Tuesday, January 18, 2022

Diary of a hacker has cops confounded

Three months after the arrest of Sharif Khan, police are still to crack his codes.

Mumbai |
April 22, 2015 1:18:59 am
Sharif Khan, hacker, cyber attack, cyber attack diary,  facebook ID, passwords, mumbai news, city news, local news, mumbai newsline (Illustration: C R Sasikumar)

By: Rohit Alok

Nearly three months after Sharif Khan was arrested and a month since he was chargesheeted, a simple green diary belonging to him that detailed a conspiracy to mount a cyber attack continues to befuddle the Mumbai Police.

Khan (26) filled only 28 of the hardbound diary’s pages in Roman text, writing and cancelling words, committing several misspellings — ‘Indonasia’ for Indonesia, being one such example.

The diary is filled with email IDs — possibly of foreign nationals as well, Facebook IDs and passwords, notes in a computer programming language and hacking codes.


The police arrested Trombay resident Khan on January 29 and seized from him 12 cellphones, 1,777 activated SIM cards and 292 deactivated SIM cards belonging to six different telecom companies, apart from Rs 24,500 in cash from his 12×12 feet home. The police also seized his personal computer, a laptop, five printers, a large bundle of forged photo identification documents, 800 customer acquisition forms belonging to telecom companies and the green diary.

The diary is an important piece of case evidence, which otherwise comprises technical findings from Khan’s cellphones, correspondence with telecom companies about the SIM cards he had illegally acquired, details of Internet activity at his home and his cellphone shop.

The police arrested nine more persons after Khan, two of them territory channel sales managers at leading telecom companies, a telecom company salesman and the owner of a PCO in Byculla. The other five accused had all procured SIM cards from Khan and sold them. The Trombay police filed a 1,233-page chargesheet against the accused in the Kurla Court on March 27.


The police say that the pocket diary was found in a table drawer in Khan’s home. Its first page bears a few words in the Devanagari script that translate to ‘In the name of Allah.’

“This diary evidently has hacking and cracking codes that we are studying and attempting to decipher,” said the investigating officer.
Number 15 of the diary’s 28 pages written in English is filled by Khan’s second wife, Yasmeen. She has made at least seven-point severe checklist for Khan that reads — do not smoke, do not drink or indulge in any bad habit and pray five times a day.

But above all, Yasmeen has reminded Khan to rent a home in Cheetah Camp before June 30, 2013. The police are still befuddled with this deadline. Several rounds of questioning Yasmeen hasn’t given any answers.

Khan’s diary also contains numerous 10 digit numbers, which appear to be cellphone numbers. The diary also makes note of the name and contact number of a Mahim resident, whom Khan tracked down following a request from a Facebook friend in 2012. According to the police, Khan tracked down the person using nothing more than his name and date of birth. Interrogation has revealed nothing more about the Mahim resident, the police have said in the chargesheet.

Throughout, the words ‘Indonesia’, ‘Operation Lolokaust’, ‘Danger Hackers’ and various variations of email addresses made from the name Aliya have been repeated on several occasions.

For the police though, the mystery lies in the diary’s final two pages.

The second last page bears the date August 31, 2012. The left page, the second last page of the diary, has an entry date — August 31, 2012 — marked on it. On this page, Khan has set himself a cryptic reminder to create a news template using a computer code. The page bears only six other words, or one word — active — written six times one below the other, with the handwriting slanting diagonally to the left. In each variation, Khan has turned the lowercase alphabet to upper case so that it reads — Active, ACtive, ACTive, ACTIve, ACTIVe, ACTIVE.

On the adjoining page, Khan has listed 10 countries one below the other, in the following order: Indonesia, Malaysia, Pakistan, Myanmar, Bangladesh, Nigeria, India, Iran, Tunisia, Afghanistan. He has made a tick mark against India and Afghanistan and written 1 alongside Indonesia, Malaysia, Pakistan, Myanmar, Bangladesh. Alongside this list, Khan has written the word ‘active’ again but completely in the uppercase.

This time, the alphabet stands for a different word: A – Alpha, C – Cyber, T – Team, I – Internet, V – Voice, E – Effect, and is written vertically downwards. This is topped with the title ‘team alpha’, with the words underlined. Towards the bottom of this page, the word makes another appearance, but in a different design. The letters are in upper case and written horizontally, with lines connecting each alphabet to its full forms.

The police continue to probe the details in the diary and have informed the court that a supplementary chargesheet will be added once the diary is decoded.


Khan is a Class VII dropout of an Urdu medium school in Mankhurd. Between 2009-12 he worked with a firm that installed CVM coupon machines at railway stations. Trombay apart, Khan’s criminal record comprises two robberies at Kalamboli in Navi Mumbai and Bandra.

Hailing from a low income family and operating a shop in Cheetah Camp’s Sector A 1 named after his daughter, where he repaired cell phones and sold SIM cards since 2012, the police say that the Rs 64 lakh spread across four bank accounts is disproportionate to his known sources of income.

Khan, the chargesheet explains tapped sales managers employed with telecom companies and offered them unscrupulous means of meeting their sales targets, all to acquire SIM cards for an, as yet unexplained, purpose.

Proficient in the image editing software CorelDraw, Khan allegedly gained data of holders of Aaadhaar cards and voter ID cards, creating unique forged cards that used numerous combinations of names, pictures and addresses. “While submitting the forms, Khan would fill up names and address in slight variations,” said a police officer.

Khan claims that he stared manufacturing the documents from the month of June 2014 and has reportedly obtained nearly 8,000 SIM cards since.

“I learnt loopholes in the system in a span of less than two years. I knew all the sales managers, distributors and territory managers in the the area and roped them in and together we benefited from the weak process of obtaining a SIM cards,” Khan is believed to have told investigators during his interrogation.


On Facebook, Khan is the administrator of a group called ‘Danger Hackers’ that has 637 members. On his own profile page, however, claims to be a native of Jerusalem and wants to live in Gaza. He had shared various hacking software tools, links to news related to Israel and Palestine, images of websites that the group claimed to have hacked, and security tips to his fellow group members.

The group, the police said, ‘hack whatever they feel needs to be hacked’, but their ‘Operations against other countries are focused on government, not the people’. The police said that Danger Hackers had launched a cyber assault called #OpMyanmar, targeting the website of the Myanmar government those of several banks there. A member of Danger Hackers, who participated in #OpMyanmar admitted that he was unaware of Khan’s arrest.

“I never knew of his arrest by the Trombay police. He lied to everyone in the group of his whereabouts. He told me that he lived in Ghatkopar, told another member that he was in Navi Mumbai, and a third that he was from West Bengal. Most of us believed that he was based out of Gaza,” he said.

In a video uploaded on Youtube by Danger Hackers on December 31, 2012, the group blames the Union Ministry Communications and Information Technology and its then minister Kapil Sibal for imposing the Information Technology Act, 2008.

In the video, the group also claimed to have disabled websites of many government agencies and private firms and listed out 20 government websites that it was going to target next.


Start your day the best way
with the Express Morning Briefing

📣 The Indian Express is now on Telegram. Click here to join our channel (@indianexpress) and stay updated with the latest headlines

For all the latest Mumbai News, download Indian Express App.

  • Newsguard
  • The Indian Express website has been rated GREEN for its credibility and trustworthiness by Newsguard, a global service that rates news sources for their journalistic standards.
  • Newsguard