After 40 schools in the city received bomb threat emails on Friday morning, July 18, police said the messages were sent using an offshore platform called AtomicMail.io, which deletes all user data, including sender details, after just seven days.

Officials told The New Indian Express that they are also looking into whether the emails were sent directly through such services or if they were triggered by “automated bots”, some of which are reportedly sold freely on Telegram.

Since 2023, the services used in such threats have changed from Beeble to a Tor-based dark web mailer and now to AtomicMail, and they all don’t log IP addresses, keep no user records, and operate under jurisdictions that either reject legal cooperation or require treaties that India doesn’t have.

According to officials, AtomicMail is part of a growing network of offshore platforms designed for “privacy-first” communication but misused for hoaxes, fraud, and cyber threats.

What makes AtomicMail particularly difficult to trace, they say, is that it operates from a country with no direct legal cooperation agreement with India and is engineered to automatically delete any sender information, logs, or device fingerprints within days.

This isn’t the first instance of Bengaluru schools receiving such threats. Between 2022 and 2024, Bengaluru reported 133 such cases. In 2023, most emails were sent through Beeble, a lesser-known encrypted mail provider. Later, threat actors moved to Tor-based dark web services and, more recently, to AtomicMail, which has seen a rise in abuse cases globally due to its short data retention window and lack of oversight.

Telegram-based bots suspected

The department is looking into the possibility that the threats were sent via automation bots, which can be purchased or downloaded from Telegram-based cybercrime channels. These bots allow even low-skilled users to mass-send emails using anonymous relay services, according to the report by The New Indian Express.

Several Telegram groups offer tools that come preloaded with fake bomb threat templates and allow users to pick anonymous email services like AtomicMail or TorMail. These kits, sold under names like “MailStorm” or “AnonMailer Pro”, cost as little as Rs 300–500 and come with video tutorials. Some even allow scheduling or geofencing of threats, an official said.

Previous cases were identified through operational leakages

Between 2022 and 2024, 10 people were identified in such bomb hoax cases. In two cases, they were sent to judicial custody, while one of the cases is currently ongoing.

Explaining how they were traced, an official explained that in several past cases, perpetrators attempted to mask their identity using VPNs or offshore email platforms.

However, police were able to trace them due to operational mistakes, such as using the same device for personal logins, inconsistent VPN usage, or leaving behind browser and device fingerprints. In some cases, they reused email IDs, accessed accounts from traceable networks, or failed to isolate their activities across apps. These overlaps allowed investigators to identify them, even when the mail services themselves offered no cooperation.