A US-based cybersecurity company has claimed that the Pune Police hacked electronic devices owned by activists Rona Wilson, Varavara Rao and Hany Babu and planted fake evidence on them, reported Wired magazine in the US.

Wilson, Rao and Babu have been accused of conspiring to spark caste violence in Bhima Koregaon village near Pune in 2018.

“There’s a provable connection between the individuals who arrested these folks [Wilson, Rao and Babu] and the individuals who planted the evidence,” Juan Andres Guerrero-Saade, a security researcher at cybersecurity firm SentinelOne, told Wired.


The Pune Police had arrested 16 persons, including lawyers and activists, in the Bhima Koregaon case.

In February 2021, a United States-based digital forensics company, Arsenal Consulting, had claimed that an attacker had used malware to infiltrate Wilson’s laptop and deposited at least 10 incriminating letters on it. These included a purported letter to a Maoist militant discussing the need for guns and ammunition, and even urging the banned group to assassinate Prime Minister Narendra Modi.

In February this year, SentinelOne had claimed that Wilson had been targeted by two separate groups of hackers before he was arrested in June 2018, according to The Washington Post.


According to SentinelOne, one of the groups that carried out the hacking, called ModifiedElephant, had allegedly planted the documents on Wilson’s device. The other group was identified by the cybersecurity firm as SideWinder, The Washington Post had reported.

In the February report, SentinelOne had not said who carried out the attacks or who ordered them, but it had noted that the activity of ModifiedElephant “aligns sharply with Indian state interests”.

Now, SentinelOne, which is working with a security analyst of an email service provider on the project, has alleged that a Pune Police official, who was closely involved in the Bhima Koregaon case, is connected with the alleged hacking, according to Wired.


The security analyst has asked Wired not to name him or his employer.

The researchers claimed that the email accounts of Wilson, Rao and Babu, which had been compromised in 2018 and 2019, had a recovery email address and phone number. This recovery email had the name of the Pune Police official, according to Wired.

The recovery email address allowed the police official to regain access to the accounts of the accused men if they changed their passwords, the researchers at SentinelOne have claimed.


The researchers also claimed that the hacked accounts were accessed from IP addresses that SentinelOne and Amnesty International had previously identified connected to ModifiedElephant, according to Wired.

Security analyst at the email service provider told Wired that the recovery email linked to the Pune Police was added to the Wilson’s account at the same time in April 2018 when he had received a phishing email.

The analyst told the magazine that the activist’s email account was then used to send phishing emails to other persons accused in the Bhima Koregaon case for at least two months before Wilson was arrested.


He said that his company does not generally inform people whose accounts have been targeted but he was tired of watching such things happen.

“These guys are not going after terrorists,” the analyst told Wired. “They are going after human rights defenders and journalists. And it’s not right.”

John Scott-Railton, a security researcher at the University of Toronto’s Citizen Lab, told Wired that the recovery phone number was linked to an email id ending with pune@ic.in, a suffix for email addresses used by the Pune Police. The link was found after Scott-Railton searched an open source database of Indian mobile phone numbers and emails.


The Citizen Lab’s security researcher, along with others at Amnesty International, had reported in December that Wilson’s phone had been infected with the Pegasus spyware three months before his arrest.

Scott-Railton claimed that the recovery phone number is linked to the recovery email address connected to the hacked accounts of the same police official, Wired reported.

He also claimed that the WhatsApp display picture of the phone number showed the police official, who appears to be the same officer at police press conferences and even in one news photograph taken after Rao was arrested, according to Wired.


Another security researcher, Zeshan Aziz, corroborated the connection between the police official and the accused persons in the Bhima Koregaon case. He told the magazine that the recovery phone number and the email was the same as that found tied with the police official on the leaked database of caller-identification app TrueCaller and job portal iimjobs.com.

The number was also found in archived directories of the police in India, including the Pune Police, according to Aziz.

Guerrero-Saade and another researcher Tom Hegel at SentinelOne have said that their real concern is that the activists are languishing in jails.


“We are hoping this leads to some form of justice,” Guerrero-Saade told the magazine.

Twelve of the 16 accused persons are currently in jail, including Babu and Wilson. Rao is out on temporary medical bail that ends next month, while lawyer-activist Sudha Bharadwaj was granted regular bail in December.

Tribal rights activist, Jesuit priest Stan Swamy, died on July 5 while awaiting trial in Mumbai.

Advocate Mihir Desai, who is representing several of the persons accused in the case, told Wired that at face value, the evidence seem “very damning”.


“We have known things have been planted, but the police could have always said, ‘we are not involved in all this,’” he said. “By showing the police did this, it would mean there was a conspiracy to arrest these people. It would show the police have acted in a vicious and deliberate manner knowing fully well this was false evidence.”

Desai added that he would independently verify the evidence.