Citizen sleuths in India unmask perpetrators behind JNU attack

In face of police inaction, Indian users used open-source techniques to uncover the assailants responsible for university attack

Citizen sleuths in India unmask perpetrators behind JNU attack

Share this story

In face of police inaction, Indian users used open-source techniques to uncover the assailants responsible for university attack

(Source: @oddbench)

After Delhi police failed to intervene to stop an attack on the student body of Jawaharlal Nehru University (JNU) and similarly failed to identify or arrest the perpetrators, members of the public took to the internet to perform digital forensics as a means of forcing the authorities to take responsibility.

JNU’s student body is known for its leftist political views, which often brings it into conflict with members of the far-right in India, including supporters of Prime Minister Narendra Modi and his ruling Bharatiya Janata Party (BJP). India’s far-right, for example, has accused the school of serving as a breeding ground for “antinational activists.” In late 2019, JNU announced an increase in the university’s room and board fees that would fundamentally alter the composition of JNU’s student body by pricing out the historically lower income student body. This change led to the start of an ongoing standoff, with JNU’s leftist students and faculty refusing to attend classes in order to protest the fee hike instead. These protests have, in turn, led to counter-protests by the far-right coordinated via private WhatsApp groups.

It is in this setting that a violent insurgent attack on JNU students took place on January 6, 2020, culminating in an online campaign to identify the perpetrators. The attack came after another high-profile attack on December 13‑15, 2019, on another Delhi-based university, Jamia Milia Islamia (JMU). The two attacks struck a wider chord with opponents of the government, with the behavior of the police in both incidents highlighted critics as evidence of thir acquisence to the BJP-led central governments adoption of increasingly repressive measures to silence dissenting voices.

The attack on JNU

On January 6, a mob of masked assailants wielding sticks, rods, and other weapons attacked students and staff on the campus of the prestigious JNU located in the Indian capital. Delhi police were already on the scene as a means of containing students protesting the recent and dramatic tuition fee increase, though they did not intervene to stop the attack.

Despite the large police presence at the main gate of the university, the assailants were able to move — and attack — freely inside the campus for three hours without any intervention by the Indian authorities, before escaping at around 2100 hours local time. Subsequent videos uploaded to social media by users present at the scene showed the mob sauntering away from the campus and disappearing into the night. Consequently, critics have questioned the culpability of the government-controlled Delhi police in facilitating the violence, accusing the local authorities of turning a deaf ear to phone calls and text messages sent by students and staff who had barricaded themselves inside three student residences in order to escape the violent mob outside.

The attack appeared to have been coordinated by via two closed WhatsApp groups. The members of the groups had direct ties to Akhil Bharatiya Vidya Parishad (ABVP), a right-wing student group affiliated with Hindu-nationalist organization Rashtriya Swayamsevak Sangh (RSS), which itself has close ties to the BJP. The ABVP, however, has categorically denied that its members were involved in the violence on campus, accusing “leftist political parties” of orchestrating the attack.

In the attack’s aftermath, incensed by the local authorities reluctance to intervene for the duration of the attack nor to arrest any of the masked perpetrators responsible for it, Indian internet users applied simple open-source investigative techniques to uncover the perpetrators behind a recent attack that left 36 students and faculty injured at JNU.

Citizen sleuths identify some of the perpetrators

By analyzing footage of the attack uploaded to social media and as well as employing contact directory app Truecaller, social media users were able to identify members of the two WhatsApp groups used to coordinate the assault. The DFRLab replicated part of the investigation to show that the techniques employed by digital sleuths in India to check the veracity of the claims.

In the hours before the assault at JNU, sceenshots of chat logs from two WhatsApp groups, “Friends of RSS” and “Unity against Left,” went viral on social media after being leaked by students who had infiltrated them. Social media users then used the leaked screenshots to identify the administrators of both groups, as well as users who had sent messages tying themselves to the violence that night.

BJP in Unusual Places, a political satire community on Facebook, uploaded a post listing the administrators of the “Unity against Left” group allegedly used to coordinate the attack. Image purposefully obscured. (Source: BJP in Unusual Places)

After compiling a list of suspects, the users employed Truecaller, a free caller ID mobile application, to reveal further identifying details. Many in India use Truecaller as a means of identifying spam calls, for which there is no regulation in the country. The app combines crowdsourced contact data from its userbase with data provided by phone directory providers and social networks to create a large online repository of phone contacts. This provides a robust phonebook, essentially, for identifying reputable phone numbers.

(This practice, however, also presents significant privacy concerns. While the database is only available to those who have signed up for the service — it is not a publicly searchable resource — the repository is nonetheless available to anyone who downloads the app. Even if a person has not signed up for the app, their private data may nevertheless be available on the database if any of their contacts has installed it. Because of these concerns, the app is not directly linked within this report.)

Truecaller profiles of two administrators from the “Unity against Left” group. (Source: Truecaller)

Those investigating the attacks then cross-referenced the identities uncovered via Truecaller with open-source social media databases, allowing them to identify the social media profiles of the suspected attackers. The DFRLab replicated the research and was able to identify two administrators from the WhatsApp group with overt links to the right-wing ABVP student organization.

Photograph (top left) posted by one of the suspects to his Facebook profile with ABVP student logo. The user’s bio (middle right) indicated he was former vice president of the JNU’s ABVP chapter. A photograph (bottom) uploaded in 2015 by the Facebook page of JNU’s ABVP chapter, showing the same individual participating in the group’s undergraduate orientation welcome event. (Source: Facebook, top left and top right; ABVP JNU, bottom)
Cover photo (top) of the second suspect’s profile listing him as president of JNU’s ABVP student chapter. Profile information (bottom left) on his Facebook profile showing his history of involvement with the ABVP. Photographs (bottom right) uploaded in May 2019 by ABVP JNU page showing the individual at an electoral canvassing rally for the ruling BJP party. (Source: Facebook, top and bottom left; ABVPJNU, bottom right)

Other users applied simple imagery analysis to identify some of the masked attackers as ABVP members. In particular, the digital sleuths zeroed in on a masked woman seen in one of the viral videos. Using photographs and information from her now-deactivated Facebook profile, combined with some crude MS Paint editing skills to add in the scarf she wore in the video, users were able to identify a woman as a member of the ABVP and participant in the attacks.

One Facebook user uploaded a comprehensive post outlining the methods used to unveil the identity of the masked female attacker.

A post (left) highlighting the investigation into the masked female assailant. FekuExpress2.0 (right), a political satire page, uploaded a post comparing photos of the woman. (Source: Facebook, left and right)

While such photographic forensics might appear to lead to a result, without secondary evidence, there is a real risk of ascribing too much weight to such methodology. In such instances, with only a single attempt to verify a person’s identity, the potential for a false positive is high.

In this case, the findings of the open-source investigation were subsequently corroborated by local fact-checking outlet AltNews as well as by a subsequent sting operation carried out by India Today, a local media outlet, which captured one of the main organizers of the attack declaring the masked woman’s participation.

Local outlet Newslaundry also infiltrated the WhatsApp group used by the assailants and conducted its own investigation, which arrived at similar conclusions. Furthermore, the Indian Express published its own investigation into the incident, concluding that at least eight officers of the ABVP student chapter, including the chief proctor of the university, two PhD scholars, and a professor at an affiliated university, belonged to the “Friends of RSS” WhatsApp group.


As the evidence uncovered by social media users began to mount, the Delhi Police decided to form a Special Investigation Team on January 11 to investigate the “Unity against Left” WhatsApp group. The police stopped short of naming the perpetrators as members of the ABVP organization, however.

Shortly after, the Delhi High Court directed the local authorities to summon all the members of the “Friends of RSS” and “Unity against Left” groups to further investigate their role in the attack. The judiciary also requested Facebook-owned WhatsApp to comply with a plea issued by three professors at the university requesting that the companies preserve photographs and videos uploaded onto their platforms during the incident. More than a month after the incident, the Delhi Police, however, have yet to make an arrest related to the assault on the JNU students and faculty.

In situations where authorities — local or national — are reluctant to take (or outrightly avoiding) responsibility for an investigation, untrained citizens might feel compelled to act in the face of an absence of official action, but there are real risks in acting on citizen-led investigations, especially in high-profile cases. Such exposure often leads the people identified to be the target of extreme public scrutiny, if not actual physical retaliation. Such investigations can be useful when properly executed, as with Bellingcat’s exposure of the Skripal poisoners, but they also have ugly relatives in the form of such online harassment campaigns as gamergate or the targeting of Myanmar’s persecuted Rohingya population.

In this case, by uncovering the identities of the alleged perpetrators, mainstream journalists and debunking websites were able to corroborate the findings, allowing for the establishment of a basic set of facts. Although the compulsion to act in the face of official inaction is commendable, in the end, formal attribution can only be provided by a thorough and robust investigation by a country’s law enforcement authorities.

Follow along on Twitter for more in-depth analysis from our #DigitalSherlocks.