Monday, 05 January 2026

Red Fort Blast Probe Reveals Use of ‘Ghost’ SIMs, Encrypted Apps by Educated Terror Module

New Delhi:

Investigations into the deadly blast near Delhi’s Red Fort last year have uncovered that members of a so-called “white-collar” terror module, including highly educated doctors, relied on a complex network of ‘ghost’ SIM cards and encrypted messaging platforms to stay in touch with handlers based in Pakistan, officials said on Sunday.


The findings of the probe have played a key role in shaping a major policy decision by the Department of Telecommunications (DoT). On November 28 last year, the DoT issued a directive mandating that app-based communication services such as WhatsApp, Telegram and Signal must remain continuously linked to an active physical SIM card installed in the device.


According to officials, the accused followed a carefully planned “dual-phone” strategy to avoid detection. Each member of the module allegedly carried two or three mobile phones. One handset, registered in their own name, was used for everyday personal and professional communication. The other, referred to by investigators as a “terror phone”, was reserved exclusively for encrypted communication with handlers operating from Pakistan and Pakistan-occupied Kashmir.


The SIM cards used in these secondary phones were issued using Aadhaar details of unsuspecting civilians, which were allegedly misused. Investigators also uncovered a separate racket in Jammu and Kashmir where SIM cards were obtained using forged Aadhaar documents.


Officials said security agencies observed a worrying pattern in which these compromised SIMs remained active on messaging apps even after being taken across the border. By exploiting app features that allow usage without a physical SIM, handlers were able to guide recruits on assembling improvised explosive devices through online videos and plan attacks in India’s hinterland.


To address these vulnerabilities, the Centre has invoked provisions of the Telecommunications Act, 2023, and Telecom Cyber Security Rules. Under the new norms, all app-based service providers must ensure their platforms function only when an active SIM is present in the device. Telecom operators have also been instructed to automatically log users out of such apps if the SIM becomes inactive. Companies have been asked to submit compliance reports, failing which strict action will be taken.


The terror module came under the scanner in October 2025 after posters of the banned Jaish-e-Mohammad surfaced near Srinagar, prompting a detailed investigation that eventually led to arrests in Haryana’s Faridabad and the seizure of large quantities of explosive materials. The Red Fort blast, which claimed 15 lives, is currently being probed by the National Investigation Agency.

Red Fort Blast Probe Reveals Ghost SIM Network, Triggers Tough Telecom Rules


The investigation into the deadly blast near Delhi’s Red Fort has exposed a highly organised “white-collar” terror module that used ghost SIM cards and encrypted messaging apps to coordinate with handlers based in Pakistan, officials said. The findings have prompted the government to tighten telecom security rules to prevent misuse of digital platforms by terror networks.


According to investigators, the accused adopted a “dual-phone” strategy to avoid detection. Each operative allegedly carried two or more mobile phones — one “clean” handset registered in their own name for everyday use, and another fitted with a ghost SIM for secret communication. The second phone was used exclusively for encrypted apps such as WhatsApp and Telegram to stay in touch with Pakistani handlers operating under codenames.


Officials revealed that the ghost SIMs were issued using misused or fake Aadhaar details of unsuspecting citizens, pointing to a larger illegal SIM racket. A major concern flagged by security agencies was that many of these SIM-linked accounts remained active even when accessed from across the border, including Pakistan-occupied Kashmir. Investigators described this as a serious cyber security threat.


The probe found that terror handlers exploited features in messaging apps that allow them to function even without an active physical SIM in the device. Using this loophole, the accused were allegedly guided to learn IED-making techniques through online platforms and were instructed to plan attacks within India.


Based on these findings, the Department of Telecommunications issued a directive on November 28 mandating that app-based communication services must remain continuously linked to an active SIM card. Telecom operators have been directed to automatically log users out of apps like WhatsApp, Telegram and Signal if the SIM becomes inactive. All service providers have also been asked to submit compliance reports, with strict action warned for non-compliance.


Officials said the new rules are being fast-tracked, especially in Jammu and Kashmir, though eliminating all fraudulent and expired SIMs will take time. The move is being seen as a significant blow to the digital infrastructure used by terror groups to recruit, radicalise and coordinate attacks.


The terror module came to light in October 2025 after posters of the banned Jaish-e-Mohammad surfaced near Srinagar. Subsequent raids led to arrests in Haryana and the seizure of large quantities of explosives. The Red Fort blast, which claimed 15 lives, is currently under investigation by the National Investigation Agency.

