Bhima Koregaon case: planted evidence?

Investigations by Arsenal Consulting, a global digital forensics consulting company, have revealed that evidence had been planted in the activist Rona Wilson’s computer, raising larger issues of unethical surveillance and motivated targeting of individuals.

Published : Feb 27, 2021 06:00 IST

Parambir Singh, Additional Director General of Police, Law and Order, at a press conference in Mumbai in August 2018 with a printout showing a catalogue, allegedly found on Rona Wilson’s computer, of arms and ammunition.

Parambir Singh, Additional Director General of Police, Law and Order, at a press conference in Mumbai in August 2018 with a printout showing a catalogue, allegedly found on Rona Wilson’s computer, of arms and ammunition.

Rona Wilson, the New Delhi-based activist who was arrested in June 2018 for his alleged connections with banned extreme Left organisations, has steadfastly maintained that the evidence against him is fabricated and the charges are false. The police claim the extreme Left organisations orchestrated the Elgar Parishad in 2018. Wilson, who works for the Committee for the Release of Political Prisoners, has been imprisoned for three years now. The Arsenal Consulting report has now corroborated his version, but he is not yet free.

A report released by Arsenal Consulting on February 10 stated that the activist’s computer had been repeatedly hacked for over two years. Worse, the ‘letters’ establishing his ‘extremist’ links, on which the prosecution case is based, were planted as folders in his computer through a malware. Wilson’s lawyers have submitted a copy of the report to the Bombay High Court. It is expected to weaken the case against the 15 activists arrested in connection with the Bhima Koregaon/Elgar Parishad case, all of whom are mentioned in those ‘letters’.

Digital experts say the Arsenal Consulting report brings to the fore a deeply disturbing trend of unethical surveillance and even targeting of individuals by planting fabricated evidence.

The report’s findings lead to several questions. Why was Wilson specifically tracked? Who is really behind the hacking? What is the larger motive, as all the 15 accused appear to be linked to one another? If the computer had been hacked into in 2016, was there a plan to go after the victim once an opportunity came up? Was Bhima Koregaon that opportunity?

Also read: Elgar Parishad arrests: Decimation drive

Susan Abraham, lawyer and wife of Vernon Gonsalves, one of the jailed activists, said that as soon as the report was submitted defence lawyers of the accused filed a petition. She told Frontline : “The petition challenges the entire basis of the Bhima Koregaon case since the entire edifice of the case is based on the so-called letters. The report exposes that these documents were planted through malware. Obviously, the case has to be quashed and the undertrials set at liberty.”

Rama Ambedkar, wife of the academic Anand Teltumbde, who is also in jail, said at a press conference: “This has gone on for too long. Arsenal has done the work that a responsible government agency should have done. We must immediately put this evidence at the centre of the case and not only release all accused on bail but also institute a Special Investigation Team charged with the task of getting to the bottom of how such a conspiracy was created.” A family member of one of the accused said: “It needs to be acknowledged that this is a plain and simple plant. What more can prove that those letters were false? Our people were not behind any conspiracy, they are victims of a conspiracy.”

No malware found: NIA

The National Investigation Agency (NIA), which is probing the case, said the digital extracts used by Arsenal Consulting were sent to the Regional Forensic Science Laboratory in Pune. NIA spokesperson Jaya Roy told the media that the lab said the extracts show no evidence of any malware in the seized laptop/and other devices. A deathly silence is the response of the police to the allegation. The Pune police, who had dramatically brandished the ‘letters at a press conference in 2018, are also conspicuously quiet.

Also read: Over 1,000 scientists, academics come out against NIA's probe into Bhima Koregaon violence

Digital experts say that it will be difficult to trace the hacker. But Sandeep Shukla, head of the Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, said: “… that should not take away from the fact that the forensic investigation is thorough, it can be corroborated and the courts should take cognisance of the technical evidence. There is no doubt of the authenticity of the investigation and analysis. Arsenal Consulting is among the best in the world. From the data that emerged one of the most shocking aspects is how long the computer was compromised.”

The report

The Arsenal Consulting report explains the manner in which the computer was tampered with, its language reflecting a sense of shock. It said: “The attacker was responsible for compromising Mr Wilson’s computer for just over 22 months. The attacker had extensive resources (including time) and it is obvious that the primary goals of the attack were surveillance and incriminating document delivery. Arsenal has connected the same attacker to a significant malware infrastructure, which has been deployed over the course of approximately four years to not only attack and compromise Mr Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile Indian cases as well. It should be noted that this is one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents.”

The report said that the attacker used Varavara Rao’s email account to get Wilson to open a series of emails. When Wilson finally managed to open a particular document, the attacker got into the computer. “Opening the document (a decoy within a RAR archive file named “another victory.rar”) was part of a chain of events which led to the installation of the NetWire remote access trojan (RAT) on Mr Wilson’s computer.” The hacker cleverly used a simple, commonly used dropbox link to get an unsuspecting Wilson to click on it. When he clicked it, it opened a link to a malicious command and control server. According to computer experts, NetWire is a remote-access malware focussed on password stealing and keylogging. It has remote-control capabilities and has been used by malicious groups since 2012.

Also read: Elgar Parishad case: Victims of vendetta

The company says it used various forensic techniques to determine whether the computer was compromised by the same attacker between June 13, 2016, and April 17, 2018. It believes it is the same attacker and draws attention to “the degree to which the attacker customised their infrastructure while targeting Mr Wilson”. Arsenal Consulting says the attacker used several hosts to carry out the infiltration. The company contacted a few whose services were abused by the attacker to build and maintain the malware infrastructure. Some responded as they understood the gravity of the situation, while others adopted a “duck and cover” strategy, said the report.

Arsenal Consulting, based in Massachusetts, has a reputation for uncovering digital crime. It has been involved in cracking several terror cases across the world, including the 2013 Boston Marathon bomb blast. While Wilson’s lawyer apologised for not being able to comment, a source said Wilson’s defence team approached Arsenal Consulting via the American Bar Association to investigate a copy of Wilson’s computer hard drive. The main one had been seized by the police.

A good part of the report explains the forensics used in uncovering the attack on the computer. Among its key findings, all pertinent to the case, are apparently simple things such as that the Microsoft Word version used to create the letters by the attacker was a 2010 or later version. The report said: “Wilson’s computer had a 2007 version, which is relevant because some of the most incriminating documents on Mr Wilson’s computer, which he allegedly authored, were saved to PDFs by Word 2010 or Word 2013.” Second, Arsenal finds no evidence to suggest the top 10 most important documents or the hidden folder were ever opened or that Wilson interacted with the files. It says a thorough analysis of NetWire’s impact on the victim’s computer reveals that the incriminating documents delivered to a hidden folder on Wilson’s computer was done by NetWire and not by other means.

The letters

In September 2018, the Pune police claimed that they had recovered 13 incriminating letters from hard drives and other memory devices of the activists arrested in connection with the Bhima Koregaon case. The Bombay High Court rebuked the police for sharing the documents with journalists. But the police achieved their aim of creating a narrative of portraying activists as “urban naxals” who worked with Maoist groups to destabilise India and the ruling Bharatiya Janata Party (BJP). They even accused the activists of planning to assassinate Prime Minister Narendra Modi.

The ‘letters’ reportedly contained references to civil rights activists, Adivasi and Dalit groups, and student unions from Jawaharlal Nehru University, Delhi University, Tata Institute of Social Sciences. The police said they found correspondence between all the activists and even Dalit leaders Jignesh Mewani and Prakash Ambedkar. At the time, independent security experts questioned the veracity of the letters, but the police held on to their “proof”.

Also read: Offensive strategy

Arsenal Consulting recovered 10 of these “letters” from Wilson’s computer. The report says forensics proves they were planted. According to a lawyer involved with the Bhima Koregaon case, this is critical for Wilson’s trial. How did the police know where to recover the documents? How could they find the hidden folder so easily? Did someone lead them to it?

The report provides a brief summary of each of the 10 letters (see image). An alleged letter (Ltr_1804_to_CC.pdf) from Wilson to “Comrade Prakash” mentioning a meeting which talks about a requirement of Rs. 8 crore towards obtaining M4 carbines and four lakh rounds of ammunition is perhaps the most explosive. In another letter (Ltrs-2612_to_CC.pdf) to “Comrade Prakash”, Wilson mentions a supplier in Nepal and getting the “…equipment ready on the ground”. There are others on encounters, recruitment of cadre (alluding to the naxal movement) and mobilisation of Dalit campaigns.

Mumbai Rises to Save Democracy, a small group of activists, held a press conference in response to the report, to speak about the dangers of infiltration. Father Solomon, a colleague of Father Stan Swamy, said the jailed priest had told NIA officers every time they interrogated him that evidence had been planted on his computer. Father Swamy even pointed out the errors in the documents, saying he would never have made these mistakes.

A tragic tale

The Bhima Koregaon/Elgar Parishad story is traced to January 1, 2018, when thousands of Dalit pilgrims gathered at a small town near Ahmednagar in Maharashtra called Bhima Koregaon to commemorate the 200th anniversary of the Bhima Koregaon battle. (A small contingent of Dalit soldiers had fought alongside the British army to defeat the oppressive Peshwas.) Things turned ugly when local Maratha leaders instigated their community to throw stones and attack Dalit pilgrims. One person was killed in the violence. The incident caused a few flare-ups across the State but a potentially volatile situation was contained quickly. From initially probing the Bhima Koregaon incident, the Pune police did a strange turnaround and began investigating the Elgar Parishad, which took place a day before on December 31, 2017.

Also read: Dalit defiance

The Elgar is an annual gathering of Dalit organisations. In 2017, it was attended by several prominent Dalit leaders, activists and hundreds of Dalits. Acting on a complaint filed by a Tushar Damgude, who claimed speakers at the Elgar were “anti-national” and they instigated the Bhima Koregaon violence, the Pune police began a nationwide search for activists allegedly connected with banned Maoist groups, who they believed were the actual organisers of the Elgar. Wilson was among the first to be arrested in June 2018. Subsequently, 14 people—well-known, well-respected academics, lawyers, activists and social workers—were arrested under the stringent Unlawful Activities Prevention Act (UAPA), which denies bail. Among the accused are Varavara Rao and Father Stan Swamy, who are octogenarians suffering from debilitating illnesses. The NIA took over the case in January 2020 after the newly elected Maharashtra government decided to review the situation. The NIA is accountable only to the Centre.

Observers say the Bhima Koregaon story has become a tragic tale of the state using its might to target and incarcerate professionals whose only crime is to fight for Dalit rights. While a few charge sheets have recently been filed, there appears no sign of a trial. Defence lawyers have repeatedly stated that there is not a shred of substantive evidence linking the accused to the Elgar Parishad. Barring one, none of the others were even present in Pune.

Why Rona Wilson?

Wilson was present neither at the Elgar Parishad nor at Bhima Koregoan, yet he was arrested in connection with the so called “conspiracy”. Lawyers working on the case say his work in the Committee for the Release of Political Prisoners made him a thorn in the government’s side. He is known for his work on securing the release of prisoners being tried for terror crimes—mainly those from Kashmir. Each of the persons accused in the Bhima Koregaon case practised a form of dissent that the ruling regime was presumably uncomfortable with. Their arrests are a clear message for activism—that it will not be tolerated. The Arsenal Consulting report has shown just how vicious the establishment can be and how vulnerable citizens are.

Meanwhile, in Maharashtra, the organisers of the annual Elgar Parishad successfully held the 2021 Elgar in Pune. Unfortunately, the State government has decided to go after Sharjeel Usmani, a student from Aligarh Muslim University, apparently for promoting enmity between different groups through his speech. There was some hope that this government would be more supportive of democracy, but it seems to have fallen prey to the ways of autocracy.

Sign in to Unlock member-only benefits!
  • Bookmark stories to read later.
  • Comment on stories to start conversations.
  • Subscribe to our newsletters.
  • Get notified about discounts and offers to our products.
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide to our community guidelines for posting your comment