Appin (company)

Company type: Private
Industry: Computer security
Founded: 2003
Founders: Rajat Khare, Anuj Khare
Fate: Dissolved [1]

Appin was an Indian cyber espionage company founded in 2003 by brothers Rajat and Anuj Khare. It initially started as a cybersecurity training firm, but by 2010, the company had begun providing hacking services for governments and corporate clients. According to investigative reports by Reuters, Appin operated what the news agency described as a "hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." [2] The company created the model that is still used by the Indian hack-for-hire industry. [3] [1] [4]

Appin's operations drew scrutiny from law enforcement and security researchers globally. Between 2012 and 2016, the company became the subject of criminal investigations in multiple countries including the United States, Switzerland, Norway, and the Dominican Republic. Security researchers publicly linked Appin to extensive cyberespionage campaigns, with Google's threat intelligence team reporting that hackers linked to Appin targeted tens of thousands of email accounts. [5]

Following increased scrutiny, Appin scaled back its online presence and eventually dissolved. Co-founder Rajat Khare has been the subject of legal actions and media investigations. According to Reporters Without Borders, Khare and entities associated with Appin have filed lawsuits against at least 15 media outlets in multiple countries that reported on the company's hacking activities, with RSF describing this as "an offensive on an unprecedented global scale to keep both himself and his company's tactics out of the spotlight." [6] Multiple criminal investigations in several countries were eventually closed without charges being filed. Former Appin employees have founded other hack-for-hire firms that continue to operate. [1]

History

In December 2003, Rajat Khare along with high school friends conceived Appin to offer technology training workshops to university students. By 2005, now joined by Anuj, an entrepreneur and former motivational speaker, the company had an office in western New Delhi. Appin began as a digital security consultancy that provided cybersecurity classes to help Indian organisations defend themselves online. This drew the attention of Indian government officials, who were navigating internet-era intelligence challenges and seeking ways to hack into computers and emails. [2]

Shortly thereafter, Appin established a subsidiary called Appin Software Security, also known as the Appin Security Group, to conduct surveillance activities for the Indian government. Employees signed non-disclosure agreements and were sent to military-controlled facilities, where they worked away from their colleagues in the wider company. Their targets included Pakistan, China, and Khalistani separatists from India's Punjab state. [2]

By 2009, the company's clients had included the Research and Analysis Wing (RAW), the Intelligence Bureau, the Indian Armed Forces, the Ministry of Home Affairs, and the Central Bureau of Investigation (CBI). Appin claimed their solutions were used by government intelligence agencies to monitor hostile individuals, marketed software for analysing call metadata, and explored importing Israeli cell phone interception devices. For the fiscal year ending in 2009, the company earned nearly $1 million in revenue and a profit of about $170,000, with a projected tenfold increase in revenue over the next 36 months. [2]

The company also made extra money by discreetly reselling material it had hacked for one Indian agency to another. This practice was eventually uncovered, prompting several Indian intelligence agencies to terminate their contracts with Appin. According to Reuters, following the loss of government contracts, Appin shifted its focus to private sector clients. [2]

In 2010, Rajat Khare sent bulk emails to private intelligence firms across Europe offering hacking-for-hire services. [4] Around 2011, the mercenaries began operating a digital dashboard dubbed "My Commando" for spy services, resembling an e-commerce platform with a menu of hacking options. Customers logged in to request Appin to hack emails, computers, or phones, track the operation's progress like a delivery, and later download the stolen data. [2] More than 70 global clients hired Appin to hack hundreds of targets through "My Commando." [7] [4]

Among the system's early users were Israeli private detectives Aviram Halevi and Tamir Mor, who accessed it in late 2011. That year, Mor ordered hacks on more than 40 targets, including Malaysian politician Mohamed Azmin Ali, Russian oligarch Boris Berezovsky, and his lawyers. [2] Berezovsky was found dead in 2013. [8] Around the same time, another user hired Appin to hack 30 targets, including a Rwandan dissident and the wife of another wealthy Russian going through a divorce. [7] The targets also included Kristi Rogers—the wife of Representative Mike Rogers, who was the Chairman of the U.S. House Intelligence Committee at the time. Less well-known individuals, such as a landscape architect in New Jersey and a Native American tribal member, were also targeted using the system. Other victims of Appin included human rights activists, such as those associated with the Oslo Freedom Forum, along with governmental and private organizations. [7] [4] [1] [9]

Starting on 5 January 2012, a cyberattack targeted Peter Hargitay, a Zurich-based FIFA insider and consultant for Australia's 2022 World Cup bid. Hargitay and his son hired an expert who traced the hack to a server linked to Rajat Khare. The attack was part of an extensive hacking operation targeting numerous individuals in what SRF Investigativ described as a global smear campaign. This was linked to Qatar's espionage operations related to securing the 2022 FIFA World Cup hosting rights. [2] [10] [11] [12] Hack-for-hire companies founded by Appin alumni were also implicated in the campaign. [13]

Also in 2012, a German private investigator paid Appin $3,000 to hack an email during an inheritance feud involving a wealthy businessman. [3] That same year, an Indian cybersecurity consultant traced an attempted hack on a client to Appin and discovered compromising material on its servers. [14] In the Dominican Republic, authorities raided a local newspaper publisher in 2012 and formally accused him of collaborating with Khare to hack emails and extract information from the nation's elite for his digital newspaper. The publisher later admitted that in 2011, he paid Appin between $5,000 and $10,000 a month to spy on over 200 prominent Dominicans including Leonel Fernández, then president of the Dominican Republic. [2]

In 2012, after analysing a hack and leak targeting a Native American tribal member, the FBI linked multiple cases to a single perpetrator. Collaborating with Swiss authorities, the FBI identified the perpetrator as Appin and shared that they had human intelligence through a confidential source. [7]

In February 2013, the Chicago Mercantile Exchange filed a complaint with the World Intellectual Property Organization regarding a phishing attack that used a suspicious domain to steal investment information. [15] [16] In March of that year, after Telenor filed a criminal case with Norwegian police Kripos over a hack stealing 66,000 emails from its leadership and legal advisor, the infosec community obtained evidence that allowed them to access Appin's unsecured servers and link the group to several high-profile cyberattacks that had been directed at more than a dozen countries. [1] [17] [18] [19] [20] Norman Shark publicly linked the Telenor hack to Appin. [21] [22] [2]

Appin's operations began attracting attention worldwide, [10] and by 2013, they had become well known among security researchers, who referred to them using various monikers to describe their pattern of activity, including Operation Hangover by Shadowserver Foundation and Norman Shark, [23] [21] [24] Monsoon by Forcepoint, [25] and Viceroy Tiger by CrowdStrike. [26] [27] [28] From 2013 onward, Google spent a decade monitoring Appin-linked hackers who targeted tens of thousands of email accounts on its platform. [5] [29] Because of the unusually high volume of activity from these hackers, Google had to expand its systems and procedures to keep up with them. Security researchers have been cautious in their public statements linking Appin to the hacking and phishing incidents to avoid legal trouble; however, privately, they remain confident in the connection. [2]

Since 2012, Appin and its CEO Rajat Khare have been the subject of criminal investigations in multiple countries. Swiss authorities linked Appin and Rajat Khare to a criminal complaint filed by the Hargitays for intrusion into their systems, while Norwegian investigators connected Appin to the Telenor hack. These multinational investigations were carried out over several years but were eventually closed without charges being filed. [2] In 2016, the person who had hired a private detective to access the email of her fellow Native American tribal member pleaded guilty in federal court. Later, in mid-2020, that detective confessed in an affidavit that he had hired Appin to carry out the email heist. Similarly, Aviram Halevi, who hired Appin to hack at least three dozen people in 2011, admitted to employing them to steal emails from a Korean businessman. [3] In 2021, the State Bank of India filed a criminal complaint with the Central Bureau of Investigation, Appin's former client, accusing Rajat Khare and others of embezzling ₹8.06 billion ($97 million) from loans to Educomp, where Khare was a director. [2]

Controversies

Appin and co-founder Rajat Khare have filed lawsuits and sent legal demands to news organisations in multiple countries, including France, Luxembourg, Switzerland, the United Kingdom, and India, seeking removal of references in articles to the company and Khare. [30] [31] [32] [6]

On 2 November 2022, Swiss media outlet SRF Investigativ published an investigative piece about Qatar's elaborate and extensive espionage operation to secure the 2022 FIFA World Cup hosting rights. The operation, dubbed Project Merciless, involved hacking the emails and phones of FIFA officials and of critics of Qatar's World Cup bid who had raised concerns about corruption and human rights. It also targeted their friends and family members in order to run smear campaigns and influence FIFA policy. [10] [11] [13] [12] In November 2022, a lower court in Geneva ordered the publication to provisionally remove Rajat Khare's name and photo from the article. When contacted by RSF, Khare's Swiss lawyer, Nicolas Capt, stated that Khare has taken civil and criminal action in Switzerland and other countries to protect his honour. [6]

On 1 June 2023, The New Yorker published an article titled, "A Confession Exposes India's Secret Hacking Industry." The article primarily focused on firms founded by Appin alumni, such as BellTroX Infotech Services and CyberRoot Risk Advisory, which have targeted climate activists, investors, lawsuit defendants, and organisations on a global scale and still remain operational. Appin first sued the U.S. magazine in India, and later, Rajat Khare filed a lawsuit against it in Switzerland. The New Yorker refused to take down their article, stating that they fully stand behind the piece, which is an accurate and fair account of a matter of legitimate public interest. They further stated that they will continue to defend the right to publish important reporting without fear or favour. [4] [6]

On 16 November 2023, Reuters published an article about the company and its cofounder Rajat Khare titled, "How an Indian Startup Hacked the World." Drawing on hundreds of interviews and thousands of vetted documents, Reuters found that Appin "grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." The report was based on Appin's activities for nearly two decades, including company records, law enforcement files, and input from former employees, clients, and security professionals. The raw material spanning 2005 to 2022 was authenticated by Reuters and further verified by U.S. cybersecurity firm SentinelOne. [2] [6]

Appin sued Reuters, claiming the news agency had engaged in a "defamatory campaign." [33] [34] It obtained an injunction from a Delhi court and, on 4 December 2023, Reuters temporarily removed its article. Reuters said that it stood by its reporting. [35] [34] [36] An archived version of the Reuters article hosted on the Wayback Machine was likewise removed following demands from lawyers representing Appin co-founder Rajat Khare. [37] Appin further sent demands to Meta Platforms, LinkedIn and Naukri.com to block accounts associated with the authors of the Reuters story. [32]

In February 2024, Wired reported that lawyers for Appin and a related entity called the Association for Appin Training Centers had filed lawsuits and made legal threats against more than a dozen news organisations. Appin sent demand emails to the news site Techdirt and to the organisation MuckRock, which hosted some of the information Reuters had relied on. The two sites denied that the injunction was binding on them. [38] [31] [39] Other sites, such as the Lawfare blog, removed material based on the Reuters article. [34] [38] The Electronic Frontier Foundation (EFF) announced that it had responded on behalf of Techdirt and MuckRock to the legal threats made by Appin Training Centers. One of the arguments the EFF made in its letter to Appin is that the Indian court's order is unenforceable in U.S. courts because it conflicts with the First Amendment and Section 230 of the Communications Decency Act (47 U.S.C. § 230), as reinforced by the SPEECH Act (28 U.S.C. § 4102). The EFF also urged recipients of Indian gag orders to carefully evaluate their legitimacy. [40] [31] [39]

The Reuters article was restored in October 2024, after the Delhi court rescinded its injunction on 3 October 2024, noting "the plaintiff has not been able to show any prima facie case to make interference in the process of journalism". [41] The article is back online at its original location. [7]

On 21 November 2024, Reporters Without Borders (RSF) reported that works from at least 15 different media outlets had been modified or withdrawn as a result of a strategic lawsuit against public participation or a legal notice from Rajat Khare or Appin Training Centers, while posts praising Khare on self-published sites flooded the internet. Additionally, an Intelligence Online article [12] was the subject of what Reporters Without Borders described as an "abusive DMCA takedown request". [6] [42]

Legacy

Following Norman Shark's public attribution of the Telenor hack to Appin, [21] the company faced increasing scrutiny, and the group began scaling back its online presence. [2] Around that time, former Appin employees branched out, founding similar hack-for-hire firms. [1]

Two such companies—BellTroX InfoTech Services, led by Sumit Gupta, and CyberRoot Risk Advisory [43] [44]—started collaborating with Appin, sharing staff and computer infrastructure for their hacking operations. [3]

Their activities were identified using a database of over 80,000 phishing emails sent to 13,000 targets from 2013 to 2020. [2] This database was vetted by six expert groups, with each group independently confirming recognized hacking activity. [3] Further analysis by Mandiant, LinkedIn, Google, [5] and court records revealed that the hacking was carried out by three Appin-linked companies with an intermingling of resources among them. [3] This network of mercenaries charged clients anywhere from a few thousand to millions of dollars, [43] while paying workers just $370 per month. [2]

The hackers targeted attorneys and their clients—including companies, advocacy groups, media organisations, and business executives. According to Shane Huntley of Google's threat intelligence team, these attacks had "real potential to undermine the legal process." Media reports have linked Appin alumnus Sumit Gupta to criminal cases, former Israeli policeman Aviram Azari, [45] [46] [47] Dark Basin, [48] and the wider network of Indian hackers. [3] [49] [4] [50] [51] Appin Technology rebranded multiple times before adopting the name Sunkissed Organic Farms in 2017. Its subsidiaries also underwent rebranding. In 2015, Appin Software Security—which billed private eyes for the hacking work—became Adaptive Control Security Global Corporate (ACSG). [2]

Rajat Khare resigned as director of Appin Technology in 2016 and resides in Switzerland. [2] After the Swiss criminal investigation into his hacking of the Hargitays was closed, in the fall of 2020, Khare purchased a villa in Switzerland for 13.5 million Swiss francs from the daughter of a Ukrainian oligarch. According to SRF Investigativ, "he now presents himself as a renowned start-up investor." [10] In September 2023, The Economic Times reported that Rajat and Shweta Khare had purchased a plot in Delhi for ₹760 million (about $9.1 million). Together, they run Boundary Holding, a Luxembourg-based venture capital firm. [52]

Rajat Khare's family controls companies founded under the Appin name, as well as the renamed Indian firms, including ACSG, which describes itself as a "critical infrastructure protection company that caters to government clients." [2]

References

  1. Wild, Franz (11 May 2022). "Inside the global hack-for-hire industry". Bureau of Investigative Journalism. Retrieved 20 November 2023.
  2. Satter, Raphael; Siddiqui, Zeba; Bing, Chris (16 November 2023). "How an Indian startup hacked the world". Reuters. Retrieved 31 December 2024.
  3. Satter, Raphael; Bing, Christopher (30 June 2022). "How mercenary hackers sway litigation battles". Reuters. Retrieved 31 December 2024.
  4. Kirkpatrick, David (1 June 2023). "A Confession Exposes India's Secret Hacking Industry". The New Yorker. Retrieved 20 November 2023.
  5. Huntley, Shane (30 July 2022). "Countering hack-for-hire groups". Google. Retrieved 4 January 2025.
  6. "RSF investigation: the Indian cyber-security giant silencing media outlets worldwide". Reporters Without Borders. 21 November 2024. Retrieved 31 December 2024.
  7. Satter, Raphael (16 November 2023). "How an Indian startup hacked the world". Reuters. Archived from the original on 17 November 2023. Retrieved 20 November 2023.
  8. Melville, Toby (28 March 2014). "UK coroner records open verdict on death of Russian oligarch Berezovsky". Reuters. Retrieved 3 February 2024.
  9. Hegel, Tom (16 November 2023). Elephant Hunting: Inside an Indian Hack-For-Hire Group (Report). SentinelLabs. Archived from the original on 17 November 2023.
  10. Eiholzer, Leo; Schmid, Andreas (2 November 2022). "'Project Merciless': how Qatar spied on the world of football in Switzerland". Swiss investigative program Rundschau (swissinfo.ch). Retrieved 4 January 2025.
  11. Suderman, Alan (23 November 2021). "World Cup host Qatar used ex-CIA officer to spy on FIFA". Associated Press. Retrieved 9 January 2025.
  12. "Former Indian cyber privateer Rajat Khare is helping Qatar keep the football World Cup safe". Intelligence Online. 20 October 2022. Retrieved 31 December 2024.
  13. Wild, Franz; Siddons, Ed; Lock, Simon; Calvert, Jonathan; Arbuthnott, George (5 November 2022). "How Qatar hacked the World Cup". Bureau of Investigative Journalism. Retrieved 6 February 2025.
  14. Mookhey, K.K. (2013). "Malware Analysis Report" (PDF). Network Intelligence. Retrieved 5 January 2025.
  15. Jackson, Kelly (20 May 2013). "'Commercialized' Cyberespionage Attacks Out Of India Targeting U.S., Pakistan, China, And Others". Dark Reading. Retrieved 1 January 2025.
  16. Fowler, Geoffrey A.; Valentino-DeVries, Jennifer (23 June 2013). "Spate of Cyberattacks Points to Inside India". The Wall Street Journal. Retrieved 1 January 2025.
  17. Muncaster, Phil (21 May 2013). "'India attacked Norwegian telco to get at Pakistan, China' - report". The Register. Retrieved 2 January 2025.
  18. Jackson, Kelly (18 July 2013). "'Hangover' Persists, More Mac Malware Found". Dark Reading. Retrieved 1 January 2025.
  19. Vijayan, Jai (16 November 2023). "Shadowy Hack-for-Hire Group Behind Sprawling Web of Global Cyberattacks". Dark Reading. Archived from the original on 7 December 2023.
  20. Johansen, Per Anders (17 March 2013). "Spionerte på Telenor-sjefer, tømte all e-post og datafiler". Aftenposten (in Norwegian). Archived from the original on 20 March 2013.
  21. Fagerland, Snorre; Kråkvik, Morten; Camp, Jonathan (2013). "Operation Hangover: Unveiling an Indian Cyberattack Infrastructure" (PDF). Norman ASA. Archived from the original (PDF) on 12 June 2013. Retrieved 18 December 2023.
  22. "Norwegian company names Indian firm for global cyber offensive?". The Times of India. 23 May 2013. Archived from the original on 24 May 2013. Retrieved 10 January 2025.
  23. Fagerland, Snorre (20 May 2013). "The Hangover Report". Norman ASA. Archived from the original on 26 October 2013. Retrieved 18 December 2023.
  24. "Operation Hangover: Unveiling an Indian Cyberattack Infrastructure" (PDF). Seebug, part of 360 Netlab. Archived from the original (PDF) on 21 January 2022. Retrieved 18 December 2023.
  25. Settle, Andy; Griffin, Nicholas; Toro, Abel. "Monsoon – Analysis of an Apt Campaign Espionage and Data Loss Under the Cover of Current Affairs" (PDF). Forcepoint. Retrieved 1 January 2025.
  26. Santos, Doel; Hinchliffe, Alex (3 July 2020). "Threat Assessment: Hangover Threat Group". Palo Alto Networks. Retrieved 1 January 2025.
  27. Hinchliffe, Alex; Falcone, Robert (11 May 2020). "Updated BackConfig Malware Targeting Government and Military Organizations in South Asia". Palo Alto Networks. Retrieved 1 January 2025.
  28. Boutin, Jean-Ian (16 May 2013). "Targeted information stealing attacks in South Asia use email, signed binaries". WeLiveSecurity. Retrieved 3 January 2025.
  29. Vijayan, Jai (1 July 2022). "Google: Hack-for-Hire Groups Present a Potent Threat". Dark Reading. Retrieved 6 January 2025.
  30. Ingram, Mathew (18 January 2024). "A leak-hosting site looks to thaw the chill of censorship". Columbia Journalism Review. Retrieved 12 February 2024.
  31. Greenberg, Andy (1 February 2024). "A Startup Allegedly Hacked the World. Then Came the Censorship—and Now the Backlash". Wired.
  32. "Global censorship campaign raises alarms". Freedom of the Press. 18 January 2024. Retrieved 12 February 2024.
  33. Omar, Rashid (7 December 2023). "Forced to Pull Story on Indian Firm's Alleged Global Hacking Operation, Reuters to Fight Court Order". The Wire. Archived from the original on 8 December 2023.
  34. Uren, Tom (24 November 2023). "The Hack-for-Hire Industry: Death by a Thousand Cuts + When Theft Doesn't Work... Troll". Lawfare. Retrieved 10 February 2024.
  35. Masnick, Mike (7 December 2023). "Indian Court Orders Reuters To Take Down Investigative Report Regarding A 'Hack-For-Hire' Company". Techdirt.
  36. Cox, Joseph (6 December 2023). "Reuters Takes Down Blockbuster Hacker-for-Hire Investigation After Indian Court Order". 404 Media. Retrieved 18 December 2023.
  37. Schaffer, Michael (19 January 2024). "How a Judge in India Prevented Americans From Seeing a Blockbuster Report". POLITICO. Retrieved 12 February 2024.
  38. Masnick, Mike (1 February 2024). "Sorry Appin, We're Not Taking Down Our Article About Your Attempts To Silence Reporters". Techdirt. Retrieved 10 February 2024.
  39. "The Association of Appin Training Centers is waging a global censorship campaign to stop you from reading these documents". MuckRock. 1 February 2024. Retrieved 10 February 2024.
  40. Quintin, Cooper; Galperin, Eva (8 February 2024). "EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group". Electronic Frontier Foundation. Retrieved 30 December 2024.
  41. "Reuters exposé of hack-for-hire world is back online after Indian court ruling". Reuters. 26 October 2024. Retrieved 19 December 2024.
  42. "La réputation d'un "roi de la tech" indien au cœur d'un curieux bras de fer". Gotham City (in French). 7 December 2022. Retrieved 31 December 2024.
  43. Satter, Raphael; Bing, Christopher (30 June 2022). "SPECIAL REPORT-His emails were stolen; now he's exposing the hack-and-leak industry". Reuters. Retrieved 29 January 2025.
  44. Dvilyanski, Mike; Franklin, Margarita; Agranovich, David (16 May 2013). "Threat Report on the Surveillance-for-Hire Industry" (PDF). Meta. Retrieved 10 January 2025.
  45. Bing, Christopher (20 April 2022). "Israeli charged in global hacker-for-hire scheme pleads guilty". Reuters. Retrieved 12 January 2025.
  46. Reddick, James (17 November 2023). "Israeli private eye gets 80-month sentence for global hack-for-hire scheme". The Record. Retrieved 12 January 2025.
  47. "India, Israel, United States BellTrox affair scares corporate intelligence world". Intelligence Online. 24 June 2020. Retrieved 27 January 2025.
  48. Scott-Railton, John; Hulcoop, Adam; Abdul Razzak, Bahr; Marczak, Bill; Anstis, Siena; Deibert, Ron (9 June 2020). "Dark Basin - Uncovering a Massive Hack-For-Hire Operation". Citizen Lab. Retrieved 27 January 2025.
  49. Stubbs, Jack; Satter, Raphael; Bing, Christopher (27 June 2020). "Exclusive: Obscure Indian cyber firm spied on politicians, investors worldwide". Reuters. Retrieved 25 January 2025.
  50. Turton, William (9 June 2020). "U.S. Investigating Hacker Ring Paid to Target Corporate Critics". Bloomberg. Retrieved 25 January 2025.
  51. Marchiando, Amy (9 June 2020). "Professional Hackers for Hire carried out large-scale credential spearphishing campaigns since at least 2013". NortonLifeLock. Archived from the original on 29 June 2022.
  52. Haidar, Faizan (5 September 2023). "Boundary Holding's top executives buy land in Delhi for Rs 76 crore". The Economic Times. Retrieved 10 January 2025.