Authorities Arrested Hackers Behind 90 Data Leaks Worldwide


Feb 27, 2025 - 15:29

Authorities arrested a prolific hacker responsible for over 90 data breaches across 65 organizations in the Asia-Pacific region and 25 additional global targets. 

The cybercriminal, operating under aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B, exfiltrated 13 terabytes of sensitive data between 2020 and February 2025, targeting industries ranging from healthcare to finance. 

The operation marks a critical victory in combating digital extortion tactics that blend technical sophistication with psychological coercion.

The cybersecurity firm Group-IB supported the joint operation by the Royal Thai Police and the Singapore Police Force. The cybercriminal first emerged in 2020 under the alias ALTDOS, primarily targeting Thai organizations.

His initial campaigns relied on SQL injection, using tools such as sqlmap against vulnerable web applications to dump backend databases containing personally identifiable information (PII).
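To make the entry technique concrete, here is an added example (not code from the article or from Group-IB) of the class of flaw sqlmap exploits and of why the hardening advice at the end of the article needs a caveat. It runs against a constructed in-memory SQLite database with invented rows; the table names, the `naive_waf_blocks` signature and the payloads are assumptions for illustration, not anything recovered from the actual breaches.

```python
import re
import sqlite3

# Constructed stand-in for a victim web application's database (sample data, not from any breach).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE staff (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO customers VALUES (1, 'Alice', 'alice@example.com');
        INSERT INTO customers VALUES (2, 'Bob', 'bob@example.com');
        INSERT INTO staff VALUES (1, 'admin', 'deadbeefdeadbeefdeadbeefdeadbeef');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, customer_id: str) -> list:
    """Builds the query by string concatenation, so attacker input becomes SQL text."""
    sql = "SELECT name, email FROM customers WHERE id = " + customer_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, customer_id: str) -> list:
    """Binds the value as a parameter; the driver never parses it as SQL."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE id = ?", (customer_id,)
    ).fetchall()


# Hypothetical signature in the style of a simple WAF rule (an assumption for the demo,
# not any real product's rule set).
WAF_UNION_RULE = re.compile(r"\bUNION\s+SELECT\b", re.IGNORECASE)


def naive_waf_blocks(value: str) -> bool:
    return WAF_UNION_RULE.search(value) is not None


# Payloads of the kind sqlmap generates: a UNION that pulls rows from another table, and
# the same UNION with inline comments in place of whitespace, which SQLite parses as
# whitespace but the signature above does not match.
UNION_PAYLOAD = "1 UNION SELECT username, password_hash FROM staff"
COMMENT_PAYLOAD = "1/**/UNION/**/SELECT username, password_hash FROM staff"


def demo() -> dict:
    conn = build_demo_db()
    return {
        "vulnerable_union": vulnerable_lookup(conn, UNION_PAYLOAD),
        "waf_blocks_plain": naive_waf_blocks(UNION_PAYLOAD),
        "waf_blocks_comment": naive_waf_blocks(COMMENT_PAYLOAD),
        "vulnerable_comment": vulnerable_lookup(conn, COMMENT_PAYLOAD),
        "safe_union": safe_lookup(conn, UNION_PAYLOAD),
        "safe_normal": safe_lookup(conn, "1"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The concatenated query returns the staff credentials alongside the customer rows for both payloads, while the signature only catches the first; the parameterized query treats the whole payload as a literal, matches nothing, and still works for a normal id. That is the practical reason a WAF is a stopgap and parameterized queries are the fix.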

Victims were extorted through a two-pronged approach: demands for payment to suppress the leak, coupled with threats to notify media outlets or data protection authorities, a tactic designed to maximize reputational damage.

By 2022, his methods escalated to breaching exposed Remote Desktop Protocol (RDP) servers, leveraging weak credentials or unpatched vulnerabilities to gain a foothold in victim networks.

Once inside, he deployed a cracked copy of the Cobalt Strike post-exploitation framework, specifically a modified Beacon payload, to establish command-and-control (C2) channels.

Unlike advanced persistent threats (APTs), however, the attacker prioritized rapid data exfiltration over lateral movement, transferring stolen datasets to rented cloud storage (e.g., AWS S3 buckets) for later monetization.
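The RDP entry described above leaves a recognizable trace on the victim side: a burst of failed logons (Windows event 4625, logon type 10) from one address followed by a success (4624). The following is an added detection example, not code from the article or from Group-IB; the log lines are constructed to mirror the real event fields, the addresses and usernames are invented, and the threshold and window are assumptions a SOC would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log events flattened to one line each
# (field names follow the 4624/4625 schema; timestamps, IPs and users are invented).
SAMPLE_LOG = """\
2025-01-14T02:10:01Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator
2025-01-14T02:10:04Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator
2025-01-14T02:10:07Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=admin
2025-01-14T02:10:11Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator
2025-01-14T02:10:15Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=backup
2025-01-14T02:10:19Z EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator
2025-01-14T02:10:23Z EventID=4624 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator
2025-01-14T08:30:00Z EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2025-01-14T08:30:20Z EventID=4624 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jsmith
2025-01-14T23:00:00Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=administrator
2025-01-14T23:00:03Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=sqladmin
2025-01-14T23:00:06Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=administrator
2025-01-14T23:00:09Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=guest
2025-01-14T23:00:12Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=administrator
2025-01-14T23:00:15Z EventID=4625 LogonType=10 IpAddress=192.0.2.5 TargetUserName=administrator
2025-01-14T23:05:00Z EventID=4624 LogonType=3 IpAddress=10.0.0.4 TargetUserName=svc_backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"IpAddress=(?P<ip>\S+) TargetUserName=(?P<user>\S+)$"
)


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a logon event in this format
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "eid": int(m["eid"]),
            "logon_type": int(m["lt"]),
            "ip": m["ip"],
            "user": m["user"],
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """Sliding window of RDP (logon type 10) failures per source IP.

    Emits 'bruteforce_in_progress' once an IP reaches `threshold` failures inside
    `window`, and 'success_after_bruteforce' when a 4624 from that IP follows
    at least `threshold` recent failures. Threshold and window are assumed values.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625 events
    reported = set()                # ips already flagged as in progress
    alerts = []
    for e in events:
        if e["logon_type"] != 10:
            continue                # only remote interactive (RDP) logons
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:
            q.popleft()             # expire failures outside the window
        if e["eid"] == 4625:
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in reported:
                reported.add(e["ip"])
                alerts.append({"kind": "bruteforce_in_progress", "ip": e["ip"],
                               "failures": len(q), "at": e["ts"]})
        elif e["eid"] == 4624:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_bruteforce", "ip": e["ip"],
                               "user": e["user"], "failures": len(q), "at": e["ts"]})
            q.clear()
            reported.discard(e["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises an in-progress alert for both scanning addresses and escalates the first to a success alert when `administrator` logs in after six failures, while the single mistyped password from 198.51.100.7 and the network logon from the internal service account stay quiet. The success alert is the one that should page someone: it is the moment the intrusion described above begins.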

Monetization on the Dark Web and Technical Evasion

Group-IB’s Threat Intelligence team noted the attacker’s operational shifts across aliases.

After being banned from dark web forums in 2023 for multi-accounting and fraudulent transactions, he adopted the DESORDEN persona, expanding his targets to Singaporean, Malaysian, and Indian enterprises. 

(Figure: Number of instances of data leaks)

Under this alias, he introduced direct customer notifications, sending personalized emails and Telegram messages to individuals whose data was compromised, a psychological tactic to pressure organizations into paying ransoms.

By 2024, operating as GHOSTR and 0mid16B, the hacker diversified his monetization strategy. Instead of relying solely on private extortion, he auctioned datasets on forums like RaidForums and BreachForums, pricing leaks based on uniqueness and regional impact.

For example, a Thai healthcare database containing 2.3 million patient records sold for 12 Bitcoin (~$480,000 at the time), while a Singaporean e-commerce breach fetched 8 Bitcoin. 

Analysts correlated these sales through stylistic hallmarks, including consistent Base64-encoded filenames and forum post templates.

Attributing the attacks proved challenging because of the cybercriminal's operational security (OpSec) measures. He frequently rotated VPN providers (e.g., Mullvad, NordVPN), routed payments through cryptocurrency mixers (tumblers), and compartmentalized activities across aliases.

However, Group-IB's Digital Crime Resistance Centers (DCRCs) in Thailand and Singapore identified behavioral patterns that persisted across aliases, such as repeated typos in leaked data headers (e.g., "custmerID" instead of "customerID") and a preference for Telegram over end-to-end encrypted alternatives like Signal.

Cross-referencing forum timestamps with victim breach notifications further solidified the connection. The hacker’s later campaigns under 0mid16B targeted entities in the UK, UAE, and the US, including a New York-based insurance firm and a London property investment platform. 
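The attribution described in the last three paragraphs rests on linking aliases through shared habits rather than through infrastructure. The following is an added illustration of that idea, not Group-IB's method or code: it turns three of the hallmarks the article names (Base64-encoded filenames, recurring header typos, posts timed shortly after victim notifications) into per-alias feature sets and clusters aliases whose sets overlap. All posts, notifications, the typo list, the 72-hour lag and the 0.5 similarity threshold are constructed assumptions for the demo.

```python
import base64
import binascii
from collections import defaultdict
from datetime import datetime, timedelta
from itertools import combinations


def b64name(stem: str) -> str:
    return base64.b64encode(stem.encode()).decode()


# Constructed forum posts and breach notifications; values are invented but shaped like
# the hallmarks the article describes. None correspond to real leaks.
POSTS = [
    {"alias": "ALTDOS", "posted": "2021-03-02T10:00:00",
     "filename": b64name("th_hospital") + ".csv", "headers": "custmerID,fullname,phone"},
    {"alias": "DESORDEN", "posted": "2023-06-15T21:30:00",
     "filename": b64name("sg_retail") + ".csv", "headers": "custmerID,email,address"},
    {"alias": "GHOSTR", "posted": "2024-04-09T03:45:00",
     "filename": b64name("my_insurer") + ".csv", "headers": "customer_id,dob,policy"},
    {"alias": "seller77", "posted": "2024-05-01T12:00:00",
     "filename": "dump_may.csv", "headers": "customer_id,adress"},
]
NOTIFICATIONS = [
    {"victim": "TH hospital", "notified": "2021-03-01T09:00:00"},
    {"victim": "SG retailer", "notified": "2023-06-14T18:00:00"},
    {"victim": "MY insurer", "notified": "2024-04-08T16:00:00"},
]
TYPO_HALLMARKS = {"custmerID", "adress", "emial"}   # assumed recurring misspellings
FMT = "%Y-%m-%dT%H:%M:%S"


def is_base64_stem(filename: str) -> bool:
    """True if the name before the extension is valid Base64 decoding to printable ASCII."""
    stem = filename.rsplit(".", 1)[0]
    try:
        decoded = base64.b64decode(stem, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(decoded) > 0 and all(32 <= b < 127 for b in decoded)


def post_features(post: dict, notifications: list, max_lag=timedelta(hours=72)) -> set:
    feats = set()
    if is_base64_stem(post["filename"]):
        feats.add("b64name")
    for col in post["headers"].split(","):
        if col.strip() in TYPO_HALLMARKS:
            feats.add("typo:" + col.strip())
    posted = datetime.strptime(post["posted"], FMT)
    for n in notifications:
        lag = posted - datetime.strptime(n["notified"], FMT)
        if timedelta(0) <= lag <= max_lag:
            feats.add("timed")      # listed within max_lag after a victim notification
            break
    return feats


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def cluster_aliases(posts: list, notifications: list, min_similarity=0.5) -> list:
    """Union-find over aliases whose hallmark profiles overlap at least min_similarity."""
    profiles = defaultdict(set)
    for p in posts:
        profiles[p["alias"]] |= post_features(p, notifications)
    parent = {alias: alias for alias in profiles}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(sorted(profiles), 2):
        if jaccard(profiles[a], profiles[b]) >= min_similarity:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for alias in profiles:
        groups[find(alias)].add(alias)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    print(cluster_aliases(POSTS, NOTIFICATIONS))
```

ALTDOS, DESORDEN and GHOSTR end up in one cluster (GHOSTR drops the header typo but keeps the filename encoding and the timing), while seller77, who shares only one weak signal, stays separate. The point a practitioner should take from this is the same one the article makes: each habit alone is weak evidence, and it is the combination that survives alias changes and VPN rotation.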

This geographical shift prompted Group-IB to share intelligence with INTERPOL and the FBI, culminating in a coordinated raid on February 25, 2025. 

Thai authorities seized 12 encrypted laptops, 27 external hard drives, and luxury assets worth $2.1 million, including a Rolex Daytona and a Lamborghini Huracán purchased with illicit proceeds.

(Figure: Electronic devices and luxury goods seized during the operation)

Moving forward, organizations are urged to keep RDP servers patched and off the public internet (behind a VPN or gateway, with multi-factor authentication and account lockout, since weak credentials were one of this attacker's entry routes), to deploy web application firewalls (WAFs) as a stopgap against SQLi attempts while fixing the root cause with parameterized queries, and to audit cloud storage permissions regularly.

As Dmitry Volkov, CEO of Group-IB, noted, "Cybercriminals innovate relentlessly; our defenses must evolve faster."

The hacker now faces charges under Thailand’s Computer Crimes Act and Singapore’s Cybersecurity Act 2018. The case sets a precedent for holding digital extortionists accountable—a crucial step in safeguarding the Asia-Pacific’s $1.2 trillion digital economy.


The post Authorities Arrested Hackers Behind 90 Data Leaks Worldwide appeared first on Cyber Security News.