Scams, Blocks, and Sabotage? The Link Between NEET 2026, Internet Architecture and Telegram's Alleged BGP Hijack
- Sathish Kumar

In the world of modern communications, digital anonymity is a double-edged sword. On one hand, it stands as a shield for whistleblowers, activists, and privacy advocates worldwide. On the other hand, it can become a sanctuary for illicit networks operating entirely outside the reach of the law.
In mid-2026, this delicate balance shattered. What began as a massive national examination scandal in India quickly cascaded into a bizarre global routing crisis that knocked Telegram offline for millions of users across the Middle East and Europe. This is the inside story of how the 2026 NEET-UG paper leak triggered an aggressive regulatory crackdown, leading to a catastrophic Border Gateway Protocol (BGP) route leak by an Indian telecom giant that accidentally hijacked a chunk of the global internet.
Part 1: Anonymity and the 2026 NEET Leak Scandal
Telegram has long positioned itself as a bastion of absolute privacy. Historically, creating a Telegram account required a traditional SIM card. However, the platform significantly evolved its privacy ecosystem by integrating with Fragment—a decentralized platform built on The Open Network (TON) blockchain.
Through Fragment, anyone can purchase completely anonymous, blockchain-based phone numbers using cryptocurrency. These numbers allow individuals to sign up, verify, and use Telegram without ever revealing their real-world identity, physical SIM data, or location to a telecom provider.
The Dark Side of Untraceable Infrastructure
While celebrated by privacy purists, this untraceable architecture became the primary vehicle for the massive 2026 NEET-UG paper leak scandal in India. Ahead of the highly competitive medical entrance exam, organized cheating syndicates weaponized Telegram's anonymity.
According to investigative reports by India Today and CNN-News18, bad actors established transient Telegram channels (even boldly naming some "NTA Official Channel") to distribute leaked "guess papers" and actual question papers that overlapped heavily with the final test. The syndicates demanded exorbitant sums, ranging from ₹5,000 to ₹10,00,000, for advance access to the exam.
Because the channel administrators were insulated behind anonymous blockchain numbers and utilized Telegram's self-destructing message features, law enforcement faced an uphill battle tracing the digital footprints. The scale of the compromise ultimately forced the National Testing Agency (NTA) to cancel the initial exam on May 12, 2026, ordering a massive re-test for millions of students.
The Government Crackdown
Faced with a systemic threat to national exam security, the Indian government launched an aggressive administrative assault on the platform ahead of the June 21, 2026, re-examination. Citing findings from digital policy think tanks like the Esya Centre, authorities targeted over 50 illicit channels.
Regulators didn't stop there. To prevent bad actors from using Telegram's post-editing feature to retrospectively alter timestamps and forge "evidence" of further leaks, the government mandated strict operational restrictions. Eventually, a temporary block on the app was initiated within India, setting the stage for a massive technical backfire that would soon ripple around the globe.
Part 2: The BGP Hijack—How a Regional Block Broke Global Routing
While Telegram was grappling with the Indian government's domestic restrictions, its global infrastructure suddenly faced an existential technical crisis. Millions of users outside of India—most notably in the UAE—abruptly lost access to the app.
Telegram CEO Pavel Durov publicly accused Indian telecom conglomerate Reliance of using a "rogue method" to intentionally sabotage Telegram’s global accessibility. While Durov framed it as corporate or political warfare, network security experts quickly identified the culprit: a massive BGP route leak originating from Reliance Communications (a distinct entity from the Meta-backed Reliance Jio). It wasn't intentional sabotage; it was an accidental routing nightmare.
To understand how a regional telecom error in India could pull the plug on Telegram users in Dubai, we have to look at the highway system of the internet.
1. How the Internet and Routers Move Data
The internet is not a single, centralized entity. Instead, it is a sprawling, decentralized web of tens of thousands of smaller, independent networks managed by ISPs, cloud providers, and tech enterprises.
When your device (the host) wants to send a message on Telegram, it wraps the data into a packet and sends it to a local device called a router. Routers do not know the entire path to the destination; they simply look at the destination IP address on the packet, consult an internal directory called a routing table, and pass the packet to the next optimal router in the chain.
2. The Golden Rule: Longest Prefix Match
To determine where to send a packet, routers follow a strict mathematical principle called the longest prefix match.
Networks are grouped into IP address blocks called prefixes. A shorter prefix represents a massive, broad network (e.g., 192.168.0.0/16), while a longer prefix represents a highly specific, smaller subnet within that network (e.g., 192.168.1.0/24). If two entries in a router's table both cover the same destination address, the router will always prioritize the longest (most specific) prefix. The architecture assumes that a more specific path is a faster, more accurate shortcut.

3. Hierarchies and Autonomous System Numbers (ASNs)
To keep track of this chaotic web, the internet is organized into a hierarchy of Autonomous Systems (AS). An AS is a collection of IP networks under the control of a single administrative entity.
Every Autonomous System is assigned a unique identifier called an Autonomous System Number (ASN). For instance, Telegram controls its own proprietary ASNs, just as major telecom providers do.

4. How BGP Works and How Routers Peer

Note: Illustrative image based on AS18101 Reliance Communications Ltd.DAKC MUMBAI - bgp.tools
The protocol that allows these independent systems to talk to one another is the Border Gateway Protocol (BGP). BGP is the global postal directory of the internet.
Edge routers from different networks establish a trusted relationship known as peering. Through these peering sessions, external BGP (eBGP) speakers constantly announce to their neighbors: "Hey, I own these IP prefixes, and I can get your traffic to them in the fewest number of hops (AS-Path)."
BGP was designed in the Internet's infancy, and it operates entirely on implicit trust. Routers blindly assume that if a peer network announces a route, it has the legal authority to do so.
The Anatomy of the Telegram Hijack
When engineers at Reliance Communications (RCOM) attempted to enforce the government's mandate to block Telegram within India, a critical misconfiguration occurred on their edge routers.
Instead of silently dropping Telegram traffic within their own borders, RCOM routers mistakenly sent an eBGP announcement to their global upstream providers (such as FLAG Telecom). This rogue announcement claimed that RCOM was the absolute best, most direct destination for Telegram's specific IP addresses.
Crucially, RCOM routers announced these routes using highly specific, longer prefixes than the broad ones Telegram usually advertised globally.

Because of the longest prefix match rule, global routers checked their updated BGP tables, saw RCOM's more specific /23 announcement, and preferred it over Telegram's real /16. Traffic from Telegram users in the UAE and elsewhere outside India was pulled away from Telegram's actual servers (AS62041) and drawn instead toward RCOM's network (AS18101), where it hit the null-route blackhole meant only for domestic traffic.
How It Could Have Been Prevented
This global mishap was entirely avoidable. Network engineers have access to robust protocols that can enforce localized government censorship or handle routing errors without fracturing the global web.
1. What RCOM Could Have Done: Localized Blackholing
If an ISP needs to selectively block access to a platform exclusively within its home country, it should implement Null Routing combined with No-Export BGP communities.
Engineers can route the banned IP prefixes into a null interface (a digital trash can) inside their own network. By tagging that internal route with the well-known BGP community attribute NO_EXPORT, the router is explicitly forbidden from sharing that path with external, international peers. The block remains strictly domestic, and the global internet is left untouched.
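The leak described under "The Anatomy of the Telegram Hijack" and the NO_EXPORT fix above, modelled in Python as an added example (not code from the article or from any router vendor). The 10.20.0.0/16 and 10.20.4.0/23 prefixes are constructed placeholders for Telegram's real ones, and `export_to_ebgp`, `best_route`, `upstream_origin` and `tagged` are hypothetical helper names.

```python
import ipaddress

# Illustrative model only: helper names are hypothetical, prefixes constructed.
NO_EXPORT = "no-export"  # well-known community from RFC 1997 (65535:65281)

# Telegram's covering route (AS62041) and RCOM's internal null route (AS18101).
LEGIT = {"prefix": "10.20.0.0/16", "origin": 62041, "communities": set()}
BLACKHOLE = {"prefix": "10.20.4.0/23", "origin": 18101, "communities": set()}


def export_to_ebgp(routes):
    """Routes an edge router may send to an external peer.

    Anything tagged NO_EXPORT stays inside the local AS.
    """
    return [r for r in routes if NO_EXPORT not in r["communities"]]


def best_route(table, dst):
    """Longest prefix match: the most specific covering prefix wins."""
    addr = ipaddress.ip_address(dst)
    covering = [r for r in table
                if addr in ipaddress.ip_network(r["prefix"])]
    return max(covering,
               key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)


def upstream_origin(blackhole_route, dst):
    """Origin AS a remote router picks for dst after the edge router's export."""
    table = [LEGIT] + export_to_ebgp([blackhole_route])
    route = best_route(table, dst)
    return route["origin"] if route else None


def tagged(route):
    """Copy of a route with NO_EXPORT attached; the original is not modified."""
    return {**route, "communities": route["communities"] | {NO_EXPORT}}


if __name__ == "__main__":
    for dst in ("10.20.5.9", "10.20.200.1"):
        print(dst, "leaked ->", upstream_origin(BLACKHOLE, dst),
              "| tagged ->", upstream_origin(tagged(BLACKHOLE), dst))
```

Only destinations inside the more-specific /23 are diverted when the null route leaks; addresses elsewhere in the /16 keep following the legitimate origin, which is why such incidents often look like a partial outage.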
2. Precautions Peer ISPs Must Take
To prevent rogue announcements from spreading, the global networking community must move away from implicit trust by adopting strict validation models:
Resource Public Key Infrastructure (RPKI): RPKI acts like a cryptographic ID card for IP addresses. It allows networks to digitally sign their route announcements. Peer routers running RPKI verification would have checked Reliance’s rogue announcement against a secure registry, seen that Reliance did not legally own Telegram's IPs, and automatically rejected the route.
Strict Inbound Prefix Filtering: Upstream tier-1 providers must rigorously filter the announcements they accept from downstream clients. If a client ISP suddenly claims to route traffic for an entity they don't own, the provider's filters should instantly drop it.
Maximum Prefix Limits: Routers should be configured to automatically shut down a peering session if a neighbor suddenly bursts out an unusually high volume of new prefix announcements, which is a classic indicator of a catastrophic route leak.
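The RPKI check from the list above, written out as route origin validation in the sense of RFC 6811, where each announcement is compared against signed Route Origin Authorizations (ROAs). This is an added example, not code from the article or from any validator project; the ROA and prefixes are constructed placeholders, and `validate` and `accept` are hypothetical names.

```python
import ipaddress

# Constructed ROA set: (prefix, maxLength, authorised origin ASN).
# The prefix is a placeholder; AS62041 is the Telegram ASN named on this page.
ROAS = [("10.20.0.0/16", 16, 62041)]


def validate(prefix, origin_asn, roas=ROAS):
    """RFC 6811 route origin validation.

    Returns "valid", "invalid" or "not-found" for one announcement.
    """
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one ROA covers this address space
        if route.prefixlen <= max_len and origin_asn == roa_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def accept(announcements, roas=ROAS):
    """Inbound policy: drop RPKI-invalid routes, keep valid and not-found."""
    return [a for a in announcements if validate(*a, roas) != "invalid"]


if __name__ == "__main__":
    feed = [
        ("10.20.0.0/16", 62041),   # the holder's own announcement
        ("10.20.4.0/23", 18101),   # more-specific from the wrong origin
        ("10.20.4.0/23", 62041),   # right origin, but longer than maxLength
        ("172.16.0.0/24", 64500),  # no ROA covers it
    ]
    for prefix, asn in feed:
        print(prefix, f"AS{asn}", validate(prefix, asn))
```

A route with no covering ROA is "not-found" rather than "invalid", so this check only protects address space whose holder has published ROAs.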
History Repeating: The Famous 2008 YouTube Outage
If this saga sounds familiar, it’s because the internet failed to fully learn the lessons of its past. The most infamous example of this exact BGP flaw occurred on February 24, 2008, between Pakistan Telecom and YouTube.
Following a government order to censor a specific video domestically, Pakistan Telecom configured its routers to block YouTube. However, they accidentally advertised a highly specific, longer prefix route for YouTube to their global upstream provider, PCCW Global.
Just like the Telegram incident, global routers prioritized the more specific Pakistani route. Within minutes, nearly all global traffic intended for YouTube was redirected to Pakistan, knocking the video giant completely offline worldwide for two hours.
The Takeaway
The 2026 Telegram crisis serves as a stark reminder of two systemic vulnerabilities: the legal grey area created by absolute digital anonymity during real-world crises like the NEET paper leaks, and the fragile, trust-based architecture that underpins global internet routing. As long as networks rely on unverified BGP announcements, a simple typo or localized censorship mandate in one corner of the world will always have the power to turn out the lights for the rest of the globe.
Tools
Public BGP Looking Glass / Route Server Tools
RIPE RIS (Routing Information Service) - https://www.ris.ripe.net/ - RIPE NCC's global collector network (RRC00–RRC26). You can query historical and live BGP updates from real router feeds.
RIPEstat - https://stat.ripe.net/ - Friendlier front-end on top of RIS data. Search any prefix or ASN (e.g. stat.ripe.net/AS18101) to see routing history, visibility, and origin changes over time; good for readers who want to click around without learning BGP query syntax.
Hurricane Electric BGP Toolkit - https://bgp.he.net/ - Simple ASN/prefix lookup showing current announcements, peers, upstreams, and IRR data. Durov reportedly shared screenshots from this tool as his "evidence."
bgp.tools - https://bgp.tools/ - Modern looking glass with clean ASN pages, prefix history, and a live global BGP visualization. Good for screenshots in an article.
RouteViews Project (University of Oregon) - http://www.routeviews.org/ - Another major public BGP data collector, often cited alongside RIPE RIS for corroborating route-leak timelines from a second, independent source.
Kentik's BGP tools / Doug Madory's analyses - https://www.kentik.com/blog/ - Kentik ran the technical confirmation cited in most coverage of this incident.
IPinfo / bgp.tools / ipip.net WHOIS pages - Useful for pulling clean WHOIS/aut-num records, e.g. bgp.tools/as/62041 for Telegram, bgp.tools/as/18101 for RCOM.
MANRS Observatory - https://observatory.manrs.org/ - Tracks route-leak and RPKI-filtering compliance by network/country; useful if the article wants to discuss why FLAG Telecom/Tata Comm didn't filter this.