Suspected Chinese and Indian Spies Both Targeted Pakistani Police, Researchers Say
A two-year campaign hit Balochistan Police and other law enforcement bodies, with servers holding criminal records among the compromised assets.

Key points
- Researchers say Pakistani law enforcement bodies were targeted in a sustained spying campaign that ran from February 2024 to April 2026.
- Balochistan Police servers holding criminal and citizen data were among the systems broken into.
- Two separate clusters of hackers, one linked to China and one linked to India, appear to have hit the same victims.
- Attribution remains at medium confidence, with overlapping targeting rather than shared tooling.
Security researchers have pieced together a long-running spying operation aimed at police forces in Pakistan, and the picture is unusual. Two different sets of hackers, one lining up with Chinese interests and one lining up with Indian interests, appear to have gone after the same targets over roughly two years.
The activity ran from February 2024 into April 2026, according to the report first surfaced by The Hacker News.
One of the clearest hits was on Balochistan Police. The hackers reached servers that run the force's web applications, the online tools officers use to look up criminal records and manage information on citizens. That is the kind of data a foreign intelligence service would very much like to read.
Who was behind the attacks?
Researchers are pointing at two separate groups, and they are careful about it. One cluster is described as China-aligned, meaning its targeting and tools fit patterns previously seen from Chinese state-linked crews such as Mustang Panda (the naming convention used by CrowdStrike). The other is described as India-aligned, with behaviour that overlaps with groups often tracked under names like SideWinder or Patchwork.
Neither government has claimed the work. Neither has been formally accused by Pakistan. The assessment sits at medium confidence, which in threat intelligence language means the evidence is consistent but not conclusive. Overlapping victim lists are not the same as shared infrastructure or shared malware.
What makes this case interesting is the overlap itself. Two rival services, on opposite sides of a long-standing regional dispute, appear to have quietly agreed that Pakistani police networks were worth the effort.
What did the hackers actually take?
The report describes access to servers that host police web applications. In plain terms, those are the internal websites and databases officers use day to day. Criminal case files, citizen records, and internal police communications all tend to live on systems like these.
The researchers have not published a full list of what was copied out. That is common in cases where the victim is a government body and the investigation is still live.
The techniques described match what both Chinese and Indian state-linked groups have used elsewhere in South Asia. Spear-phishing, where an attacker sends a carefully written email to a specific person to trick them into opening a booby-trapped file, is a staple for both. So is exploiting internet-facing web applications that have not been patched.
Should ordinary people be worried?
If you are a Pakistani citizen whose details sit in a police database, the honest answer is: your information may have been read by a foreign intelligence service, and there is nothing you can personally do about that. This is a government-to-government problem, not a consumer one.
For everyone else, the story is a useful reminder of something CTI analysts repeat often. Capability is not the same as intent. Both of these groups have long had the capability to break into police networks. What this campaign shows is the intent, sustained over two years, from two directions at once.
Expect more detail as researchers publish indicators of compromise and Pakistani authorities respond. Attribution may firm up or shift. In this corner of the threat landscape, the first report is rarely the last word.



