What is Threema, the Swiss messaging app that helped Delhi blast accused?

FP Explainers November 14, 2025, 15:11:32 IST

Investigators probing the deadly Red Fort car explosion say the accused built a concealed communication system using Threema, a Swiss encrypted messaging app, which is banned in India. Authorities allege the three suspects relied on the platform’s anonymity-driven architecture to prepare for multiple attacks before the plot was disrupted.

Security personnel work at the site of an explosion near the historic Red Fort in the old quarters of Delhi, India, November 11, 2025. File Image/Reuters

Investigators examining the deadly explosion near Delhi’s Red Fort have traced the core of the conspiracy to a secure communication channel built around Threema — a Switzerland-based encrypted messaging service banned in India.

According to officials, the three arrested doctors from Faridabad’s Al Falah University — Dr Umar Un Nabi, Dr Muzammil Ganaie, and Dr Shaheen Shahid — relied heavily on the platform to stay in touch, share instructions, and exchange sensitive material linked to the attack.

The blast on Monday evening claimed 13 lives, with another victim succumbing to injuries on Thursday.

Police now believe the module had been preparing for a series of coordinated strikes across Delhi and had already conducted multiple reconnaissance visits around the capital.

Officials describe Umar, who is believed to have been behind the wheel of the vehicle that exploded, as the primary channel linking the others.

They believe that after some module members were detained, he disconnected from regular communication networks and relied solely on covert channels to maintain contact with associates.

The group had reportedly surveyed various parts of Delhi multiple times and was preparing for a broader series of coordinated attacks before the plot was interrupted.

How the accused communicated using Threema

Investigators believe the accused constructed an isolated communications system using Threema’s architecture, which is designed to operate with minimal data exposure. The platform’s registration system does not require personal identifiers at the outset.

Instead of a phone number or email, users receive a randomly generated ID that becomes the anchor for all interactions. This element of anonymity was a critical factor in the group’s ability to communicate without drawing attention, according to those handling the case.

Unlike conventional messaging platforms, Threema does not require a phone number or email ID for registration, making it extremely difficult to trace the users.

Officials examining the incident believe the accused set up a private Threema server, enabling them to exchange files and instructions through a network that was inaccessible to anyone outside the group.

Detailed planning, including location sharing and task allocation, is believed to have been conducted through this private network, a police source told PTI.

Police suspect the trio used the app for an array of communication tasks: text messaging, voice interactions, sharing of diagrams, and circulating reference material relevant to the conspiracy.

Because the platform allows messages to be erased on both ends and avoids retaining metadata, investigative teams say retrieving communications has been extremely challenging.

The app’s design, which restricts access to message histories and avoids conventional data storage, further complicates efforts to fully reconstruct the chain of events.

Authorities are still evaluating whether the server was hosted domestically or abroad. Early assessments indicate the platform served as a medium for transmitting coded instructions and controlled documents among members of the module.

Forensic analysis of the seized devices is ongoing to determine the full extent of the network and whether additional participants were involved.

The discovery of the Threema network came soon after agencies uncovered two Telegram groups linked to the same module.

The metadata extracted from Threema chats among Umar, Shaheen, and Muzammil is currently being examined, though the nature of the platform means that limited information is available compared with other communication services.

Threema was included in a list of several apps blocked in India in May 2023 under Section 69A of the IT Act.

Authorities recommended restrictions on these apps after determining that certain Pakistan-based factions were using them to move propaganda and guide their operatives inside India.

The list included names such as Zangi, Briar, Nandbox, Safeswiss, BChat, Element, Second Line, MediaFire, and IMO.

Despite being restricted in India, investigators believe the accused circumvented these constraints through VPN services that masked their location.

Reports also suggest that the group used the app while travelling to foreign destinations, including Turkey and the UAE, providing them with additional freedom to access it outside India’s jurisdiction.

Threema’s payment structure — which allows individuals to purchase the app by mailing cash to its office in Churerstrasse, Switzerland, or by paying using Bitcoin — is another element that reduces traceability.

This structure, combined with its user-ID system and encrypted storage model, contributes to the difficulty faced by security agencies attempting to monitor or trace communications on the platform.

Why Threema appeals to criminal and terror networks

Threema belongs to a category of communication tools that promote strong privacy protections, which in turn has attracted individuals seeking secrecy for illegal purposes.

Several such apps, including those blocked in India, were originally designed with activists, journalists, or dissidents in mind, particularly those working in environments where they face surveillance by state authorities.

However, these applications have also become popular among criminal enterprises because they lack traditional identifiers and centralised storage systems.

Apps like Zangi, Safeswiss, Element, Briar, Nandbox, and others often generate virtual numbers or unique URLs instead of asking users to provide email addresses or verified phone numbers.

Some tools offer a randomly created ID, which becomes a user’s identity within the system. Zangi, for instance, assigns a ten-digit number to each new account without tying it to a real-world identifier.

Many of these applications advertise high-level encryption models designed to ensure that messages are only viewable by the sender and recipient. Threema and similar platforms handle encryption and decryption directly on users’ devices, preventing any intermediate server from accessing message content.

Several platforms delete messages immediately after they are received, and many avoid retaining logs or metadata.

These structural decisions are presented by developers as a safeguard for privacy, but they significantly hinder law-enforcement efforts, especially in cases involving organised networks.

Investigators have noted that the absence of traceable data makes such tools difficult to monitor and complicates efforts to assemble legally admissible evidence.

The company’s servers are located in Switzerland and operate in accordance with the country’s federal data-protection laws.

According to police findings, approximately 32 cars were readied as potential carriers of explosive material.

Of these, one vehicle detonated near the Red Fort, while three others have been seized by authorities since the attack.

Officials stress that the disruption of the module may have averted a far larger tragedy. According to their assessment, the suspects were waiting for instructions from their handlers before launching a sequence of explosions across multiple sites.

With inputs from agencies
