NEW DELHI: Investigations into the blast near Delhi’s Red Fort on November 10 last year have revealed how a “white-collar” terror module relied on a sophisticated network of “ghost” SIM cards and encrypted messaging apps to stay in touch with Pakistani handlers.The accused, many of them highly educated doctors, used illegally obtained or fraudulently issued SIM cards and multiple mobile devices to evade surveillance.
The findings of this probe subsequently became the basis for a sweeping directive issued by the Department of Telecommunications (DoT) on November 28, mandating that app-based communication services such as WhatsApp, Telegram and Signal must remain continuously linked to an active physical SIM card installed in the device.A “ghost” SIM card is a mobile connection that is illegally issued or fraudulently activated without being linked to the actual user, security officials said. Such SIMs are typically obtained using forged or misused identity documents, including Aadhaar details of unsuspecting civilians, or through bulk activations that bypass verification norms. Investigators say these numbers allow criminals and terror operatives to communicate and use encrypted messaging applications while remaining largely untraceable, posing a significant challenge to telecom surveillance and law enforcement agencies.The ‘dual-phone’ playbookOfficials said the probe uncovered a tactical “dual-phone” protocol followed by the module. Each accused carried two to three mobile phones. One “clean” handset, registered in their own name, was used for routine personal and professional communication to avoid suspicion. The second, described as a “terror phone”, was used exclusively for encrypted communication with handlers in Pakistan through WhatsApp and Telegram, officials said.The SIM cards used in these secondary devices were issued in the names of unsuspecting civilians whose Aadhaar details had been misused, the officials told news agency PTI. In a parallel development, Jammu and Kashmir Police also uncovered a separate racket in which SIM cards were issued using fake Aadhaar cards.Among those arrested were Muzammil Ganaie and Adeel Rather, while Dr Umar-un-Nabi, another key accused, was killed while driving an explosives-laden vehicle near the Red Fort, officials said. The Pakistani handlers were identified by the codenames ‘Ukasa’, ‘Faizan’ and ‘Hashmi’.A disturbing trendInvestigators said security agencies noted a disturbing trend in which these compromised SIMs remained active on messaging platforms even when the devices were being operated from Pakistan-occupied Jammu & Kashmir (PoJK) or Pakistan. By exploiting app features that allow continued access without a physical SIM inside the device, handlers were able to remotely guide the module.Officials said the operatives were directed to learn improvised explosive device (IED) assembly through online videos and plan “hinterland” attacks, even though some of the recruits initially wanted to join conflict zones in Syria or Afghanistan.How does the government plan to tackle this?To plug these vulnerabilities, the Centre invoked the Telecommunications Act, 2023, along with the Telecom Cyber Security Rules, to “safeguard the integrity of the telecom ecosystem”. Under the new framework, all Telecommunication Identifier User Entities (TIUEs) have been given 90 days to ensure their applications function only when an active SIM card is present in the device.The order also directs telecom operators to automatically log users out of platforms such as WhatsApp, Telegram and Signal if no active SIM is detected. Messaging and social media platforms, including Snapchat, Sharechat and Jiochat, have been asked to submit compliance reports to the DoT.“This feature of using apps without a SIM is posing a challenge to telecom cyber security as it is being misused from outside the country to commit cyber frauds and terror activities,” the DoT had said while explaining the rationale behind the move.The directive is being fast-tracked in the Jammu and Kashmir telecom circle. While officials acknowledge that deactivating all expired or fraudulent SIMs will take time, the move is being viewed as a significant blow to the digital infrastructure used by terror networks to radicalise and manage “white-collar” operatives.Failure to comply with the new norms will attract stringent action under the Telecom Cyber Security Rules and other applicable laws, officials said.The white-collar terror moduleThe “white-collar” terror module began to unravel on the intervening night of October 18-19, 2025, when posters of the banned Jaish-e-Mohammad (JeM) appeared on walls outside Srinagar city, warning of attacks on police and security forces in the Valley.Treating the development as a serious threat, Senior Superintendent of Police, Srinagar, GV Sundeep Chakravarthy constituted multiple teams to carry out an in-depth investigation. Based on the statements of the arrested accused, the probe led police to Al Falah University in Haryana’s Faridabad, where two doctors, Ganaie, a resident of Koil in south Kashmir’s Pulwama, and Shaheen Sayeed from Lucknow, were arrested.A large cache of arms and ammunition, including 2,900 kg of ammonium nitrate, potassium nitrate and sulphur, was seized during the operation, officials said.The car explosion near the Red Fort, which claimed 15 lives, is being investigated by the National Investigation Agency (NIA).