More Data Show Evidence Against Bhima Koregaon Accused Was Planted

Further analysis by a US firm found 22 more files showing Bhima Koregaon accused Rona Wilson’s computer was hacked.

3 min read

In a second analysis report, a US-based digital forensics firm has found 22 additional files that show the computer of Bhima Koregaon case accused Rona Wilson was compromised by a malware attack for nearly two years preceding his arrest in June 2018. In February, the firm Arsenal Consulting had found 10 such files.

The new report says the files that have been cited as key evidence against the accused activists by the concerned probe agency – the National Investigation Agency (NIA) – were never created, opened or used by anyone who directly handled Rona Wilson's computer but were planted by a hacker with the help of a software, NetWire.


Arsenal, which analysed Rona Wilson's computer electronically on request of the defence lawyer, included data in its latest report that showed the hacker typing commands to deliver documents to a hidden folder. Mar Spencer, Arsenal's president, was quoted by The Washington Post as saying that this data was "equivalent of a videotape of someone committing the crime".

The February report by Arsenal had found that 10 such documents were deposited on Wilson’s laptop, including the letter discussing an alleged plot to assassinate PM Narendra Modi.

The 22 additional documents, which the US-based company says were placed in a hidden folder on Wilson's computer, include details of purported meetings of Maoist militants, discussions on fund transfers, communications between purported Maoist leaders and concerns over state crackdown.

In the latest report, Arsenal found two other files in a folder stored on the Windows drive of the laptop but unlike the other 22 files, they could not confirm if these two were planted by the same software.

The news of the initial report was first reported by The Washington Post on Wednesday, 10 February, who have also posted the full report for public viewing online.

The two reports by the US forensic firm throws these allegations into doubt, as it agrees with an earlier analysis in 2019 by The Caravan, that certain documents appear to have been planted on Wilson's computer using the malware.

According to the report, Wilson’s computer was first compromised on 13 June 2016, when he was sent emails that appeared to be from fellow accused Varavara Rao, which suggested that he click on a link to download a document. Wilson opened the document at 6:18 pm on the day, which led to the installation of the NetWire malware on his computer.

The same attacker was found to have compromised Wilson’s computer multiple times from June 2016 to 17 April 2018, when Wilson’s and the homes of others accused were raided in connection with the case.

Jaya Roy, a spokeswoman of the NIA, told The Washington Post that the analysis by a government forensic laboratory did not indicate any compromise and said, "The NIA cannot revisit “any evidence based on a private lab’s report.”

However, experts on malware and digital forensics contacted by The Washington Post reviewed the report and said the findings were sound.

Amnesty International had reported that several people assisting the accused, including their lawyers had been targeted using the NetWire malware in 2020, and several of the accused had been targeted using the infamous Pegasus malware as well in 2019.

Most of the IP addresses, used to target the activists and their associates, are assigned to HostSailor, a web-hosting and virtual private server company reportedly based in the United Arab Emirates. The newspaper contacted the group but did not receive any response.

(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)

Speaking truth to power requires allies like you.
Become a Member
Read More