Ahmedabad, March 5 – The Ahmedabad police have arrested an illegal immigrant from West Bengal for his alleged involvement in a network that sent bomb threat emails to schools, courts, airports, and government institutions across several states, including several incidents reported in Gujarat over the past year.
The accused, identified as Sourav Biswas (30), whose real name is Michael Biswas, was detained from the Gopalnagar village in North 24 Parganas district of West Bengal as part of a joint operation by the Ahmedabad Cyber Crime Branch and the Crime Branch.
Police stated that the accused entered India in 2021 during the Covid-19 period and had been residing illegally in West Bengal since then.
The accused was brought to Ahmedabad on transit remand and presented before a court, which granted investigators 10 days of police custody for questioning.
This arrest follows an investigation into a series of threatening emails warning of bomb blasts at schools, courts, airports, post offices, and other government institutions.
Several such emails had been reported in Ahmedabad, while similar threats were also recorded in Surat, Vadodara, and Rajkot, as well as in other states including Delhi, Punjab, Maharashtra, Assam, and Uttar Pradesh.
Sharad Singhal, Joint Commissioner of Police (Crime Branch) of Ahmedabad, said that these threats had been circulating for nearly a year and were being investigated as part of a broader cyber terror investigation.
"For nearly a year, bomb threat emails targeting schools and other institutions were being received in Gujarat. Some of the messages referred to Khalistan sympathizers, while others mentioned political issues related to Tamil Nadu. During the investigation, we arrested this man from West Bengal," Singhal said.
He added that the Ahmedabad Police Crime Branch secured a fast transit remand, and the city's Cyber Crime team has started questioning the accused.
"This was a major joint operation by the Ahmedabad Crime Branch and the Cyber Crime unit. The person who sent bomb threat messages to several places, including Ahmedabad, has been apprehended. He is currently on police remand, and further investigation is underway as we examine the role of other accused," Singhal added.
According to investigators, the accused was involved in illegally selling digital services and compromised online accounts through online platforms and the dark web.
Police stated that the accused used leaked or hacked email and social media accounts, altered their credentials, and sold them through a website named expetseller.shop (F5gitServices).
The website offered various digital services, including Gmail accounts, bank accounts, Cash App accounts, Google Voice numbers, TextNow accounts, VPN and proxy services, premium subscriptions, social media accounts such as Facebook, Instagram, WhatsApp, and Telegram, phone numbers, and Remote Desktop Protocol or Virtual Private Server services.
Police stated that the accused sold email accounts for between one and five dollars each and accepted payments in cryptocurrency.
Investigators said that the accused used Virtual Private Network services and other technical tools to hide identities and track inactive or compromised email accounts.
After taking control of such accounts by changing usernames, passwords, and recovery details, the credentials were allegedly passed to handlers believed to be based in Bangladesh, who used them to send bomb threat emails.
Police stated that around 50 to 60 email IDs were used in the threatening messages, and the accused allegedly received about 50 USDT cryptocurrency for each account supplied.
The financial trail of the USDT transactions is now under investigation.
During searches at the accused's residence, officers seized three CPUs, five computer hard disks, three mobile phones, and an internet router.
Investigators also recovered data containing around 200 Gmail IDs along with passwords and recovery email details, as well as several Hotmail accounts that were allegedly used in the threat emails.
Officials said that the accused had previously worked at a cybercafe before moving into digital marketing and online digital services.
"He (the accused) was living in the largest house in his locality, which is being examined as part of the financial investigation," officials added.
The investigation has linked the accused to at least seven cases registered in Ahmedabad between December 2025 and February 2026, while other incidents in Surat, Vadodara, and Rajkot are also under examination.
Police stated that investigators conducted a covert operation through Telegram, during which officers contacted the accused and transferred cryptocurrency as part of a controlled interaction.
After a bomb threat message was subsequently sent to a location in Maharashtra, investigators were able to trace the digital trail and identify the accused.
Authorities said that police teams from Delhi, Maharashtra, Punjab, and Uttar Pradesh, along with central agencies, are expected to arrive in Ahmedabad to question the accused in connection with similar cases reported in their jurisdictions.
Joint CP Singhal said that investigators were also probing possible links with other modules.
"We are examining the larger network behind these emails, including handlers outside India. The role of other associates is being investigated," he added.
Police stated that the accused's sister, Sarista Biswas, may also have been involved in the activities, and further inquiries are underway.
Investigators are also examining a suspected module linked to Chennai, though officials said the IP trails so far appear different.
The offences were registered under Sections 351(3), 351(4), 353(1)(B), 61(2) of the Bharatiya Nyaya Sanhita-2023 and Section 66(C) and of the IT Act.
Since hacked email accounts were used for these criminal activities, additional Sections 43 read with 66, 66(C), and 66F(2) of the IT Act-2000 have been added to the case.
Authorities said that the probe is continuing as officials analyse digital evidence, cryptocurrency transactions, and potential cross-border links connected to the case.
