Forced to Pull Story on Indian Firm's Alleged Global Hacking Operation, Reuters to Fight Court Order

New Delhi: Following a Delhi court’s preliminary order, the news agency Reuters has temporarily removed a special investigation which claimed that an Indian information technology company, Appin, stole data from prominent persons around the globe, including politicians, military officials and business executives.

Reuters, however, said that it “stands by its reporting and plans to appeal the decision.”

The additional district judge North West Rohini court found the article to be prima facie “indicative of defamation,” according to a copy of the order seen by The Wire.

The special report was published on November 16, 2023 and was titled, ‘How an Indian Startup Hacked the World’. It claimed that the Delhi-based firm Appin, which was started by brothers Rajat and Anuj Khare, allegedly hacked on an industrial scale, stealing data from political leaders, international executives, prominent attorneys and more. Reuters described its activity as a “sprawling cyber-mercenary operation that extended across the world.”

In an Editor’s note published on December 5, Reuters said it had temporarily removed the article to comply with a preliminary court order issued on December 4.

In his order, additional district judge Rakesh Kumar Singh noted that he was prima facie satisfied that the special report was “indicative of defamation,” and that the website should not retain such an article in the public domain.

The court, however, clarified that this was only a prima facie opinion. The “defendants shall have sufficient opportunity to express their views through reply, contest in the main suit etc. and the final decision shall be taken subsequently.”

The court order was issued amid a pending lawsuit brought against Reuters in November 2022 by the lawyers of Appin Association of Training Centre, accusing the news agency of a defamatory campaign. “As set forth in its court filings, Reuters disputes those claims,” the agency stated.

The Reuters report claimed its investigation found that Appin grew from an educational startup to “a hack-for-hire powerhouse”. Appin alumni went on to form other firms that are still active, the report said.

The report said that Khare was a 20-year-old computer science student when he and his friends came up with the idea for Appin in 2003. They launched their first classes on computer programming. By 2005, the company had an office in west Delhi. Soon, he took charge of the firm with his brother Anuj, a motivational speaker who returned to India after a stint running a startup in Texas, Reuters said.

Rajat Khare’s US representative, the law firm Clare Locke, rejected any association between its client and the cyber-mercenary business. It told Reuters that Khare “has never operated or supported, and certainly did not create, any illegal ‘hack for hire’ industry in India or anywhere else.”

Clare Locke said, “Mr. Khare has dedicated much of his career to the fields of information technology security – that is, cyber-defense and the prevention of illicit hacking.”

Reuters noted that while the original Appin has now largely disappeared from public view its impact was still felt today, as copycat firms led by its alumni continue to target thousands.

Khare’s lawyers said media articles tying him to hacking were “false” or “fundamentally flawed.”

Clare Locke, as quoted in the report, said under Khare’s tenure, Appin specialised in training thousands of students in cybersecurity, robotics and artificial intelligence, “never in illicit hacking.” The lawyers said Khare left Appin, in part, because rogue actors were operating under the company’s brand, and he wanted “to avoid the appearance of associations with people who were misusing the Appin name.”

The Delhi district judge, while ordering Reuters to take down the article, said the “balance of convenience” lies in directing the withdrawal of the content.

“I am of the opinion that even if the defendants for some period do not retain the article on the website and on that account they suffer any market value, [they] can be ultimately compensated by money from the plaintiff but the retention of such material on the website if allowed, the same may have devastating effect on the general students population of India (sic),” the court said.

Reuters said its report on Appin was based on thousands of company emails as well as financial records, presentations, photos and instant messages from the firm. Reporters also reviewed case files from American, Norwegian, Dominican and Swiss law enforcement, and interviewed dozens of former Appin employees and hundreds of victims of India-based hackers, it said. The reporters gathered the material – which spans 2005 until earlier this year – from ex-employees, clients and security professionals who’ve studied the company, the agency added.

Reuters said it verified the authenticity of the Appin communications with 15 people, including private investigators who commissioned hacks and ex-Appin hackers themselves. The news agency also asked US cybersecurity firm SentinelOne to review the material for signs that it had been digitally altered. The firm said it found none, according to the report.