Appin (company)

Appin
Industry: Computer security
Founded: 2003
Founder:
  • Rajat Khare
  • Anuj Khare

Appin was an Indian cyberespionage company founded in 2003 by brothers Rajat and Anuj Khare. It initially started as a cybersecurity training firm, but by 2010 the company had begun providing hacking services for governments and corporate clients that "stole secrets from executives, politicians, military officials and wealthy elites around the globe." Their hacking exploits and Rajat Khare's unprecedented efforts to suppress reporting have been covered by major outlets like Reuters, The New Yorker, Wired, SRF Investigativ, Intelligence Online, and many others.[1] They created the model that is still used by the Indian hack-for-hire industry.[2][3]

The company offered what its founders referred to as "ethical hacking" services, capable of breaking into and stealing sensitive information from anyone's computer.[4][5][6][7] Since at least 2010, they have targeted victims globally with hacking and phishing attacks for espionage and information theft.[8][9] They have been on the radar of U.S. intelligence since 2009, when the NSA began surveillance after observing them hack high-value Pakistani officials.[2]

In 2010, Rajat Khare sent bulk emails to private intelligence firms across Europe offering hacking-for-hire services.[4][6][7] Starting on January 5, 2012, a cyberattack targeted Peter Hargitay, a Zurich-based FIFA insider and consultant for Australia's 2022 World Cup bid. Hargitay and his son hired an expert who traced the hack to a server linked to Rajat Khare. The attack was part of an extensive hacking operation targeting numerous individuals for smear campaigns. This was tied to Qatar's web of espionage, codenamed Project Merciless, to secure the 2022 FIFA World Cup hosting rights.[2][10][11] In the same year, an Indian cybersecurity consultant claimed to have traced an attempted hack on one of his clients to Appin.[12] In February 2013, the Chicago Mercantile Exchange filed a complaint with the World Intellectual Property Organization regarding a phishing attack that used a suspicious domain to steal investment information.[13][9][14] In March of that year, after Telenor filed a criminal case with Norwegian police Kripos over a hack stealing 66,000 emails from its leadership and legal advisor, the infosec community obtained evidence that allowed them to access Appin's unsecured servers and link the group to several high-profile cyberattacks.[8][15][16][17][18] Notably, Norman Shark publicly linked the Telenor hack to Appin.[19][20][2]

Appin's random attacks drew global attention, and by 2013, they had become well-known among security researchers, who referred to them using various monikers to describe their pattern of activity, including Operation Hangover by Shadowserver Foundation, Monsoon by Forcepoint, and Viceroy Tiger by CrowdStrike.[21][19][22][23][24][25][10] From 2013 onward, Google spent a decade monitoring Appin-linked hackers who targeted tens of thousands of email accounts on its platform.[26][27] Security researchers have been cautious in their public statements linking Appin to the hacking and phishing incidents to avoid legal trouble; however, privately, they remain confident in the connection.[2]

Since 2012, Appin and its CEO Rajat Khare have been under criminal investigations in multiple countries. Authorities in the Dominican Republic raided a local newspaper publisher in 2012 and formally accused him of collaborating with Rajat Khare to hack emails.[28] The publisher later admitted that in 2011, he paid Appin between $5,000 and $10,000 a month to spy on over 200 prominent Dominicans, including then-President of the Dominican Republic, Leonel Fernández. In the U.S., following an analysis of a 2012 hack targeting a Native American tribe, the FBI linked multiple cases to a single perpetrator. Collaborating with Swiss authorities, the FBI identified the perpetrator as Appin and shared that they had human intelligence through a confidential source. Rajat Khare's communications and activities were also tracked by the FBI. Later, in mid-2020, the private detective who had contracted Appin for hacking the Native American tribe confessed in an affidavit.[29] Similarly, an Israeli private investigator who hired Appin to hack at least three dozen people admitted to employing them to steal emails from a Korean businessman.[3][30] Meanwhile, Norwegian investigators had connected Appin to the Telenor hack, while Swiss authorities had also linked Appin and Rajat Khare to a criminal complaint filed by the Hargitays for intrusion into their systems. In 2021, the State Bank of India filed a criminal complaint with the Central Bureau of Investigation, Appin's former client, accusing Rajat Khare and others of embezzling 8.06 billion rupees ($97 million) from loans to Educomp, where Khare was a director.[31][32][2]

Starting in or around 2012, various reports from media outlets, research organizations, and multinational corporations have linked Appin to hacking incidents targeting prominent figures, including Boris Berezovsky and Mohamed Azmin Ali. Less well-known individuals, such as a landscape architect in New Jersey and several lawyers, were also targeted. The attacks extended to the families of U.S. government officials, including the wife of Representative Mike Rogers, who was the Chairman of the U.S. House Intelligence Committee at the time. Also among the victims were human rights activists, such as those associated with the Oslo Freedom Forum, along with governmental and private organizations.[33][4][34][35]

Appin Technology rebranded multiple times before adopting the name Sunkissed Organic Farms in 2017. Its subsidiary, Appin Software Security—which performed hacking and phishing operations—became Adaptive Control Security Global Corporate (ACSG) in 2015. Rajat Khare resigned as director of Appin Technology in 2016 and now resides in Switzerland.[10] He and Shweta Khare run the Luxembourg-based venture capital firm Boundary Holding.[36] Rajat Khare's family still controls the renamed Indian companies, including ACSG, which officially claims to do confidential computer security work for governments. Some of Appin's former employees went on to form similar mercenary hack-for-hire firms, including CyberRoot Risk Advisory Services[37] and BellTroX InfoTech[38][39][40][41], both of which were featured in a New Yorker article[4], as well as Rebsec Solutions.[2][42][43][26]

History

In December 2003, Rajat Khare along with high school friends conceived Appin to offer technology training workshops to university students. By 2005, now joined by Anuj, an entrepreneur and former motivational speaker, the company had an office in western New Delhi. Appin began as a digital security consultancy that provided cybersecurity classes to help Indian organizations defend themselves online. This drew the attention of Indian government officials, who were navigating internet-era intelligence challenges and seeking ways to hack into computers and emails.

Shortly thereafter, Appin established a subsidiary to conduct surveillance activities for the Indian government. Employees signed non-disclosure agreements and were assigned to military-controlled facilities, where they worked away from their colleagues in the wider company. Their targets included Pakistan, China, and Khalistani separatists from India's Punjab state.

By 2009, the company's clients had included the Indian Armed Forces, the Ministry of Home Affairs, and the Central Bureau of Investigation. Appin claimed their solutions were used by government intelligence agencies to monitor hostile individuals, marketed software for analyzing call metadata, and explored importing Israeli cell phone interception devices. For the fiscal year ending in 2009, the company earned nearly $1 million in revenue and a profit of about $170,000, with a projected tenfold increase in revenue over the next 36 months.[44][45]

The company also made extra money by discreetly reselling material it had hacked for one Indian agency to another. This practice of double-dipping was eventually uncovered, prompting several outraged Indian intelligence agencies to terminate their contracts with Appin. Facing dwindling opportunities in intelligence work, Appin shifted its focus to hacking and phishing for the private sector.[2]

Controversies

Appin and co-founder Rajat Khare have systematically pressured news sources in multiple countries, including France, Luxembourg, Switzerland, the United Kingdom, and India, to remove references in articles to the company and Khare.[46][47][48][1]

On November 2, 2022, Swiss media outlet SRF Investigativ published an investigative piece about Qatar's elaborate and extensive espionage operation aimed at securing its hosting of the 2022 FIFA World Cup. The operation, which was dubbed Project Merciless, involved hacking emails and phones of FIFA officials and critics of Qatar's corruption and poor human rights record. It also targeted their friends and family members to run smear campaigns and influence FIFA policy.[10][11] In November 2022, a lower court in Geneva ordered the publication to provisionally remove Rajat Khare's name and photo from the article.[1]

On June 1, 2023, The New Yorker published an article titled, "A Confession Exposes India’s Secret Hacking Industry." Appin first sued the U.S. magazine in India, and later, Rajat Khare filed a lawsuit against it in Switzerland. The New Yorker refused to take down their article, stating that they fully stand behind the piece, which is an accurate and fair account of a matter of legitimate public interest. They further stated that they will continue to defend the right to publish important reporting without fear or favor.[4][1][49]

On November 16, 2023, Reuters published an explosive article about the company and its cofounder Rajat Khare titled, "How an Indian Startup Hacked the World." Drawing on hundreds of interviews and thousands of vetted documents, Reuters found that Appin "grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." The report was based on Appin's activities for nearly two decades, including company records, law enforcement files, and input from former employees, clients, and security professionals. The raw material was authenticated by Reuters and further verified by U.S. cybersecurity firm SentinelOne.[2][1][50]

Appin sued Reuters, claiming the news agency had engaged in a "defamatory campaign."[51][5] It obtained an injunction from a Delhi court and, on December 4, 2023, Reuters temporarily removed its article. Reuters said that it stood by its reporting.[52][5][53] An archived version of the Reuters article hosted on the Wayback Machine was likewise removed following demands from lawyers representing Appin co-founder Rajat Khare.[54] Appin further sent demands to Meta Platforms, LinkedIn and Naukri.com to block accounts associated with the authors of the Reuters story.[48]

In February 2024, Wired reported that lawyers for Appin and a related entity called the Association for Appin Training Centers had filed lawsuits and made legal threats against more than a dozen news organizations. Appin sent emails making demands of the news site Techdirt and the organization MuckRock, which hosted some of the information Reuters relied on. The two sites denied that the injunction was binding on them.[55][47][56] Other sites, such as the Lawfare blog, removed material based on the Reuters article.[5][55] The Electronic Frontier Foundation (EFF) announced that they responded on behalf of Techdirt and MuckRock to legal threats made by Appin Training Centers. One of the arguments the EFF made in their letter to Appin is that the Indian court's order is unenforceable in U.S. courts because it conflicts with the First Amendment and Section 230 of the Communications Decency Act (47 U.S.C. § 230), as reinforced by the SPEECH Act (28 U.S.C. § 4102). The EFF also urged recipients of Indian gag orders to carefully evaluate their legitimacy.[57][47][56]

The Reuters article was restored in October 2024, after the Delhi court rescinded its injunction on October 3, 2024, noting "the plaintiff has not been able to show any prima facie case to make interference in the process of journalism".[58][59] The article is back online at its original location.[33]

On November 21, 2024, Reporters Without Borders (RSF) reported that works from at least 15 different media outlets had been modified or withdrawn as a result of a strategic lawsuit against public participation or a notice from Rajat Khare or Appin Training Centers, while posts praising Khare on self-published sites flooded the internet. Additionally, an Intelligence Online article was the subject of an abusive Digital Millennium Copyright Act takedown request.[1][60][61]

References

  1. "RSF investigation: the Indian cyber-security giant silencing media outlets worldwide". Reporters Without Borders. 2024-11-21. Retrieved 2024-12-31.
  2. Satter, Raphael; Siddiqui, Zeba; Bing, Chris (2023-11-16). "How an Indian startup hacked the world". Reuters. Retrieved 2024-12-31.
  3. Satter, Raphael; Bing, Christopher (2022-06-30). "How mercenary hackers swat litigation battles". Reuters. Retrieved 2024-12-31.
  4. Kirkpatrick, David (2023-06-01). "A Confession Exposes India's Secret Hacking Industry". The New Yorker. Retrieved 2023-11-20.
  5. "The Hack-for-Hire Industry: Death by a Thousand Cuts + When Theft Doesn't Work... Troll". Lawfare. Retrieved 2024-02-10.
  6. "An email from Appin to the World Association of Detectives". DocumentCloud. 2010-10-23. Retrieved 2025-01-11.
  7. "A PowerPoint slide with Appin surveillance proposals". DocumentCloud. 2010-11-22. Retrieved 2025-01-07.
  8. Muncaster, Phil (2013-05-21). "'India attacked Norwegian telco to get at Pakistan, China' - report". The Register. Retrieved 2025-01-02.
  9. Fowler, Geoffrey A.; Valentino-DeVries, Jennifer (2013-06-23). "Spate of Cyberattacks Points to Inside India". The Wall Street Journal. Retrieved 2025-01-01.
  10. Eiholzer, Leo; Schmid, Andreas (2022-11-02). "'Project Merciless': how Qatar spied on the world of football in Switzerland". Swiss investigative program Rundschau (swissinfo.ch). Retrieved 2025-01-04.
  11. Suderman, Alan (2021-11-23). "World Cup host Qatar used ex-CIA officer to spy on FIFA". Associated Press. Retrieved 2025-01-09.
  12. Mookhey, K.K. (2013). "Malware Analysis Report" (PDF). Network Intelligence. Retrieved 2025-01-05.
  13. Jackson, Kelly (2013-05-20). "'Commercialized' Cyberespionage Attacks Out Of India Targeting U.S., Pakistan, China, And Others". Dark Reading. Retrieved 2025-01-01.
  14. "Administrative Panel Decision - Chicago Mercantile Exchange Inc., CME Group Inc. v. Lun Ai - Case No. D2013-0350". WIPO Arbitration and Mediation Center. 2013-04-15. Retrieved 2025-01-01.
  15. Boutin, Jean-Ian (2013-05-16). "Targeted information stealing attacks in South Asia use email, signed binaries". WeLiveSecurity. Retrieved 2025-01-03.
  16. Jackson, Kelly (2013-07-18). "'Hangover' Persists, More Mac Malware Found". Dark Reading. Retrieved 2025-01-01.
  17. Vijayan, Jai (2023-11-16). "Shadowy Hack-for-Hire Group Behind Sprawling Web of Global Cyberattacks". Dark Reading. Archived from the original on 2023-12-07.
  18. Johansen, Per Anders (2013-03-17). "Spionerte på Telenor-sjefer, tømte all e-post og datafiler". Aftenposten (in Norwegian). Archived from the original on 2013-03-20.
  19. Fagerland, Snorre; Kråkvik, Morten; Camp, Jonathan (2013). "Operation Hangover: Unveiling an Indian Cyberattack Infrastructure" (PDF). Norman ASA. Archived from the original (PDF) on 2013-06-12. Retrieved 2023-12-18.
  20. "Norwegian company names Indian firm for global cyber offensive?". The Times of India. 2013-05-23. Archived from the original on 2013-05-24. Retrieved 2025-01-10.
  21. Fagerland, Snorre (2013-05-20). "The Hangover Report". Norman ASA. Archived from the original on 2013-10-26. Retrieved 2023-12-18.
  22. Santos, Doel; Hinchliffe, Alex (2020-07-03). "Threat Assessment: Hangover Threat Group". Palo Alto Networks. Retrieved 2025-01-01.
  23. Hinchliffe, Alex; Falcone, Robert (2020-05-11). "Updated BackConfig Malware Targeting Government and Military Organizations in South Asia". Palo Alto Networks. Retrieved 2025-01-01.
  24. "Operation Hangover: Unveiling an Indian Cyberattack Infrastructure" (PDF). Seebug, part of 360 Netlab. Archived from the original (PDF) on 2022-01-21. Retrieved 2023-12-18.
  25. Settle, Andy; Griffin, Nicholas; Toro, Abel. "Monsoon – Analysis of an Apt Campaign Espionage and Data Loss Under the Cover of Current Affairs" (PDF). Forcepoint. Retrieved 2025-01-01.
  26. Huntley, Shane (2022-07-30). "Countering hack-for-hire groups". Google. Retrieved 2025-01-04.
  27. Vijayan, Jai (2022-07-01). "Google: Hack-for-Hire Groups Present a Potent Threat". Dark Reading. Retrieved 2025-01-06.
  28. "Orden Judicial de Arresto (Judicial Arrest Warrant)". DocumentCloud (in Spanish). July 2012. Retrieved 2025-01-03.
  29. "Santarpia affidavit detailing his interactions with Appin". DocumentCloud. 2020-06-17. Retrieved 2025-01-05.
  30. "Korea Motors Israel - Affidavit of Aviram Halevi". DocumentCloud. 2016-05-23. Retrieved 2025-01-10.
  31. "Central Bureau of Investigation First Information Report against Rajat Khare and Others". DocumentCloud. 2021-06-29. Retrieved 2025-01-05.
  32. "Rajat Khare's directorship at Educomp". DocumentCloud. 2015-03-20. Retrieved 2025-01-05.
  33. Satter, Raphael (2023-11-16). "How an Indian startup hacked the world". Reuters. Archived from the original on 2023-11-17. Retrieved 2023-11-20.
  34. Wild, Franz (2022-05-11). "Inside the global hack-for-hire industry". Bureau of Investigative Journalism. Retrieved 2023-11-20.
  35. Hegel, Tom (2023-11-16). Elephant Hunting: Inside an Indian Hack-For-Hire Group (Report). SentinelLabs. Archived from the original on 2023-11-17.
  36. Haidar, Faizan (2023-09-05). "Boundary Holding's top executives buy land in Delhi for Rs 76 crore". The Economic Times. Retrieved 2025-01-10.
  37. Dvilyanski, Mike; Franklin, Margarita; Agranovich, David (2013-05-16). "Threat Report on the Surveillance-for-Hire Industry" (PDF). Meta. Retrieved 2025-01-10.
  38. Bing, Christopher (2022-04-20). "Israeli charged in global hacker-for-hire scheme pleads guilty". Reuters. Retrieved 2025-01-12.
  39. Reddick, James (2023-11-17). "Israeli private eye gets 80-month sentence for global hack-for-hire scheme". The Record. Retrieved 2025-01-12.
  40. "Israeli Hacker-For-Hire Sentenced To 80 Months In Prison For Involvement In Massive Spearphishing Campaign". US DOJ. 2023-11-16. Retrieved 2025-01-12.
  41. "Private Investigators Indicted In E-Mail Hacking Scheme". US DOJ. 2015-02-11. Retrieved 2025-01-12.
  42. "Appin companies' name change documents". DocumentCloud. Retrieved 2025-01-06.
  43. "Formerly-known-as-Appin companies' financial and shareholding statements". DocumentCloud. Retrieved 2025-01-06.
  44. "Early marketing brochure from the Appin Security Group". DocumentCloud. 2007. Retrieved 2025-01-04.
  45. "Appin documents for Indian Angels Network". DocumentCloud. 2009-04-04. Retrieved 2025-01-04.
  46. Ingram, Mathew. "A leak-hosting site looks to thaw the chill of censorship". Columbia Journalism Review. Retrieved 2024-02-12.
  47. Greenberg, Andy (2024-02-01). "A Startup Allegedly Hacked the World. Then Came the Censorship—and Now the Backlash".
  48. "Global censorship campaign raises alarms". Freedom of the Press. 2024-01-18. Retrieved 2024-02-12.
  49. "Arrêt du mardi - 17 septembre 2024". justice.ge.ch (in French). 2024-09-17. Retrieved 2025-01-09.
  50. Lizza, Ryan; Bade, Rachael; Daniels, Eugene (2023-11-18). "Playbook: Biden vs. Haley on abortion". POLITICO. Retrieved 2024-02-12.
  51. Omar, Rashid (2023-12-07). "Forced to Pull Story on Indian Firm's Alleged Global Hacking Operation, Reuters to Fight Court Order". The Wire. Archived from the original on 2023-12-08.
  52. Masnick, Mike (2023-12-07). "Indian Court Orders Reuters To Take Down Investigative Report Regarding A 'Hack-For-Hire' Company". Techdirt.
  53. Cox, Joseph (2023-12-06). "Reuters Takes Down Blockbuster Hacker-for-Hire Investigation After Indian Court Order". 404 Media. Retrieved 2023-12-18.
  54. Schaffer, Michael (2024-01-19). "How a Judge in India Prevented Americans From Seeing a Blockbuster Report". POLITICO. Retrieved 2024-02-12.
  55. Masnick, Mike (2024-02-01). "Sorry Appin, We're Not Taking Down Our Article About Your Attempts To Silence Reporters". Techdirt. Retrieved 2024-02-10.
  56. "The Association of Appin Training Centers is waging a global censorship campaign to stop you from reading these documents". MuckRock. 2024-02-01. Retrieved 2024-02-10.
  57. Quintin, Cooper; Galperin, Eva (2024-02-08). "EFF Helps News Organizations Push Back Against Legal Bullying from Cyber Mercenary Group". Electronic Frontier Foundation. Retrieved 2024-12-30.
  58. "Reuters exposé of hack-for-hire world is back online after Indian court ruling". Reuters. 2024-10-26. Retrieved 2024-12-19.
  59. "VINAY PANDEY VS. RAPHEL SATTER AND ORS" (PDF). 2024-10-03. Retrieved 2025-01-01.
  60. "La réputation d'un "roi de la tech" indien au cœur d'un curieux bras de fer". Gotham City (in French). 2022-12-07. Retrieved 2024-12-31.
  61. "Former Indian cyber privateer Rajat Khare is helping Qatar keep the football World Cup safe". Intelligence Online. 2022-10-20. Retrieved 2024-12-31.