
Authorities arrest hacker behind 90 data leaks worldwide

Authorities have arrested a prolific hacker responsible for more than 90 data breaches at 65 organizations in the Asia-Pacific region and 25 additional targets worldwide.

The cybercriminal, who operated under the aliases Altdos, Desorden, Ghostr and 0mid16b, exfiltrated 13 terabytes of sensitive data between 2020 and February 2025, targeting industries ranging from healthcare.

The operation marks a significant victory against digital extortion tactics that combine technical sophistication with psychological coercion.

The cybersecurity firm Group-IB supported the joint operation by the Royal Thai Police and the Singapore Police Force. The cybercriminal first appeared under the alias Altdos in 2020, primarily targeting Thai organizations.

His early campaigns focused on SQL injection attacks, using tools such as sqlmap to exploit vulnerable web applications and extract databases containing personally identifiable information (PII).

Victims were extorted through a two-pronged approach: demands for payment to suppress the leak, combined with threats to notify media outlets or data protection authorities, a tactic intended to maximize reputational damage.

By 2022, his methods had escalated to breaching Remote Desktop Protocol (RDP) servers, using weak credentials or unpatched vulnerabilities to infiltrate networks.

Once inside, he deployed a cracked version of the Cobalt Strike penetration-testing toolkit, in particular a modified Beacon payload, to establish command-and-control (C2) channels.

Unlike advanced persistent threats (APTs), however, the attacker prioritized rapid data exfiltration over lateral movement, transferring stolen datasets to rented cloud storage (e.g. AWS S3 buckets) for later monetization.

Dark web monetization and technical evasion

Group-IB's Threat Intelligence team tracked the attacker's operational changes across aliases.

After being banned from dark web forums in 2023 for multi-accounting and fraudulent transactions, he adopted the Desorden persona and expanded his targeting to Singaporean, Malaysian and Indian companies.

Number of data leak cases

Under this alias, he introduced direct victim notifications, sending personalized emails and Telegram messages to individuals whose data had been compromised, a psychological tactic to pressure organizations into paying ransoms.

By 2024, operating as Ghostr and 0mid16b, the hacker diversified his monetization strategy. Instead of private extortion, he auctioned datasets on forums such as RaidForums and BreachForums, pricing leaks according to their uniqueness and regional impact.

For example, a Thai healthcare database of 2.3 million patient records was listed for 12 Bitcoin (about $480,000 at the time), while a Singaporean e-commerce breach fetched 8 Bitcoin.

Analysts correlated these sales through stylistic fingerprints, including consistently base64-encoded file names and reused forum post templates.

Attributing the attacks was challenging because of the cybercriminal's operational security (OPSEC) measures. He frequently rotated VPNs (e.g. Mullvad, NordVPN), used cryptocurrency mixers for transactions and compartmentalized his activity across aliases.

However, Group-IB's Digital Crime Resistance Centers (DCRCs) in Thailand and Singapore identified behavioral patterns such as repeated typos in leaked data headers (e.g. "Custmerid" instead of "Customerid") and a preference for Telegram over the encrypted alternative Signal.

Cross-referencing forum timestamps with victims' breach disclosures further solidified the link. The hacker's later campaigns under 0mid16b targeted the United Kingdom, the United Arab Emirates and the United States, including a New York-based insurance company and a London real estate investment platform.
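As an added illustration (not part of the original article, and not Group-IB's tooling), the following Python sketch shows how the two stylistic fingerprints described above, a recurring header typo and base64-encoded archive names, can be combined to cluster leak postings made under different aliases. Every sample record is constructed; only the "Custmerid" misspelling comes from the article.

```python
# Cluster leak postings across aliases by shared stylistic fingerprints.
# All sample records are constructed; the only page-derived detail is the
# recurring "custmerid" header typo.
import base64
import binascii
from collections import defaultdict

# Constructed samples: (alias, archive file name as posted, CSV header row)
SAMPLES = [
    ("altdos", "Y3VzdG9tZXJz.zip", "Custmerid,Name,Email,Phone"),
    ("desorden", "cGF0aWVudHM=.7z", "custmerid,name,dob,diagnosis"),
    ("ghostr", "b3JkZXJz.rar", "CUSTMERID,order_id,amount"),
    ("unrelated", "dump_final.csv", "customer_id,name,email"),
]

# Header misspellings treated as a fingerprint (the article cites "Custmerid").
KNOWN_TYPOS = {"custmerid"}

def is_base64_name(filename: str) -> bool:
    """True if the file stem is strict base64 decoding to printable ASCII.

    The printable check avoids flagging short ordinary names such as "data",
    which is valid base64 but decodes to binary junk.
    """
    stem = filename.rsplit(".", 1)[0]
    if not stem or len(stem) % 4:
        return False
    try:
        decoded = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError):
        return False
    return decoded.isascii() and decoded.decode("ascii").isprintable()

def header_typos(header: str) -> frozenset:
    """Known misspellings present in a CSV header row, case-insensitive."""
    return frozenset(c for c in header.lower().split(",") if c in KNOWN_TYPOS)

def fingerprint(filename: str, header: str) -> tuple:
    """Combine both stylistic markers into one hashable key."""
    return (is_base64_name(filename), header_typos(header))

def cluster_aliases(samples=SAMPLES) -> dict:
    """Map each fingerprint shared by two or more aliases to the alias list."""
    groups = defaultdict(set)
    for alias, filename, header in samples:
        groups[fingerprint(filename, header)].add(alias)
    return {fp: sorted(a) for fp, a in groups.items() if len(a) > 1}
```

On the constructed samples, the three personas that reuse the typo and base64 naming fall into one cluster while the unrelated posting is left out; in practice such weak markers only support attribution when corroborated by timestamps and other evidence, as the article describes.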

This geographic shift prompted Group-IB to share intelligence with Interpol and the FBI, culminating in a coordinated raid on February 25, 2025.

Thai authorities seized 12 encrypted laptops, 27 external hard drives and luxury goods worth $2.1 million, including a Rolex Daytona and a Lamborghini Huracán bought with illicit proceeds.

Electronic devices and luxury goods confiscated during operation

Going forward, organizations are urged to prioritize patch management for RDP servers, deploy web application firewalls (WAFs) to block SQLi attempts, and regularly audit cloud storage permissions.

As Dmitry Volkov, CEO of Group-IB, noted: "Cybercriminals innovate relentlessly; our defenses must evolve faster."

The hacker now faces charges under Thailand's Computer Crimes Act and Singapore's Cybersecurity Act 2018. The case sets a precedent for holding digital extortion accountable, a step toward securing the Asia-Pacific region's $1.2 trillion digital economy.
