The threat of digital tradecraft in terrorism | Explained

The story so far:
The evolving investigation into the recent car explosion near Delhi’s Red Fort has revealed a chilling dimension: modern terror modules no longer rely only on ideological or logistical networks but also use advanced digital tradecraft to plan and coordinate attacks. While law enforcement continues to verify all leads, the findings emerging from the investigation confirm well-established academic research on how violent actors use encrypted platforms, decentralized networks, and spy-style communications to evade surveillance.
What happened?
On November 10, a car exploded near Gate 1 of the Red Fort Metro Station. At least 15 people were killed and more than 30 others were injured in the blast, making it one of the deadliest terror incidents in Delhi in recent memory. Indian authorities moved quickly to treat the incident as a terrorist attack rather than a simple accident and handed over the investigation to the National Investigation Agency (NIA) under anti-terrorism laws.
At the center of the investigation are three doctors allegedly linked to the terror module: Dr. Umar Un Nabi, Dr. Muzammil Ganaie and Dr. Shaheen Shahid, all affiliated with Al Falah University, Faridabad. According to investigators, these men were deeply involved in the operational planning of the attack.
What were the main findings?
Some of the concerning issues uncovered so far include:
Encrypted communication: The trio allegedly communicated via Threema, a Swiss messaging app known for its high privacy design. Threema does not need a phone number or email address to sign up; instead, it assigns users a random user ID that is not linked to any personal identifier. Investigators suspect that the three defendants may have set up their own private Threema servers, creating a closed, isolated network where they shared maps, layouts, documents and instructions. The server may be hosted in India or abroad (investigations into its origin are ongoing). Threema’s architecture is particularly useful for evading detection because it offers end-to-end encryption, requires no metadata storage, and allows messages to be deleted from either end. These features make it extremely difficult for digital forensics teams to reconstruct entire communication chains.
Sharing information using ‘unsent emails’: In what has been described as a classic “spy-style” technique, the suspects apparently used a shared email account (accessible to all module members) to communicate via unsent drafts. Instead of sending messages, one member saved a draft; another member logged in, read or updated it, and then deleted it. Thus, no outgoing or incoming messages are left in conventional mail records. This method, sometimes called a “dead drop,” is particularly insidious because it creates almost no digital footprint.
Reconnaissance and explosives stockpiling: According to interrogations and forensic data, the accused carried out multiple reconnaissance missions in Delhi before the attack. Investigators allege that ammonium nitrate, a powerful industrial explosive, was likely stockpiled using a red EcoSport vehicle that has now been seized. Using a familiar, unremarkable vehicle rather than a more suspicious one may have helped the module stay under the radar during logistics preparation.
Operational discipline and external links: Sources said Dr. was the driver of the car that caused the explosion. He claims that Umar “turned off his phones” and cut digital ties after his friends’ arrest; this was a sophisticated tactic to limit exposure. Moreover, although investigations are ongoing, some sources suggest that the attack is linked to Jaish-e-Mohammed (JeM) or was carried out by a JeM-inspired module. Its layered communications architecture (encrypted applications, unsent emails) combined with infrequent but deliberate physical reconnaissance suggests a cell that counts operational security among its highest priorities.
What does academic scholarship say?
The tactics used in this attack were reported to be directly consistent with patterns documented in counterterrorism research. Researchers have long warned that extremist actors are increasingly using end-to-end encrypted (E2EE) tools to coordinate, share files and plan in relative anonymity.
Apps like Threema that minimize or eliminate metadata storage make it significantly harder for surveillance agencies to reconstruct communication graphs. Moreover, by running a private server, the threat actor effectively bypasses the central infrastructure and the touchpoints law enforcement would normally rely on. The use of unsent email drafts is characteristic of old-school espionage adapted for the digital age. This method leaves no obvious transmission log, thus precluding standard surveillance or lawful interception.
The blend of encrypted applications, anti-tracking techniques (such as VPNs), and physical tradecraft (reconnaissance, minimal digital footprint) suggests a multi-domain approach to operational security; this is exactly what academic counterterrorism analysts have been warning about for years.
What are the consequences of this?
As more terror modules adopt privacy-preserving technologies, traditional surveillance such as phone tapping, metadata collection, and email intercepts has become less effective. This should force law enforcement to rethink its investigative architecture.
Threema is reportedly banned in India (under Section 69A of the Information Technology Act, 2000), but the suspects appear to have continued using it via VPNs and foreign proxies. This shows that bans alone cannot prevent the abuse of such apps, especially by sophisticated operators. Investigators need advanced capabilities such as the ability to monitor private servers, reverse engineer encrypted networks, and apply memory forensics to track such modules. Standard device seizures may not be sufficient without specialist technical expertise.
Moreover, if the link to external handlers (such as JeM) proves correct, this attack could be part of a wider network. The level of planning and security discipline demonstrated is suggestive of a well-trained, possibly transnational group, rather than a single cell.
What are some policy solutions?
There are numerous policy and strategic solutions to strengthen counterterrorism capabilities and posture. The first is to create dedicated digital forensics teams. There is a need to establish and expand teams skilled in encrypted platform analysis, server forensics, and memory dumping to recover volatile data. In particular, the government should invest in units that monitor abuse of E2EE platforms, anonymization services, and VPN exit nodes for potential terrorist traffic.
Second, self-hosted communications infrastructure needs to be regulated. The government needs to create regulatory frameworks that require private servers hosting communications platforms to comply with lawful access obligations, while balancing privacy rights. Collaboration with technology providers needs to be encouraged to enable lawful intervention under tightly controlled, judicially supervised processes.
Third, legal frameworks need to be strengthened. For example, counterterrorism laws need to be updated to clearly address the threats posed by encrypted, decentralized communications. Mechanisms for detecting digital dead drops should be introduced or improved in investigations. Law enforcement should be trained to look for shared accounts, draft-only mailboxes, and similar tradecraft tools.
Fourth, social and institutional participation needs to be prioritized. It is extremely worrying that the suspects are reported to be doctors from a university; such institutions need support to detect radicalization early. Counter-radicalization programs aimed at highly educated recruits could be implemented. Modules operating in professional fields (doctors, academics) are generally less visible but may have greater technical or ideological sophistication.
Finally, international cooperation needs to be strengthened. Given the possible transnational nature of the attack (encrypted applications, private servers, cross-border financing), the state needs to deepen cooperation with foreign intelligence and law enforcement. It should also promote technology diplomacy and engage with the countries where encrypted messaging apps like Threema are based, to explore lawful but privacy-respecting access to self-hosted infrastructure linked to terrorism cases. The public also needs to be made aware of how modern terrorist cells work.
What’s next?
The Red Fort explosion investigation shows how rapidly modern terrorist modules are evolving. They no longer rely solely on brute force or mass propaganda; they integrate advanced digital tradecraft with traditional radicalization and operational planning.
These developments resonate strongly with academic understandings of extremist behavior in the digital age. As violent actors become more technically adept, states must adapt; not only by strengthening brute force capacity, but also by developing sophisticated, multi-disciplinary intelligence, cyber forensics and legal tools.
For India and global democracies, this case is a reminder that the next frontier in counterterrorism is not just in physical space, but also in encrypted, decentralized and highly private digital spaces. If we want to protect our cities and societies, we must meet this threat not only on the streets and borders, but also in servers and code.
The writer is retired Additional Director General of the Indian Coast Guard.