Two senior officials working for Bangladesh's anti-terrorist police allegedly collected secret and personal information from citizens and sold it to criminals on Telegram, JS has learned.
The data allegedly sold included citizens' national identity data, mobile phone call records and other “classified information,” according to a letter signed by a senior Bangladeshi intelligence official seen by JS.
The letter, dated April 28, was written by Brigadier General Mohammad Baker, who is director of the National Telecommunications Monitoring Center, or NTMC, the country's electronic eavesdropping agency. Baker confirmed the legitimacy of the letter and its contents in an interview with JS.
“Departmental investigations are underway in both cases,” Baker said in an online chat, adding that Bangladesh's interior ministry ordered affected police organizations to take “necessary action against these officers.”
The letter, which was originally written in Bengali and addressed to the senior secretary of the Public Security Department of the Ministry of Home Affairs, claims that the two police officers were given access to “extremely sensitive information” from private citizens and passed them on on Telegram.
According to the letter, the police officers were arrested after investigators analyzed the log files of the NTMC systems and how often the two had accessed them.
The letter reveals the identity of the officials. One of the suspects is a police inspector who works at the Anti-Terrorism Unit (ATU). The other is an assistant police inspector with the Rapid Action Battalion, also known as RAB 6. a controversial paramilitary unit that the US government sanctioned in 2021 amid allegations that the unit is linked to hundreds of disappearances and extrajudicial killings. JS is not naming the two people accused because it is unclear whether they have been charged under the country's legal system.
The NTMC is a government intelligence agency established under the Ministry of Home Affairs of Bangladesh. The agency's core task is to monitor all telecommunications traffic and intercept telephone and web communications to detect and prevent threats to national security.
Organizations such as Human Rights Watch And Freedom House have criticized the NTMC for the lack of safeguards against abuse, both against freedom of expression and privacy. Over the years, NTMC has acquired advanced technology companies in Israelwhich Bangladesh does not officially recognize, as well other western countriesto carry out mass surveillance of opposition party members, journalists, civil society members and activists.
As part of its mission, the NTMC operates the National Intelligence Platform, or NIP, an internal government web portal that contains classified citizen information such as national identifiers, cell phone registration and mobile data, criminal profiles and other information.
Several law enforcement and intelligence agencies have user accounts on the NTMC's NIP portal.
NTMC's own investigation found that officers used the NIP platform more often than others, seeking out and collecting information that was not relevant to them.
“Considering the context, such irrelevant access and unlawful transfer of extremely sensitive classified data must be investigated to identify anyone involved and we also request appropriate action against all identified/involved,” the letter said.
Baker told JS that there were a “number of Telegram channels,” adding that one of them was called BD CYBER GANG.
JS was unable to identify the specific channel on Telegram.
Contact us
Do you have more information about this incident, or similar incidents? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email. You can also contact Zulkarnain Saer Khan on Signal at +36707723819, or on @ZulkarnainSaer. You can also contact JS via SecureDrop.
Baker told JS that it appears the two agents sent the information to the administrator of at least one Telegram group, who then tried to sell it.
Baker said the two officers have been notified of the investigation.
Due to the investigation, access of all NIP users from ATU and RAB 6 has been suspended “until the relevant officials are identified and appropriate action is taken,” the letter said.
Baker confirmed the suspended access and said that if officers “require information for investigative purposes, they can collect it through the police and RAB headquarters.”
Spokespeople for Bangladesh's interior ministry and ATU did not respond to multiple requests for comment. An individual who identified himself to RAB 6 only as an “operations officer” told JS that the agency had no comment.
Last year, a security researcher discovered that the NTMC was leaking people's personal data on an unsecured server. Including the leaked data real names, phone numbers, email addresses, locations and exam results, according to Wired. Another Bangladeshi government agency, the Office of the Registrar General, Birth and Death Registrationalso leaked sensitive data from citizens last year, as JS reported at the time.
In both cases, the leaks were found by Viktor Markopoulos, a researcher working at Bitcrack Cyber Security.
While these were significant cases of data exposure, this incident allegedly involving the ATU and RAB 6 officers is potentially more damaging as the officers allegedly sold information online in an attempt to take advantage of their privileged access to classified personal information.
Although the incident is under investigation, a well-placed government source told JS that there are still officials offering to sell citizens' data.
