An online scam targeted prominent women in India, telling them the Ivy League was calling.
Nidhi Razdan was all set to travel to Harvard University to start a new job, and a new life, when she received a stunning email.
A famous Indian news anchor at the apex of her career, Razdan believed she would soon start teaching at Harvard, a dream ticket out of an almost unbearably toxic media atmosphere in India.
She had told the world that she was leaving the news business for America and she had freely shared her most important personal information with her new employer — passport details, medical records, bank account numbers, everything.
But when she swiped open her phone in the middle of a January night, she read the following message, from an associate dean at Harvard:
"There is no record of, nor any knowledge of, your name or your appointment."
The email closed: "I wish you the best for your future."
Razdan felt dizzy and nauseated. She had thrown away a high-flying career in journalism and fallen into an intricate online hoax.
"I just couldn't believe it," Razdan said.
The hoax that ensnared Razdan exploited Harvard's prestige, the confusion caused by the pandemic, and her own digital naïveté. At the time she went public, what had happened to her seemed like a shocking but isolated incident. But it wasn't. Razdan was one of several prominent female journalists and media personalities in India who were targeted, even after one of the women alerted Harvard and the public about the unusual cyberoperation.
The incidents raised questions about why Harvard — despite its reputation for fiercely protecting its brand — did not act to stop the scam, even after being explicitly warned about it. They also revealed how easy it is for wrongdoers to hide their identities on the internet, a risk that is likely to get worse as the technology used in digital fakery continues to improve.
The people — or person — behind the hoax were relentless. They created a constellation of interlocking personas across Twitter, Facebook, Gmail and WhatsApp to pursue the women for months at a time. Unlike typical online fraudsters, they did not appear to use the personal information they extracted to steal money or to extort the women, leaving their ultimate goal a mystery.
Nearly a year later, it is still uncertain why Razdan and the other women were targeted. Although the scammers expressed support online for the Hindu nationalist movement in India, they shed little light on their decision to trick reporters.
The perpetrators have successfully covered their tracks — at least, most of them. The New York Times reviewed private messages, emails and metadata the scammers sent to the women as well as archives of the scammers' tweets and photos that the scammers claimed were of themselves. The Times also relied on analysis from researchers at Stanford University and the University of Toronto who study online abuse, and from a cybersecurity expert who examined Razdan's computer.
The identities of the scammers remain a secret.
"It's not like anything I've ever seen," said Bill Marczak, a senior research fellow at Citizen Lab, an institute at the University of Toronto that investigates cyberattacks on journalists. "It's a huge amount of effort and no payoff that we've identified."
'This hotel fine for you?'
One at a time, the scammers selected their prey.
The first known target: Rohini Singh, an outspoken female journalist who had broken some big stories that powerful men in India did not like.
Singh delivered a blockbuster article in 2017 about the business fortunes of the son of India's current minister of home affairs. She is a freelance contributor to an online publication called The Wire that is among the most critical of the Hindu nationalist government in India. She has also amassed nearly 796,000 Twitter followers.
In mid-August 2019, Singh received a Twitter message from someone calling himself Tauseef Ahmad, who said he was a master's student at the Harvard Kennedy School and from Singh's hometown, Lucknow. They chitchatted about Lucknow and then he invited her to participate in a high-powered media conference. Harvard would pick up all expenses.
She was intrigued. But she grew suspicious after Ahmad connected her to a colleague, introduced as Alex Hirschman, who wrote to her August 19 from a Gmail account rather than an official Harvard.edu email address. On top of that, both Ahmad and Hirschman had telephone numbers that were not based in the United States.
Hirschman and Ahmad then asked her for passport details and some photos, which were to be used for promotional purposes.
A few days later, convinced their entreaty was a scam, Singh ceased communication.
The next target was another female journalist, Zainab Sikander. An up-and-coming political commentator, Sikander campaigns against discrimination toward Muslims, a growing problem under the Hindu nationalist government. She has also written and posted many critical observations of the administration of Prime Minister Narendra Modi.
On August 22, 2019, Sikander, too, received a Twitter message from Ahmad, inviting her to participate in a high-powered media conference at Harvard. It was the same message sent to Singh, though neither woman knew the other had been targeted.
Flattered and curious, Sikander began chatting with Ahmad on the WhatsApp instant messaging and calling app. She was not thrown off by the fact that his phone number started with the country code of the United Arab Emirates, although he claimed to be in the Boston area. Maybe he was a foreign student with Dubai connections, she thought. She remembers his voice: young, with a South Asian accent, which she believed sounded Pakistani.
Just like in Singh's case, Ahmad connected her to Hirschman. What she did not know was that Hirschman and Ahmad were likely fake personas — a search of Harvard's student directory showed no students by either name.
Sikander also did not know that Ahmad's Twitter account was one of several online personas that were interlinked. Ahmad and Hirschman seemed so friendly, sending her compliments — and confirmations for the flights and hotels they claimed to have booked.
"This room and this hotel fine for you?" one of their messages said.
Still, something told her to beware. When she asked for a formal invite from a dean, it never came. Sikander then broke off contact as well.
At the time, India was dominated by a seismic news event: Kashmir. The Indian government had suddenly wiped away the autonomy of the Kashmir region, a restive, Muslim-majority territory that has been the source of a never-ending feud between India and Pakistan.
The Indian government was extremely sensitive about criticism of its move. It severed internet service to Kashmir and preemptively cracked down on critics and potential critics, throwing more than 2,000 Kashmiris in jail, including the region's top politicians.
Sikander had written critical pieces and posts about the government's action in Kashmir. Some analysts believe the scammers may have gone after her because of her trenchant views.
The next target was another female journalist working at a prominent Indian publication, who spoke with the Times on the condition that she was not identified. Suspicious about the scammer's UAE phone number, she quickly broke off contact too. But the scammers did not give up. By the time they communicated in November 2019 with Nighat Abbass, a spokeswoman for India's ruling political party, known by its acronym, the BJP, they had copied email signatures from real Harvard employees and swiped official letterhead from the university's website.
Around the same time, they opened a new Twitter account under the name Seema Singh, who identified herself as a "coder" and claimed she was based in Bharat, another name for India that is preferred by nationalists who see "India" as a colonial term. She sent sexually aggressive messages, tagging Sikander and some of the other women targeted in the scam.
"You look so hot," she said in one tweet. "Can I join you in your shower?" said another.
Singh later updated her profile, claiming to be a bisexual Deutsche Bank employee living in Frankfurt, Germany. (A Deutsche Bank spokesman said the bank had no employees by that name.) She seemed intimately familiar with Indian politics, constantly commenting on the often raw divide between India's majority Hindus and minority Muslims and calling out personal connections that the women targeted in the scam had with Kashmir.
Abbass did not notice the raunchy tweets from Singh's account. Excited about making her first trip to America, she focused on exchanging emails and messages with Ahmad.
It was only after the scammers pushed for passport details and other personal information that Abbass decided she should check directly with one of the Harvard administrators included on the emails.
That administrator, Bailey Payne, a program coordinator in the office of Harvard's vice provost for international affairs, responded, saying the official invitation that appeared to have been sent from her Harvard.edu email address was fake. When Payne asked Abbass if she would like to share more information, Abbass eagerly cooperated. She sent in a trove — the phone number from the UAE, the emails, screenshots of the fake Harvard documents and hotel booking records.
But it is not clear what action, if any, Harvard took. Payne did not respond to requests for comment. Jason Newton, a Harvard spokesman, declined to comment on what the university did with the information Abbass provided.
By the time the hacker or hackers reached out to Razdan that same month, in late November 2019, they were well practiced.
But they were also attracting attention. That same month, Abbass tweeted a passionate video warning others to watch out for Ahmad and the scam. And in December 2019, Twitter users in India accused Singh of faking her online persona. She responded by claiming to be a civil servant with the Indian Police Service and threatened to file complaints against her accusers.
Despite the accusations, the account under that name regularly posted photos it claimed were of her. It is unclear whether the photos actually depicted her or were stolen — reverse image searches for them turned up no results.
'Our No. 1'
Razdan, now 44, was one of the most prominent female Indian journalists of her generation.
Over a career spanning more than 20 years, she had covered India's biggest stories as the country transformed itself into an economic powerhouse. She was polite but fearless, the anchor of the 9 o'clock news program on NDTV, one of India's most prominent independent news channels, a familiar face across a nation of 1.4 billion people.
"She was our No. 1," said her former boss, Prannoy Roy, NDTV's founder.
But by 2019, she was fried.
"It was a mad year," Razdan said, citing the string of huge stories that broke, from a conflict between India and Pakistan and national elections to the profound reorganisation of Kashmir. "I was mentally and physically exhausted."
She was also mercilessly trolled by India's right wing, like many independent journalists are, and said to herself, "If I don't try something new now, I never will."
It was as if the scammers read her mind.
The first email arrived November 14, 2019, from an earnest sounding student — Melissa Reeve — inviting her to a Harvard media seminar. She was then introduced, by email, to another student, Ahmad. When he said there might be a journalism job available at Harvard, Razdan let her hopes soar.
"I thought it would be the opening to a new world," she said.
The next thing Razdan knew, she was interviewing with someone claiming to be Bharat Anand, the name of a real vice provost at Harvard. She never saw him, though. The interview was by phone.
"This is where I feel I really messed up," she said. "I should have insisted it be a video call."
The scammers were taking bolder steps to impersonate Harvard. They bought a website from GoDaddy, HarvardCareer.com, in January 2020 and set up a Microsoft email server that would soon allow them to send messages stamped with Harvard's name. Unlike earlier owners of the domain, they opted for privacy protection that obscured their names from public registries of website owners.
She was then asked for references. Each of the people Razdan enlisted received an official looking email from HarvardCareer.com with a web link to upload a recommendation.
"There was a lovely Harvard shield," Roy remembered. "I didn't have the slightest doubt."
Harvard says it fiercely protects its trademark, employing software to detect new websites that infringe on its brand, but Newton, the university spokesman, declined to say if it had detected HarvardCareer.com. The scammers continued to use it to send emails, capitalising on Harvard's reputation. They also copied employment documents from Harvard's official website, using them as fodder as the scam advanced.
In February 2020, right before Covid-19 exploded across the world, Razdan was told the job was hers. It paid US$151,000 a year, far more than she was making at NDTV. She received a lengthy contract that included everything from arbitration clauses to details about dental insurance. She was even sent information about how her new Harvard faculty ID would get her discounts at Boston-area museums. She could barely contain her excitement. In June 2020, she announced to the world, via Twitter: "I am changing direction and moving on. Later this year, I start as an Associate Professor teaching journalism as part of Harvard University's Faculty of Arts and Sciences."
Congratulations poured in, from some of India's biggest names, spreading the news even farther. Shashi Tharoor, an erudite opposition politician with millions of Twitter followers, lamented, "Will miss you, @Nidhi."
No one at Harvard — which has many students and professors from India or who follow India closely — seemed to put two and two together: that Nidhi Razdan, the famous journalist, was announcing that she had a job at Harvard when there was no such job.
'My pride'
Online classes were supposed to start in September. Razdan was sent a sheaf of forms, all on Harvard letterhead, for her visa application, salary payments and medical insurance. The documents were stolen from Harvard's website, where the university made them publicly available.
Right before classes were to begin, she received an email saying there was a delay because of Covid-19. The scammers would use the pandemic many times as an excuse for delays or slip-ups.
They also asked her to install TeamViewer, which is software that enables computers to connect to each other. TeamViewer would allow the scammers to access files on her laptop, but Razdan did not know that. Trying to be helpful, she downloaded the software.
The scammers played off Razdan's eagerness to connect with faculty members. Several times they invited her to do a video call with Emma Dench, a real dean at Harvard.
But the calls kept getting canceled at the last minute, each with a more fantastic excuse. Once she was told that the dean had to rush out to deal with a faculty suicide.
By December, Razdan began to get annoyed at what she thought was flakiness. She was also a bit peeved that she had not been paid yet. She reached out to officials in Harvard's human resources department. They did not write back. She then emailed Dench's office directly, asking about the canceled video calls.
Dench's assistant wrote back that Razdan was never on the dean's schedule.
The assistant then asked: Who were you talking to?
Razdan sent in a flurry of correspondence, including her signed contract.
By this point, she said, she knew something was wrong but she still had no idea she was being fooled.
"I just thought these were bureaucratic snags," she said. "Or delays because of the pandemic."
That is when she received the shocking email in the middle of the night. She never went back to sleep.
She turned to Jiten Jain, the director of a cybersecurity firm in India called Voyager Infosec, to perform a forensic analysis of her laptop and devices. Jain, who shared his findings with The New York Times, said Razdan's email account had likely been hacked. Worse, Jain found remnants of a suspicious installer file on her computer, a sign that malware may have been installed.
Razdan went public, saying on Twitter and in a confessional article on NDTV's website that she had been scammed. Her disclosure ignited speculation about who could have been behind the attack. Other victims of the scam believed that they might have been targeted by a foreign government, or even their own.
"No other government would invest so much to embarrass Indian journalists," said Rohini Singh, the first reporter the scammers tried to ensnare. "This government does it." Singh pointed to her previous experience being targeted by malware widely believed to have been purchased by the Indian government as evidence of its willingness to tamper with the press. Government officials, including the Ministry of Home Affairs, did not respond to requests to comment.
Jain believed foreign governments might have played a role. The suspicious file he uncovered on Razdan's computer contained an IP address that had once been linked to a hacking group believed to be associated with Pakistani intelligence.
Jain also discovered several other suspicious websites that purported to be career pages for other Ivy League universities, but were registered in China, making him believe the scam that targeted Razdan was part of a broader operation.
"After looking at all the evidence and technical analysis of the devices," Jain said, "it appears to be a group of sophisticated actors running a targeted surveillance campaign."
But the tech companies whose platforms were exploited said government agencies had not played a role.
In January, Twitter suspended Ahmad and Seema Singh's accounts, as well as four others that the company said were connected to them. The company said it could not publicly identify the other accounts because it does not share user data unless it can determine that the users were participating in a state-backed campaign.
"We permanently suspended six accounts as fake based on our platform manipulation and spam policy. There were no signs of the accounts being state-backed," a spokeswoman said.
A Facebook spokeswoman said accounts set up by the scammers had been suspended. Facebook, too, found no evidence that this was a state-sponsored campaign. A Microsoft spokesman said that the email server used by the scammers had been purchased through GoDaddy, and that it, therefore, did not have payment details that could identify the person running the email server. GoDaddy also declined to identify the customer.
"We take customer privacy very seriously and don't discuss customers' account details unless provided with a court order," said Dan Race, a GoDaddy spokesman.
Another theory emerged: Perhaps the women were targeted by an individual, someone ideologically aligned with the Hindu nationalist ruling party in India and willing to go to great lengths to humiliate critics of the government's intervention in Kashmir and those who spoke out against the divide between Hindus and Muslims. On Twitter, the scammers' Singh account, which was like an alter ego to the more mild Ahmad account, frequently ranted about these issues.
Miles McCain, a researcher at the Stanford Internet Observatory, a policy centre focused on abuses of the internet, analysed the messages and discovered that Hirschman and Ahmad's Gmail addresses were connected to a Samsung Galaxy S8 phone. That small detail could puncture theories that the women were targeted by a group of people, McCain noted — it might be a sign that a single individual was operating both accounts from the cellphone.
A Google spokeswoman declined to comment on the specific Gmail accounts. "When we detect that a user is the target of a government-backed attack," she said, "we send them a prominent warning alerting them that they are at risk."
An analysis of the scammers' emails conducted by Citizen Lab revealed that the messages were sent from internet addresses in the UAE, not Boston — a clue that seemed to fit with the UAE phone number that Ahmad used.
But the IP addresses and Jain's findings raised more questions. Were the scammers operating from the UAE, Pakistan, China, or from within India? Strangely, the emails did not contain so-called phishing links — a clue that might have revealed more about how the reporters' information was obtained and who was behind the intrusions.
After learning she had been tricked, Razdan retreated from public view. She lost weight. She avoided friends. She turned to the Indian police, who have begun their own investigation but have not made any findings public.
Just like Abbass, she urged Harvard to investigate, emailing the university that "Someone/group of people have been impersonating senior Harvard officials and forging their signatures, and must be brought to book."
She said Harvard never wrote back.
In the past few months, Razdan has quietly begun to rebuild her life. She found a job teaching public policy at an Indian university and writes a weekly column for Gulf News, a big paper in the Middle East.
Still, she spends a lot of time by herself, rotating through feelings of anger, regret and shame.
And she keeps asking herself the same question: "How could I be so stupid?"
This article originally appeared in The New York Times.
Written by: Jeffrey Gettleman, Kate Conger and Suhasini Raj
Photographs by: Rebecca Conway and Tony Luong
© 2021 THE NEW YORK TIMES