Appin (company)

Company typePrivate

FoundedDecember 2003

Appin

Company type	Private
Industry	Computer security
Founded	December 2003 (2003-12)
Founder	Rajat Khare
Fate	Renamed (Sunkissed Organic Farms, 2017)
Headquarters	New Delhi , India
Key people	Anuj Khare (co-director)
Services	Cybersecurity training Penetration testing
Number of employees	650^[1] (2013)
Subsidiaries	Appin Software Security (later Adaptive Control Security Global Corporate)
Website	appintechnology.com (archived)

Appin was an Indian cyber espionage company that provided hacking services to governments, private investigators, and corporate clients. Founded in 2003 by Rajat Khare and high school friends, Appin began as a technology education startup, offering franchised courses in programming, robotics, and cybersecurity to Indian university students. By 2007, it had launched a digital security consultancy whose work for Indian intelligence and military agencies drew the company into government surveillance operations, and by 2010 it had shifted to mercenary hacking for private-sector clients. It operated a digital platform through which 70 clients commissioned hacks against hundreds of targets worldwide.^[2]

According to investigative reports by Reuters, Appin was a "hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe."^[2] The company is credited with creating the operational model still used by India's cyber-mercenary industry.^[3]^[4]^[5] Khare, through his U.S. law firm Clare Locke, has denied any involvement in hacking, stating he "has never operated or supported, and certainly did not create, any illegal 'hack for hire' industry" and that under his tenure Appin specialised in training students in cybersecurity, "never in illicit hacking."^[2] His lawyers have described media reports tying Khare to hacking as "false" or "fundamentally flawed" and have said he left Appin in part because rogue actors were misusing the company's brand.^[2]^[6]

Between 2012 and 2016, Appin became the subject of criminal investigations in several countries, though these were eventually closed without charges.^[2] Google's threat intelligence team tracked hackers linked to Appin targeting tens of thousands of email accounts.^[7]^[2] Following increased scrutiny, Appin scaled back its online presence and was subsequently renamed multiple times, ultimately becoming Sunkissed Organic Farms in 2017, while former employees went on to found other hack-for-hire firms that continue to operate.^[4]^[2]

Co-founder Rajat Khare, who resides in Switzerland, has been the subject of ongoing legal actions and media investigations. According to a report by Reporters Without Borders, Khare and entities associated with Appin have targeted at least 15 media outlets with lawsuits and legal demands in multiple countries, which RSF described as "an offensive on an unprecedented global scale" to suppress reporting on the company's activities.^[8]

Founding and government work

In December 2003, Rajat Khare, along with high school friends, conceived Appin to offer technology training workshops to university students. By 2005, Rajat Khare had been joined by his brother Anuj Khare, a former motivational speaker, and the company had an office in western New Delhi. Their franchise offered courses in programming, robotics, and cybersecurity. By 2007, Appin had opened a digital security consultancy helping Indian organisations defend themselves online. This drew the attention of Indian government officials, who were navigating internet-era intelligence challenges and seeking ways to hack into computers and emails.^[2]

Shortly thereafter, Appin established a subsidiary called Appin Software Security, also known as the Appin Security Group, to conduct surveillance activities for the Indian government. Employees signed non-disclosure agreements and were assigned to military-controlled facilities, where they worked away from their colleagues in the wider company. Their targets included Pakistan, China, and Khalistan movement separatists from India's Punjab state.^[2]^[9]

By 2009, the company's clients had included the Research and Analysis Wing (RAW), the Intelligence Bureau, India's military, the Ministry of Home Affairs, and the Central Bureau of Investigation (CBI).^[2]^[5] Appin claimed its solutions were used by government intelligence agencies to monitor hostile individuals, marketed software for analysing call metadata, and explored importing Israeli cell phone interception devices. For the fiscal year ending in 2009, the company earned nearly $1 million in revenue and a profit of about $170,000, with projections of a nearly tenfold revenue increase over the following 36 months.^[2]

The company also generated additional revenue by covertly reselling material it had hacked for one Indian agency to another.^[2] This practice was eventually uncovered, prompting several Indian intelligence agencies to terminate their contracts with Appin. According to Reuters, following the loss of government contracts, Appin shifted its focus to private sector clients.^[2]

Private sector operations

According to a 2023 New Yorker report citing Geneva investigator Jonas Rey, Khare approached private intelligence firms across Europe around 2010 offering hacking services, and an Appin presentation from that period advertised the company's hacking capabilities.^[5]^[2] Khare's lawyers at Clare Locke have said he had never seen the 2010 presentation and that "the document is a forgery or was doctored."^[2] Around 2011, Appin began operating a digital dashboard dubbed "My Commando" for spy services, resembling an e-commerce platform with a menu of hacking options. Customers logged in to request Appin to hack emails, computers, or phones, monitor the operation's progress, and later download the stolen data.^[2]^[9] Seventy global clients hired Appin to hack hundreds of targets through "My Commando."^[2]^[5]

Among the system's early users were Israeli private detectives Aviram Halevi and Tamir Mor, who accessed it in 2011. That year, Mor ordered hacks on more than 40 targets, including Malaysian politician Mohamed Azmin Ali, Russian oligarch Boris Berezovsky, and members of Berezovsky's legal team.^[2] Around the same time, another user hired Appin to hack 30 targets, including a Rwandan dissident and the wife of another wealthy Russian going through a divorce.^[2]

The targets also included Kristi Rogers—the wife of Representative Mike Rogers, who was the Chairman of the U.S. House Intelligence Committee at the time.^[2]^[5]

Other individuals, such as a landscape architect in New Jersey and a Native American tribal member, were also targeted using the system.^[2] Appin also targeted a human rights activist associated with the Oslo Freedom Forum, along with governmental and private organisations.^[2]^[4]^[9]

In January 2012, a series of targeted emails containing malicious attachments were sent to Peter Hargitay, a Zurich-based FIFA insider and former adviser to FIFA President Sepp Blatter, who had been consulting for Australia's 2022 FIFA World Cup bid.^[10]^[2] Hargitay and his son Stevie detected the intrusion, and an expert they hired traced the attack to a server near Zurich airport whose billing records listed Khare as the client.^[2] The Hargitays filed a criminal complaint with Swiss authorities.^[2]^[10]

According to a 2022 investigation by SRF Investigativ, the attack was part of an extensive espionage campaign in which Qatar sought to protect its 2022 World Cup hosting rights by hacking the emails and phones of FIFA officials and critics of its bid, and running smear campaigns to influence FIFA policy.^[10]^[11] Qatar had hired Global Risk Advisors, a firm founded by former CIA operative Kevin Chalker, which frequently used subcontractors; the Hargitay hack was subsequently traced to Appin.^[10]^[12]^[13] The broader campaign, dubbed "Project Merciless," spanned five continents over several years.^[10]^[12] Hack-for-hire companies founded by Appin alumni were also later implicated in the campaign.^[11]

Also in 2012, a German private investigator paid Appin $3,000 to hack an email during an inheritance feud involving a wealthy businessman.^[3] In the Dominican Republic, authorities raided a local newspaper publisher in 2012 and formally accused him of collaborating with Khare to hack emails and extract information from the nation's elite for his digital newspaper. The publisher later admitted that in 2011, he paid Appin between $5,000 and $10,000 a month to spy on over 200 prominent Dominicans including Leonel Fernández, then president of the Dominican Republic.^[2]

Investigations and attribution

In 2012, after analysing a hack and leak targeting a Native American tribal member, the FBI linked multiple cases to a single perpetrator. Collaborating with Swiss authorities, the FBI identified the perpetrator as Appin and shared that they had human intelligence through a confidential source.^[2]

In early 2013, Norwegian telecommunications company Telenor discovered that hackers had stolen as many as 66,000 emails from its chief executive, two personal assistants, and a senior lawyer in what the company described as industrial espionage; Norwegian police traced the attack to IP addresses in New Delhi.^[2] Appin's operations began attracting attention worldwide.^[10] By 2013, they had become well known among security researchers. Researchers referred to the group using various monikers, including Operation Hangover by Shadowserver Foundation and Norman Shark,^[14]^[15]^[16] Monsoon by Forcepoint,^[17] and Viceroy Tiger by CrowdStrike.^[18]^[19]^[20] These reports documented campaigns in which targeted emails containing malicious attachments with exploit-laden documents were used to deploy custom malware (keyloggers, document uploaders, and credential-harvesting tools) across more than 600 command-and-control domains, using only previously known exploits rather than zero-days.^[15]^[20]

In 2023, SentinelOne's analysis of internal Appin records concluded that the company owned and controlled the attack infrastructure and had developed malware in-house, including a keylogger deployed against Pakistani government targets in 2009. Appin also procured exploits from freelancers and commercial vendors.^[9]

From 2013 onward, Google spent a decade monitoring hackers linked to Appin who targeted tens of thousands of email accounts on its platform.^[7]^[2] Due to the unusually high volume of activity by the hackers, Google expanded its systems and procedures to keep up with them.^[2] Security researchers avoided publicly naming Appin due to legal concerns, though they privately confirmed the link to Reuters.^[2] In 2013, an Appin representative told the Wall Street Journal that the company "denies it had any role in any of the attacks" and said that someone, possibly a former employee, had been using its name.^[1] The representative separately called the Norman Shark report "a marketing gimmick" and said Appin was "in no manner connected or involved with the activities" described in it.^[21]

Since 2012, Appin and its co-founder Rajat Khare have been the subject of criminal investigations in multiple countries. Swiss authorities linked Appin and Khare to a criminal complaint filed by the Hargitays for intrusion into their systems, while Norwegian investigators connected Appin to the Telenor hack. These multinational investigations were carried out over several years but were eventually closed without charges being filed.^[2]^[10]

In 2016, the woman who had hired a private detective to access the email of her fellow Native American tribal member pleaded guilty in federal court. Later, in mid-2020, that detective confessed in an affidavit that he had hired Appin to carry out the email heist. Similarly, Aviram Halevi, who hired Appin to target at least three dozen people in 2011,^[2] admitted to employing them to steal emails from a Korean businessman.^[3] In 2021, the State Bank of India filed a criminal complaint with the Central Bureau of Investigation, Appin's former client, accusing Khare and others of embezzling ₹8.06 billion ($97 million) from loans to Educomp, where Khare was a director. Khare's lawyers said he had been "cleared" by Educomp's management but did not provide evidence; as of November 2023, Reuters could not determine the status of the case.^[2]

Legal campaign against media

Appin and co-founder Rajat Khare have filed lawsuits and sent legal demands to news organisations in multiple countries, including France, Luxembourg, Switzerland, the United Kingdom, and India, seeking removal of references in articles to the company and Khare.^[22]^[6]^[23]^[8] Khare's lawyers at Clare Locke have said the underlying allegations are "categorically false" and "have been rejected by courts and regulatory bodies and debunked by experts," and that Khare's career has been dedicated to "cyber-defense and the prevention of illicit hacking."^[6]

In November 2022, a lower court in Geneva ordered SRF Investigativ to provisionally remove Khare's name and photo from its investigative report on the Project Merciless espionage operation. When contacted by RSF, Khare's Swiss lawyer, Nicolas Capt, stated that Khare has taken "legitimate legal action — civil and criminal — to protect his honour, which has been damaged by false accusations."^[8]

In June 2023, The New Yorker published an investigation on India's hacking-for-hire industry, detailing the operations of firms founded by Appin alumni, such as BellTroX Infotech Services and CyberRoot Risk Advisory. The Association of Appin Training Centers (AOATC) first sued the U.S. magazine in India, and later, Khare filed a lawsuit against it in Switzerland. A spokesperson for The New Yorker told RSF that the magazine "fully stands behind the piece, which is an accurate and fair account on a matter of legitimate public interest" and would "continue to defend the right to publish important reporting without fear or favor."^[5]^[8]

On 16 November 2023, Reuters published an article about the company and its co-founder Khare titled, "How an Indian Startup Hacked the World." The investigation found that Appin "grew from an educational startup to a hack-for-hire powerhouse that stole secrets from executives, politicians, military officials and wealthy elites around the globe." The report was based on Appin's activities for nearly two decades, including company records, law enforcement files, and input from former employees, clients, and security professionals. The raw material spanning 2005 to 2023 was authenticated by Reuters and further verified by U.S. cybersecurity firm SentinelOne.^[2]^[8]

The AOATC sued Reuters, claiming the news agency had engaged in a "defamatory campaign"^[24]^[25] and accusing the agency of "defamation, mental harassment, stalking, sexual misconduct and trauma" based on what the complaint characterised as unsolicited messages Reuters reporters sent to Appin Training Centers' employees and students.^[6] It obtained an injunction from a Delhi court and, on 4 December 2023, Reuters temporarily removed its article. Reuters said that it stood by its reporting.^[26]^[25]^[27]

An archived version of the Reuters article hosted on the Wayback Machine was likewise removed following demands from lawyers representing Khare.^[28] Lawyers for the AOATC further sent demands to Meta Platforms, LinkedIn and Naukri.com to block accounts associated with the authors of the Reuters story.^[23]

On the same day as the Delhi court injunction, the Indian Ministry of Home Affairs revoked the Overseas Citizenship of India (OCI) card of Raphael Satter, one of the Reuters journalists who reported the story, stating he had been "practising journalism without proper permission" and "maliciously creating adverse and biased opinion against Indian institutions in the international arena".^[29] Satter said he had received threats from individuals associated with Appin during his reporting, one of whom alluded to potential "diplomatic action" unless he abandoned his investigation.^[29]

In February 2024, Wired reported that lawyers for Appin and a related entity called the "Association for Appin Training Centers" have filed lawsuits and made legal threats against more than a dozen news organisations. Appin sent emails demanding that news site Techdirt and the organisation MuckRock, which hosted some of the information Reuters relied on, take down their content. The two sites denied that the injunction was binding on them.^[30]^[6]^[31] Other sites, such as the Lawfare blog, removed material based on the Reuters article.^[25]^[30]

The Electronic Frontier Foundation (EFF) responded on behalf of Techdirt and MuckRock, arguing that the Indian court's order is unenforceable in U.S. courts because it conflicts with the First Amendment and Section 230 of the Communications Decency Act, as reinforced by the SPEECH Act. The EFF also argued that recipients of such orders should carefully evaluate their enforceability.^[32]^[6]^[31]

In February 2024, two episodes of the American podcast Behind the Bastards about Khare were pulled from podcast platforms after the show received a legal threat; the episodes had avoided using Khare's name in their titles.^[8]

The Reuters article was restored in October 2024, after the Delhi court rescinded its injunction on 3 October 2024, noting "the plaintiff has not been able to show any prima facie case to make interference in the process of journalism".^[33] The article is back online at its original location.^[2]

On 21 November 2024, Reporters Without Borders (RSF) reported that works from at least 15 different media outlets had been modified or withdrawn as a result of a strategic lawsuit against public participation or a legal notice from Khare or Appin Training Centers. RSF also found that numerous posts praising Khare appeared on platforms such as Medium, authored by accounts with generic names and AI-generated profile photos that commented on one another's content, in what RSF described as an attempt to "flood the Internet" and "drown out the troublesome investigations". Additionally, an Intelligence Online article^[13] was the subject of what RSF described as an "abusive DMCA takedown request".^[8]^[34]

In March 2025, Satter petitioned the Delhi High Court to challenge the OCI revocation.^[29] During a November 2025 hearing, the court criticised the Ministry of Home Affairs for its documentation, with the judge stating that MHA officers had "completely distorted" the paperwork supporting the cancellation.^[35]

Legacy

Alumni firms

Following Norman Shark's public attribution of the Telenor hack to Appin,^[15] the company faced increasing scrutiny, and the group began scaling back its online presence.^[2] Around that time, former Appin employees branched out, founding similar hack-for-hire firms.^[4] Khare's lawyers have said he cannot be held responsible for the activities of those alumni firms, comparing such attribution to "holding Harvard University responsible for the terrorist bombings carried out by its former student Ted Kaczynski."^[2]

Two such companies—BellTroX Infotech Services, led by Sumit Gupta, and CyberRoot Risk Advisory^[36]—started collaborating with Appin, sharing staff and computer infrastructure for their hacking operations.^[3]

Their activities were identified using a database of over 80,000 phishing emails sent to 13,000 targets from 2013 to 2020.^[3] This database was vetted by six expert groups, with each group independently confirming recognised hacking activity.^[3] Further analysis by Mandiant, LinkedIn, Google,^[7] and court records revealed that the hacking was carried out by three Appin-linked companies with an intermingling of resources among them.^[3] This network of mercenaries charged clients anywhere from a few thousand to over a million dollars,^[36] while paying workers just $370 per month.^[3]

The hackers targeted attorneys and their clients, including companies, advocacy groups, media organisations, and business executives. According to Shane Huntley of Google's threat intelligence team, these attacks had "real potential to undermine the legal process."^[3] Reuters linked Appin alumnus Sumit Gupta to Aviram Azari, a former Israeli policeman who was sentenced to 80 months in prison for his role in a global hack-for-hire scheme,^[3]^[37]^[38] the Dark Basin campaign, and the wider network of Indian hack-for-hire operators.^[3]^[5] In a 2020 interview with Reuters, Gupta denied wrongdoing, acknowledging that he provided technical support to private detectives but stating he was not personally involved in cyber espionage.^[36]^[2] By 2023, attempts to reach him were unsuccessful.^[2]

Rebrandings and aftermath

Appin Technology rebranded multiple times before adopting the name Sunkissed Organic Farms in 2017. Its subsidiaries also underwent rebranding. In 2015, Appin Software Security became Adaptive Control Security Global Corporate (ACSG).^[2]

Later, Rajat Khare resigned as director of the company (by then renamed from Appin Technology) in 2016 and moved to Switzerland, where, according to SRF Investigativ, "he now presents himself as a renowned start-up investor."^[2]^[10] Together with his wife Shweta, Khare runs Boundary Holding, a Luxembourg-based venture capital firm.^[39] His family controls companies founded under the Appin name, as well as the renamed Indian firms, including ACSG, which describes itself as a "critical infrastructure protection company that caters to government clients."^[2]