'Malware Evidence in Their Own Reporting?' Global Experts Reiterate Bhima Koregaon Reports, Seek End to Injustice

Netherlands-based digital forensics expert Robert Jan Mora found 'malware, not identified as such in the (RFSL) report, on an external pen drive that was seized from Mr. [Rona] Wilson'.
Mekhala Saran
Nov 26 2025
The 16 arrested in connection with the Elgar Parishad case. Photo: The Wire.

In 2022, when Netherlands-based digital forensics expert Robert Jan Mora was reviewing screenshots of Pune Police reports on some of the accused in the Bhima Koregaon case, he found something strange.

The Bhima Koregaon case has garnered international infamy for the prolonged persecution of 16 human rights defenders under terrorism-related charges, with individuals and organisations from across the world calling for the release of all accused. A registered information technology auditor in his country, Mora had already investigated many large cyber crime breaches in several parts of the world. When the Bhima Koregaon files reached him — he was reviewing them for a Washington Post reporter — he was already mulling over questions of how malware can be deployed to incriminate political opponents. By that point, Massachusetts-based Arsenal Consulting had concluded that a hacker had used malware to infiltrate the devices of some of the Bhima Koregaon accused and plant “incriminating” evidence. Mora’s findings, to an extent, fortified Arsenal’s claims.

In 2023 he wrote about it in his blog:


“In the RFSL (Regional Forensic Science Laboratory, Pune) report, I discovered something interesting – malware, not identified as such in the (RFSL) report, on an external pen drive that was seized from Mr. Wilson.”

In a keynote address, delivered at a digital forensics summit in Seoul, South Korea, earlier this month, Mora elaborated on his findings. His talk, titled “Digital Forensics at Scale – Malware lessons Learned from the Bhima Koregaon Case”, noted that even though the malware he found may not be the same malware that Arsenal attributed to a threat actor, it still flung the door open for a barrage of doubts over the state’s investigation in the case. Mora notes that, from his perspective, the very presence of malware on a device owned by accused Rona Wilson that the state has not explicitly reported to the court fortifies Arsenal’s findings. He finds the Arsenal report convincing.


It ought to be mentioned that the National Investigation Agency has called the Arsenal report “a distortion of facts” and maintained that “no such malware (as suggested by Arsenal) was found”.

The odd case of missed malware?

In a separate conversation with me, shortly after his keynote address at Seoul’s DFRWS APAC 2025, Mora explains:

“The Pune police reporting indicated there was no malware found during their investigation. However, during our own analysis of Pune Police (RFSL) official reporting on Rona Wilson’s seized USB drive, we spotted at least one malware implant. I was able to find the same file from Rona Wilson’s USB pen drive on the Google owned antivirus scanning platform VirusTotal and it was detected by numerous vendors as NJRAT or HOUDINI RAT.”

He added that this is a well-known malware that can easily be discovered with common anti-virus scanners. “The file being so easily and widely detected as malware, indicates that if no malware was found during the Pune police or NIA investigation, then perhaps malware scanning of the seized data was overlooked as numerous tools would have quickly flagged it,” Mora said.

Why are these people still imprisoned?

Rona Wilson, a researcher, spent over six years behind bars in a terrorism-related case that relies significantly on forensic evidence collected from his computer. He was finally granted bail in January 2025, with the Bombay high court noting that the case is not likely to reach a conclusion anytime soon.

“It is thus by now a settled and recognised principle of law that the prolonged incarceration without trial amounts to infringement or violation of Article 21 of the Constitution of India,” the court had said.

Several of his co-accused are still languishing in custody.

Octogenarian Jesuit priest Stan Swamy, another co-accused, passed away as an incarcerated under-trial while pleading with the courts for bail. Arsenal Consulting reported that Swamy had been targeted by an extensive malware campaign, in which the hacker had full access to his computer for nearly five years. As per Arsenal, the hacker who targeted Wilson and Swamy did the same with human rights lawyer Surendra Gadling as well. Gadling was arrested in 2018 and still remains behind bars.

“So why are these people still in prison, why did Stan Swamy lose his life?” Alpa Shah, a professor of Anthropology at Oxford University asks me over a phone call. In a book, spanning 344 pages, Shah has systematically detailed several instruments, including malware, spyware and hacking, which may have been exploited to consistently fabricate evidence in this case.

Noting that Mora has arrived at these findings entirely on his own, like other independent investigators before him, Shah says: “He is just the most recent of a whole series of independent people who have been investigating this issue and who independently came up with conclusions that something is very, very wrong with the evidence in this case.”

What existing investigations reveal

Before Robert Mora, The Caravan had reported on malware use in this case, Amnesty International and Citizen Lab had alleged that nine of the accused were unlawfully targeted by a spyware attack, and US-based SentinelOne had identified a purported threat actor (ModifiedElephant) that had been employing remote access trojans since 2012. All of this is in addition to Arsenal’s findings. The Indian government, meanwhile, has either denied or not responded to these reports.

But what stands out as most alarming of all these reports in this case? For Mora, it is Arsenal’s claim that the purported hacker attempted an extensive “clean up” of malicious activity from Swamy’s computer the night before the police seized it. He tells me that, in his view, this shows “that the threat actor was aware that a bust or raid would be conducted. So that indicates a level of coordination that I find intriguing.”

Based on the digital evidence available to him, Mora says, “it’s very clear that the systems (owned by the accused) had been compromised, via means such as phishing emails that infect inboxes of those they reach. Some of the defendants seem to have received phishing emails from accounts (which may have already been compromised) of people known to them.”

Next steps

Considering that so many years have passed and so many people still continue to be trapped in this case, either pining for the half-freedoms of interim bail or released conditionally after years of custody, Mora suggests that the courts should now try to get to the bottom of this case. He says they can do it by independently verifying the findings.

“Courts could appoint a digital forensic expert themselves to verify the claim. That should be very easy, because the same images that were received by Arsenal are the same forensic images that the prosecution has used.”

Motivated by the discoveries he has made and reviewed in this case, the threat investigator is now working with Interpol to create new guidelines to improve the quality and transparency of digital forensic investigations across the world.

“It does not guarantee that you will always detect advanced malware, but it will definitely be more transparent as you will have a checkpoint in time of when the material is scanned or analysed with antivirus or EDR detection capabilities.” Essentially, what Mora means is that if the updated Interpol guidelines are implemented, a malware scan will be made mandatory on seized evidence, and verifiable in time.

“Currently, the forensic guidelines do not mandate law enforcement to perform antivirus malware scanning on seized material,” he says. “In the digital forensic reports of Wilson and of other defendants, in this case, it is not clear if such an anti-virus scan even occurred.”

“Following the antivirus or EDR scan on seized material, if potential relevant malware is found, more advanced techniques like memory forensics and virtualisation of the defendant machine should take place to determine if the malware was the source of the potential incriminating evidence,” Mora elaborated. Overall, he remains convinced that investing in building knowledge and skill around malware and memory forensics is vital “to maturing the digital forensics field as a whole and key to detecting advanced nation threat actors”.
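The “checkpoint in time” Mora describes, namely a record of what was scanned, with which engine and signatures, and when, can be made tamper-evident by hash-chaining each file's digest and verdict to the one before it. The following is an added illustration, not code from the article, from Mora or from any Interpol guideline; the evidence files, the engine name and the scanner hook are constructed for the example (the hook matches the harmless EICAR test string in place of a real antivirus or EDR engine).

```python
import hashlib
import json

# Constructed sample "seized" files: path -> bytes. EICAR is the standard harmless AV test string.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EVIDENCE = {
    "Documents/letter.docx": b"PK\x03\x04 constructed document bytes",
    "Downloads/update.exe": EICAR,
}


def toy_scanner(data: bytes):
    """Hypothetical scanner hook: returns a detection name or None.
    In practice this would wrap the AV/EDR engine used on the seized material."""
    return "EICAR-Test-File" if EICAR in data else None


def _digest(obj) -> str:
    """Canonical SHA-256 over a JSON-serialisable object (sorted keys, so the hash is stable)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def build_checkpoint(files, scanner, scanner_info, scanned_at):
    """Scan every file and emit a hash-chained record. The chain is seeded with the
    engine/signature metadata and the scan time, and each entry commits to the
    previous one, so a later change to a verdict, a file hash, or the timestamp breaks it."""
    header = {"scanner": scanner_info, "scanned_at": scanned_at}
    entries, prev = [], _digest(header)
    for path in sorted(files):
        data = files[path]
        entry = {"path": path, "sha256": hashlib.sha256(data).hexdigest(),
                 "verdict": scanner(data), "prev": prev}
        prev = _digest(entry)
        entries.append(entry)
    return {**header, "entries": entries, "final": prev}


def verify_checkpoint(cp, files) -> bool:
    """Recompute the chain over the current file contents; False if anything differs."""
    prev = _digest({"scanner": cp["scanner"], "scanned_at": cp["scanned_at"]})
    if sorted(files) != [e["path"] for e in cp["entries"]]:
        return False
    for e in cp["entries"]:
        if e["prev"] != prev or e["sha256"] != hashlib.sha256(files[e["path"]]).hexdigest():
            return False
        prev = _digest(e)
    return prev == cp["final"]


def flagged(cp):
    """Paths whose scan produced a detection, the cue for memory forensics or virtualisation."""
    return [e["path"] for e in cp["entries"] if e["verdict"]]
```

A real deployment would additionally sign the final digest (or timestamp it with a trusted authority) so the checkpoint can be verified by a court-appointed expert without trusting the investigating agency.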

Mora’s goal, ultimately, is that the Rona Wilsons of the future do not have to suffer a similar plight, crushed and ensnared by dubious evidence.

Why this matters

I ask Professor Shah why renowned researchers and investigators like herself and Mora, based in other parts of the world, care so much about the Bhima Koregaon case. Her answer is two-fold: the sheer scale of injustice is deeply troubling for the people involved and for India, but such cases also have implications for democracies everywhere.

“What we see in India is the playbook of the collapse of democracy,” she says.

“Democratic rights activists, who were fighting for the rights of India's most marginalised minorities, seem to have been framed and imprisoned. And if we don't draw attention to what may have happened, what hope do we have for democracy anywhere? It's very important to demand justice – not only for the individuals concerned and their families, but for every Indian who may face the same fate. Moreover, this is not just an Indian affair as we see the repression of democratic rights activists elsewhere in the world as well. The fight for justice in India matters for the fight for justice everywhere.”

Mora says that he understands that the Indian state needs to ensure security and protect its people from terrorist attacks, but the threshold for enacting a law like the Unlawful Activities (Prevention) Act needs to be higher. He maintains that he has never seen anything like this case before, and therefore he follows it.

Finally, he notes that if the courts in India were to independently verify the investigative reports on the Bhima Koregaon case, they would come to their own judgment and tell the state’s agencies: “well guys, you failed.”

Mekhala Saran is pursuing a PhD in Communications and New Media at the National University of Singapore. She was formerly a legal journalist.

This article went live on November 26, 2025, at 12:54 pm.
