012, Appin and its co-founder Rajat Khare have been the subject of criminal investigations in multiple countries. Swiss authorities linked Appin and Rajat Khare to a criminal complaint filed by the Hargitays for intrusion into their systems, while Norwegian investigators connected Appin to the Telenor hack. These multinational investigations were carried out over several years but were eventually closed without charges being filed. [1] [9]
In 2016, the woman who had hired a private detective to access the email of her fellow Native American tribal member pleaded guilty in federal court. Later, in mid-2020, that detective confessed in an affidavit that he had hired Appin to carry out the email heist. Similarly, Aviram Halevi, who hired Appin to hack at least three dozen people in 2011, [1] admitted to employing them to steal emails from a Korean businessman. [2] In 2021, the State Bank of India filed a criminal complaint with the Central Bureau of Investigation, Appin's former client, accusing Rajat Khare and others of embezzling ₹8.06 billion ($97 million) from loans to Educomp, where Khare was a director. Khare's lawyers said he had been "cleared" by Educomp's management but did not provide evidence; as of November 2023, Reuters could not determine the status of the case. [1]
Appin and co-founder Rajat Khare have filed lawsuits and sent legal demands to news organisations in multiple countries, including France, Luxembourg, Switzerland, the United Kingdom, and India, seeking removal of references in articles to the company and Khare. [22] [5] [23] [7]
In November 2022, a lower court in Geneva ordered SRF Investigativ to provisionally remove Rajat Khare's name and photo from its investigative report on the Project Merciless espionage operation. When contacted by RSF, Khare's Swiss lawyer, Nicolas Capt, stated that Khare has taken "legitimate legal action — civil and criminal — to protect his honour, which has been damaged by false accusations." [7]
On 1 June 2023, The New Yorker published an article titled "A Confession Exposes India's Secret Hacking Industry." The article primarily focused on firms founded by Appin alumni, such as BellTroX Infotech Services and CyberRoot Risk Advisory, which have targeted climate activists, investors, lawsuit defendants, and organisations on a global scale and still remain operational. Appin first sued the U.S. magazine in India, and later, Rajat Khare filed a lawsuit against it in Switzerland. The New Yorker refused to take down their article, stating that they fully stand behind the piece, which is an accurate and fair account of a matter of legitimate public interest. They further stated that they will continue to defend the right to publish important reporting without fear or favour. [4] [7]
On 16 November 2023, Reuters published an article about the company and its co-founder Rajat Khare titled, "How an Indian Startup Hacked the World." Drawing on hundreds of interviews and thousands of vetted documents, Reuters found that Appin "grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." The report was based on Appin's activities for nearly two decades, including company records, law enforcement files, and input from former employees, clients, and security professionals. The raw material spanning 2005 to 2022 was authenticated by Reuters and further verified by U.S. cybersecurity firm SentinelOne. [1] [7]
Appin sued Reuters, claiming the news agency had engaged in a "defamatory campaign." [24] [25] It obtained an injunction from a Delhi court and, on 4 December 2023, Reuters temporarily removed its article. Reuters said that it stood by its reporting. [26] [25] [27]
An archived version of the Reuters article hosted on the Wayback Machine was likewise removed following demands from lawyers representing Appin co-founder Rajat Khare. [28] Appin further sent demands to Meta Platforms, LinkedIn and Naukri.com to block accounts associated with the authors of the Reuters story. [23]
On the same day as the Delhi court injunction, the Indian Ministry of Home Affairs revoked the Overseas Citizenship of India (OCI) card of Raphael Satter, one of the Reuters journalists who reported the story, stating he had been "practising journalism without proper permission" and "maliciously creating adverse and biased opinion against Indian institutions in the international arena". [29] Satter said he had received threats from individuals associated with Appin during his reporting, one of whom alluded to potential "diplomatic action" unless he abandoned his investigation. [29] In March 2025, Satter petitioned the Delhi High Court to challenge the revocation. [29] During a November 2025 hearing, the court criticised the Ministry of Home Affairs for its documentation, with the judge stating that MHA officers had "completely distorted" the paperwork supporting the cancellation. [30]
In February 2024, Wired reported that lawyers for Appin and a related entity called the "Association for Appin Training Centers" had filed lawsuits and made legal threats against more than a dozen news organisations. Appin sent emails demanding that news site Techdirt and the organisation MuckRock, which hosted some of the information Reuters relied on, take down their content. The two sites denied that the injunction was binding on them. [31] [5] [32] Other sites, such as the Lawfare blog, removed material based on the Reuters article. [25] [31]
The Electronic Frontier Foundation (EFF) responded on behalf of Techdirt and MuckRock, arguing that the Indian court's order is unenforceable in U.S. courts because it conflicts with the First Amendment and Section 230 of the Communications Decency Act, as reinforced by the SPEECH Act. The EFF also urged recipients of Indian gag orders to carefully evaluate their legitimacy. [33] [5] [32]
Also in February 2024, the American podcast Behind the Bastards dedicated two episodes to Rajat Khare, omitting his name from the episode titles; the episodes were removed from podcast platforms within a week after a letter threatening legal action, according to RSF. [7]
The Reuters article was restored in October 2024, after the Delhi court rescinded its injunction on 3 October 2024, noting "the plaintiff has not been able to show any prima facie case to make interference in the process of journalism". [34] The article is back online at its original location. [1]
On 21 November 2024, Reporters Without Borders (RSF) reported that works from at least 15 different media outlets had been modified or withdrawn as a result of a strategic lawsuit against public participation or a legal notice from Rajat Khare or Appin Training Centers. RSF also found that numerous posts praising Khare appeared on platforms such as Medium, authored by accounts with generic names and AI-generated profile photos that commented on one another's content, in what RSF described as an attempt to "flood the Internet" and "drown out the troublesome investigations". Additionally, an Intelligence Online article [12] was the subject of what RSF described as an "abusive DMCA takedown request". [7] [35]
Following Norman Shark's public attribution of the Telenor hack to Appin, [14] the company faced increasing scrutiny, and the group began scaling back its online presence. [1] Around that time, former Appin employees branched out, founding similar hack-for-hire firms. [3]
Two such companies—BellTroX Infotech Services, led by Sumit Gupta, and CyberRoot Risk Advisory [36]—started collaborating with Appin, sharing staff and computer infrastructure for their hacking operations. [2]
Their activities were identified using a database of over 80,000 phishing emails sent to 13,000 targets from 2013 to 2020. [1] This database was vetted by six expert groups, with each group independently confirming recognised hacking activity. [2] Further analysis by Mandiant, LinkedIn, Google, [6] and court records revealed that the hacking was carried out by three Appin-linked companies with an intermingling of resources among them. [2] This network of mercenaries charged clients anywhere from a few thousand to millions of dollars, [36] while paying workers just $370 per month. [1]
The hackers targeted attorneys and their clients, including companies, advocacy groups, media organisations, and business executives. According to Shane Huntley of Google's threat intelligence team, these attacks had "real potential to undermine the legal process." [2] Media reports have linked Appin alumnus Sumit Gupta to Aviram Azari, a former Israeli policeman who was sentenced to 80 months in prison for his role in a global hack-for-hire scheme, [2] [37] [38] the Dark Basin campaign, and the wider network of Indian hack-for-hire operators. [2] [4] In a 2020 interview with Reuters, Gupta denied wrongdoing, acknowledging that he provided technical support to private detectives but claiming he was not personally involved in cyberespionage. [36] [1] By 2023, attempts to reach him were unsuccessful. [1]
Appin Technology rebranded multiple times before adopting the name Sunkissed Organic Farms in 2017. Its subsidiaries also underwent rebranding. In 2015, Appin Software Security, which billed private eyes for the hacking work, became Adaptive Control Security Global Corporate (ACSG). [1]
Rajat Khare resigned as director of Appin Technology in 2016 and moved to Switzerland, where, according to SRF Investigativ, "he now presents himself as a renowned start-up investor." [1] [9] Together with his wife Shweta, Khare runs Boundary Holding, a Luxembourg-based venture capital firm. [39] His family controls companies founded under the Appin name, as well as the renamed Indian firms, including ACSG, which describes itself as a "critical infrastructure protection company that caters to government clients." [1]