Why Delhi Police find it difficult to crack cases involving bomb threat emails to schools, other institutions

On Monday, over 20 schools in Delhi received bomb threats again, prompting authorities to shut them down, send students back home, and put the police and administration on high alert. An officer stated that nothing suspicious was found in any of the schools, and the threat was later declared a hoax.

When it all started

Bomb threats to schools via emails or messages are not new. In 2022, a private school in Sadiq Nagar received such a threat, and in 2023, similar threats were sent to different schools on three separate occasions. In all these cases, the police discovered that school students were behind the emails. They were later caught and given counselling.

The students said they mainly sent such bomb threats to avoid examinations, get a day off, or simply as a prank.

The main issue, however, began last year in May when over 200 schools and other institutions received bomb threat emails. Since the emails were sent in bulk, the agencies rushed to register a First Information Report (FIR) under sections pertaining to conspiracy and other relevant sections of the Indian Penal Code (IPC). A specialised unit of the Special Cell’s Counter-Intelligence (CI) was tasked with conducting the probe.

The email threats continued in June, August, October, and November, triggering concern in several schools, colleges, hospitals, airlines, and several other government institutions. The police decided to club all these cases under the initial FIR registered by the CI unit.

Use of encrypted connections

A senior police officer said that the cases that remain to be solved involve emails sent via a VPN (Virtual Private Network) proxy server – an encrypted connection over the Internet which helps the sender hide their identity.

Last December, the police had zeroed in on a student who had emailed a bomb threat to his school to avoid an examination. The student had simply used an email ID without VPN, making it easier for the police to track him. The child was counselled and allowed to go.

In July this year, an investigation allegedly revealed that a 12-year-old boy had sent fake threats to two educational institutions — Delhi University’s St Stephen’s College and St Thomas School in Dwarka. He was briefly detained and released after counselling.

During the counselling session, the Class 8 student of a private school revealed that he wanted schools to be shut down and had randomly added the email IDs of the institutions. In this case too, the boy had not used a VPN, an officer said.

The officer said that when the servers are based abroad, they seek assistance from central agencies to collect details. “Over the past few months, in most cases, the domains used in emails were traced to European countries. However, accessing the IP (Internet Protocol) addresses or other sender details is nearly impossible, as they are encrypted and masked using VPN or proxy servers,” he added.

The officer added, “If we try to understand VPN as a layman…when we are talking to each other, it is direct connectivity, but if we are connected through a VPN, we communicate via multiple domain servers.”

‘Multiple layers of obfuscation’

Cyber expert Shashank Shekhar, who is the co-founder of the thinktank FCRF, tracing the location of a person using a VPN is inherently challenging because VPNs are designed to mask the user’s real IP address by “routing their traffic through multiple servers across different countries.”

“Advanced VPN services also implement features like multi-hop routing and no-log policies, which further obscure digital footprints. When threat actors send emails using such anonymised networks—often coupled with encrypted email services or compromised accounts—it significantly limits the ability of law enforcement to pinpoint the true origin,” Shekhar said.

“In recent cases involving threat emails sent to schools in Delhi, the attackers have leveraged such techniques, creating multiple layers of obfuscation that delay or derail attribution efforts, especially when international cooperation is required to access logs or trace traffic,” he added.

Shekhar said most of these VPN service providers are headquartered outside India and often refuse to share user data or logs with Indian law enforcement agencies, citing privacy policies or foreign jurisdiction, and pointed out that it is imperative to establish regulatory frameworks mandating data sharing and log retention by such providers to assist probe agencies.