US authorities are investigating a vast hacking-for-hire operation that involves attempts to pilfer confidential communications from investigative journalists, short sellers and advocacy groups fighting climate change, according to law enforcement officials, court documents and cybersecurity officials who have tracked the scheme for years.

The overall operation was stunning in scale and in some instances successful, according to several cybersecurity researchers who have been tracking the hackers. Among the thousands of entities allegedly targeted were hedge funds Coatue Management LLC and Blue Ridge Capital LLC, non-profit groups fighting telecommunications companies over control of the internet, and journalists from multiple news organisations, according to several cybersecurity researchers including the Toronto-based research group Citizen Lab, which tracks illegal hacking and surveillance.

The hackers are based in northern India and are typically hired by private investigators and other middlemen in Israel, the US and Europe, the researchers say. But their ultimate clients are often law firms or corporations, which may receive pilfered material under the guise of corporate intelligence or litigation preparation, according to court documents and several people familiar with the scheme.

Although it’s unclear who wrote the checks that ultimately funded the hacking operations, the apparent beneficiaries include specific industries and major companies, including embattled German technology firm Wirecard AG, according to Citizen Lab and other cybersecurity researchers.

US prosecutors in New York and FBI agents are investigating the hacker-for-hire scheme, according to three people familiar with the probe. At least one person implicated in the scheme has already been arrested. In an indictment last year, Aviram Azari, an Israeli private investigator, is accused of working with a group of Indian hackers to target hundreds of potential victims with phishing emails. He has pleaded not guilty, according to his attorney Barry S. Zone, who called the charges exaggerated.

The indictment doesn't identify what hackers, victims or companies may benefited from any such activities.

A Wirecard spokeswoman, Iris Stoeckl, said her company hasn’t been in contact, either directly or indirectly, with a hacker group in India. Wirecard said it acted legally in its investigation into short sellers and critics of the firm.

A spokesman for the US Attorney’s Office in Manhattan declined to comment, as did a spokeswoman for the Federal Bureau of Investigation.

Many cyberattacks involve criminal gangs who try to steal log-in credentials or credit-card data; in these cases, the groups both plan the operation and benefit from the stolen data. But in this instance, the hackers were paid to carry out targeted attacks by third parties.

Digital sleuths working at Citizen Lab and two other cybersecurity companies have tied at least some of the hacking back to an Indian company called Belltrox Infotech Services, which operates from a crowded neighbourhood of New Delhi. Working independently, the researchers said they tracked the intrusions back to Belltrox through a series of apparent mistakes made over the years by its hackers.

Belltrox didn't respond to requests for comment sent to multiple email accounts associated with the company and its officers. Sumit Gupta, who is listed in corporate registration documents as Belltrox director, couldn’t be reached for comment. Veenu Arora, who is Gupta’s wife and is also listed as a Belltrox director, denied any wrongdoing in an interview with Bloomberg News. She said that she runs a medical transcription company and that Gupta runs a cake shop.

Surender Mehra, who said he co-founded an earlier incarnation of the company with Gupta called Belltrox Digital Security, said in an interview with Bloomberg News that he left the company after becoming concerned about some of Gupta's activities. "He was into hacking,’’ Mehra said. After the split, Mehra said that Gupta started a different company, Belltrox Infotech Services. On Tuesday, Belltrox Infotech Services's website, which was functioning as recently as two weeks ago, was down. "This account has been suspended,” read a message on the home page.

A major investigation into hacking-for-hire would probably trigger probes in other countries, said Polly Sprenger, a UK-based corporate investigations attorney and member of a 2012 Home Office inquiry into private spying. "The more important effect of the case is not the actions of this one set of hackers. It’s bringing attention to the people who cause this industry to occur – the lawyers, the consultants and the corporate clients,” she said. "Where the DOJ goes, other countries and other prosecutors will follow.”

In addition to the research conducted by Citizen Lab, at least two confidential reports on Belltrox have been produced by BAE Systems Applied Intelligence, part of the European defense contractor BAE Systems Plc. It refers to Belltrox by the code name Amanda Lovers, because many of its phishing emails were sent from a fictional persona using that name. The reports were described by people familiar with BAE’s investigation.

Additional details were provided to Bloomberg News by a researcher for another global cybersecurity company that tracked the Belltrox hackers over several years and asked not to be identified.

Wirecard, which was founded in 1999 and processes financial transactions over the internet, became one of Germany’s hottest technology companies. But its success has been marred by allegations of accounting improprieties by short sellers and financial analysts. Activist investors have called for the ouster of Markus Braun, the chief executive officer. Last week, German authorities searched its headquarters as part of a probe into suspected market manipulation. Wirecard said the investigation wasn't targeting the company but members of the management board and that it was confident the allegations would prove unfounded.

Along the way, financial firms and reporters looked into market manipulation by Wirecard. Hedge funds, short sellers, journalists and investigators who explored the topic were among those targeted by the hacking-for-hire operation, Citizen Lab concluded. "Some individuals were targeted almost daily for months, and continued to receive messages for years," according to the Citizen Lab report, which didn’t identify who hired the hackers.

The hackers may have been betrayed by their own mistakes. In trying to attribute a cyberattack to a specific hacker or group, cybersecurity researchers often search for signature patterns in code or tools used by hackers.

In this instance, when the hackers attempted to steal a target’s passwords, they often sent emails with custom link shorteners, which linked to fake pages designed to steal login credentials, according to cybersecurity researchers. The shorteners, used to disguise the phishing links, including "strongbolthostinghk[.]com” and others associated with India, such as Holi, a well-known Indian celebration, according to Citizen Lab.

At the end of those links would be a combination of two letters, like "bG”. By sticking variations of two letters at the end of the domains, researchers found large caches of fake sign-in pages with the target’s email address already filled in, the researchers said.

Security researchers matched link shorteners used by Belltrox to those used against short sellers for Wirecard and journalists who had published critical articles, among others. At least 130 of these fake sign-in pages were uploaded on Nov 29, 2017, to the Internet Archive, otherwise known as the Wayback Machine, a non-profit digital library that stores copies of internet pages. It’s not clear who uploaded the pages there.

Those pages show that dozens of people from at least 10 hedge funds and research firms were targeted with a variety of phishing attempts. They all had a history of short-selling Wirecard stock or publishing critical reports about the firm.

Custom link shorteners used in hacking operations have also been used publicly by Belltrox employees, including in one case to link to an online version of the employee’s resume, according to Citizen Lab and another cybersecurity researcher.

The archived pages show these hackers set up bogus log-in pages for several top executives at Coatue Management, including the chief investment officer, chief financial officer, chief legal officer, general counsel and two senior managing directors. At a second firm, the hedge fund Theleme Partners, four people were targeted, including the firm’s founder and chief executive officer, Patrick Degorce. Five employees at Blue Ridge Capital were targeted.

Coatue declined to comment. Theleme and Blue Ridge didn’t respond to requests for comment.

In another alleged Belltrox operation, the Electronic Frontier Foundation in a 2017 blog post detailed cyberattacks on activists fighting for "net neutrality”, a policy that seeks to treat all Internet traffic equally and which telecommunications companies have aggressively lobbied against. One of the targets of the alleged attacks, Evan Greer, told Bloomberg News that she was already on high alert when she realised someone was trying to hack her email.

For several weeks in 2017, her colleagues at Fight for the Future, an advocacy group engaged in a battle over the internet rules, had been receiving "phishing” emails – phony messages that appeared to be from friends, family and colleagues but in fact were trying to trick them to give up passwords. Among them was an email Greer received from an account in the name of Sophia Johnson, saying she wanted to buy some of Greer’s music.

Greer replied with a link to her Bandcamp page. But the Johnson account sent back a message saying she was having problems purchasing the music and included a link asking if it was the right one. "Thanks for your reply, but link is not working. Kindly check this link,” said the email, which was published in the blog post. It led to a bogus Google sign-in page, an apparent attempt to steal her password.

"That’s when we were like ‘This is serious. This is sophisticated’,” Greer said. "Clearly whoever was doing this had done some amount of research on us. They were clearly targeting us, and it seems very likely that someone was paying them to do so.”

Eva Galperin, a cybersecurity researcher at the Electronic Frontier Foundation, said the hackers who targeted Greer also attempted to hack activists in similar groups for months. (EFF provided assistance to Greer and other activists who were attacked.) Although she’s seen more sophisticated attacks in her career, these stood out for their ingenuity and persistence. "All they needed to do to get access was to have one of their targets have one bad day and rush through and click something. They took advantage of that very, very quickly.” EFF's blog post didn’t identify the hackers. Citizen Lab linked the EFF hack to the Belltrox hacking operation, and it said another net neutrality advocacy group, Free Press, was also targeted.

The hacker-for-hire scheme also targeted climate-change activists involved in a campaign called #ExxonKnew, according to Citizen Lab. Hacking attempts were made against the personal and business email accounts of those involved in the campaign, which accused Exxon of conspiring to cover up its early knowledge of climate change. Family members, including a minor child, were also targeted, according to Citizen Lab.

A document stolen by hackers that outlined a potential legal strategy against Exxon was published in a news article, according to court documents. The filings don’t identify who stole the document. Exxon Mobil has no knowledge of, or involvement in, the hacking activities outlined in Citizen Lab’s report, the company said.

Although the full scope of the federal investigation into the hacking-for-hire operation isn’t known, Azari’s arrest by federal agents last September after he arrived at New York’s John F. Kennedy Airport provides a glimpse into the inquiry.

US prosecutors accuse Azari, who ran an investigations firm in Haifa, Israel, of working with a group of Indian hackers that targeted hundreds of victims and infiltrated the accounts of at least six, including several in New York City, according to the indictment, which was unsealed the day after his arrest. Azari was an alleged facilitator for hackers who used "spear-phishing’’ attacks against targets he identified to steal login credentials for all manner of digital troves – work and personal email accounts, social media sites, online storage services.

The indictment doesn't name the Indian hacking group working with Azari. However, because of an apparent error, the indictment reveals the last name of one of the hackers, which also matches the name of a Belltrox employee whose LinkedIn account lists a variety of hacking skills. That person didn't respond to a request for comment.

According to the indictment, the hackers described themselves as "Email Penetration Experts, sophisticated developers for extracting files", capable of getting "the backup of the email from any account and files from any windows computer”. The hackers told Azari: "We can make some money working together.”

Belltrox Digital Security was incorporated in Rajasthan, India, in 2012 and marketed itself as "a leading cyber investigation litigation support firm". The company's partners split in 2013, according to Mehra, and Gupta renamed the firm Belltrox Infosec Services. The latest incarnation of the website advertised, ''You desire, we do.’’

In an online biography, Gupta describes Belltrox as a "cyber intelligence services company” that caters to "private investigators, corporate lawyers, corporate investigators, corporate firms, celebrities and politicians". Although Belltrox Infotech Services markets itself as a medical transcription company, several of its employees tout their hacking skills or cybersecurity expertise on Linkedin.

In 2015, Gupta, who also goes by Sumit Vishnoi, was indicted by federal prosecutors in 2015 in California on 10 counts of email and computer hacking. Two San Francisco-area private investigators were charged with hiring Gupta to access the emails of defendants in a legal dispute between two multi-level marketing companies.

Prosecutors unsuccessfully sought his arrest in India; a person familiar with the case said US authorities had difficulty getting cooperation from the Indian government. The case against Gupta stalled, and it was ultimately rolled into a larger federal investigation, said the person, who declined to elaborate. It’s not clear whether there’s a link between the Gupta case and the current hacker-for-hire investigation.

Nonetheless, it illustrates the difficulty of prosecuting such an operation. The middlemen in that case, the two private investigators, pleaded guilty; Gupta remains at large. – Bloomberg