New Delhi: Investigations into the "white-collar" terror module linked to the Red Fort blast on November 10 last year reveal that highly educated doctors used a sophisticated network of "ghost" SIM cards and encrypted messaging apps to coordinate with handlers in Pakistan, officials said on Sunday.
The findings formed the basis for a sweeping directive issued by the Department of Telecommunications (DoT) on November 28, 2025, which mandates that app-based communication services, including WhatsApp, Telegram and Signal, must be continuously linked to an active physical SIM card in the device.
Officials said the probe into the terror module and the Red Fort blast uncovered the use of "ghost" SIM cards by arrested doctors, including Muzammil Ganaie, Adeel Rather, and others, as part of a tactical "dual-phone" protocol to evade security agencies. Each accused, including Dr Umar-un-Nabi, who died while driving the explosives-laden vehicle near the Red Fort, carried two to three mobile handsets.
According to officials, each operative used one "clean" phone, registered in their own name, for routine personal and professional communications, while a second "terror phone" was used exclusively for WhatsApp and Telegram communication with Pakistani handlers identified by codenames 'Ukasa,' 'Faizan,' and 'Hashmi.'
The SIM cards for these secondary devices were issued using the identities of unsuspecting civilians, whose Aadhaar details were misused. Jammu and Kashmir Police further uncovered a separate racket in which SIMs were issued using fake Aadhaar cards.
Authorities noted a disturbing trend: these compromised SIMs remained active on messaging platforms across the border in Pakistan or Pakistan-occupied Kashmir (PoK). By exploiting features that allow messaging apps to operate without a physical SIM, handlers were able to direct the module to learn IED assembly via YouTube and plan attacks in India, despite the recruits initially seeking to join conflict zones in Syria or Afghanistan.
To address these security gaps, the Centre invoked the Telecommunications Act, 2023, and the Telecom Cyber Security Rules, 2023, to "safeguard the integrity of the telecom ecosystem." The rules require all Telecommunication Identifier User Entities (TIUEs) to ensure that app-based services function only if an active SIM is installed within 90 days. Telecom operators are directed to automatically log users out of apps such as WhatsApp, Telegram, and Signal if no active SIM is detected. All service providers, including Snapchat, ShareChat, and JioChat, must submit compliance reports to the DoT.
The DoT noted that the ability to use apps without a SIM poses a major cybersecurity threat, as it is exploited from outside the country for cyber fraud and terrorist activities. The directive is being fast-tracked in the Jammu and Kashmir telecom circle. Officials said that while deactivating all expired or fraudulent SIMs will take time, the move is expected to deliver a critical blow to the digital infrastructure used by terror networks to radicalise and manage "white-collar" operatives. Failure to comply will attract stringent action under the Telecom Cyber Security Rules and other applicable laws.
The "white-collar" terror module began to unravel on the night of October 18-19, 2025, when posters of the banned Jaish-e-Mohammad (JeM) appeared on walls just outside Srinagar city, warning of attacks on police and security forces in the valley. Senior Superintendent of Police, Srinagar, G V Sundeep Chakravarthy, formed multiple teams to investigate the matter thoroughly.
The probe led the Srinagar police to Al Falah University in Faridabad, Haryana, where two doctors, Muzammil Ganaie, a resident of Koil in south Kashmir’s Pulwama, and Shaheen Sayeed from Lucknow, were arrested. Authorities seized a large quantity of arms and ammunition, including 2,900 kg of ammonium nitrate, potassium nitrate, and sulphur.
The car explosion near the Red Fort claimed 15 lives and continues to be investigated by the National Investigation Agency (NIA).
With PTI inputs