
Exclusive

Tek Fog: An App With BJP Footprints for Cyber Troops to Automate Hate, Manipulate Trends

The Wire investigates claims behind the use of ‘Tek Fog’, a highly sophisticated app used by online operatives to hijack major social media and encrypted messaging platforms and amplify right-wing propaganda to a domestic audience.

Ayushman Kaul and Devesh Kumar / 06 January 2022

New Delhi: Over a series of tweets in April 2020, an anonymous Twitter account @Aarthisharma08 claiming to be a disgruntled employee of the Bharatiya Janata Party's (BJP's) Information Technology Cell (IT Cell) alleged the existence of a highly sophisticated and secret app called 'Tek Fog'. They claimed this app is used by political operatives affiliated with the ruling party to artificially inflate the popularity of the party, harass its critics and manipulate public perceptions at scale across major social media platforms.

The Twitter handle's mention of Tek Fog – a 'secret app' that they said was able to 'bypass reCaptcha codes' allowing fellow employees to 'auto-upload texts and hashtag Trends' – caught the attention of the authors of this piece, who reached out to the individual behind the account in order to investigate the existence of this hitherto unknown app.

Over subsequent conversations, the source claimed their daily job involved hijacking Twitter's 'trending' section with targeted hashtags, creating and managing multiple WhatsApp groups affiliated to the BJP and directing the online harassment of journalists critical of the BJP, all via the Tek Fog app.

The source went on to allege that they had decided to come forward after their supposed handler – Devang Dave, ex national social media and IT head, Bharatiya Janata Yuva Morcha (the youth-wing of the BJP) and current election manager for the party in Maharashtra – failed to deliver on a lucrative job offer promised in 2018 if the BJP was able to retain power in the 2019 Lok Sabha elections.

Over the next two years, a process of correspondence followed where the team at The Wire set out to test what could and could not be verified in the allegations made by the whistleblower, in addition to investigating the broader implications of the existence of such an app on the public discourse and the sanctity of the country's democratic processes.

Each of the allegations made by the whistleblower was subjected to a process of independent verification through which the team sought to learn more about the different functionalities of the app, the identity of the app creators, its users and the organisations enabling its use. Via encrypted emails and online chat rooms, the individual behind the Twitter account sent several screencasts and screenshots demonstrating the app's features. The source also shared payslip and bank statements to establish their identity (on the condition that these not be made public) and that of their employers.

The source did not provide The Wire direct access to the Tek Fog app. They claimed that this was due to the presence of various security restrictions – including the requirement of three one-time passwords (OTPs) to login to the app dashboard and the use of a local firewall that prevents access outside of the facility. They were, however, able to connect us via email to a BJYM official who provided code scripts that helped the team identify the various external tools and services connecting to the secure server hosting the Tek Fog app. The same script also led The Wire's team to one of the servers hosting the app, allowing us to independently verify that the app was functional at the time of publication and was not just a prototype.

In addition to the primary evidence provided by the source, the team at The Wire also employed a wealth of open-source investigative techniques to conduct an extensive forensic analysis of the various social media assets provided by the source, and to corroborate the network infrastructure underpinning the use of the app. The team also interviewed other independent experts and current employees at the organisations implicated in the broader operation in a bid to glean more insight into the network.

Through this process, The Wire was able to build upon these first shreds of evidence and uncover a vast operation pointing towards the existence of a group of public and private actors working together to subvert public discourse in the world's largest democracy by driving inauthentic trends and hijacking conversations across almost all major social media platforms.

Pandora's app of social media manipulation: Four alarming features

The screencasts and screenshots of Tek Fog provided by the source highlighted the various features of the app and helped the team gain further insight into the operational structure of the network of cyber troops using it on a daily basis to manipulate public discourse, harass and intimidate independent voices, and perpetuate a partisan information environment in India.

1 / Engineering the public narrative

One of the primary functions of the app is to hijack the 'trending' section of Twitter and 'trend' on Facebook. This process uses the app's in-built automation features to 'auto-retweet' or 'auto-share' the tweets and posts of individuals or groups and spam existing hashtags by accounts controlled by the app operatives.

This feature is also used to amplify right-wing propaganda, exposing this content to a more diverse audience on the platform, making extremist narratives and political campaigns appear more popular than they actually are.

The Wire verified this claim by monitoring the inauthentic and suspicious on-platform activity of two trending hashtags provided by the source ahead of time. Each of the provided hashtags reached the platforms' trending section after being inauthentically amplified by a range of suspicious accounts.

One of the hashtags – #CongressAgainstLabourers – was shared by the source at 8:25 pm IST on May 4, 2020, as part of a screenshot revealing their 'daily task' list for that day. According to the same screen, the source was tasked with making the hashtag appear in at least 55,000 tweets and reach the 'trending' section of the platform.

An analysis of the on-platform activity of the hashtag via Meltwater Explore, a social media analysis tool, revealed that the hashtag had first appeared two hours prior on Twitter, eventually peaking at around 9 pm, half an hour after the source had shared the screen. The trend went on to accumulate 57,000 mentions, surpassing their assigned goal by 2,000 tweets. Moreover, the screen also showed how the source had posted the hashtag using 1,700 accounts in the first two hours after 'activating' the task, a fact that was corroborated by this independent analysis with exactly 1,700 accounts posting the hashtag at around 6:30 pm IST.
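The kind of timeline check described above (first appearance, peak window, total mentions, and how many accounts join in the same window) can be sketched as follows. This is an added example, not the tooling used in the investigation; the record layout, the `#SampleTag` hashtag and every value in `build_sample` are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))

def build_sample():
    """Constructed records: 3 early posters, 20 accounts joining together, then a repeat wave."""
    base = datetime(2024, 1, 1, 18, 0, tzinfo=IST)
    rows = [{"account": f"early_{i}", "time": base + timedelta(minutes=5 * i + 5),
             "hashtags": ["#SampleTag"]} for i in range(3)]
    for i in range(20):
        # Twenty previously unseen accounts post within the same ten minutes.
        rows.append({"account": f"batch_{i}", "time": base + timedelta(minutes=30 + i % 10),
                     "hashtags": ["#sampletag", "#Other"]})
        # The same accounts each post three more times, three hours later.
        for k in range(3):
            rows.append({"account": f"batch_{i}", "time": base + timedelta(hours=3, minutes=k),
                         "hashtags": ["#SAMPLETAG"]})
    rows.append({"account": "bystander", "time": base, "hashtags": ["#Unrelated"]})
    return rows

def hashtag_timeline(tweets, hashtag, target, bucket_minutes=30):
    """Bucket mentions of one hashtag and report volume and account churn per window."""
    tag = hashtag.lower()
    width = bucket_minutes * 60
    buckets = defaultdict(lambda: {"mentions": 0, "accounts": set()})
    first_seen = None
    for t in tweets:
        if tag not in {h.lower() for h in t["hashtags"]}:
            continue
        when = t["time"]
        if first_seen is None or when < first_seen:
            first_seen = when
        start = int(when.timestamp()) // width * width   # floor to the window start
        buckets[start]["mentions"] += 1
        buckets[start]["accounts"].add(t["account"])

    seen, rows = set(), []
    for start in sorted(buckets):
        accounts = buckets[start]["accounts"]
        rows.append({
            "start": datetime.fromtimestamp(start, tz=IST),
            "mentions": buckets[start]["mentions"],
            "accounts": len(accounts),
            # Accounts that had not used the hashtag in any earlier window.
            "new_accounts": len(accounts - seen),
        })
        seen |= accounts

    total = sum(r["mentions"] for r in rows)
    peak = max(rows, key=lambda r: r["mentions"]) if rows else None
    return {
        "first_seen": first_seen,
        "total_mentions": total,
        "distinct_accounts": len(seen),
        "peak": peak,
        "met_target": total >= target,
        "rows": rows,
    }

if __name__ == "__main__":
    summary = hashtag_timeline(build_sample(), "#SampleTag", target=80)
    for row in summary["rows"]:
        print(row["start"].strftime("%H:%M"), row["mentions"], row["accounts"], row["new_accounts"])
    print("total", summary["total_mentions"], "target met:", summary["met_target"])
```

A window in which nearly every posting account is new to the hashtag, followed by a peak produced by those same accounts, is the pattern worth a closer look.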


The screenshots also show that these accounts are created using the in-app features that allow individual operatives to generate 'temporary' email addresses, activate phone numbers and bypass programming limitations, and email and OTP verification set by WhatsApp, Facebook, Instagram, Twitter and Telegram.

The team, however, could not verify whether these were 'temporary' accounts created by the app or the existing accounts belonging to real BJP workers and app operatives that were integrated into the app to allow for scheduled posting.

2 / Phishing 'inactive' WhatsApp accounts

Another alarming feature offered by the app is its ability to allow individual operatives to hijack 'inactive' WhatsApp accounts of private citizens and use their phone number to message their 'frequently contacted' or 'all contacts', using a technique resembling 'token theft'. App operators also use this feature to phish the personal information of targeted users to add to a cloud-based political database. The addition of private citizens into this database makes them available as potential targets in future harassment and trolling campaigns.

The Wire verified this feature by asking the source to perform a real-time demonstration of the WhatsApp exploit. Within minutes of being provided with a custom text message by the authors, the source used the Tek Fog app to hijack an 'inactive' WhatsApp account belonging to one of the authors and used the compromised account to send the custom text message to the researchers' 'frequently contacted' users on the platform.

All the top five users (including one that belonged to the other author) received the custom text message confirming that this particular feature of the app was functional at the time of analysis.

3 / Using database of private citizens for targeted harassment

The screenshots and screencasts of the app show an extensive and dynamic cloud database of private citizens categorised according to their occupation, religion, language, age, gender, political inclination and even physical attributes. The screenshots also indicate that this database allows app operatives to 'auto-reply' to individuals or groups by connecting a Google Sheet or by auto-generating keywords and phrases, a vast majority of which are abusive or derogatory.

The Wire verified this feature by monitoring the replies sent to 'female journalists', one of the targeted groups shown in the app. Between January 1, 2021, and April 31, 2021, the team parsed 4.6 million replies received by 280 of the most retweeted women journalists on Twitter, discovering that 18% (over 800,000 replies) were made from accounts managed via the Tek Fog app. Many of these replies included one or more profane keywords shown in the app screenshots, suggesting that the delineation of targets into different categories allows operatives to target victims with extreme granularity.

The Wire was unable to access any of the connected Google Sheets, as the app operatives do not possess a direct link allowing them to edit or view the documents but rather can only select available 'inputs' from an auto-suggested menu in the app. However, AltNews has previously reported on the BJP's use of Google Sheets to disseminate narratives.

4 / No trace left behind

Another important functionality present in the app screens was the ability for app operatives to delete or remap all existing accounts at a moment's notice. This feature theoretically allows them to destroy all incriminating evidence of their past activity.

However, the very nature of the feature itself precluded The Wire from independently verifying whether it was active at the time of publication.

The corporate-technical nexus behind Tek Fog

After reviewing the features of the Tek Fog app, the team asked the whistleblower to provide information regarding their employers. A bank statement and payslip sent by them surprisingly listed the involvement of two private companies, Persistent Systems and Mohalla Tech Pvt. Ltd., as their 'employer' and 'assigned client', respectively.

Persistent Systems is an Indian-American publicly traded technology services company founded in 1990. Mohalla Tech Pvt. Ltd. is the company behind Sharechat, a popular Indian regional language social media platform funded by Twitter.

The source explained that Persistent Systems employ them as a 'social media incharge' based out of the company's corporate office in Nagpur, India. However, their current project to operate the Tek Fog app required close collaboration with Sharechat and the person they identified as their immediate supervisor, Devang Dave, the former National Social Media and IT Head of BJYM and the current election manager for the BJP in Maharashtra.

The Wire could not independently confirm Dave's direct supervisory role though our technical analysis confirms a broad connection.

Persistent Systems link to Tek Fog

Persistent Systems is a technology services company that has heavily invested in acquiring government contracts since 2015. In an interview with The Hindu Businessline in January 2018, Mritunjay Singh, the then-executive director and president-services of the company claimed that the company was 'bullish on government spending on Information Technology to give a boost to its revenues'. A few months later, in July of the same year, India's Ministry of Health and Family Welfare chose Persistent Systems to build a digital data hub that would record, store and process health information across ten Indian states.

The Wire investigated Persistent Systems' role in the Tek Fog operation by reaching out to an independent source currently employed at the company. This source provided screenshots of the company's Microsoft Sharepoint (an internal collaboration tool), indicating the app's active development through around 17,000 assets identified by the search term 'Tek Fog'.

These assets include technical documents that suggest the development of different layers of the app, including Twitter and WhatsApp integration, data input tools through Google Forms, payment infrastructure via Paytm and automation tools using Tasker – an Android application that triggers specific actions like sending a message, based on inputted 'contexts' like user location, time, date, event and gesture.

The Wire contacted Persistent Systems for their response but they refused to comment on the piece prior to publication.

Using Sharechat to seed hate speech

The source claimed that the app operatives used Sharechat, the flagship product of Mohalla Tech Pvt. Ltd. to test and curate fake news, political propaganda and hate speech before automating it to other popular social media platforms like Twitter, Facebook, and WhatsApp.

Marketed as India's #1 social media app, Sharechat has thousands of targeted regional communities that allow millions of users to share posts, news, photos, memes, and videos in their local language. The app acts as both a social network – where users can follow accounts, message existing users – and an open broadcasting platform, where people share content with strangers.

Sharechat supports 14 different local languages and focuses on hyperlocal content catering to India's burgeoning class of non-English speaking social media users predominantly hailing from the Tier-2 and Tier-3 cities. With a claimed base of 160 million users in India, the company raised $502 million in April 2021 from Tiger Global, Snap and some existing investors such as Twitter, and $145 million in a fresh funding round last July, valuing the company at nearly $3 billion.

In 2018, Hindustan Times reported that the company was plagued by fake news and hate speech issues, with many of its communities rife with misinformation and political propaganda. In the same year, The Ken questioned the firm's privacy policy that allowed advertisers and business partners to access its users' contact list, location data and device details, including the other apps installed on a user's phone. A year later, the Economic Times reported that the company had deleted more than half a million accounts amounting to over 4,87,000 unique posts, for violating the platform's community guidelines governing the promotion of harmful and abusive content to incite violence and manufactured hashtag campaigns.

During the Uttar Pradesh elections in 2017, Ankur Shrivastava, the product lead at Sharechat, published a Medium post highlighting the company's steps to woo political parties to the social media platform. This included creating special communities and tags for regional parties and deriving a popularity index for them in the UP elections. A year later, MoneyControl published an article highlighting how multiple regional and national parties had created profiles on the vernacular platform, hoping to leverage the platform's access to its predominantly regional audience.

To verify their claim and provide further insight into the platform's connection to the broader operation, the whistleblower provided a list of 14 accounts controlled by them via the Tek Fog app, each of which had a linked account on Sharechat.

The Wire monitored the public posts made by these accounts on Sharechat as well as on Twitter/Facebook over a period of 30 days from April 1 to April 30, 2020. A script that compared the posts made by the accounts on Sharechat to those made by the same account on Facebook/Twitter was used, revealing that 90% of the posts were common across the various platforms. Further review of the timestamps of these posts highlighted that these common posts were first uploaded on Sharechat before being migrated over to Twitter or Facebook.
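A cross-platform comparison of this kind can be sketched as below. This is an added example and not the script used in the investigation: the record layout, the normalisation rules, the choice of distinct posts per account as the denominator and all sample records are assumptions made for illustration.

```python
import re
import unicodedata
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not data from the investigation).
SAMPLE_POSTS = [
    {"account": "acct_a", "platform": "sharechat", "time": "2024-01-01T09:00:00+05:30",
     "text": "Vote for change! #SampleTag http://sc.example/1"},
    {"account": "acct_a", "platform": "twitter", "time": "2024-01-01T09:40:00+05:30",
     "text": "vote for change #SampleTag https://t.example/x"},
    {"account": "acct_a", "platform": "sharechat", "time": "2024-01-01T10:00:00+05:30",
     "text": "Second message here"},
    {"account": "acct_a", "platform": "facebook", "time": "2024-01-01T10:05:00+05:30",
     "text": "Second  message here."},
    {"account": "acct_a", "platform": "twitter", "time": "2024-01-01T11:00:00+05:30",
     "text": "Only on twitter"},
    {"account": "acct_a", "platform": "sharechat", "time": "2024-01-01T12:30:00+05:30",
     "text": "Late copy"},
    # Same instant as 12:00 IST, recorded in UTC: the mainstream copy came first here.
    {"account": "acct_a", "platform": "twitter", "time": "2024-01-01T06:30:00+00:00",
     "text": "Late copy"},
    {"account": "acct_b", "platform": "twitter", "time": "2024-01-01T08:00:00+05:30",
     "text": "Standalone note"},
    {"account": "acct_b", "platform": "twitter", "time": "2024-01-01T08:05:00+05:30",
     "text": "https://t.example/only-link"},
]

def normalise(text):
    """Reduce a post to a comparison key that survives per-platform rewriting."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"https?://\S+", " ", text)   # links are shortened differently per platform
    # Replace punctuation, symbols, separators and control characters with spaces,
    # but keep '#' and '@' so hashtags and mentions stay distinguishable.
    kept = (c if c in "#@" or unicodedata.category(c)[0] not in "PSZC" else " " for c in text)
    return " ".join("".join(kept).split())

def compare_accounts(posts, seed="sharechat"):
    """Per account: distinct posts, posts seen on both sides, and how many appeared on `seed` first."""
    first_seen = defaultdict(dict)   # (account, key) -> {"seed"/"mainstream": earliest time}
    for p in posts:
        key = normalise(p["text"])
        if not key:                  # nothing left to compare (e.g. a bare link)
            continue
        side = "seed" if p["platform"] == seed else "mainstream"
        when = datetime.fromisoformat(p["time"])   # timezone-aware, so offsets compare correctly
        seen = first_seen[(p["account"], key)]
        if side not in seen or when < seen[side]:
            seen[side] = when

    report = defaultdict(lambda: {"distinct": 0, "common": 0, "seed_first": 0})
    for (account, _key), seen in first_seen.items():
        row = report[account]
        row["distinct"] += 1
        if len(seen) == 2:
            row["common"] += 1
            if seen["seed"] < seen["mainstream"]:
                row["seed_first"] += 1
    for row in report.values():
        row["common_share"] = round(row["common"] / row["distinct"], 2)
    return dict(report)

if __name__ == "__main__":
    for account, row in sorted(compare_accounts(SAMPLE_POSTS).items()):
        print(account, row)
```

Exact matching after normalisation misses paraphrased or lightly edited copies, so the shares it reports are a lower bound on reuse.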

To determine whether this pattern represented the broader behaviour of the Tek Fog network of accounts, we parsed 3.8 million publicly available posts uploaded in the popular 'Hindi' and 'Marathi' trending communities on Sharechat. This dataset was mapped onto a network graph via Graphistry, a visualisation tool, to highlight the relationships between different communities within Sharechat and other publicly available mainstream social media platforms, including Twitter 'lists' and Facebook 'groups'.

The graph showed that almost 87% of content uploaded into popular Marathi communities and 79% of posts in Hindi communities on Sharechat were subsequently shared onto mainstream social media platforms by accounts participating in these 'trending' regional language based political communities.

All of their posts were then fed into the IBM Watson tone analyser, a natural language processing (NLP) tool capable of detecting emotional and language tones. Using various deep learning AI models, we classified these posts under different emotional and tonal labels. This analysis helped illuminate if the shared content has an emotion of hatred and, if so, where the hatred was redirected to: gender, religion, disability, ethnicity, caste and sexual orientation. This technique was used to categorise all the posts under four brackets: Racist, Sexist, Casteist or None – those falling under the first three brackets with a confidence level of 90% and above were labeled as hate speech. Out of the total 3.8 million posts reviewed via this method, almost 58% (2.2 million) of them could be labeled as 'hate speech'. This result was cross verified using Comprehend, another NLP tool provided by Amazon Web Services.

The Wire reached out to the grievance officer of Sharechat for their response on the story but they declined to comment immediately, seeking more time for an internal investigation.

The A records: Tying it all together

To better understand the connection between the Tek Fog operation and the BJYM, the source connected the authors via email to another current BJYM office-holder. This individual sent us a piece of code via their official email id that helped the team identify the various external websites and tools connecting to the secure server hosting the Tek Fog app.

This bit of code, called a Network Profiler, was written in the Python language and displayed the Tek Fog server's real-time network activity – showing data sent and received and a list of all the websites and services accessing the app. The BJYM office holder executed the code, timestamped on February 1, 2020, at 6:46 PM GMT. It 'unlocked' the Tek Fog application programming interface – or API, a connection between two systems executed through code – hosted on a content delivery network managed by Persistent. The code bypassed the inbuilt security system to spit out a list of websites and services accessing the Tek Fog app on that particular day.

The Wire was able to corroborate the authenticity of the script by having it reviewed by an independent expert, currently employed as a lead software architect at Microsoft. The independent expert was able to restore the missing libraries present in the original script[1], and ran the script on their local computer. They went on to confirm that the script acts as an 'inbound network profiler' that produces a list of all the websites and services accessing their local servers.

The team also used a threat intelligence platform[2] to reveal the digital identity of these services, by their links (for example, The Wire is identifiable by its link thewire.in).

One of the first identified links was metabase.sharechat.com – suggesting Sharechat's direct involvement in the Tek Fog operation. Apart from Sharechat, there were popular business tools used for productivity (Google Docs and Sheets, Zoho), automation (Zapier, Tasker) and analytics (Grafana, Google Analytics). Others, however, linked to pro-establishment Hindi-and-English websites and news platforms, including Republic World, OpIndia, ABP News and Dainik Jagran, raising questions regarding the complicity of certain digital media outlets in helping the BJP perpetuate a partisan informational ecosystem in the country.

The remaining links corroborate integral parts of the broader Tek Fog investigation, including the involvement of BJYM through Devang Dave. Two of the listed links – 172.104.48.129 and 103.53.43.161[3] – accessed the Tek Fog app: the first established a link with the BJYM website and the second with isupportnamo.org, which is managed by Dave.

Dave denied these claims via email saying that his technical team couldn't find any association of BJYM or isupportnamo servers with such an app ever. He also claimed that "none of his team members or anyone has been ever also in touch with such an app or people associated with such an app".

This contradicts common technical understanding. Tek Fog is a private app and has no open APIs – meaning it's not possible for you or me to establish a connection with it and exchange data. Doing that would require, at the very least, the deliberate involvement of some employees working at these organisations.

Adding to the intrigue, an hour before Devang's response to the questions posed by The Wire, the Twitter account belonging to the original whistleblower was compromised, and the associated user name was changed from @AarthiSharma08 to @AarthiSharma8. The change in user name can be independently verified by visiting the URL of an old tweet from the account that now redirects to the new username.

When the authors reached out to the source to inquire into the reason behind this change, they confirmed that their account had been hacked, and their emails and passwords associated with the account were changed. The source provided the authors with a screenshot of the security email they had received from Twitter that alerted them to the hack.

Locating the Tek Fog server

The final piece of the puzzle was to locate and archive a copy of the Tek Fog app. To achieve this, the team sought to verify the BJYM source's claim that the servers using the IP addresses 172.67.154.90 and 104.21.80.213 – two of the links in the script output – were geo-replicated servers hosting the app itself.

Geo-replication is a form of system design in which the same app data is stored on multiple servers located at distant physical locations. Commonly, this is a way to ensure those accessing the contents of the server don't have to wait for it to transmit data from another part of the planet; closer servers respond faster. But such data distribution also means that if one server is compromised, another can take over its responsibilities, thus evading hacking attempts or surveillance.

The Wire created a server to monitor and archive the two IP addresses on February 5, 2021, to verify the authenticity of this claim. After four months, on June 1, 2021, at 00:00 hrs, the server at 172.67.154.90 displayed the 'login screen' of the Tek Fog app, and remained 'live' for 24 hours, before switching to a page that said 'access denied' on June 2, 2021, at 00:00 hrs. The design of the login screen matched the screenshots initially handed to the team by the original whistleblower working as an app operator out of the facility in Nagpur, providing us with further confidence in the authenticity of the operation and further technical evidence that Tek Fog was a live app that had progressed beyond a merely theoretical phase.

The long road ahead

Given the operation's ideological nature, the true motive behind Persistent Systems' and Mohalla Tech Pvt. Ltd.'s involvement in the BJP's organised social media manipulation campaign remains opaque. What is clear, however, is that the potential scale, sophistication and pervasive nature of the Tek Fog operation provide unprecedented evidence of private actors engaging in the application of dubious digital practices – typically seen in totalitarian and closed societies such as China and North Korea – in the world's largest democracy.

In subsequent stories forming part of the Tek Fog investigation, The Wire will explore the technology behind the secretive app and how the ruling party's political operatives used the app's organised social media manipulation campaigns around significant national events such as the anti-Citizenship (Amendment) Act protests, the Delhi communal violence and the COVID-19 pandemic in the country.

Note: If you are working with Persistent Systems, Sharechat or the BJYM and are using/ have used or know more about the Tek Fog app and the broader operation underpinning its use, please contact us at tekfog@protonmail.com. We will ensure your anonymity and privacy at all costs.

Ayushman Kaul is an independent security and intelligence analyst covering South Asia.

Devesh Kumar is an independent data analyst and Senior Data Visualizer with The Wire.


Featured illustration: Shreya Bhatia (@oddbench)