
When an email lands in a school's inbox threatening an explosion, the response is immediate and tangible. Sirens blare across South Delhi's leafy boulevards, students are evacuated to playgrounds and a contingent of sniffer dogs and bomb disposal squads descends on the campus. It is a scene that has played out dozens of times in the first few weeks of 2026 alone.
But while the tactical response is loud and swift, inside the cyber cells of the Delhi Police, the reality is far quieter and significantly more frustrating. For the digital forensics teams, each new hoax is not just a disruption of public order; it is a "forensic dead end."
Despite a spate of high-profile scares stretching back to May 2024 and continuing into this year, the perpetrators remain largely untraceable — digital ghosts operating with impunity.
The inability to crack these cases isn't a matter of manpower, but of confronting the formidable architecture of global digital privacy. According to a TOI report, investigators have admitted that they are essentially "chasing shadows in a room full of mirrors."
At the heart of the investigation's dead end lies the Virtual Private Network (VPN). When a cyber cell team attempts to trace the origin of a threatening email, they aren't led to a desktop in Delhi or even a specific location in India. Instead, they hit a server in a jurisdiction with opaque data laws, such as Panama, the Seychelles or the United States.
In a recent spate of threats in South Delhi earlier this month, the technical probe led authorities to a VPN service based in Bangladesh. Days later, similar threats in Northwest Delhi pointed to a server in the US. Hoaxes reported in West Delhi a few months ago involved a Singapore-based VPN.
Hoaxers use "VPN chains" — routing their connection through multiple encrypted tunnels — to ensure the IP address visible to law enforcement is a dummy. By the time the digital trail is followed, it has bounced across continents.
"The IP address that police see may belong to a server in Austria, Singapore or the Netherlands," a cyber cell investigator was cited by TOI as saying. "To us, it is like chasing a shadow in a room full of mirrors; every time we think we have a lead, the trail bounces to another country."
To unmask the real user, police must request logs from the VPN provider. However, this is where the trail doesn't just go cold — it ceases to exist.
Most premium VPN services, which sophisticated hoaxers use, operate on a strict no-log policy. They are designed specifically not to store records of who used their service or at what time.
Even if Delhi Police sends a formal request, the provider can truthfully reply that there is simply no data to hand over. The anonymity is baked into the business model.
The choice of email platform adds another impregnable layer. In several major waves of bomb threats — including the massive surge in hoaxes in May 2024 and the recent cases this month — the senders have utilised Switzerland-based ProtonMail.
ProtonMail is notorious among law enforcement agencies for its "militant commitment to privacy." It uses end-to-end encryption, which even the company itself cannot bypass. Furthermore, creating an account does not require a phone number or verifiable personal details.
Because the service is protected by Swiss privacy laws, Delhi Police cannot simply issue a standard search warrant. To obtain any information, they must navigate the Mutual Legal Assistance Treaty (MLAT) — a diplomatic marathon that requires proving 'double criminality' (that the act is a crime in both India and Switzerland).
Even if that lengthy process is successful, the most police might receive is basic metadata, like the time the account was created, which is useless against a user who signed up with a masked identity.
Investigators frequently encounter another tactical smokescreen: the '.ru' domain. Many hoax emails are sent from Russian services like mail.ru. By the time a request for information moves through the bureaucratic channels of Interpol and the Russian authorities, the specific account is often deleted, and any logs are overwritten.
The '.ru' suffix is rarely a sign of the sender's location, but rather a deliberate tool to buy time and exploit the sluggish pace of international diplomacy, ensuring the trail goes cold before the paperwork is even completed.
Given these immense hurdles, how have any cases been solved? Police occasionally catch a break, but it almost always happens when the perpetrator is an amateur — usually a student copycat who makes a fundamental error in operational security.
In late 2024, a student in Delhi was apprehended after sending a threat to his own school to avoid taking an exam. His mistake? He forgot to turn on his VPN, leaving his home IP address exposed for investigators to find immediately.
However, for the professional operators who target dozens of schools simultaneously — sometimes over 100 in a single morning — such mistakes are rare. The scale of these attacks suggests a level of planning that involves scraping school databases from the dark web or using automated crawlers.
As long as the internet's architecture prioritises unbreakable anonymity, Delhi Police remain trapped in a reactive mode: clearing buildings, inspecting belongings, and debunking threats, while the instigators lurk unseen behind screens.
Without international reforms to bridge these investigative gaps, schools — and the city — face an ongoing siege from these elusive digital phantoms, demanding urgent attention from policymakers to fortify cyber defences.