Another bullet from Arsenal pierces through NIA’s Bhima Koregaon case!

Now evidence emerges of files being planted on Surendra Gadling’s hard drive using same malware as in the case of Rona Wilson


American digital forensics firm Arsenal has delivered yet another body blow to the case being built by the National Investigation Agency (NIA) against the activists and human rights defenders accused in the Bhima Koregaon conspiracy case. It has unearthed evidence that 14 key files mentioned in the chargesheet against activist and lawyer Surendra Gadling were planted on his hard drive using Netwire, the very same malware that was used to plant false evidence on a laptop belonging to Rona Wilson, another accused in the case.

SabrangIndia had previously reported Arsenal’s findings in Rona Wilson’s case. “Arsenal has connected the same attacker to a significant malware infrastructure which has been deployed over the course of approximately four years to not only attack and compromise Mr. Wilson’s computer for 22 months, but to attack his co-defendants in the Bhima Koregaon case and defendants in other high-profile cases as well,” a report by the Massachusetts-based digital forensics firm had said after they had examined an electronic copy of Wilson’s laptop.

In light of the new developments related to evidence being planted on Surendra Gadling’s hard drive, friends and family of Bhima Koregaon accused have released a statement sharing Arsenal’s findings. “This new report finds the exact same malware infrastructure (customized NetWire Remote Access Trojan) on Gadling’s hard drive, and the identity of the attacker as common to both Wilson and Gadling. These findings point to an organized conspiracy of evidence tampering/planting in the Bhima Koregaon case,” they say.

Further, Arsenal has found this new development to be “one of the most serious cases involving evidence tampering that Arsenal has ever encountered, based on various metrics which include the vast timespan between the delivery of the first and last incriminating documents on multiple defendants’ computers.” 

According to the latest findings in the case, 14 files were allegedly planted on Gadling’s computer between February 29, 2016, when the computer was first infected via an email sent to Gadling and November 2, 2017. That was when the attacker lost access to Gadling’s computer because of a Windows reinstallation. The report also documents extensive surveillance of Mr. Gadling’s computer with over 30,000 files being allegedly copied from his devices to the attacker’s command and control (C2) server. These new findings take the total number of files documented as having been planted on defendants’ hard drives to 48! 

The report documents in detail the full transcript of the attacker’s work across multiple computers on July 22, 2017 when the attacker first moved a set of files from their ‘command and control’ server to Rona Wilson’s hard drive, and 15 minutes later using the same malware infrastructure moved another set of files to Gadling’s computer.

Friends and family of the Bhima Koregaon accused have now demanded answers from the Pune Police and the NIA to the following questions:

  • Who planted the files?
  • How did the police or the regional forensic lab locate hidden folders and files planted through the use of malware while at the same time claiming that they did not detect any malware on the said devices?
  • Why are the NIA or police not interested in investigating this planting of evidence?
  • With three reports published that establish without doubt that the incriminating evidence was planted by a hacker, is the case any longer maintainable?

Rona Wilson and Sudha Bharadwaj have already demanded a probe into Arsenal’s findings. Shoma Sen has moved court demanding that UAPA charges against her be dropped in light of Arsenal’s findings. But the NIA has attempted to dismiss Arsenal’s findings. In an affidavit submitted to the Bombay High Court in May, the NIA said, “All the contentions which are raised by the Petitioner are entirely based on the basis of the report of M/s. Arsenal Consultancy. This report does not form part of the Chargesheets which are filed by the Respondent and Pune police. It is settled position of law that, documents which are not relied into the Chargesheet cannot be relied by the Petitioner and as such there is no question of looking into the report of the M/s. Arsenel Consultancy and as such the entire contention of the Petitioner deserve to be rejected as the same are based on the report which does not find place in the present Chargesheet.”


Bhima Koregaon case: Was evidence planted to implicate activists?
Primary goals were surveillance and incriminating document delivery: Arsenal Report
Rona Wilson moves Bombay HC, demands probe into ‘planted evidence’
Probe claims of Rona Wilson’s laptop being hacked: Sudha Bharadwaj’s family and friends
Former Professor Shoma Sen moves Bombay HC against UAPA charges
Bhima Koregaon case: NIA attempts to dismiss Arsenal’s findings about Rona Wilson’s laptop



Related Articles