Appin was an Indian cyber espionage company founded in 2003 by brothers Rajat and Anuj Khare. It initially started as a cybersecurity training firm, but by 2010, the company had begun providing hacking services for governments and corporate clients, and was reported to have stolen secrets from executives, politicians, military officials and wealthy elites worldwide. ''Reuters'', ''The New Yorker'', ''Wired'', ''SRF Investigativ'', and ''Intelligence Online'' have reported on Appin's hack-for-hire operations and Rajat Khare's extensive efforts to suppress coverage through civil and criminal actions.
Appin created the model that is still used by the Indian hack-for-hire industry.
History
In December 2003, Rajat Khare along with high school friends conceived Appin to offer technology training workshops to university students. By 2005, now joined by Anuj, an entrepreneur and former motivational speaker, the company had an office in western New Delhi. Appin began as a digital security consultancy that provided cybersecurity classes to help Indian organizations defend themselves online. This drew the attention of Indian government officials, who were navigating internet-era intelligence challenges and seeking ways to hack into computers and emails.
Shortly thereafter, Appin established a subsidiary called Appin Software Security, also known as the Appin Security Group, to conduct surveillance activities for the Indian government. Employees signed non-disclosure agreements and were shipped to military-controlled facilities, where they worked away from their colleagues in the wider company. Their targets included Pakistan, China, and Khalistani separatists from India's Punjab state.
By 2009, the company's clients had included the Research and Analysis Wing (RAW), the Intelligence Bureau, the Indian Armed Forces, the Ministry of Home Affairs, and the Central Bureau of Investigation (CBI). Appin claimed their solutions were used by government intelligence agencies to monitor hostile individuals, marketed software for analyzing call metadata, and explored importing Israeli cell phone interception devices. For the fiscal year ending in 2009, the company earned nearly $1 million in revenue and a profit of about $170,000, with a projected tenfold increase in revenue over the next 36 months.
The company also made extra money by discreetly reselling material it had hacked for one Indian agency to another. This practice of double-dipping was eventually uncovered, prompting several outraged Indian intelligence agencies to terminate their contracts with Appin. Facing dwindling opportunities in intelligence work, Appin shifted its focus to hacking and phishing for the private sector.
In 2010, Rajat Khare sent bulk emails to private intelligence firms across Europe offering hacking-for-hire services.
Around 2011, the mercenaries began operating a digital dashboard dubbed "My Commando" for spy services, resembling an e-commerce platform with a menu of hacking options. Customers logged in to request Appin to hack emails, computers, or phones, track the operation's progress like a delivery, and later download the stolen data.
More than 70 global clients hired Appin to hack hundreds of targets through "My Commando."
Among the system's early users were Israeli private detectives Aviram Halevi and Tamir Mor, who accessed it in late 2011. That year, Mor ordered hacks on more than 40 targets, including Malaysian politician Mohamed Azmin Ali, Russian oligarch Boris Berezovsky, and his lawyers. Berezovsky was found dead in 2013 after losing a multibillion-dollar case the previous year. Around the same time, another user hired Appin to hack 30 targets, including a Rwandan dissident and the wife of another wealthy Russian going through a divorce.
The targets also included Kristi Rogers, the wife of Representative Mike Rogers, who was the Chairman of the U.S. House Intelligence Committee at the time. Less well-known individuals, such as a landscape architect in New Jersey and a Native American tribal member, were also targeted using the system. Other victims of Appin included human rights activists, such as those associated with the Oslo Freedom Forum, along with governmental and private organizations.
Starting on 5 January 2012, a cyberattack targeted Peter Hargitay, a Zurich-based FIFA insider and consultant for Australia's 2022 World Cup bid. Hargitay and his son hired an expert who traced the hack to a server linked to Rajat Khare. The attack was part of an extensive hacking operation targeting numerous individuals for smear campaigns. This was tied to Qatar's web of espionage to secure the 2022 FIFA World Cup hosting rights.
Hack-for-hire companies founded by Appin alumni were also implicated in the campaign.
Also in 2012, a German private investigator paid Appin $3,000 to hack an email during an inheritance feud involving a wealthy businessman.
That same year, an Indian cybersecurity consultant traced an attempted hack on a client to Appin and discovered compromising material on its servers. In the Dominican Republic, authorities raided a local newspaper publisher in 2012 and formally accused him of collaborating with Khare to hack emails and extract information from the nation's elite for his digital newspaper. The publisher later admitted that in 2011, he paid Appin between $5,000 and $10,000 a month to spy on over 200 prominent Dominicans, including then-President Leonel Fernández.
In 2012, after analyzing a hack and leak targeting a Native American tribal member, the FBI linked multiple cases to a single perpetrator. Collaborating with Swiss authorities, the FBI identified the perpetrator as Appin and shared that they had human intelligence through a confidential source.
In February 2013, the Chicago Mercantile Exchange filed a complaint with the World Intellectual Property Organization regarding a phishing attack that used a suspicious domain to steal investment information.
In March of that year, after Telenor filed a criminal case with Norwegian police Kripos over a hack stealing 66,000 emails from its leadership and legal advisor, the infosec community obtained evidence that allowed them to access Appin's unsecured servers and link the group to several high-profile cyberattacks that had been directed at more than a dozen countries.
Notably, Norman Shark publicly linked the Telenor hack to Appin.
Appin's industrial-scale random attacks drew global attention, and by 2013, they had become well known among security researchers, who referred to them using various monikers to describe their pattern of activity, including Operation Hangover by Shadowserver Foundation and Norman Shark, Monsoon by Forcepoint, and Viceroy Tiger by CrowdStrike. From 2013 onward, Google spent a decade monitoring Appin-linked hackers who targeted tens of thousands of email accounts on its platform. Due to the unusually high volume worked by the hackers, Google had to expand its systems and procedures to keep up with them. Security researchers have been cautious in their public statements linking Appin to the hacking and phishing incidents to avoid legal trouble; however, privately, they remain confident in the connection.
Since 2012, Appin and its CEO Rajat Khare have been under criminal investigations in multiple countries. Swiss authorities linked Appin and Rajat Khare to a criminal complaint filed by the Hargitays for intrusion into their systems, while Norwegian investigators connected Appin to the Telenor hack. In 2016, the person who had hired a private detective to access the email of her fellow Native American tribal member pleaded guilty in federal court. Later, in mid-2020, that detective confessed in an affidavit that he had hired Appin to carry out the email heist. Similarly, Aviram Halevi, who hired Appin to hack at least three dozen people in 2011, admitted to employing them to steal emails from a Korean businessman.
In 2021, the State Bank of India filed a criminal complaint with the Central Bureau of Investigation, Appin's former client, accusing Rajat Khare and others of embezzling ₹8.06 billion ($97 million) from loans to Educomp, where Khare was a director.
Controversies
Appin and co-founder Rajat Khare have systematically pressured news sources in multiple countries, including France, Luxembourg, Switzerland, the United Kingdom, and India, to remove references in articles to the company and Khare.
On 2 November 2022, Swiss media outlet ''SRF Investigativ'' published an investigative piece about Qatar's elaborate and extensive espionage operation to secure the 2022 FIFA World Cup hosting rights. The operation, which was dubbed Project Merciless, involved hacking emails and phones of FIFA officials and critics of Qatar's corruption and poor human rights record. It also targeted their friends and family members to run smear campaigns and influence FIFA policy.
In November 2022, a lower court in Geneva ordered the publication to provisionally remove Rajat Khare's name and photo from the article. When contacted by RSF, Khare's Swiss lawyer, Nicolas Capt, stated that Khare has taken civil and criminal action in Switzerland and other countries to protect his honor.
On 1 June 2023, ''The New Yorker'' published an article titled, "A Confession Exposes India's Secret Hacking Industry." The article primarily focused on firms founded by Appin alumni, such as BellTroX Infotech Services and CyberRoot Risk Advisory, which have targeted climate activists, investors, lawsuit defendants, and organizations on a global scale and still remain operational. Appin first sued the U.S. magazine in India, and later, Rajat Khare filed a lawsuit against it in Switzerland. ''The New Yorker'' refused to take down their article, stating that they fully stand behind the piece, which is an accurate and fair account of a matter of legitimate public interest. They further stated that they will continue to defend the right to publish important reporting without fear or favor.
On 16 November 2023, ''Reuters'' published an explosive article about the company and its cofounder Rajat Khare titled, "How an Indian Startup Hacked the World." Drawing on hundreds of interviews and thousands of vetted documents, ''Reuters'' found that Appin "grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." The report was based on Appin's activities for nearly two decades, including company records, law enforcement files, and input from former employees, clients, and security professionals. The raw material spanning 2005 to 2022 was authenticated by ''Reuters'' and further verified by U.S. cybersecurity firm SentinelOne.
Appin sued ''Reuters'', claiming the news agency had engaged in a "defamatory campaign."
It obtained an injunction from a Delhi court and, on 4 December 2023, ''Reuters'' temporarily removed its article. Reuters said that it stood by its reporting.
An archived version of the ''Reuters'' article hosted on the Wayback Machine was likewise removed following demands from lawyers representing Appin co-founder Rajat Khare. Appin further sent demands to Meta Platforms, LinkedIn and Naukri.com to block accounts associated with the authors of the ''Reuters'' story.
In February 2024, ''Wired'' reported that lawyers for Appin and a related entity called the Association for Appin Training Centers had filed lawsuits and made legal threats against more than a dozen news organizations. Appin sent demand emails to news site ''Techdirt'' and the organization MuckRock, which hosted some of the information ''Reuters'' relied on. The two sites denied that the injunction was binding on them.
Other sites, such as the ''Lawfare'' blog, removed material based on the ''Reuters'' article.
The Electronic Frontier Foundation (EFF) announced that they responded on behalf of ''Techdirt'' and MuckRock to legal threats made by Appin Training Centers. One of the arguments the EFF made in their letter to Appin is that the Indian court's order is unenforceable in U.S. courts because it conflicts with the First Amendment and Section 230 of the Communications Decency Act (47 U.S.C. § 230), as reinforced by the SPEECH Act (28 U.S.C. § 4102). The EFF also urged recipients of Indian gag orders to carefully evaluate their legitimacy.
The ''Reuters'' article was restored in October 2024, after the Delhi court rescinded its injunction on 3 October 2024, noting "the plaintiff has not been able to show any prima facie case to make interference in the process of journalism". The article is back online at its original location.
On 21 November 2024, Reporters Without Borders (RSF) reported that works from at least 15 different media outlets had been modified or withdrawn as a result of a strategic lawsuit against public participation or a legal notice from Rajat Khare or Appin Training Centers, while posts praising Khare on self-published sites flooded the internet. Additionally, an ''Intelligence Online'' article was the subject of what Reporters Without Borders described as an "abusive DMCA takedown request".
Legacy
Following Norman Shark's public attribution of the Telenor hack to Appin, the company faced increasing scrutiny, and the group began scaling back its online presence.
Around that time, former Appin employees branched out, founding similar hack-for-hire firms.
Two such companies, BellTroX InfoTech Services led by Sumit Gupta and CyberRoot Risk Advisory, started collaborating with Appin, sharing staff and computer infrastructure for their hacking operations.
Their activities were identified using a database of over 80,000 phishing emails sent to 13,000 targets from 2013 to 2020.
This database was vetted by six expert groups, with each group independently confirming recognized hacking activity.
Further analysis by Mandiant, LinkedIn, Google, and court records revealed that the hacking was carried out by three Appin-linked companies with an intermingling of resources among them.
This network of mercenaries charged clients anywhere from a few thousand to millions of dollars, while paying workers just $370 per month.
The hackers targeted attorneys and their clients (including companies, advocacy groups, media organizations, and business executives), seeking to undermine the legal process. Notably, media reports have linked Appin alumnus Sumit Gupta to criminal cases, former Israeli policeman Aviram Azari, Dark Basin, and the wider network of Indian hackers.
Appin Technology rebranded multiple times before adopting the name Sunkissed Organic Farms in 2017. Its subsidiaries also underwent rebranding. In 2015, Appin Software Security—which billed private eyes for the hacking work—became Adaptive Control Security Global Corporate (ACSG).
Rajat Khare resigned as director of Appin Technology in 2016 and now resides in Switzerland. The multinational criminal investigations into him and Appin ultimately proved abortive due to jurisdictional challenges.
After the Swiss criminal investigation into his hacking of the Hargitays was closed, in the fall of 2020, Khare purchased a villa in Switzerland for 13.5 million Swiss francs from the daughter of a Ukrainian oligarch. He now portrays himself as a renowned start-up investor.
In September 2023, The Economic Times reported that Rajat and Shweta Khare had purchased a plot in Delhi for ₹760 million (about $9.1 million). Together, they run Boundary Holding, a Luxembourg-based venture capital firm.
Rajat Khare's family controls companies founded under the Appin name, as well as the renamed Indian firms, including ACSG, which officially claims to provide confidential computer security services to governments.
See also
* Dark Basin