Chasing shadows: How VPNs keep Delhi school hoaxers out of reach
Bomb hoaxes continue to target Delhi schools. Police face challenges tracing threats due to VPNs and encrypted emails. Perpetrators use international servers and privacy-focused services. Tracing these digital phantoms is a complex and often frust...
By ET Online | Updated:
TIL Creatives
After a wave of bomb hoaxes hit several South Delhi schools earlier this month, police traced the digital footprints to a virtual private network (VPN) service in Bangladesh. Days later, similar threats in northwest Delhi were linked to a U.S.-based VPN, while hoaxes in west Delhi schools a few months ago led investigators to a Singapore-based service.
Yet, even as authorities reached out to these providers for user information, more threats continued to flood in.
Why does law enforcement seem powerless to stop these menaces?
When a threatening email lands in a school inbox, the response is immediate and highly visible: sirens wail, students are evacuated, sniffer dogs comb the premises, and uniformed officers swarm the campus. But in the quieter confines of Delhi’s cyber cell, the battle is uphill and often demoralizing. Each hoax represents a forensic dead end.
Despite numerous high-profile scares stretching into early 2026, the perpetrators remain digital phantoms. The challenge isn’t manpower; it’s the technical hurdles: Swiss servers’ ironclad privacy, the opaque governance of foreign domains, and the multi-layered protections of VPNs.Investigator's nightmare
When investigators attempt to trace a threat, they rarely land on a computer in Delhi. Instead, they are led to servers in jurisdictions like Panama or the Seychelles. VPN chains—routing connections through multiple encrypted tunnels—ensure that the IP address visible to Delhi Police is a decoy.
“The hoaxers hide their actual location in Delhi or elsewhere behind a series of encrypted ‘tunnels.’ The IP address that police see may belong to a server in Austria, Singapore, or the Netherlands. To us, it is like chasing a shadow in a room full of mirrors; every time we think we have a lead, the trail bounces to another country,” said a cyber cell investigator.
To reveal the real IP, police must request logs from the VPN provider. But most premium services operate on a strict no-log policy, meaning they do not store records of who used the service at a specific time. Simply put, the data doesn’t exist. The trail doesn’t just go cold—it vanishes.
The challenge is compounded by the platforms the perpetrators use. In several major waves of bomb threats, including a surge in May 2024 and the recent cases this month, the emails were sent via Switzerland-based ProtonMail. Known for its staunch commitment to privacy, ProtonMail employs end-to-end encryption, does not require phone numbers or personal identification, and cannot decrypt user messages. From an investigative standpoint, this is a nightmare.
Swiss privacy laws prevent Delhi Police from issuing standard search warrants. Requests must go through the Mutual Legal Assistance Treaty—a diplomatic marathon requiring proof of “double criminality,” meaning the act is a crime in both India and Switzerland. Even then, the information police may receive is minimal metadata, such as account creation times, rarely enough to pinpoint a masked user.
Adding another layer of complexity is the so-called ‘Russian angle.’ Many hoax emails carry a “.ru” domain suffix, often from services like mail.ru, serving as a tactical smokescreen. By the time requests move through Interpol, the accounts are usually deleted, and the logs overwritten.
Occasionally, investigators catch a break, often due to operational mistakes by amateur hoaxers. In late 2024, a Delhi student sending a threat to avoid an exam was caught after forgetting to turn on his VPN, exposing his home IP.
But professional operators, who can target dozens of schools in a single morning, leverage the global digital infrastructure to their advantage. Many appear to use automated tools to scrape school databases from the dark web, making the attacks highly coordinated and difficult to trace.
For now, Delhi Police remain trapped in a reactive cycle: evacuate students, search campuses, and declare hoaxes—while those behind the screen remain untouchable, digital ghosts operating with near-perfect anonymity.
(With inputs from TOI)
Yet, even as authorities reached out to these providers for user information, more threats continued to flood in.
Why does law enforcement seem powerless to stop these menaces?
When a threatening email lands in a school inbox, the response is immediate and highly visible: sirens wail, students are evacuated, sniffer dogs comb the premises, and uniformed officers swarm the campus. But in the quieter confines of Delhi’s cyber cell, the battle is uphill and often demoralizing. Each hoax represents a forensic dead end.
Despite numerous high-profile scares stretching into early 2026, the perpetrators remain digital phantoms. The challenge isn’t manpower; it’s the technical hurdles: Swiss servers’ ironclad privacy, the opaque governance of foreign domains, and the multi-layered protections of VPNs.Investigator's nightmare
When investigators attempt to trace a threat, they rarely land on a computer in Delhi. Instead, they are led to servers in jurisdictions like Panama or the Seychelles. VPN chains—routing connections through multiple encrypted tunnels—ensure that the IP address visible to Delhi Police is a decoy.
ADVERTISEMENT
“The hoaxers hide their actual location in Delhi or elsewhere behind a series of encrypted ‘tunnels.’ The IP address that police see may belong to a server in Austria, Singapore, or the Netherlands. To us, it is like chasing a shadow in a room full of mirrors; every time we think we have a lead, the trail bounces to another country,” said a cyber cell investigator.
To reveal the real IP, police must request logs from the VPN provider. But most premium services operate on a strict no-log policy, meaning they do not store records of who used the service at a specific time. Simply put, the data doesn’t exist. The trail doesn’t just go cold—it vanishes.
The challenge is compounded by the platforms the perpetrators use. In several major waves of bomb threats, including a surge in May 2024 and the recent cases this month, the emails were sent via Switzerland-based ProtonMail. Known for its staunch commitment to privacy, ProtonMail employs end-to-end encryption, does not require phone numbers or personal identification, and cannot decrypt user messages. From an investigative standpoint, this is a nightmare.
Swiss privacy laws prevent Delhi Police from issuing standard search warrants. Requests must go through the Mutual Legal Assistance Treaty—a diplomatic marathon requiring proof of “double criminality,” meaning the act is a crime in both India and Switzerland. Even then, the information police may receive is minimal metadata, such as account creation times, rarely enough to pinpoint a masked user.
ADVERTISEMENT
Adding another layer of complexity is the so-called ‘Russian angle.’ Many hoax emails carry a “.ru” domain suffix, often from services like mail.ru, serving as a tactical smokescreen. By the time requests move through Interpol, the accounts are usually deleted, and the logs overwritten.
Occasionally, investigators catch a break, often due to operational mistakes by amateur hoaxers. In late 2024, a Delhi student sending a threat to avoid an exam was caught after forgetting to turn on his VPN, exposing his home IP.
ADVERTISEMENT
But professional operators, who can target dozens of schools in a single morning, leverage the global digital infrastructure to their advantage. Many appear to use automated tools to scrape school databases from the dark web, making the attacks highly coordinated and difficult to trace.
For now, Delhi Police remain trapped in a reactive cycle: evacuate students, search campuses, and declare hoaxes—while those behind the screen remain untouchable, digital ghosts operating with near-perfect anonymity.
(With inputs from TOI)
Download
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
The Economic Times Business News App for the Latest News in Business, Sensex, Stock Market Updates & More.
Download
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
The Economic Times News App for Quarterly Results, Latest News in ITR, Business, Share Market, Live Sensex News & More.
ADVERTISEMENT
