Why Legion may never get caught

Ramarko Sengupta December 20, 2016 4 min

Story Highlights

  • Free software like Tor and and two-way VPNs make it very difficult to trace hackers
  • India's IT act deals with cybercrime but enforcement is weak
  • Only 3.6% of people arrested for cyber crime were professional hackers

Hacker group Legion seems to have gone cold for now. Or, if you buy into their spiel, they’re just kicking back, doing drugs and listening to progressive house music — till the next hack.

They may be quiet for now, but they have certainly exposed the chinks in the system when it comes to cyber security. While the Indian government is believed to be taking steps to armour up, the question that remains is — will Legion ever be caught?

Experts believe it is highly unlikely we will ever know who they are. And even if they were caught, they would most likely get away fairly easy because of the lack of “right law enforcement mechanism and policies”  

Experts believe it is highly unlikely we will ever know who they are. And even if they were caught, they would most likely get away fairly easy because of the lack of “right law enforcement mechanism and policies.”

“I (the hacker) might be sitting right next to you and you would never find out. I can hop between five continents in five seconds and then send a request to you. You will only see the last IP address of the location I touched,” says ethical hacker Saket Modi.

Modi goes on to add that this is perhaps the reason why despite international police and some of the seniormost cybercrime authorities being on the case, the hacker who sniffed out $81 million from Bangladesh Bank is yet to be caught, nearly a year after the hack.

“I (the hacker) might be sitting right next to you and you would never find out. I can hop between five continents in five seconds and then send a request to you. You will only see the last IP address of the location I touched” — Saket Modi, ethical hacker   

“The way you look at physical crime, you can’t look at cybercrime the same way. Not just in India, but globally we are still not equipped with the right law enforcement mechanism and the policies,” he says.

The existence of free software like Tor and and two-way VPNs (virtual private networks) make it very difficult for the authorities to trace back hackers. Tor enables anonymous communication by redirecting internet traffic through a free, worldwide, peer network, while concealing the user’s location; two-way VPNs allow hackers to connect with one country and come out of another, making it almost impossible to trace their origin.

The existence of free software like Tor and and two-way VPNs make it very difficult for the authorities to trace back hackers  

“Tracing the trail of a hacker is indeed quite difficult. Never know whether he’s sitting in the US, in Italy, or right here,” concurs ethical hacker and cyber security expert Trishneet Arora. He believes that what Legion is doing is “nothing wrong” and merely “alerting the people”.

The unspoken code of honour in every underworld is that you don’t tell on your own kind. There are exceptions, of course. ‘Sabu’, a member of the hacker group LulzSec is believed to have been outed by a former member of the group following which he became an informant to the Federal Bureau of Investigation.

As far as the law goes, there is definitely “illegality” in the Legion’s actions so far, says Supreme Court lawyer and member of the Internet Freedom Foundation Apar Gupta. “But they may be inadequate in terms of how the process functions, how enforcement happens, and how this law is ultimately applied,” he says.

Section 43 of the Information Technology Act prohibits people from gaining unauthorised access to any computer resource (including emails and Twitter accounts.) If the culprit is nabbed, the guilty party may have to pay up to Rs 1 crore in fine, says Gupta.

As far as the law goes, there is definitely “illegality” in the Legion’s actions so far, says Supreme Court lawyer and member of the Internet Freedom Foundation Apar Gupta  

There are also provisions that criminalise such acts under Section 66 and Section 72 of the Information Technology Act. Section 66 prescribes jail time of up to three years or a fine up to Rs 5 lakh or both. Section 72 criminalises breaking the confidentiality and privacy of a user and gaining access to a computer resource without due permission.

According to National Crime Records Bureau data from 2014, 9,622 cases of cyber crime were registered in India and 5,722 arrests were made. These are mostly perpetrators of phishing scams or “neighbours or friends and relatives” and only 3.6% of them claimed to be professional hackers.

Legion made international headlines for an entire week after they hacked into the high-profile public figures from India — Congress vice president Rahul Gandhi, fugitive Indian tycoon Vijay Mallya, and senior NDTV journalists Barkha Dutt and Ravish Kumar.