New Delhi-based BellTroX InfoTech Services offered its hacking services to help clients spy on more than 10,000 email accounts over a period of seven years. According to three former employees, outside researchers, and a trail of online evidence the IT firm targeted government officials in Europe, gambling tycoons in the Bahamas, and well-known investors in the United States including private equity giant KKR and short seller Muddy Waters.

Aspects of BellTroX’s hacking spree aimed at American targets are currently under investigation by US law enforcement, five people familiar with the matter told the news source. The US Department of Justice declined to comment.

Muddy Waters founder Carson Block said he was “disappointed, but not surprised, to learn that we were likely targeted for hacking by a client of BellTroX.”

Researchers at internet watchdog group Citizen Lab, who spent more than two years mapping out the infrastructure used by the hackers, released a report saying they had “high confidence” that BellTroX employees were behind the espionage campaign.

Although they receive a fraction of the attention devoted to state-sponsored espionage groups or headline-grabbing heists, “cyber mercenary” services are widely used. A cache of data provides insight into the operation, detailing thousands of malicious messages designed to trick victims into giving up their passwords that were sent by BellTroX between 2013 and 2020. The data was supplied on condition of anonymity by online service providers used by the hackers after Reuters alerted the firms to unusual patterns of activity on their platforms.

Gupta charged in a 2015 hacking case

The data is effectively a digital hit list showing who was targeted and when. On the list: judges in South Africa, politicians in Mexico, lawyers in France and environmental groups in the United States. These dozens of people, among the thousands targeted by BellTroX, did not respond to messages or declined comment.

BellTroX’s owner, Sumit Gupta was charged in a 2015 hacking case in which two US private investigators admitted to paying him to hack the accounts of marketing executives. Gupta was declared a fugitive in 2017, although the US Justice Department declined to comment on the current status of the case or whether an extradition request had been issued.

Horoscopes and pornography

Operating from a small room above a shuttered tea stall in a west Delhi retail complex, BellTroX bombarded its targets with tens of thousands of malicious emails. Some messages would imitate colleagues or relatives; others posed as Facebook login requests or graphic notifications to unsubscribe from pornography websites.

Fahmi Quadir’s New York-based short selling firm Safkhet Capital was among 17 investment companies targeted by BellTroX between 2017 and 2019. She said she noticed a surge in suspicious emails in early 2018, shortly after she launched her fund.

Eventually the hackers upped their game, sending her credible sounding messages that looked like they came from her coworkers, other short sellers or members of her family.

Gupta has denied hacking and said he had never been contacted by law enforcement. He said he had only ever helped private investigators download messages from email inboxes after they provided him with login details.