4 min readJun 22, 2026 10:50 AM IST
When the Brihanmumbai Municipal Corporation (BMC) received a series of threat emails last week warning of blasts at government offices, including the Chief Minister’s Office, investigators found digital trails leading to five different locations across the world, from the European Union and the United States to India.
Police officials say those locations were almost certainly a smokescreen.
The IP addresses traced during the investigation are believed to have been masked using Virtual Private Networks (VPNs), making it increasingly difficult for law enforcement agencies to identify the actual sender.
The challenge is not new. In 2024, when a Facebook post claimed responsibility for the firing outside actor Salman Khan’s residence in Bandra, investigators traced the IP address to Portugal. Officials later suspected that the original source had been concealed through similar methods.
The growing use of VPNs and encrypted communication platforms has emerged as one of the biggest hurdles in cyber investigations involving threat emails.
The problem, according to investigators, begins once the trail reaches the VPN provider.
“We send emails on the IDs mentioned on their websites but we never receive a response,” an officer said.
Story continues below this ad
Another officer explained why such investigations often hit a dead end.
“For most of these VPN companies, anonymity is their USP. Requests coming from another country’s police, can easily be stonewalled. Going through legal channels via the government using the Mutual Legal Assistance Treaty (MLAT) is a time-consuming process that could take years.”
As a result, several investigations stall at the VPN level itself.
Sources said only those cases where the sender lacks the technical expertise to properly conceal their identity are eventually solved.
One such instance involved threat emails sent to the Ambani family in 2024. Investigators were able to trace the messages to a 24-year-old accused after a brief glitch in the free VPNservice he was using exposed his actual IP address.
Story continues below this ad
“In the absence of any such glitches, it becomes difficult to track the sender or even find the country from which the email is sent. Sometimes the IP address is so well masked we suspected some foreign agency may be behind it,” an officer said.
The inability to identify senders has also affected the way police register such complaints.
“Now in most of these threat cases, we take a Non-Cognisable offence as most of these cases go unsolved, increasing our count of unsolved FIRs,” the officer said.
Officials said VPNs are only part of the challenge. Many senders now rely on encrypted email services such as Proton Mail, which provide another layer of anonymity.
“Apart from VPNs, some accused use secure mail services like Proton Mail, due to which there is no way to track perpetrators. Every time a threat mail is received, we carry out basic searches because we cannot ignore the possibility of a genuine threat. But it leads to a loss of resources every time such mail is received,” an official said.
Recent threat emails
Story continues below this ad
On June 14, the Chhatrapati Shivaji Maharaj International Airport received a threat claiming bombs had been planted at multiple locations across Mumbai and would explode shortly. The email was signed “HAIL SWAT TERROR X SWAT KATS”.
On June 10, the BMC received emails warning of explosions at multiple locations, including the Mayor’s office, the Chief Minister’s Office, the BSE building and civic offices. The messages, sent to several official email IDs, contained references to Khalistan and included inflammatory and threatening content.
Earlier, on March 12, the National Stock Exchange office in Kurla received a threat email warning of missile and bomb attacks at key locations in Mumbai. The message claimed that “Mumbai will echo Khalistan” and threatened blasts across the city.
Stay updated with the latest – Click here to follow us on Instagram
