A large-scale spy-for-hire operation that targeted thousands of organisations and individuals in hacking attempts – including human rights groups and politicians – has been exposed and traced back to a secretive Indian tech company.

Researchers Citizen Lab spent more than two years mapping the infrastructure used by a hacker-for-hire operation it had dubbed “Dark Basin”.

The organisation targeted thousands of individuals and hundreds of organisations across six continents, including Greenpeace, politicians in Mexico and high-profile private equity firms in the US.

The researchers linked this organisation with “high confidence” to BellTroX InfoTech Services, an obscure IT firm based in New Delhi.

“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients, against opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy,” the Citizens Lab report said.

Between 2013 and 2020 the organisation sent tens of thousands of malicious messages to the individuals and organisations designed to dupe them into handing over login details.

These emails would often pose as messages from others in the organisation, Facebook login requests or graphic notifications asking the user to unsubscribe from pornography websites.

While the report could not identify who the clients of the hack-for-hire groups were, the way targets were approached “showed it had a deep knowledge of informal organisational hierarchies”.

“Some of this knowledge would likely have been hard to obtain from an open source investigation alone,” it said.

“Combined with the bait content...we concluded that Dark Basin operators were likely provided with detailed instructions not only about whom to target, but what kinds of messages specific targets might be responsive to.”

Those targeted by BellTrox included US digital rights organisations Free Press and Fight for the Future, which said that the accounts of a small number of employees had been compromised but the wider network was unaffected.

A number of climate-focused groups in the US were also the subject of hacking campaigns, including Greenpeace and the Climate Investigations Centre, along with well-known investors in America, including private equity firm KKR and short-seller Muddy Waters.

Those targeted by the IT firm were often linked to only one side of a contested legal proceeding, advocacy issue or business deal, the report found.

In comments to Reuters, BellTroX owner Sumit Gupta declined to reveal the company’s clients and denied any wrongdoing in the matter.

“I didn’t help them access anything, I just helped them with downloading the emails and they provided me with all the details,” Gupta said. “I am not aware how they got these details but I was just helping them with the technical support.”

Citizen Lab researcher John Scott-Railton said this was “one of the largest spy-for-hire operations ever exposed”, and that no sector was safe from the risks it posed.

“Dark Basin’s thousands of targets illustrate that hack-for-hire is a serious problem for all sectors of society, from politics, advocacy and governments to global commerce,” the report said.

According to the Reuters report, five people familiar with the matter have said that BellTrox’s targeting of US companies and individuals are under investigation by US law enforcement.

Citizen Lab’s investigation of the hacking group began when it was contacted by a journalist in 2017 who asked it to investigate a phishing attempt.

This was linked to a custom URL shortener which was found to be linked to a larger network operated by a single group.

“Because the shorteners created URLs with sequential shortcodes, we were able to enumerate them and identify almost 28,000 additional URLs containing email addresses of targets,” the report said.

“We used open source intelligence techniques to identify hundreds of targeted individuals and organisations.”

Citizen Lab and its collaborator NortonLifeLock found “numerous technical links” between the hacking campaigns and BellTroX, leading it to conclude with “high confidence” that it was behind the cyber attacks.

“We were able to identify several BellTroX employees whose activities overlapped with Dark Basin because they used personal documents, including a CV, as bait content when testing their URL shorteners,” it said.

“They also made social media posts describing and taking credit for attack techniques containing screenshots of links to Dark Basin infrastructure.

“BellTroX and its employees appear to use euphemisms for promoting their services online, including ‘ethical hacking’ and ‘certified ethical hacker’.

BellTrox’s slogan is: ‘you desire, we do’.”

The BellTroX website now shows an “account suspended” message.