When the news broke about the car explosion near Delhi’s Red Fort on November 10, it felt like another tragic headline. But as investigators have dug deeper, a far more chilling story has emerged. This wasn't just an attack; it was a window into the evolution of modern terrorism, where highly educated professionals are using advanced digital spycraft to coordinate devastating plots. The probe has uncovered a web of encrypted apps, secret communication methods, and foreign handlers guiding a terror cell of doctors right from Faridabad.
Key Highlights
- ✓ A foreign handler sent 42 bomb-making videos to one of the accused doctors via encrypted apps.
- ✓ The module used a spy-style "dead-drop email" technique, saving messages as drafts to avoid a digital trail.
- ✓ Suspects communicated on the highly secure Swiss app Threema, possibly using their own private server.
- ✓ Authorities are searching for 19 women allegedly radicalized by doctor and accused JeM operative, Dr. Research findings show that Shaheen Shahid.
- ✓ Investigators believe the plot is linked to other DIY bombings in Coimbatore, Mangaluru, and the Rameshwaram Cafe blast.
Anatomy of a High-Tech Terror Plot
The blast, which killed at least 15 people and injured over 30 near the Red Fort Metro Station, was quickly handed over to the National Investigation Agency (NIA). At the center of this terrifying plot are three doctors connected to the Al Falah University in Faridabad: Dr. Umar Un Nabi, Dr. Muzammil Ganaie, and Dr. Shaheen Shahid. These weren't just peripheral figures; investigators believe they were deeply involved in the planning and execution of the attack.
What’s really staggering is how they were guided. One of three alleged foreign handlers, using the pseudonym Hanzullah, reportedly sent a staggering 42 videos on bomb-making to Dr. Ganaie. These weren't vague instructions; they were detailed do-it-yourself guides. Dr. Ganaie, in turn, is accused of arranging storage for the explosives, including a massive haul of over 2,500 kg of material, with 350 kg of it being ammonium nitrate, a powerful industrial explosive. The module even conducted multiple reconnaissance missions in Delhi, using a familiar red EcoSport to stockpile their ammunition without raising suspicion.
Digital Ghosts and Invisible Communication
Here’s where the story takes a turn into a spy thriller. The module’s operational security was incredibly sophisticated. They allegedly used the Swiss messaging app Threema, a platform famous for its hardcore privacy. You don't even need a phone number or email to sign up—it just gives you a random ID. This makes it a nightmare for law enforcement trying to trace users.
Investigators suspect they took it a step further by setting up their own private Threema server. This would have created a completely closed-off, isolated network where they could share maps, documents, and instructions without ever touching a public server that authorities might monitor. It’s like building your own secret post office that no one else knows exists. This level of digital tradecraft shows a cell that prioritized stealth above all else.
Their discipline was also on display after the fact. Dr. Umar, who was reportedly driving the car that exploded, allegedly "switched off his phones" and cut all digital ties right after his associates were arrested. This wasn't an act of panic; it was a calculated move to limit exposure and break the chain of evidence. It's a clear sign they were well-trained and understood how to evade surveillance in the digital age. This brings us to
The Shadowy Network of Handlers
The foreign handlers—identified by pseudonyms like Hanzullah, Nisar, and Ukasa—are a key focus. But another name has popped up that connects this Delhi attack to a string of others across South India: Mohammed Shahid Faisal. Known by aliases like 'Colonel' and 'Laptop Bhai', Faisal is an engineering graduate from Bengaluru who vanished in 2012 after being linked to a Lashkar-e-Taiba plot. One key aspect to consider is He’s believed to have fled to Pakistan and more recently moved to the Syria-Turkey border.
Faisal is a person of interest in the Coimbatore car suicide bomb blast of October 2022, the accidental Mangaluru autorickshaw blast of November 2022, and the Bengaluru Rameshwaram Cafe blast from March 2024. The modus operandi is strikingly similar across these incidents: remote handlers using encrypted platforms to radicalize local youths and teach them to build IEDs from everyday materials. In the Rameshwaram Cafe case, Faisal allegedly sent dozens of DIY bomb videos and thousands of rupees via cryptocurrencies to his operatives.
The Professor and Her Web of Influence
One of the most disturbing threads of this investigation leads to Dr. Shaheen Shahid, a former faculty member at Al-Falah University who was apprehended in Lucknow. Investigators from the Uttar Pradesh Anti-Terrorist Squad (ATS) are now in a frantic search for 19 women from Kanpur and nearby districts who were reportedly in contact with her. Authorities believe she used her position and identity to build a structured outreach network, targeting vulnerable women who were isolated or distressed.
Digital evidence recovered—voice notes, videos, and contact lists—suggests she delivered provocative and manipulative speeches to radicalize her followers. Many of these women have now switched off their phones, making it incredibly difficult to track them. Sources say Dr. Shaheen used her identity as a woman to create a "safe" entry point, slowly introducing them to radical content. This wasn't just casual conversation; it was a calculated recruitment strategy. Industry experts suggest that
Her professional history paints a picture of someone operating outside the lines for years. Faculty members at her previous job at GSVM Medical College in Kanpur recalled her rigid insistence on wearing a hijab despite institutional dress codes. Her tenure was also marked by frequent, unexplained absences and abrupt foreign travel, which eventually led to her termination in 2021. Locating these 19 women is now crucial to mapping the full extent of her network and the influence of the Jaish-e-Mohammed (JeM) inspired module.
The New Frontier of Counter-Terrorism
This case is a massive wake-up call. As terror modules increasingly adopt these privacy-preserving technologies, traditional surveillance methods like phone tapping and email intercepts are becoming less and less effective. The fact that the suspects used Threema, an app reportedly banned in India, by routing through VPNs and foreign proxies shows that simple bans aren't enough.
Experts and officials are now stressing the need to adapt. This means building dedicated digital forensics teams that can handle encrypted platforms and trace private servers. It also calls for updated legal frameworks that can address threats from decentralized communication and new regulations for self-hosted communication infrastructure. And with highly educated professionals like doctors becoming radicalized, counter-radicalization programs need to be tailored for these less-visible, but more sophisticated, recruits.
Conclusion
The Red Fort blast investigation is peeling back the layers on a new and unnerving form of terrorism. It's a blend of old-school spycraft and cutting-edge technology, carried out by individuals you'd least expect. The days of relying solely on mass propaganda are over; today's terror cells are integrating advanced digital tradecraft with their operational planning, making them harder to track and stop.
This case serves as a sobering reminder that the battlefield has shifted. The fight against terrorism is no longer just on our streets and borders, but also on servers, in encrypted code, and within the deeply private digital spaces we all inhabit. To keep our societies safe, our defenses must evolve just as quickly as the threats do. A notable point here is
