Key evidence against Bhima Koregaon accused found to be planted: Report

The Washington Post on Wednesday reported that the key evidence used to incriminate activists in the Bhima Koregaon case was planted on a laptop seized by the police.

An extensive forensic report by Arsenal Consulting, a Massachusetts-based digital forensics firm, found that the key evidence used to incriminate activists for plotting against the Indian government was planted on the personal laptop of Rona Wilson, one of the accused, The Washington Post reported.

Arsenal examined the laptop at the request of Wilson’s lawyers and found that at least 10 letters were planted on it before his arrest, the report said.

Activists and intellectuals arrested for inciting the Bhima Koregaon violence have been imprisoned without any trial under the stringent Unlawful Activities Prevention Act (UAPA).

So far, 16 activists (BK 16) have been arrested in this case since 2018 – Jyoti Raghoba Jagtap, Sagar Tatyaram Gorkhe, Ramesh Murlidhar Gaichor, Sudhir Dhawale, Surendra Gadling, Mahesh Raut, Shoma Sen, Rona Wilson, Arun Ferreira, Sudha Bharadwaj, Varavara Rao, Vernon Gonsalves, Anand Teltumbde, Gautam Navlakha, Hany Babu and Father Stan Swamy.

Their bail pleas and requests for health assistance and other needs have been declined multiple times by several courts.

The initial arrests were based on an FIR filed in January 2018 against the speakers at Elgar Parishad 2017 for inciting violence at Bhima Koregaon between the village’s Dalit and Maratha groups. Later, the main evidence cited against them was the set of letters found on Wilson’s laptop, which contained a variety of claims; in the most damning of them, Wilson discusses a plot to assassinate the Prime Minister with the banned Communist Party of India (Maoist).

It has been widely reported that none of the recovered letters were handwritten or bore any kind of signature. Chargesheets filed against many of the accused activists allege that they are active members of or have connections with the CPI(M).

The report by Arsenal suggests that an attacker used malware to infiltrate Rona Wilson’s laptop, but it contains no information on the attacker’s identity. The report identified this case as one of the “most serious cases involving evidence tampering that Arsenal has ever encountered.”

According to the report, the attack took place on an afternoon in June 2016, when Wilson received several emails from what looked like a known fellow activist, who urged him to click on a download link. The link looked like a statement from a civil liberties group but actually deployed malicious software called NetWire, which allowed a hacker to access the device.

The report found that the malware kept track of Wilson’s keystrokes, passwords, and browsing activity. Recovered file system information shows that the attacker created a hidden folder, delivered at least 10 incriminating letters into it, and attempted to conceal these steps. No evidence has been found that Wilson ever accessed these letters. The report also says that the documents were created using a newer version of Microsoft Word that was unavailable on Wilson’s laptop.

Mark Spencer, president of Arsenal, told The Washington Post that the attack was “extremely dark” and “very organized” in intent. Arsenal has taken up several high-profile cases in the past, including a similar 2016 evidence-tampering case involving a Turkish journalist and the 2019 Boston Marathon Bombing.

The Washington Post asked three outside experts to review the report, all of whom found the conclusions to be valid. John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto, said that the report documenting the malware attack raises “urgent questions about the reliability of evidence from that computer in a prosecution.”

Adam Meyers from CrowdStrike, one of the experts asked to analyze the report, believes that it is not a coincidence that the same domain names and IP addresses are found in both the Amnesty International and Arsenal reports. Amnesty International revealed last year that people helping the arrested activists were also victims of malware attacks that deployed NetWire on their devices.

Although the report does not identify any single person or institution behind the attack, the forensic analysis reveals that the same attacker also targeted Wilson’s co-defendants, using the same servers and IP addresses over a period of four years. Experts are of the opinion that the attack on Wilson’s computer is part of a larger orchestrated malware campaign.

Lawyers for other defendants have been asking the authorities to provide digital images of the seized devices and pieces of evidence. So far, the belongings of no more than two defendants have been shared.

Responding to Arsenal’s report, Wilson’s lawyer Sudeep Pasbola told The Washington Post that it proves his client’s innocence. He added that this evidence “destabilizes” the case against the imprisoned activists.

However, a spokesperson for the National Investigation Agency (NIA), Jaya Roy, said that they could not find any malware on Wilson’s device, adding that there is substantial and oral evidence against the accused.

Wilson’s lawyers included the Arsenal report in a petition filed in the Bombay High Court on Wednesday, urging the judges to dismiss the case against their client.