According to information obtained by TechCrunch, two senior officers working in Bangladesh's counter-terrorism police are accused of collecting sensitive and personal information of citizens on Telegram and selling it to criminals.
According to the letter, signed by a senior Bangladeshi intelligence official and seen by TechCrunch, the data allegedly sold included identities of citizens, mobile phone call records and other “sensitive information.”
The letter, dated April 28, was written by Brigadier General Mohammed Baker, director of Bangladesh's electronic eavesdropping agency, the National Telecommunications Monitoring Centre (NTMC), who confirmed the legitimacy of the letter and its contents in an interview with TechCrunch.
“Authority investigations into both incidents are ongoing,” Baker said in an online chat, adding that Bangladesh's Home Ministry had ordered the affected police forces to take “necessary action against these officers.”
The letter, originally written in Bengali and addressed to a senior secretary in the Ministry of Home Affairs' Public Security Division, alleges that the two officers had accessed and passed on “highly sensitive information” of civilians over Telegram in exchange for money.
The police investigators made the arrests after investigators analyzed logs from NTMC's system and how frequently the two accessed it, according to the letter.
The letter reveals the identities of the officials. One of the defendants is a police chief attached to the Anti-Terrorist Unit (ATU). The other is an assistant police chief for the Rapid Action Battalion, also known as RAB6, a controversial paramilitary group sanctioned by the US government in 2021 for its alleged involvement in hundreds of disappearances and extrajudicial killings. TechCrunch is not publishing the names of the defendants as it is unclear whether they have been charged under the country's legal system.
The NTMC is a government intelligence agency under the Bangladesh Ministry of Home Affairs whose primary mission is to monitor all telecommunications traffic and intercept telephone and web communications to detect and prevent threats to national security.
Groups such as Human Rights Watch and Freedom House have criticized the NTMC for lacking safeguards against infringements on both freedom of speech and privacy. Over the years, the NTMC has sourced sophisticated technology from companies in Israel (which Bangladesh has not officially recognized) and other Western countries to carry out mass surveillance, primarily against opposition politicians, journalists, members of civil society and activists.
As part of its mission, the NTMC operates the National Information Platform (NIP), an internal government web portal that stores sensitive national information such as national identity details, mobile phone registrations and mobile phone data records, criminal profiles and other information.
Various law enforcement and intelligence agencies have user accounts on the NIP portal provided by NTMC.
NTMC's own investigation concluded that its agents used the NIP platform more frequently than others to access and gather information that did not pertain to them.
“Considering the circumstances, such extraneous access and unlawful handover of highly sensitive and classified data should be investigated to identify all those involved in the same and we demand that appropriate action be taken against all those identified/involved,” the letter said.
“There are a bunch of Telegram channels,” Baker told TechCrunch, adding that one of them was called “BD CYBER GANG.”
TechCrunch was unable to identify the specific channel on Telegram.
Contact Us Do you have more information about this or similar incidents? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device on Signal (+1 917 257 1382), Telegram, Keybase, Wire @lorenzofb, or email. You can also contact Zulkarnain Saer Khan on Signal (+36707723819), X @ZulkarnainSaer. You can also contact TechCrunch via SecureDrop.
Baker told TechCrunch that the two agents apparently sent the information to the administrator of at least one Telegram group, who then tried to sell it.
Baker said he has notified both investigators about the investigation.
The letter said that pending an investigation, access for all ATU and RAB6 NIP users has been suspended “until the personnel involved have been identified and appropriate action taken.”
Baker confirmed that access had been suspended, saying: “If investigators require information for investigative purposes they can collect it through police or RAB headquarters.”
Spokespeople for Bangladesh's Ministry of Home Affairs and the ATU did not respond to multiple requests for comment. A person who identified himself only as an “operations officer” for RAB6 told TechCrunch that the ministry was not able to comment.
Last year, security researchers discovered that NTMC was leaking people's personal information on insecure servers. According to Wired, the leaked data included real names, phone numbers, email addresses, locations, and exam results. Another Bangladeshi government agency, the Registrar General of Births and Deaths, also leaked sensitive citizen data last year, as TechCrunch reported at the time.
In both cases, the leaks were discovered by Viktor Markopoulos, a researcher working for Bitcrack Cyber Security.
While these were significant cases of data breaches, this case, which allegedly involved agents from the ATU and RAB 6, could be even more damaging given that the agents allegedly used their privileged access to sensitive personal information to sell the information online for profit.
The case remains under investigation, but a senior government source told TechCrunch that there are still officials offering to sell citizens' data.