Threat of digital tradecraft in terrorism. Explained



The story so far:

The investigation into the recent car blast near Delhi’s Red Fort has revealed a chilling dimension: modern terrorist modules are no longer just exploiting ideological or logistical networks, they are also leveraging advanced digital tradecraft to plan and coordinate such attacks. While law enforcement agencies continue to verify all leads, the revelations emerging from the investigation confirm well-established academic research on how violent actors exploit encrypted platforms, decentralised networks, and espionage-style communications to evade surveillance.

What happened?

On November 10, there was an explosion in a car near Gate No. 1 of the Red Fort metro station. At least 15 people were killed in the blast, and more than 30 others were injured, making it one of Delhi’s deadliest terrorist incidents in recent memory. Indian authorities immediately moved to treat the incident as a terrorist attack rather than an accident and handed over the investigation to the National Investigation Agency (NIA) under anti-terrorism laws.

At the center of the investigation are three doctors allegedly linked to the terror module: Dr Omar Un Nabi, Dr Muzammil Ganai and Dr Shaheen Shahid, all associated with Al Falah University in Faridabad. According to investigators, these individuals were deeply involved in the operational planning of the attack.

What were the key findings?

Some of the more worrying aspects uncovered so far include:

Encrypted communication: The trio are alleged to have communicated through the Swiss messaging app Threema, a platform known for its privacy-centric design. Threema does not require a phone number or email address for registration; instead, it assigns each user a random ID that is not linked to any personal identifier. Investigators suspect that the three accused may have set up their own private Threema server, creating a closed, isolated network through which they shared maps, layouts, documents and instructions. The server may have been hosted in India or abroad (the investigation into its origin is ongoing). Threema’s architecture is particularly useful for avoiding detection because it provides end-to-end encryption, does not store metadata, and allows messages to be deleted at both ends. These features make it extremely difficult for digital forensics teams to reconstruct complete communication chains.

Sharing information using a ‘dead-drop email’: In what is being described as a classic “espionage-style” technique, the suspects apparently used a shared email account (accessible to all module members) to communicate via unsent drafts. Instead of sending messages, one member would save a draft; another member would log in, read or update it, and delete it, leaving no outgoing or incoming record in a conventional mail log. This method, sometimes called a “dead drop”, is particularly effective because it produces almost no digital footprint.

Reconnaissance and ammunition storage: According to interrogation and forensic data, the accused conducted several recce missions in Delhi before the attack. Investigators allege that ammonium nitrate, a powerful industrial explosive, was possibly moved using a red EcoSport vehicle that has now been seized. The use of an ordinary, familiar vehicle, rather than something more conspicuous, may have helped the module remain under the radar during the logistics build-up.

Operational discipline and external links: Sources say Dr Omar, who was allegedly the driver of the car that caused the blast, “switched off his phones” and severed digital ties after the arrest of his colleagues, a sophisticated strategy to limit exposure. Furthermore, although the investigation is ongoing, some sources suggest that the attack is linked to Jaish-e-Mohammed (JeM) or was carried out by a JeM-inspired module. The layered communications architecture (encrypted apps, dead-drop emails), coupled with rare but deliberate physical reconnaissance, suggests a cell that counted operational security among its top priorities.

What does academic scholarship say?

The tactics reportedly used in this attack align directly with patterns documented in counterterrorism scholarship. Researchers have long warned that extremist actors are increasingly using end-to-end encrypted (E2EE) tools to coordinate, share files, and plan in relative anonymity.

Apps like Threema, which reduce or eliminate metadata retention, make it significantly more difficult for surveillance agencies to reconstruct communication graphs. Furthermore, by running a private server, the threat actor effectively bypasses centralised infrastructure and the law-enforcement contact points associated with it. The use of unsent email drafts is old-school spycraft adapted for the digital age: because no message is ever transmitted, standard surveillance and lawful interception, which watch traffic in transit, have nothing to capture.

The mix of encrypted apps, anti-trace technology (such as VPNs), and physical tradecraft (recce missions, a minimal digital footprint) suggests a multi-domain approach to operational security, exactly what academic counter-terrorism analysts have been warning about for years.

What are the implications?

As more terror modules adopt privacy-preserving technologies, traditional surveillance such as phone tapping, metadata collection, and email interception has become less effective. This should force law enforcement agencies to rethink their investigative framework.

Threema has reportedly been banned in India (under Section 69A of the Information Technology Act, 2000), yet suspects continue to use it through VPNs and foreign proxies. This shows that bans alone cannot prevent misuse of such apps, especially by sophisticated operators. Investigators require advanced capabilities such as the ability to trace private servers, analyse encrypted networks, and apply memory forensics to detect such modules. Without specific technical expertise, seizing devices alone may not suffice.

Additionally, if the link to external operators (such as Jaish-e-Mohammed) proves true, the attack may be part of a broader network. The level of planning and security discipline shown suggests not a single cell, but a well-trained, possibly international, group.

What are some policy solutions?

There are several policy and strategic measures that could strengthen counter-terrorism capabilities and posture. The first is to build dedicated digital forensics teams. Recovering short-lived data requires establishing and expanding teams skilled in encrypted-platform analysis, server forensics, and memory acquisition. The government should invest in units that specifically monitor the misuse of E2EE platforms, anonymising services, and VPN exit nodes for potential terrorist use.

Secondly, self-hosted communications infrastructure needs to be regulated. The State needs to formulate a regulatory framework mandating private servers hosting communications platforms to comply with lawful access obligations, while balancing privacy rights. There is a need to encourage collaboration with technology providers to enable lawful interception under strictly controlled, judicially-supervised processes.

Third, the legal framework needs to be enhanced. For example, anti-terrorism laws need to be updated so that they clearly address the threats posed by encrypted, decentralised communications. Investigative procedure should introduce or refine mechanisms for detecting digital dead drops, and law enforcement should be trained to look for shared accounts, draft-only mailboxes, and similar tradecraft.
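The “draft-only mailbox” pattern described in the key findings above, and the detection the policy section calls for, can be reduced to a simple heuristic over mailbox audit logs: one account, logins from several different addresses, drafts repeatedly saved and deleted, and nothing ever sent. The following Python sweep is an added example written for this article, not code from the investigation or any mail product; the log format and the sample entries are constructed, and a real deployment would map them onto the audit events its own mail platform emits.

```python
import re
from collections import defaultdict

# Constructed sample mailbox audit log (not from the page or any real product):
# "<timestamp> <account> <session> <event> [key=value]"
SAMPLE_LOG = """\
2025-11-01T08:00:01Z ops-shared@example.test S1 LOGIN ip=198.51.100.7
2025-11-01T08:00:40Z ops-shared@example.test S1 DRAFT_SAVE id=d1
2025-11-01T13:10:02Z ops-shared@example.test S2 LOGIN ip=203.0.113.9
2025-11-01T13:11:00Z ops-shared@example.test S2 DRAFT_DELETE id=d1
2025-11-01T13:11:20Z ops-shared@example.test S2 DRAFT_SAVE id=d2
2025-11-02T09:00:00Z ops-shared@example.test S3 LOGIN ip=198.51.100.7
2025-11-02T09:00:30Z ops-shared@example.test S3 DRAFT_DELETE id=d2
2025-11-01T09:00:00Z alice@example.test S4 LOGIN ip=192.0.2.5
2025-11-01T09:05:00Z alice@example.test S4 DRAFT_SAVE id=d9
2025-11-01T09:06:00Z alice@example.test S4 SEND id=d9
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def summarize(log_text):
    """Per-account counters: login IPs, sessions, drafts saved/deleted, messages sent."""
    acct = defaultdict(lambda: {"ips": set(), "sessions": set(),
                                "drafts_saved": 0, "drafts_deleted": 0, "sent": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the sweep
        _ts, account, session, event, rest = m.groups()
        s = acct[account]
        s["sessions"].add(session)
        if event == "LOGIN" and rest and rest.startswith("ip="):
            s["ips"].add(rest[3:])
        elif event == "DRAFT_SAVE":
            s["drafts_saved"] += 1
        elif event == "DRAFT_DELETE":
            s["drafts_deleted"] += 1
        elif event == "SEND":
            s["sent"] += 1
    return acct

def flag_dead_drop_candidates(log_text, min_drafts=2, min_ips=2):
    """Accounts where drafts are saved and deleted across sessions from distinct IPs
    while nothing is ever sent: the draft-only, shared-login pattern."""
    hits = []
    for account, s in summarize(log_text).items():
        if (s["sent"] == 0 and s["drafts_saved"] >= min_drafts
                and s["drafts_deleted"] >= 1 and len(s["ips"]) >= min_ips):
            hits.append(account)
    return sorted(hits)
```

On the sample log only the shared account is flagged; in practice the thresholds need tuning, since legitimate shared mailboxes and users who move between home and office networks will produce the same signals and generate false positives.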

Fourth, community and institutional engagement should be prioritised. The fact that the suspects were reportedly doctors attached to a university is extremely worrying; such institutions need support for the early detection of radicalisation. Counter-radicalisation programmes can be deployed tailored toward highly educated recruits. Modules operating in professional settings (doctors, academics) are often less visible, but may have greater technical or conceptual sophistication.

And finally, there is a need to strengthen international cooperation. Given the potential international nature of the attack (encrypted apps, private servers, cross-border funding), the State should deepen cooperation with foreign intelligence and law enforcement agencies. It should also encourage tech diplomacy, and engage with countries where encrypted-messaging apps like Threema are based to explore legitimate but privacy-respecting access to self-hosted infrastructure linked to terror cases. There should also be public awareness about how modern terror cells operate.

What next?

The investigation into the Red Fort blast shows how fast modern terrorist modules are evolving. They no longer rely solely on brute force or mass propaganda – they are integrating advanced digital tradecraft with traditional fundamentalism and operational planning.

These developments align strongly with academic insights into extremist behavior in the digital age. As violent actors become more technologically adept, states must also adapt – not only by strengthening brute-force capabilities, but by developing sophisticated, multidisciplinary intelligence, cyber-forensic and legal tools.

For India – and for democracies globally – this case is a sobering reminder that the next frontier in counter-terrorism lies not just on physical terrain, but also in encrypted, decentralized and deeply private digital spaces. If we are to protect our cities and societies, we must combat this threat not only on roads and borders, but also on servers and code.

The author is a retired Additional Director General of the Indian Coast Guard.
