Red Fort Blast: Accused Used ‘Ghost’ SIMs, Encrypted Apps to Link With Pakistan - What Probe Revealed

Investigators probing the deadly blast near Delhi’s Red Fort last November say a “white-collar” terror module used a sophisticated network of so-called “ghost” SIM cards, multiple mobile phones and encrypted

messaging apps to stay in touch with handlers based in Pakistan.Officials said the findings of the probe led to a major policy intervention by the Department of Telecommunications (DoT), which issued a directive on November 28 mandating that app-based communication platforms must remain continuously linked to an active physical SIM card inside the device.According to investigators, the accused, several of them highly educated doctors, followed a strict “dual-phone” or even “triple-phone” protocol to evade surveillance. Each carried a “clean” phone registered in their own name for everyday use and one or more separate handsets used exclusively for communication with terror handlers via apps such as WhatsApp and Telegram.

Those secondary devices were fitted with SIM cards issued in the names of unsuspecting civilians, whose Aadhaar details were allegedly misused. Police said they also uncovered a parallel racket in Jammu and Kashmir in which SIM cards were obtained using fake Aadhaar credentials.Among those named in the probe are Muzammil Ganaie, Adeel Rather and others. Another accused, Dr Umar-un-Nabi, was killed while driving the explosives-laden vehicle that detonated near the Red Fort on November 10.Officials said the handlers, operating from Pakistan and Pakistan-occupied Kashmir, used codenames such as “Ukasa”, “Faizan” and “Hashmi”. By exploiting features that allow messaging apps to function without a physical SIM in the device, they were able to remain logged in across borders even after SIMs were removed.Investigators said this loophole allowed handlers to guide recruits remotely, including directing them to learn improvised explosive device (IED) assembly through online videos and to plan attacks in India’s hinterland. Some of the recruits had initially expressed a desire to travel to conflict zones in Syria or Afghanistan, officials added.To counter such misuse, the Centre invoked provisions of the Telecommunications Act, 2023, and the Telecom Cyber Security Rules. Under the new framework, within 90 days, all Telecommunication Identifier User Entities must ensure their applications work only if an active SIM is installed in the device. Telecom operators have also been directed to automatically log users out of apps such as WhatsApp, Telegram and Signal if no active SIM is detected. Officials said all service providers, including platforms such as Snapchat, ShareChat and JioChat, have been asked to submit compliance reports to the DoT. Non-compliance could invite stringent action under cyber security and telecom laws.The DoT has said the ability to use messaging apps without a SIM poses a serious cyber security challenge and has been exploited for terror activities and cyber fraud originating from outside the country. The directive is being fast-tracked in the Jammu and Kashmir telecom circle, though officials acknowledged that identifying and deactivating all fraudulent or expired SIMs will take time. Investigators believe the measure will deal a significant blow to the digital infrastructure used by terror networks to recruit, radicalise and manage “white-collar” operatives.The terror module began to unravel in October 2025 after posters of the banned Jaish-e-Mohammad appeared on walls outside Srinagar, threatening attacks on police and security forces. Following the arrests, police tracked links to Al Falah University in Faridabad, Haryana, where two doctors were taken into custody and large quantities of explosives were seized.The Red Fort blast, which killed 15 people, is now being investigated by the National Investigation Agency.(With PTI inputs)