
Hoax bomb threat: 25 emails sent to 400 schools since last April, only few cases solved

During the probe, it was found that the service provider (mail.ru) – used to send hoax bomb threats – was based in Moscow, said a source in the police.


“There are many explosive devices in the school…” This message was received by 200 schools via email in May, last year.

It came as a shock to security agencies, as Delhi had never before encountered such a large-scale threat via email.

Subsequently, security agencies identified the sender’s email address as sawariim@mail.ru. ‘Sawarim’ is an Arabic word frequently used by the terrorist organisation Islamic State in its propaganda videos. This connection pointed to a potentially deeper conspiracy.


The Delhi Police’s counter intelligence unit, which is a part of the Special Cell, an anti-terror unit, registered an FIR and set up a dedicated team of cyber experts to access the details of the senders.

During the probe, it was found that the service provider (mail.ru) – used to send hoax bomb threats – was based in Moscow, said a source in the police.

With the help of Interpol, the police wrote to the National Central Bureau in Moscow, seeking details of the person who had created the threat email. However, the probe hit a roadblock. Police discovered that the sender had used a VPN (Virtual Private Network) or proxy server – an encrypted connection over the Internet – to hide his identity.

The email sent in May was one of the 25 such threats received by over 400 schools in Delhi since April 30, 2024. In some of these emails, the sender also mentioned critical installations such as hospitals, airports, and airline companies. Police sources said around 50 of these 400 schools have received such emails multiple times.

Few cases solved


One reason police have been able to solve some of these cases is the mistakes made by juveniles who had allegedly sent the emails, said sources.

Last December, the Delhi Police had traced a student for sending a bomb threat email to his school, as he wanted to avoid an examination. The student had not used any VPN. He had used an email ID, making it easier for the police to track him. The child was counselled and allowed to go.

In the South district, apart from solving one case in which the police traced a 16-year-old boy in January this year for allegedly sending emails to 400 schools using VPNs, the police have not been able to make much progress in the other cases. The police were able to trace the boy when, in one instance, the VPN he was using failed to connect, said sources.

Special Commissioner of Police Madhup Tiwari had then said, “We are sure that he was behind the emails sent to 250 schools on May 1. But with regard to the emails sent on February 8, we can’t say… as we are awaiting digital evidence. He has so far sent mail to more than 400 schools.”


The police had earlier recovered a laptop and two mobile phones from the 16-year-old. These devices were sent for forensic examination, which gave “conclusive and irrefutable digital evidence” directly linking him to the threat emails, police had said.

A senior police officer said that in around half-a-dozen cases, students had sent the emails either as a prank or to shut down their schools to avoid exams.

The probe

Soon after such emails are declared a hoax, the local police, along with the district cyber teams, begin their probe. Subsequently, specialised units such as the Special Cell, Crime Branch, CI, and IFSO take over. “In the first three to four days, the police and district cyber teams try to trace the sender’s IP address. If necessary, an FIR is registered before the case is handed over to our specialised units,” said a source.

“We also seek assistance from central agencies to obtain server details when the servers are based abroad. Over the past few months, in most cases, the domains used in emails were traced to European countries. However, accessing the IP addresses or other sender details is nearly impossible, as they are encrypted and masked using VPN or proxy servers,” the source added.

Cyber expert speaks

According to cyber expert Sunny Nehra, founder of Secure Your Hacks, while many such cases involve the use of VPNs, most of the time the VPN companies don’t provide data to the police, as the firms are generally based abroad and have strict policies of not sharing user data with law enforcement agencies.

“Police can crack VPN IPs in reverse if the suspect is based in India. They have to write to ISPs (Internet service providers) to check if a given VPN IP has been reflected in any of their customers’ details as destination IP. Because when a user uses VPN, the user is directly connected to the VPN IP, which in turn is connected to the websites he is surfing. So, the VPN IP becomes a destination IP in his IPDR (Internet Protocol Detail Record) details,” he said.

A police officer said, “If we try to understand the VPN as a layman… in case we are talking to each other, it’s direct connectivity, but if we are connected through a VPN, we communicate via multiple domain servers.”
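The IPDR lookup Nehra describes, sketched as an added example that is not part of the original report or any police tooling: filter an ISP's records for sessions whose destination IP is the VPN server and that were open when a threat email was sent, then rank subscribers across several send times. The CSV column layout, subscriber IDs, addresses and timestamps are all constructed assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample IPDR export. The column layout is an assumption (real ISP
# formats differ); addresses are from documentation/shared ranges.
SAMPLE_IPDR = """subscriber_id,src_ip,dst_ip,dst_port,start_time,end_time
SUB-1001,100.64.0.11,203.0.113.50,1194,2024-01-10T05:40:00,2024-01-10T06:30:00
SUB-1002,100.64.0.12,198.51.100.7,443,2024-01-10T05:55:00,2024-01-10T06:05:00
SUB-1003,100.64.0.13,203.0.113.50,1194,2024-01-09T20:00:00,2024-01-09T21:00:00
SUB-1004,100.64.0.14,203.0.113.50,443,2024-01-10T06:02:00,2024-01-10T06:20:00
SUB-1001,100.64.0.11,203.0.113.50,1194,2024-01-11T07:00:00,2024-01-11T07:30:00
SUB-1003,100.64.0.13,203.0.113.50,1194,2024-01-11T09:00:00,2024-01-11T09:30:00
"""
VPN_IP = "203.0.113.50"  # constructed: VPN server IP under investigation
EVENTS = [datetime(2024, 1, 10, 6, 0), datetime(2024, 1, 11, 7, 10)]  # constructed send times


def sessions_to_vpn(ipdr_csv, vpn_ip, event_time, slack=timedelta(minutes=5)):
    """Sessions whose destination is vpn_ip and that were open at event_time.

    slack absorbs clock skew between mail-server and ISP timestamps.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(ipdr_csv)):
        if row["dst_ip"] != vpn_ip:
            continue
        start = datetime.fromisoformat(row["start_time"])
        end = datetime.fromisoformat(row["end_time"])
        if start - slack <= event_time <= end + slack:
            hits.append((row["subscriber_id"], start, end))
    return hits


def shortlist(ipdr_csv, vpn_ip, event_times, slack=timedelta(minutes=5)):
    """Rank subscribers by how many send times coincide with one of their VPN sessions."""
    counts = Counter()
    for t in event_times:
        # Count each subscriber at most once per event, however many flows matched.
        for sub in sorted({h[0] for h in sessions_to_vpn(ipdr_csv, vpn_ip, t, slack)}):
            counts[sub] += 1
    return counts.most_common()


if __name__ == "__main__":
    for sub, n in shortlist(SAMPLE_IPDR, VPN_IP, EVENTS):
        print(f"{sub}: VPN session open during {n} of {len(EVENTS)} send times")
```

A single overlap only shows that a subscriber was using the same VPN server at that moment, which many unrelated customers may be doing; repeated overlap across separate send times is what narrows the list, and it remains a lead to corroborate with device forensics.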

 
