From a solar-powered spy camera concealed at a Delhi military station to a hawala-funded lawyer in Haryana, from foreign mercenaries intercepted simultaneously at three airports to a naval sailor honey-trapped on social media for three years, India’s counter-intelligence apparatus has had a remarkable run. The four cases are connected by two common factors, and investigating them required advanced methods to decode the threats they posed. The new espionage war is being fought on an unfamiliar front. India is ahead of the curve in fighting back. India’s intelligence architecture is quietly evolving into something formidable.
Dissecting Ghaziabad’s espionage case
A tip-off about a group of young men filming public places in Bhowapur, Ghaziabad. A routine Arms Act investigation. A single phone number placed under surveillance. What Ghaziabad Police uncovered when they pulled that thread was not a gang of petty criminals. It was a meticulously engineered spy ring running real-time surveillance on some of the most sensitive military infrastructure in the country, on behalf of Pakistan’s Inter-Services Intelligence (ISI).
Six arrests followed. The suspects were Suhail Malik, Ritik Gangwar, Sane Iram (who went by the name Mehek), Raj Valmiki, Shiva Valmiki and Praveen. The group included members of various religions. None fit the profile of a trained foreign agent. That, precisely, was the entire point.
Modus Operandi
What made this case exceptional was the sophistication of the infrastructure that the ISI had raised through these ordinary recruits. At the Delhi Cantonment railway station, a transit node that feeds troop movements across the National Capital Region, the suspects had installed a concealed high-definition camera powered by a solar panel. The device ran autonomously, without requiring any operative to be physically present. A live feed of security personnel movements, logistics patterns and military deployment schedules streamed directly to handlers across the border, in real time. For seven to eight months, this window into one of India’s most guarded corridors remained open and undetected. The ISI did not send trained agents. It sent invoice-raisers, young men treating espionage as gig work.
Fundamental security weakness
The target zone demands a moment of reflection. The Delhi Cantonment Board controls a territory of more than 10,000 acres in southwestern Delhi, which contains Army Headquarters, residential quarters and essential defence installations. That civilian operatives, recruited through social media for payments of Rs 10,000 to Rs 15,000 per task, were able to enter this area and establish surveillance systems demonstrates a fundamental security weakness that goes beyond this particular event.
The communication architecture was equally instructive. The WhatsApp group through which data was transmitted bore the name ‘Lawrence Bishnoi 007’, a deliberate misdirection designed to suggest gang activity rather than state-sponsored espionage. Ten videos and twelve suspicious images were traced back to one suspect’s number alone. The choice of an encrypted consumer platform for operational communication reflects the ISI’s broader tactical pivot: using the infrastructure of everyday digital life as cover for intelligence operations.
Extending beyond Delhi
The network’s reach extended well beyond Delhi. Suspects had travelled to Mumbai and multiple cities, recording Government offices, public infrastructure and restricted defence installations. The intelligence package assembled for handlers included topographical data, entry and exit protocols and deployment patterns of railway security forces across the NCR, a comprehensive map of vulnerability.
What should alarm analysts most is not merely what was found, but what it represents. This is the ISI’s “hybrid espionage model”: decentralised, transactional and demographically agnostic. By recruiting across religious and economic lines, handlers eliminate the traditional signatures counter-intelligence is trained to detect. There is no ideology to trace, no radicalisation pathway to map. The recruits are, in the most unsettling sense, simply employees.
The Ghaziabad operation reflects what analysts call second-generation espionage cells. Where the first generation required years of ideological cultivation, this model outsources reconnaissance to local youth treating it as low-risk freelance work. The entry barrier is a smartphone. The exit cost, evidently, had not been made clear enough.
Ghaziabad police’s investigative skills
Credit for unravelling this network belongs, in the first instance, to the investigative instincts of the Ghaziabad Police. It refused to regard the initial Arms Act violation as a concluded case. By tracing a single phone number to the WhatsApp group and then forensically analysing seized devices, it uncovered a complete operational structure. This validates the case for investment in digital forensics at the district police level, a recommendation India’s security community has long made but implemented unevenly.
The Ghaziabad case is also, notably, the second exposure this year of local law enforcement assisting national intelligence in countering ISI-linked espionage, following the Faridabad doctor-terror module uncovered by Jammu and Kashmir Police. A pattern is emerging: front-line policing, when equipped and alert, constitutes India’s most effective early-warning layer.
Gurugram Lawyer: Chasing green notes
If the Ghaziabad case revealed the operational face of modern espionage, the arrest of Rizwan, a practising lawyer from Nuh district, Haryana, revealed its financial backbone. Nuh police, acting on inputs from a Central Investigative Agency, apprehended him on charges of passing sensitive information to the ISI and channelling crores of rupees through hawala networks linked to Pakistani handlers, allegedly for terrorism financing, espionage support and drug smuggling.
What this case demonstrates is the value of financial intelligence, FININT, as a counter-intelligence instrument. Suspicious banking transactions revealed undisclosed travel movements. The authorities conducted multiple raids to dismantle the entire network and then froze the account, working by a method that targeted specific nodes to map criminal networks instead of eliminating their members. The three arrests made this year in the Mewat region show law enforcement agencies conducting dedicated investigations instead of relying on random policing methods.
Airport Gambit: Seven arrests, three airports, one night
The most operationally complex of these cases unfolded on the night of March 13, 2026. The National Investigation Agency (NIA) arrested seven foreign nationals, including American citizen Matthew Aaron Van Dyke and six Ukrainians, at three different airports in Delhi, Lucknow and Kolkata. Coordinated arrests in three cities hundreds of kilometres apart, carried out over a single night, show that these results came from sustained intelligence work rather than from a reaction to an immediate situation.
Van Dyke is the founder of Sons of Liberty International, a military contracting firm with a documented history of training armed groups across conflict zones globally. The NIA alleges that the group entered India on tourist visas, travelled to Mizoram without the requisite Protected Area Permits, crossed illegally into Myanmar, and conducted training for ethnic armed organisations linked to insurgent groups operating within India. The alleged curriculum covered drone warfare, weapons handling, and jamming technology. Seven foreign nationals were arrested at three airports in a single night because India’s intelligence apparatus had been watching, and waiting, for months.
Two factors made this operation possible. First, Russian authorities provided actionable intelligence, a reminder that great-power competition can create unexpected intelligence partnerships. Second, the Home Ministry reinstated Protected Area Permits for Mizoram, Manipur and Nagaland in December 2024 because intelligence showed that foreigners were misusing the relaxed guidelines, and the reinstatement created a legal framework for the arrests. Chief Minister Lalduhoma had already warned, in March 2025, about Ukraine war veterans using his State as a transit corridor.
Kochi Case: Honey trap in warship
Not every breach of national security begins with ideology or money. Some begin with a friend request. On March 10, 2026, the Uttar Pradesh Anti-Terrorism Squad arrested Adarsh Kumar, alias Lucky, a leading seaman at the Southern Naval Command in Kochi, accusing him of spying for Pakistan’s ISI.
Investigators allege that approximately three years earlier an ISI-linked handler, operating behind a fictitious woman’s profile on social media, initiated contact with Kumar. Over time the handler cultivated a relationship that eventually yielded photographs of warships and sensitive naval assets. Financial transactions between Kumar and his handler further cemented the prosecution’s case.
The ATS developed its leads through electronic surveillance, technical monitoring, and physical verification before making the arrest. The case is a textbook illustration of the honey-trap as a strategic instrument: patient, low-cost and capable of penetrating institutions that maintain the most stringent physical security precisely because the vulnerability resides not in perimeters, but in people.
Architecture of success & its limits
Read together, these four cases sketch an encouraging portrait of India’s counter-intelligence capacity. Local police investigations feeding into national agency mandates. Financial forensics dismantling support networks. Long-term surveillance enabling precisely timed arrests. International intelligence partnerships yielding actionable leads. Investigators showing their dedication to uncovering the complete criminal conspiracy by investigating beyond the immediate criminal activity.
And yet these successes carry a warning. Similar hybrid modules may be operating undetected in other cities. The solar-powered camera at the Delhi Cantonment ran for the better part of a year before discovery. The foreign nationals had been making Myanmar runs since 2024. An ISI honey-trap handler ran a naval source for three years before arrest. In each case, India connected the dots, but the dots existed longer than any proactive timeline would allow.
The adversary is adapting faster than the conventional security playbook allows. Espionage today does not look like a trench coat and a dead drop. It looks like a group of young men taking videos for pocket money, a lawyer with a bank account, a tourist visa stamped at Indira Gandhi International Airport and a social media friend request accepted by a navy sailor far from home. India’s intelligence apparatus has sufficient ability to detect and disrupt all existing threats. The harder question, the one these cases force us to confront, is whether it can do so faster. Because in the new spy war, resources and mediums may change frequently, but time is the only battlefield that matters.


















