Investigations into the car explosion near Delhi’s Red Fort have taken a concerning technological turn, with law-enforcement agencies saying the three primary suspects — all doctors associated with Al Falah University in Faridabad — relied on a Swiss encrypted messaging application to coordinate reconnaissance, share maps and exchange operational instructions. The probe, which has intensified following the deadly blast that killed multiple people and injured several others, paints a picture of a small, determined module that combined radicalisation with careful, clandestine use of secure communications and improvised explosives.
According to police sources, the three accused — identified as Dr. Umar Un Nabi, Dr. Muzammil Ganaie and Dr. Shaheen Shahid — were in near-constant contact through Threema, an end‑to‑end encrypted Swiss messaging platform. The app, which has repeatedly been highlighted for its privacy features, does not require a phone number or an email address to register. Instead, each user is assigned a unique ID that is not directly linked to a SIM card or traditional telecom identifiers, making conventional tracing much harder. Investigators believe the suspects exploited these features to erect a private, insulated channel for their planning.
The probe indicates the group used Threema not merely for casual exchanges but as a core operational tool. Officials allege the module set up a private Threema server — a step that, if confirmed, would have shielded metadata and server logs from easy scrutiny and could have allowed the conspirators to control where and how their communications were stored. Through this alleged private network, the suspects shared detailed documents, site maps, layouts and task allocations. Police contend that these exchanges included location coordinates, diagrams and other material that directly informed the planning of the attack near the Red Fort.
Umar, who is believed to have been behind the wheel of the vehicle that detonated on Monday evening, is described by investigators as the most radicalised member of the module and the central node linking the other doctors. Sources say that after the arrest of some associates in related investigations, Umar attempted to break digital traces — switching off his phones and deleting contacts. Despite those efforts, police have unearthed enough evidence to piece together a pattern of repeated reconnaissance and methodical preparation. The module is thought to have carried out several recce missions across Delhi, identifying targets and assessing security postures around high‑value locations.
Forensic teams are also probing the material means of the plot. Investigators suspect the suspects used a red Ford EcoSport — seized from Faridabad — to store and transport ammonium nitrate over time. Ammonium nitrate, a widely available industrial chemical, can be weaponised when combined with other fuels and has been implicated in multiple large‑scale explosions worldwide. Police say that while one vehicle detonated, at least three other cars have been seized so far, and preliminary inquiries have revealed preparations involving up to 32 vehicles that could have been intended to carry out coordinated blasts near historic and strategic landmarks across the national capital.
Authorities are treating the case as a broader terror conspiracy, with indications that the module was planning multiple serial blasts and was awaiting what they describe as “final orders” from handlers. Whether those handlers were operating domestically or from abroad remains a critical line of inquiry. The use of an app like Threema introduces complex forensic challenges: the platform’s design to delete messages from both sender and receiver, the limited metadata retention and the potential to host private servers all make tracing communication threads difficult for investigators relying on conventional telecom intercepts and metadata trails.
Agencies are now racing to determine the physical location of the alleged private Threema server that the suspects used. Officials are exploring whether the server was hosted within India’s jurisdiction — which would make legal access and seizure simpler — or abroad, which would necessitate international cooperation and could slow down retrieval of potentially crucial logs. At the same time, cyber units are analysing device backups, recovered hardware, and any remnants of cloud activity that might shed light on the timeline of planning, the extent of the module’s network, and whether additional conspirators were involved.
A further complication is Threema’s capacity for secure voice messages and document sharing, functions which the suspects reportedly used in lieu of standard mobile networks. Police say the trio exploited these features for encrypted text chats, voice communication and the exchange of blueprints and reconnaissance imagery. Investigating officers are now working with digital forensics specialists to recover deleted messages and reconstruct the communications where possible, including attempts to access server-side caches or backups, if any exist.
Beyond the technical aspects, the human and security consequences of the attack have been grave. The blast near the iconic Red Fort — an area of immense historic and symbolic significance — has left the capital reeling. The official death toll has risen as hospitals continue to treat the wounded; authorities have confirmed multiple fatalities and numerous injuries, with one more person succumbing to injuries at LNJP Hospital as investigations unfolded. The incident has sparked urgent questions about urban security, the vulnerability of heritage sites, and the efficacy of intelligence and surveillance systems in preempting such threats.
Security agencies have also broadened their net, tracing leads and interrogating associates to determine if the suspects had local logistical support, access to explosive-making materials beyond ammonium nitrate, or contacts within other institutions. The fact that the primary suspects held positions as medical practitioners has prompted public unease and raised alarms about insider radicalisation and the ease with which people in professional roles may blend into civic life while nurturing violent intent.
Official statements have emphasised the multi-agency nature of the probe. Law enforcement bodies are coordinating with cyber units, intelligence services and, where necessary, foreign agencies to map the full contours of the conspiracy. Investigators are also seeking to identify every vehicle and asset connected to the suspects, uncover supply chains for explosive precursors, and piece together the logistical timeline that led to the detonation.
The case has reignited discussions on the balance between privacy-protecting technologies and counterterrorism needs. Encrypted communication platforms offer vital privacy benefits for ordinary users, journalists, and activists. Yet, as this investigation highlights, the same technologies can be exploited by malicious actors to plan and execute attacks while evading interception. Policymakers and security officials now face renewed pressure to refine legal, technical and international mechanisms that can enable lawful access in terrorism investigations without unduly compromising legitimate privacy rights.
As the probe continues, authorities have urged citizens to remain calm but vigilant, report suspicious activity, and cooperate with security advisories. The unfolding inquiry promises to be complex, involving digital forensics, international legal assistance, and traditional investigative labor — all aimed at answering how a group of individuals within ostensibly ordinary professions could converge around a violent plot, and what measures can be taken to prevent similar conspiracies in future.

