We take action against Hack-for-Hire firm Belltrox #SaveOurPrivacy

Based on recent disclosures from Meta (Facebook), we have filed a criminal complaint against the Delhi-based hack-for-hire firm Belltrox.

24 December, 2021
4 min read

tl;dr

The surveillance-for-hire industry has been in the eye of the storm in 2021, and it is essential that these entities are held accountable for their illegal actions. Following a new report from Meta (Facebook) on the surveillance activities of the Delhi-based company Belltrox, we have filed a criminal complaint with the Cyber Crime Cell of the Delhi Police asking them to take appropriate action.

Background

In July, the activities of Israel’s NSO Group, especially its spyware Pegasus, became the focus of media and public ire over allegations of hacking and misuse. However, the NSO Group isn’t the only entity engaged in surveillance activities. While Pegasus is spyware sold for use by NSO Group's clients, there are also entities engaged in (self-explanatory) surveillance-for-hire activities. These entities have targeted people across the world, including journalists and human rights activists.

On December 16, 2021, Meta, which is the parent company of Facebook, issued a press release titled, “Taking Action Against the Surveillance-For-Hire Industry”. This press release was on the basis of and accompanied by a threat report titled, “Threat Report on the Surveillance-for-Hire Industry”. The report was authored by Mike Dvilyanski, Facebook’s Head of Cyber Espionage Investigations, David Agranovich, Facebook’s Director of Threat Disruption, and Nathaniel Gleicher, Facebook’s Head of Security Policy. At the end of a months-long investigation, seven entities were identified as engaging in surveillance-for-hire activities and subsequently removed from Meta’s platforms.

The report classified these activities into three phases that make up a surveillance chain, with each phase informing the next and repeating in cycles:

  1. Reconnaissance: This phase includes silent profiling of targets by collecting information about them from publicly available sources such as blogs, social media, knowledge management platforms like Wikipedia and Wikidata, news media, forums and “dark web” sites. One of the primary ways in which this phase is executed is through the use of fake accounts.
  2. Engagement: In this phase, through the use of social engineering tactics to build trust, the targets are manipulated into sharing confidential information and clicking on malicious links or downloading files. Social engineering is defined as “a manipulation technique that exploits human error to gain private information, access, or valuables” by global cybersecurity company Kaspersky.
  3. Exploitation: Lastly, in the exploitation stage, the goal is to enable device-level surveillance and monitoring of mobile phones or computers. If successful, and depending on the extent of the exploit, the attacker can potentially “access any data on the target’s phone or computer, including passwords, cookies, access tokens, photos, videos, messages, address books, as well as silently activate the microphone, camera, and geo-location tracking”.

One of the entities identified was the Delhi-based M/s Belltrox Infotech Services Private Limited (“Belltrox”). According to a snapshot of its currently inaccessible website on the Wayback Machine, Belltrox is a “global strategy and innovation consulting firm” established in 2013 with its registered office in New Delhi. The Ministry of Corporate Affairs lists a Mr. Sumit Gupta as Belltrox’s director. Gupta was charged by the United States Department of Justice, along with other persons, for crimes relating to a conspiracy to access email accounts, Skype accounts, and computers of targets.

According to the threat report, Meta has removed about 400 Facebook accounts linked to Belltrox, the vast majority of which were inactive for years. Belltrox was engaged in all three phases of the surveillance chain. Previously, Citizen Lab and Reuters have also disclosed information about Belltrox’s hacking activities. The techniques adopted by Belltrox included phishing attacks and impersonation of persons, which it used either to hack into devices and get access to private data or to deceive people into sharing their private data. Relevant facts about Belltrox’s activities from the report are summarised below:

  1. Belltrox was active on Meta’s platforms, i.e. Facebook, from 2013 to 2019. It was inactive from 2019 to 2021, and then restarted its activity in 2021.
  2. Around 400 Facebook accounts were found linked to Belltrox (and were removed by Meta). A majority of these were inactive for years, and were used for profiling intended targets and collecting information from available online records; establishing contact with targets; gaining access to their confidential information through deception; and tricking them into clicking on malicious links or files, which would facilitate hacking.
  3. The other technique adopted by Belltrox was to operate multiple fake accounts impersonating persons of public standing — politicians, journalists, activists, etc. — in order to solicit information, including email addresses, from targets, likely for phishing attacks at a later stage.

Our actions

Immediately after Meta’s press release and report were made available, we released a short statement about the revelations on December 17, 2021. In our statement, we commended Meta for acting against these entities.

However, to ensure that those who have been targeted by the actions of Belltrox can seek justice, we decided to file a criminal complaint with the Cyber Crime Cell of the Delhi Police. The Delhi Police has been taking strict action against cyber crimes, and recently set up 15 new cyber crime police stations for this purpose. This step was taken to tackle the den of cyber criminality which has recently emerged in the National Capital, with cyber crime on the rise.

The actions of Belltrox show a nexus of criminality which includes hacking, impersonation and criminal conspiracy. In our criminal complaint, we have asked the Cyber Crime Cell to initiate investigation against Belltrox for the commission of offences under Sections 43, 66, 66B, 66D, 84B, 85 of the Information Technology Act, 2000 read with Sections 34, 109, 120-B, 417, 420, 467 of the Indian Penal Code, 1860.

The sinister acts of Belltrox are a continuous threat to all persons. Even though its activities might have been curbed on one platform, Facebook, its criminal history makes it clear that it is undeterred even after having been discovered, and it may move on to a different platform to continue its illegal acts. An immediate and focused investigation is necessary to halt Belltrox in its tracks, arrest the known and as-yet-unknown accused conspirators, and fully unearth the nexus and the conspiracy of criminality.

Important documents

  1. Copy of criminal complaint filed against Belltrox dated December 24, 2021 (link)
