Cybercrime History, Case Study

BellTroX
The Delhi Hack-for-Hire Shop That Phished The World

Thomas Shelby, 17.05.2026. New Delhi, 2013 to 2020
[Cover image: BellTroX / Dark Basin Delhi hack-for-hire operation]
01

A Quiet Office, A Loud Client List

Most spy stories start in a basement or a Moscow apartment or a sealed room inside a three-letter agency. This one starts in a perfectly normal-looking office in Saidulajab, south Delhi. Whitewashed walls. A modest reception. A few rooms full of LCD monitors and the smell of chai from the corner stall outside. The company on the brass plate is called BellTroX InfoTech Services, and on paper it does corporate intelligence, due diligence and background checks. The kind of thing a lot of small Indian outsourcing firms list as their service catalogue.

Off paper, for at least seven years, BellTroX was running one of the largest "hack-for-hire" operations the security industry had ever seen. From that small Delhi office, an estimated 10,000-plus email accounts belonging to politicians, government officials, journalists, advocacy groups, hedge funds, law firms and corporate executives across six continents were quietly targeted with custom spear phishing. The shop never sold itself as a hacking outfit. The contracts came in through Western private investigators and corporate intelligence firms who needed inboxes opened and didn't want to know how.

In June 2020 the operation was unmasked by Citizen Lab at the University of Toronto, who'd been tracking the cluster for years under the codename Dark Basin. Reuters, NBC News and the New York Times followed within hours. This is the case study of how a small Indian outsourcing company quietly became the world's busiest mercenary phishing service, who hired them, who paid the price, and what eventually broke the operation open.

02

Meet BellTroX And Sumit Gupta

BellTroX InfoTech Services was registered as a private company in India in 2013, with its head office in New Delhi. Its owner and director, Sumit Gupta, is in his mid-forties. Public records show him as a slightly built man with a friendly LinkedIn profile, listing his areas of expertise as "ethical hacking, OSINT, due diligence, corporate intelligence". The site advertised forensic services, financial investigations and "open source intelligence". The fee structure for the actual hacking, per Reuters reporting, ran roughly $70 to $80 per target, sometimes more for high-value executives. Bulk discounts were available.

What separated BellTroX from a dozen similar shops in Delhi and Bengaluru is that Sumit Gupta had history. In 2015, US prosecutors had already named him in a New York indictment connected to a private investigator hacking scheme. He was named as a co-conspirator who'd helped open inboxes for American PIs. The charges against him in the US went unresolved because he stayed in India. He went back to work the next day. BellTroX kept running.

For the next five years, that office on the south Delhi street kept its head down, kept its lights on, and kept building one of the most active phishing pipelines on the planet.

03

Inside The Phishing Factory

[Image: Dark Basin global target map, conceptual render]

The tradecraft was unglamorous and devastatingly effective. No zero days. No custom malware. Almost everything BellTroX shipped was just very well dressed phishing at industrial volume.

  • Spear phishing emails tailored to the target. Fake Google account warnings. Fake Outlook security notices. Fake document share links from a colleague. The lures were often based on prior OSINT to make them feel real.
  • Custom URL shorteners that BellTroX operated themselves, used to bounce victims into credential harvesting pages. Citizen Lab reportedly identified over 28,000 unique URLs generated by Dark Basin shorteners, hitting tens of thousands of accounts.
  • Look-alike domains impersonating Google, Yahoo, Microsoft, LinkedIn and corporate logins. Slight typos, swapped TLDs, Unicode tricks. The standard 2010s phishing toolkit, executed cleanly.
  • Credential harvesting at scale. Once a victim entered a password, BellTroX could log into the real mailbox, sometimes for weeks, exfiltrating anything of interest. Some victims were targeted dozens of times across years until they slipped once.
  • Output handed off as documents. Clients didn't get raw access. They got curated PDFs and zip files. Plausible deniability for the buyer was the whole product.

The volume is what made it special. Most APT groups send a few hundred targeted emails a year. BellTroX appears to have run tens of thousands per year, across hundreds of campaigns, in at least 13 languages, for a rotating cast of paying clients. It was less spy agency and more BPO. A call centre, but for breaking into your inbox.
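The look-alike domain and shortener tactics above are exactly what mailbox-side triage can catch before anyone clicks. The Python below is an added example, not code from this post or from Citizen Lab: a small classifier that folds confusable characters and flags homoglyph, swapped-TLD, brand-embedded and single-edit typosquat domains against a protected-brand list. The brand list, the confusables table and the sample lure URLs are all constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Brands the case study says the lures impersonated. The domain list, confusables
# table and sample URLs below are constructed for this example, not Citizen Lab data.
PROTECTED = {"google": "google.com", "yahoo": "yahoo.com",
             "microsoft": "microsoft.com", "linkedin": "linkedin.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u03bf": "o",
                            "\u0430": "a", "\u0435": "e", "\u0456": "i"})  # deliberately small

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return (verdict, brand) for one lure URL."""
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").rstrip(".")
    if "." not in host:
        return ("unrelated", None)
    label = host.split(".")[-2]                 # crude registrable label, no PSL lookup
    folded = unicodedata.normalize("NFKC", label).translate(HOMOGLYPHS)  # fold confusables
    for brand, real in PROTECTED.items():
        if host == real or host.endswith("." + real):
            return ("legitimate", brand)        # the real domain or one of its subdomains
        if folded == brand:                     # brand label after folding, but not the real domain
            return ("homoglyph" if label != folded else "swapped-tld", brand)
        if brand in folded:
            return ("brand-embedded", brand)    # e.g. login-linkedin.com
        if levenshtein(folded, brand) <= 1:
            return ("typosquat", brand)         # one-character slip, e.g. gogle.com
    return ("unrelated", None)

SAMPLE_LURES = [                                # constructed, in the style the post describes
    "https://accounts.google.com/signin",
    "https://g\u03bfogle.com/ServiceLogin",     # Greek omicron standing in for 'o'
    "http://micros0ft.com/owa/auth",
    "https://google.co/security-alert",
    "http://login-linkedin.com/checkpoint",
    "https://yaho.com/account/challenge",
    "https://example.org/newsletter",
]

def triage(urls):                               # brand-linked, non-legitimate hits only
    results = [(u, *classify_url(u)) for u in urls]
    return [r for r in results if r[1] not in ("legitimate", "unrelated")]
```

Run `triage(SAMPLE_LURES)` to see which of the seven constructed lures would be held for review; the shortener hop the post describes has to be resolved to its final URL first before the same check applies.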

04

Who They Spied On (And Who Paid For It)

Citizen Lab's report, "Dark Basin: Uncovering a Massive Hack-for-Hire Operation", names categories. Reuters' follow up reporting named the people. Together they tell a remarkably uniform story. BellTroX did not hunt random civilians. The targets were almost always somebody's adversary in a lawsuit, a campaign, a deal or an investigation.

  • Climate activists and NGOs. Greenpeace, the Rockefeller Family Fund, the Conservation Law Foundation and other organisations active in the #ExxonKnew climate accountability campaign were repeatedly phished in 2016 and 2017. Independent investigators later linked some of that activity to entities adjacent to ExxonMobil's litigation strategy, though Exxon denied any direct knowledge.
  • Short sellers and hedge funds. Western hedge fund analysts who had publicly bet against specific companies were repeatedly phished, frequently around the timing of earnings calls or legal disclosures. Some targets were on the bull side of the same trades. Both sides were being hacked, often within the same campaign.
  • Government officials. Citizen Lab confirmed targeting of senior officials in North America, Europe, the Middle East and Asia. The Indian government officially denied any knowledge of or connection to the operation.
  • Journalists and lawyers. Investigative journalists, white-collar defence lawyers and class action attorneys, especially those involved in high-stakes commercial litigation, made up a substantial chunk of victims.
  • Politicians and activists. Including individuals tied to elections, transparency campaigns and anti-corruption work in multiple countries.

The customers, on the other end, were almost never the principals themselves. They were private investigators and corporate intelligence firms in the US, the UK, Israel and Switzerland, hired by law firms, hedge funds, corporate clients and sometimes governments. Those PIs subcontracted the actual hacking to BellTroX. The principals could honestly say they never authorised any hack. The PIs could honestly say they only hired "research services". And BellTroX could honestly say they were just an Indian IT shop fulfilling tickets. Plausible deniability, neatly distributed across three time zones.

05

June 2020: Citizen Lab Pulls The Curtain

[Image: Citizen Lab Dark Basin investigation, conceptual render]

Citizen Lab, the digital rights research group at the University of Toronto's Munk School, had been pulling at the same thread since around 2017. A handful of climate activists had handed them suspicious phishing emails. Two URL shorteners caught the researchers' eye. Patient pivoting across infrastructure, timing, language artefacts in the lure documents and even payslip metadata leaked by BellTroX's own infrastructure eventually traced the cluster back to a single small office in south Delhi.

On 9 June 2020, Citizen Lab published its report. The same day, Reuters dropped a parallel investigative feature naming Sumit Gupta and BellTroX. NBC News, the New York Times, Wired and the Wall Street Journal carried the story by the following morning. The US Department of Justice quietly confirmed an ongoing investigation. The Indian Computer Emergency Response Team opened its own inquiry into BellTroX.

BellTroX's website went dark within hours. Sumit Gupta's LinkedIn profile briefly disappeared and then quietly resurfaced with sections trimmed. The small Delhi office stayed shut for a while.

06

What Happened Next, And To Whom

Six years after Sumit Gupta was first named as a US co-conspirator in 2015, and despite global press coverage, the response was uneven.

  • Sumit Gupta and BellTroX. As of writing, Sumit Gupta has not been extradited from India to the United States. He has denied any wrongdoing in public statements, characterising BellTroX as a legitimate due diligence outfit and saying any hacking attributed to it must have been done without his knowledge. India has no extradition treaty obligation that easily compels his transfer to the US, and the 2015 indictment never produced a warrant against him personally that led to an arrest.
  • Aviram Azari. An Israeli private investigator and one of the most prolific known buyers of BellTroX-style services. Azari was arrested in New York in September 2019, several months before the Dark Basin report dropped. He pleaded guilty in 2022 to conspiracy to commit computer hacking, wire fraud and aggravated identity theft. In January 2024, a US federal court sentenced him to 80 months in prison, roughly six years and eight months, plus around $4.8M in restitution. His clients reportedly included executives at large Western firms.
  • Major email providers (Google, Microsoft, Yahoo) cleaned up thousands of BellTroX-linked phishing pages and notified verified victims. Some victims are still finding old phishing emails in their archives years later.
  • CERT-In opened an investigation in India in 2020. As of the most recent public reporting, no Indian criminal charges have been brought against Sumit Gupta or BellTroX.
  • Civil suits. Several US-based litigants have pursued civil action over the targeting, including cases that ultimately surfaced subpoenas naming BellTroX and its alleged clients. Some of those cases settled quietly. Others are ongoing.

The clearest punchline is Azari. The contractor went to prison. The shop that did the actual hacking did not. That asymmetry is exactly why the hack-for-hire industry continues to thrive in jurisdictions where extradition is hard and where domestic law does not treat it as a priority.

07

What This Actually Teaches Us

A few things from the BellTroX run that I keep coming back to whenever I advise high-risk individuals.

  • You don't need zero days when phishing still works. Seven years, tens of thousands of targets, almost no exotic tradecraft. Just patient, well-written, well-timed credential phishing. The cheap attack is the durable attack.
  • The buyer is rarely the attacker. The economic chain has three layers: principal, intelligence firm, technical operator. By the time you trace the breach, the principal has plausible deniability written into a contract. Threat modelling needs to assume this layered structure.
  • If you have ever been in a lawsuit, you are in the target pool. The most common predictor of being phished by a hack-for-hire shop is not your fame or your wealth. It is being on the other side of a high-stakes commercial dispute. Lawyers, witnesses, activists, short sellers, opposing counsel.
  • FIDO2 and hardware keys flatten almost the entire BellTroX playbook. Credential phishing stops at WebAuthn. Everyone in a high risk role should be on hardware keys. Period.
  • Jurisdictional gaps are policy choices. Sumit Gupta did not avoid US prosecution because he was clever. He avoided it because he stayed inside a jurisdiction the US has no easy lever in. That is not an accident. That is how the industry was always going to organise itself.
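Why the hardware-key point holds: the browser, not the page, writes the page origin into clientDataJSON and binds the assertion to the relying party's rpId, so whatever a look-alike login page collects is useless at the real site. The Python below is an added illustration, not the post's own code; the relying party example.com, the look-alike examp1e.com and the HMAC stand-in for the authenticator's asymmetric signature are assumptions.

```python
import hashlib, hmac, json, secrets
from urllib.parse import urlsplit

# Assumed relying party. HMAC stands in for the authenticator's device-bound asymmetric
# signature; the origin and rpId binding is what this example is about.
RP_ID, RP_ORIGIN = "example.com", "https://example.com"

class Authenticator:                          # hardware-key stand-in; the key never leaves it
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def sign(self, auth_data, client_data):   # over authenticatorData || SHA-256(clientDataJSON)
        return hmac.new(self._key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    def verify(self, auth_data, client_data, sig):
        return hmac.compare_digest(self.sign(auth_data, client_data), sig)

def browser_get_assertion(auth, page_origin, rp_id, challenge):
    """The browser, not page script, writes the page origin into clientDataJSON and
    refuses an rpId the page's domain is not a suffix of (SecurityError in real browsers)."""
    host = urlsplit(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId not permitted for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x00"  # rpIdHash|flags|counter
    return client_data, auth_data, auth.sign(auth_data, client_data)

def rp_verify(auth, issued_challenge, client_data, auth_data, sig):
    """The relying-party checks from the WebAuthn assertion procedure that matter here."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get": return "bad type"
    if cd.get("challenge") != issued_challenge: return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN: return "origin mismatch"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest(): return "rpId mismatch"
    if not auth.verify(auth_data, client_data, sig): return "bad signature"
    return "ok"

def legit_login(auth):
    challenge = secrets.token_urlsafe(32)
    return rp_verify(auth, challenge, *browser_get_assertion(auth, RP_ORIGIN, RP_ID, challenge))

def relayed_phish(auth, phish_origin="https://examp1e.com"):
    """Look-alike lure relaying the real challenge, as a BellTroX page relayed passwords. Returns
    the RP verdict on the relayed assertion, then on one rewritten to claim the real origin."""
    challenge = secrets.token_urlsafe(32)
    # The browser refuses rp_id="example.com" at this origin (ValueError above), so the
    # most the lure can obtain is an assertion scoped to its own domain.
    cd, ad, sig = browser_get_assertion(auth, phish_origin, urlsplit(phish_origin).hostname, challenge)
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": RP_ORIGIN}).encode()
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    return rp_verify(auth, challenge, cd, ad, sig), rp_verify(auth, challenge, forged_cd, forged_ad, sig)
```

`legit_login(Authenticator())` returns "ok" while `relayed_phish(...)` returns ("origin mismatch", "bad signature"): the relayed assertion names the wrong origin, and patching the origin in afterwards invalidates the signature.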

The Quiet Bit

The most uncomfortable thing about Dark Basin isn't the technology. It is that for seven years a small office of paid technicians in Delhi sat in the inboxes of people fighting climate cases, defending whistleblowers, suing Fortune 500s and reporting on corruption. Real people, doing real work, sometimes lost cases and reputations because their email was being read in real time by a stranger they had never heard of, paid by somebody they could not name, in a country that would not extradite. Cyber security is not abstract. It is a power transfer.

08

References & Further Reading

Sources I cross checked while writing this. Worth reading if you want the long form versions.