Doctors Used Ghost SIMs, Encrypted Apps In Red Fort Blast Plot

Probe reveals ‘white-collar’ terror module linked to Pakistan handlers

Summary
  • Investigators say highly educated doctors used ghost SIM cards, dual phones and encrypted apps to coordinate with handlers in Pakistan and PoK.

  • The module exploited SIM-free app features to learn IED-making online and plan hinterland attacks, including the Red Fort blast case.

  • The Centre has tightened telecom rules, mandating active SIMs for messaging apps to curb terror and cyber misuse.

Investigations into the "white-collar" terror module linked to the blast near Delhi's Red Fort on November 10 last year show that highly educated doctors used a sophisticated web of "ghost" SIM cards and encrypted apps to coordinate with Pakistani handlers, officials claimed on Sunday.

The Department of Telecommunications (DoT) issued a broad directive on November 28 of last year that required app-based communication services like WhatsApp, Telegram, and Signal to be constantly connected to an active, physical SIM card within the device. This directive was essentially based on the findings of the investigations.

According to the officials, the investigation into the "white-collar" terror module and the explosion uncovered a network of "ghost" SIM cards used by the arrested doctors, including Muzammil Ganaie, Adeel Rather, and others, as part of a tactical "dual-phone" strategy to evade security agencies.

They claimed that two or three cell phones were carried by each accused, including Dr Umar-un-Nabi, who was killed while operating the truck carrying explosives close to the Red Fort.

To avoid suspicion, the accused carried one "clean" phone registered in their own names for regular personal and professional use. The other was a "terror phone" that they used only to communicate, via Telegram and WhatsApp, with their handlers in Pakistan (identified by the codenames "Ukasa," "Faizan," and "Hashmi").

According to the officials, the SIM cards for these secondary devices were issued in the names of unsuspecting citizens whose Aadhaar information was exploited.

Additionally, Jammu and Kashmir Police discovered a different scheme in which fake Aadhaar cards were used to issue SIM cards.

The officials stated that the security agencies observed a troubling pattern in which these compromised SIMs continued to be active on messaging platforms in Pakistan or Pakistan-occupied Kashmir (PoK).

Although the recruits initially wanted to join conflict zones in Syria or Afghanistan, the handlers, by taking advantage of features that allow messaging apps to operate without a physical SIM in the device, were able to instruct the module to learn IED assembly via YouTube and plan "hinterland" attacks.

To plug these security gaps, the Centre has invoked the Telecommunications Act, 2023, and Telecom Cyber Security Rules to "safeguard the integrity of the telecom ecosystem", which includes a rule that, within 90 days, all Telecommunication Identifier User Entities (TIUEs) must ensure their apps function only if an active SIM is installed in the device.

The order further directs the telecom operators to automatically log out users from apps like WhatsApp, Telegram and Signal in case of the absence of an active SIM, the officials said, adding that all service providers, including Snapchat, Sharechat and Jiochat, must submit compliance reports to the DoT.

This feature of using apps without a SIM is posing a challenge to telecom cyber security as it is being misused from outside the country to commit cyber frauds and terror activities, the DoT statement had said while explaining the reasoning behind the move.

In the Jammu and Kashmir telecom circle, the directive is being expedited. Although police acknowledge that deactivating all expired or fake SIMs will take time, the action is viewed as a significant setback to the digital infrastructure that terror networks employ to manage and radicalise "white-collar" operatives.

According to the officials, noncompliance with these standards would result in severe consequences under the Telecom Cyber Security Rules and other relevant legislation.

The "white-collar" terror module started to unravel on the intervening night of October 18–19, 2025, when posters of the outlawed Jaish-e-Mohammad (JeM) appeared on walls outside Srinagar city. The posters warned of potential attacks on the valley's security and law enforcement personnel.

Senior Superintendent of Police, Srinagar, G V Sundeep Chakravarthy, took it seriously and assembled multiple squads to investigate the issue thoroughly.

Two doctors, Ganaie of Koil in Pulwama, south Kashmir, and Shaheen Sayeed of Lucknow, were detained at Al Falah University in Faridabad, Haryana, after the Srinagar police pieced together the statements of the detained suspects. A massive amount of weapons and ammunition, including 2,900 kg of sulphur, potassium nitrate, and ammonium nitrate, was also confiscated.

The National Investigation Agency is looking into the car explosion case near the Red Fort, which resulted in 15 fatalities.
