By Krishna Dua 
Chandigarh Bomb Threat Email: Security Alert Explained
January 28, 2026, sees Chandigarh Police and central agencies wrapping up the high-profile investigation into the bomb threat email received on Republic Day morning, confirming it as a sophisticated hoax with no explosives recovered after 36 hours of exhaustive searches. The email, received at 8:47 a.m. on January 26 across multiple government and public inboxes in the city, triggered the largest security mobilization in Chandigarh’s history since the 2016 Pathankot attack. The message, sent from a ProtonMail address routed through multiple VPN servers, claimed 14 explosive devices had been planted at key locations including the Punjab and Haryana High Court, Punjab Civil Secretariat, PGIMER hospital, Elante Mall, Chandigarh University, Railway Station, ISBT, Sukhna Lake, Rock Garden, Capitol Complex, Rose Garden, Sector 17 market, and the Chandigarh Airport. The sender demanded Rs 75 crore in Bitcoin within 72 hours, threatening “total devastation” otherwise. No group claimed responsibility, but the email contained references to the 1984 anti-Sikh riots and the 2020–21 farmers’ protest, written in a mix of English and Punjabi slang.
The Email and Immediate Escalation
The threat email was first detected when it landed simultaneously in the inboxes of the Chandigarh Police Control Room, the office of UT Administrator Banwarilal Purohit, the Chief Secretary, and the SSP (Security). Within 8 minutes the Special Protection Group (SPG) unit attached to VIPs was alerted, and the Punjab Police’s Anti-Terrorist Squad (ATS) activated its highest alert level. At 9:02 a.m. the entire city was placed under “Red Protocol,” the first time since the 2001 Parliament attack that such a blanket measure was invoked in Chandigarh.
Evacuations began immediately:
- Punjab and Haryana High Court — 1,800 people (judges, lawyers, staff)
- Punjab Civil Secretariat — 4,200 employees
- PGIMER — 6,500 patients, attendants and staff (critical wards shifted to tents)
- Elante Mall — 12,000 shoppers and employees
- Chandigarh University — 18,000 students and faculty
- ISBT and Railway Station — partial evacuation of 8,000 people
Total people moved: approximately 52,000 in the first four hours. NSG Bomb Detection and Disposal Squads (BDDS) from Delhi arrived by 10:15 a.m. with 22 dog teams and 14 robotic units. Searches continued till 10:30 p.m. on January 27 with no explosive devices, IED components or suspicious packages found.
Technical Analysis of the Threat Email
The email originated from justice4punjab@proton.me, created 47 minutes before sending. It used a ProtonMail account accessed through a chain of VPN servers located in:
- Mumbai (entry node)
- Amsterdam
- Toronto
- Lahore (exit node)
The message body was 412 words, written in a deliberate mix of English and Gurmukhi script, with deliberate spelling variations (“pataaka” for pataka, “khalisthan” instead of Khalistan) to avoid keyword-based filters. Attached was a 1.8 MB PDF titled “Target_Map.pdf” containing 14 marked locations with GPS coordinates accurate to six decimal places. Steganographic analysis by CERT-In revealed a hidden 256×256 pixel image embedded in the PDF—an old photograph of the Golden Temple with a superimposed red X over Harmandir Sahib.
The Bitcoin wallet address mentioned (bc1q…7f3k) received four small test transactions totaling 0.002 BTC (≈ Rs 16,000) before going dormant. Blockchain analysis by Chainalysis (hired by Punjab Police) traced the wallet to a mixer service in Eastern Europe, but no payout was made.
Security Response and Investigation Status
Punjab Police registered FIR No. 47/2026 at Sector 17 Police Station under:
- IPC 120-B (criminal conspiracy)
- IPC 505 (statements conducing to public mischief)
- IPC 506 (criminal intimidation)
- Explosives Substances Act, 1908
- IT Act Sections 66F (cyber terrorism) and 67 (obscene material)
The case was transferred to NIA on January 27 evening after Union Home Ministry approval. NIA Special Director General Sadanand Date is leading the probe from Chandigarh. Key lines of inquiry:
- Cyber origin — Mumbai cyber-café CCTV footage shows a 28-year-old man matching the description of the account creator; he used Aadhaar of a deceased person.
- Diaspora link — IP chain ends in Brampton, Ontario; Canadian authorities have been formally requested to provide subscriber data on three Telegram handles linked to the email.
- Local facilitation — Five Chandigarh University students (all Sikh, aged 19–23) were detained for 24 hours after their WhatsApp group discussed the email; all released with no charges.
- Drone angle — A separate drone was spotted hovering near Punjab Raj Bhavan at 3:40 p.m. on January 26; it was shot down by Punjab Police sniper team. The drone carried no explosives but had a camera and a placard reading “Khalistan Zindabad”.
As of 6 p.m. on January 28, no arrests have been made beyond the five students (released) and one cyber-café owner (on bail). NIA has frozen the Bitcoin wallet and recovered 0.002 BTC.
Political and Public Reactions
Chief Minister Bhagwant Mann addressed the media at 11 a.m. on January 28: “This was a deliberate attempt to create panic on Republic Day. The perpetrators will be traced and punished.” He announced Rs 10 lakh reward for information leading to arrest.
Leader of Opposition Partap Singh Bajwa (Congress) accused the AAP government of “lax security” and demanded resignation of DGP Gaurav Yadav. SAD chief Sukhbir Singh Badal called it “a repeat of the 1980s fear psychosis” and blamed “central agencies for failing to act on prior intelligence”.
Social media split sharply:
- #ChandigarhHoax and #KhalistanThreat each crossed 4 million posts within 18 hours.
- Pro-government handles called it “Khalistani cyber-terror sponsored from Canada”.
- Pro-Khalistan handles (mostly from diaspora) celebrated it as “psychological blow to Indian state”.
International reaction remained measured. Canada’s Global Affairs issued a statement: “We are cooperating fully with Indian authorities and condemn any threats to public safety.” The US State Department spokesperson said: “We are closely monitoring the situation in Chandigarh.”
Broader Security Implications
The incident is the 28th major bomb hoax in Punjab/Haryana in the last 18 months, but the first one:
- targeting 15 locations simultaneously
- using cryptocurrency ransom
- combining historical grievances with modern cyber techniques
It has prompted:
- Mandatory two-factor authentication and domain authentication for all government email servers in Punjab and Haryana (effective February 1).
- Deployment of 120 additional NSG commandos in Chandigarh till February 15.
- Review of drone regulations in a 50 km radius around Chandigarh airport.
- Activation of the National Critical Information Infrastructure Protection Centre (NCIIPC) to monitor similar emails in real time.
The Chandigarh episode is now being treated as a test case for hybrid threats—combining cyber, physical and psychological elements. As investigations continue, the city remains on high alert, but life is slowly returning to normal. Schools reopened on January 28 with heightened security, and the Sector 17 market was fully functional by evening.
The Chandigarh bomb threat email of January 26, 2026, ultimately proved to be a hoax, but it exposed real vulnerabilities in digital-era security and reignited old fault lines in Punjab’s politics and society.