Ahmedabad: A dark web marketplace selling stolen email accounts for as little as $1 apiece has emerged as a key link in the chain of bomb hoax emails that terrorised schools, courts, and govt institutions across Gujarat earlier this year.The man allegedly running that marketplace, Sourav Biswas, 30, was arrested from West Bengal on March 1 in a joint operation by Ahmedabad’s crime branch and cybercrime branch. He was brought to the city on transit remand on March 3, and was placed in police custody for interrogation. Cybercrime police said Biswas supplied compromised IDs to the individuals responsible for the threatening emails.Biswas’s path to the dark web did not begin with grand criminal ambition. He had worked at a cybercafe and later drifted into digital marketing, eventually promoting erectile dysfunction medicines for a local pharmaceutical distributor. The work involved blasting promotional emails to large recipient lists. As his accounts were repeatedly blocked by recipients for spamming them, he started hunting for fresh email addresses in bulk, discovered underground forums and dark web marketplaces, and found he could buy around 1,000 email accounts with passwords for roughly $100. Then came the realisation that flipped his operation: other people needed those accounts too. He began reselling the same bundle for around $150, pocketing a steady profit from the margin.Over time, the side trade grew into something more systematic. Investigators say Biswas built and operated a platform called expetseller.shop, which offered an expanding menu of illegal digital goods and services, said investigators. “Listed on the site were hacked Gmail accounts, Google Voice numbers, social media accounts, compromised bank accounts, VPN and proxy services, remote desktop access, and valid phone numbers. He would source compromised credentials from dark web marketplaces or leaked databases, alter the account details, and resell them. Payments were accepted in cryptocurrency to keep the financial trail dark,” said a Cybercrime officer.The bomb threat investigation brought cybercrime officials to his digital doorstep. After schools, courts, post offices, and govt institutions began receiving emails warning of bomb blasts — some containing provocative content referencing national leaders and apparently designed to inflame tensions — investigators traced the digital trail through several compromised email IDs circulating online. Technical analysis led them back to accounts sourced through Biswas. IP addresses linked to at least 50 threatening emails sent to institutions in Ahmedabad, Gandhinagar, and Vadodara were traced to Bangladesh. Preliminary findings suggest some of the email IDs Biswas sold went to buyers in Bangladesh.To confirm the illegal operation, Cybercrime officials ran a decoy exercise, posing as buyers interested in purchasing email accounts. “A subsequent raid on his residence led to the seizure of three CPUs, five hard disks, and a cache of nearly 200 Gmail credentials, the officer said, adding: “The sting helped establish that compromised accounts were indeed being sold through his platform. He was selling email accounts for $1-$5 each and accepted payments in cryptocurrency to avoid a financial trail.“Biswas, originally from Shri Palli Bazar in the Gobindpalli area of Barrackpore, North 24 Parganas district, West Bengal, is said by police to have moved to India from Bangladesh during the Covid-19 period in 2021. He settled close to the India-Bangladesh border — approximately 8 km from it, according to investigators — and obtained identity documents after arriving. Police are now verifying whether those documents were obtained legitimately.The case has been registered under Sections 43, 66, and 66C of the Information Technology Act, along with other applicable provisions. Central agencies have been informed given the possible cross-border dimension. Investigators are continuing to analyse the seized devices, map out additional buyers, and determine the full scale of the network.
