Last year in January, the Central Bureau of Investigation (CBI) ended up making an arrest in Pune that was a first of its kind in India. Amit Vikram Tiwari, an unemployed college dropout, became the first alleged cyber criminal of India.
Tiwari's arrest has turned the arc lights on a breed of people working quietly in India. They are the Indian crackers (hackers who commit crimes for personal profit) who are selling their services and skills to those who can pay them well. In other words, they are mercenary crackers, or crackers for hire.
By and large, sources say, Indian crackers prefer to run their own scams and operations and operate on smaller scales. The bigger an operation, the more attention it will get and thereby increase the chances of someone going after them.
But some of India's ambitious crackers have realised that there's a large international market waiting to hire them and their skills. Tiwari is alleged to have been taken on board by one such crime group. And that's how he got caught - his name was supposedly dropped by an alleged Romanian hacker called Guccifer, who was being interrogated by US investigators, who passed the information to the CBI.
Tiwari's operation, while simple, was effective. He made money by getting people's Gmail login and password details and selling them to the highest bidder, who in turn used the information to make money. Around 935 accounts, of which 171 belonged to Indians, were sold. He could sell a single account's details for $250 (around Rs 15,000). He is believed to have made a whopping $2,50,000 (Rs 1.55 crore). According to an FBI report, three people were also arrested for hiring Tiwari and his cohorts.
The crackers, the sources say, have zeroed in on something called zero day exploits, code that can be used to compromise software (such as Google Chrome and Internet Explorer) by using existing security flaws that haven't been publicly disclosed.
'Yeah, there are some guys seriously getting into zero day exploits,' confirms hrs0n_484, a hacker who also knows at least two people involved in it. 'They work in loose knit groups with others, both in India and abroad. It's a bit like how you make any piece of software, you pool in everyone's talents.'
There are various ways a sale can be made. Often, the cracker has a website which serves as a store front. A few are on the regular Internet, but most of the crackers are on the deep web, a part of the world wide web which can't be reached by standard search engines.
Through these sites, a client can make a request of what they want done. Different crackers offer different services based on their self-professed areas of expertise. They do the job, and are paid for their service via the Internet. The crackers offer their clients complete anonymity, and never ask why they're being paid.
'It's all very professionally done,' explains an Indian hacker who wishes to remain anonymous. 'These people are not script kiddies (slang for unskilled or 'new' hackers). They aren't doing it for the thrill of it. The people who buy their services know that if they don't pay up properly, these guys will turn on them. So it's all handled quietly and smoothly.'
Indian crackers are not just into zero day exploits. Apparently, jobs on offer range from hacking Government of India servers to conducting industrial espionage, similar to the recent attack on Sony Pictures. Last year, hackers who called themselves the 'Guardians of Peace' infiltrated Sony's computer system, demanding that the Hollywood studio cancel its planned release of The Interview, a film about a plot to assassinate North Korean leader Kim Jong-un.
But these are just whispers in Internet communities which cannot be confirmed.
'People brag a lot in this community,' explains hrs0n_484, 'but if you spend enough time in it, you learn how to read into it. Personally, I wouldn't be surprised to find out that some people are getting offers to break into companies, or if people are already doing it!'
These mercenary crackers are only a small part of the larger underground Indian hacking community, but their activities have got some of the larger community sweating. Hackers (the non-criminal version of crackers) are worried that this kind of activity will draw unnecessary attention to them.
A hacker on an online forum describes his (or her) activity as a hobby - for fun. 'we just want to have fun. [but] now gov will start looking at everyone'.
Their fears are justified because, shortly after Tiwari's arrest, the CBI went on to arrest a few more people for cyber crimes in other cities.
With investigators looking closely at hackers, some feel that members of the community may be put under pressure to reveal names of other hackers who are not into crime. 'Hackers aren't hardened criminals. They will say anything to the CBI or the police out of fear, as long as they think they can save themselves,' the anonymous hacker complains. 'I'm worried that someone will snitch on me just to give the authorities some information, even though I haven't committed a single criminal act ever.'
But despite their fears, it might just turn out that they are in no danger. Janardhana Swamy, a Bangalore-based cyber security expert and former Bharatiya Janata Party member of Parliament, stresses that the Indian government and law enforcement are mostly unaware of what happens in the country's e-underbelly.
'This is just one case,' Swamy points out, referring to Tiwari's arrest. 'There are probably thousands of such cases in the country. Our cyber security is very poor compared to that in other countries and the size of our IT sector. We just don't have a system in place to track and catch these people.'
He fears that crackers will continue to operate because no one takes cyber security 'seriously' and there is little fear of getting caught because of that. Reddy's point is underscored by the fact that one of the web portals Tiwari used to sell his stolen Gmail account details was brazenly called hirehacker.net.
