Cybercriminal Identified Behind Series of Global Data Breaches
A recent investigation conducted by Group-IB has unveiled the identity of a prolific cybercriminal known by various aliases, including ALTDOS, DESORDEN, GHOSTR, and 0mid16B. This individual has been linked to over 90 data breaches worldwide, with a significant focus on companies in Asia and other regions.
The threat actor primarily targeted internet-facing Windows servers. Using techniques catalogued in the MITRE ATT&CK framework, such as initial access through the exploitation of vulnerabilities followed by data exfiltration, he extracted sensitive information and extorted his victims with ransom demands. When companies refused to comply, he carried out his threats by selling the stolen data on dark web marketplaces or publishing it, causing severe financial and reputational damage to the compromised organizations.
ALTDOS, the cybercriminal’s original alias, surfaced in December 2020 with a high-profile attack against a financial institution in Thailand. He demanded a ransom of 170 BTC, worth over $3 million at the time, and publicly released the stolen data when the demand went unanswered. In the following months, ALTDOS transitioned into selling breached data via platforms like RaidForums, operating under the same moniker.
Operations under that name stopped in September 2021, when the criminal rebranded as DESORDEN. This change appeared to be a strategic move aimed at establishing a more formidable presence within the cybercrime landscape. As DESORDEN, he refined his tactics to focus on Asian enterprises and briefly collaborated with other criminals on BreachForums, although he ultimately preferred to work independently. A ban from the forum, following reports of fraudulent activity, curtailed his operations there and led him to adopt yet another alias.
Following his re-emergence as GHOSTR, the hacker successfully targeted nearly 30 victims across Asia and Canada. The operational similarities between GHOSTR and his previous identity indicated a continuation of his criminal methods, with consistent usage of communication tools such as Tox and Matrix, suggesting that he remained the same individual under different guises.
The cybercriminal’s activities concluded with his arrest on February 26, 2025, during a coordinated operation by the Royal Thai Police and the Singapore Police Force. Throughout his criminal career, he displayed a persistent pattern of employing SQL injection techniques and exploiting vulnerable web servers to gain unauthorized access to sensitive data. His ability to frequently change identities aided him in evading capture for several years, but ultimately, his operational patterns and communication methods led to his downfall.
The investigation by Group-IB emphasizes the significance of monitoring and analyzing the tactics, techniques, and procedures (TTPs) of cyber adversaries to mitigate future breaches. Understanding the MITRE ATT&CK framework’s relevant tactics, including initial access, persistence, and privilege escalation, can be critical for organizations striving to bolster their cybersecurity defenses.
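The article notes that the actor relied on SQL injection against vulnerable web servers and that tracking TTPs is what lets defenders catch such activity. As an added illustration (not code from the article or from Group-IB), the following script shows the kind of web-server access-log review a defender would run: it URL-decodes each request path, flags common SQL-injection indicators, flags unusually large responses that may indicate bulk data exfiltration, and counts alerts per source IP. The log lines, the 5 MB response threshold, and the regular expressions are constructed for this example and are assumptions, not values from the investigation.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in combined-log style. These are
# illustrative and were not taken from the investigation described above.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [01/Feb/2025:10:00:01 +0700] "GET /products?id=42 HTTP/1.1" 200 1532',
    '203.0.113.10 - - [01/Feb/2025:10:00:05 +0700] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 48213',
    '203.0.113.10 - - [01/Feb/2025:10:00:09 +0700] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 812',
    '198.51.100.7 - - [01/Feb/2025:10:01:00 +0700] "GET /login HTTP/1.1" 200 2210',
    '203.0.113.10 - - [01/Feb/2025:10:02:30 +0700] "GET /export?table=customers HTTP/1.1" 200 9876543',
]

# Parser for: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Heuristic SQL-injection indicators, matched against the URL-decoded path.
# Ordered: a path is labelled with every pattern that matches, in this order.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "tautology"),
    (re.compile(r"\bunion\b.*\bselect\b", re.I), "union-select"),
    (re.compile(r"--|/\*|;\s*(drop|select|insert|update)\b", re.I), "comment/stacked"),
]

# Constructed threshold: responses at or above this size are treated as
# possible bulk exfiltration and deserve a second look.
LARGE_RESPONSE_BYTES = 5_000_000


def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode percent-encoding so obfuscated payloads are visible to the patterns.
    entry["path"] = unquote_plus(entry["path"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def classify(entry):
    """Return a list of finding labels for one parsed log entry."""
    findings = [f"sqli:{label}" for pat, label in SQLI_PATTERNS if pat.search(entry["path"])]
    if entry["bytes"] >= LARGE_RESPONSE_BYTES:
        findings.append("large-response")
    return findings


def scan(lines):
    """Scan log lines; return (alerts, alert count per source IP)."""
    alerts = []
    per_ip = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash the scan
        findings = classify(entry)
        if findings:
            alerts.append({"ip": entry["ip"], "path": entry["path"], "findings": findings})
            per_ip[entry["ip"]] = per_ip.get(entry["ip"], 0) + 1
    return alerts, per_ip


if __name__ == "__main__":
    alerts, per_ip = scan(SAMPLE_LOG_LINES)
    for a in alerts:
        print(f'{a["ip"]} {a["path"]} -> {", ".join(a["findings"])}')
    print("alerts per source IP:", per_ip)
```

Decoding the path before matching matters: the second sample line is percent-encoded, and matching the raw string would miss it. The per-IP tally is the simple correlation step the article's point about TTPs calls for: a single tautology probe is noise, but the same source producing injection probes followed by an oversized response is the sequence worth escalating.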
For business owners attentive to cybersecurity risks, this case serves as a stark reminder of the continually evolving nature of cyber threats. It underscores the necessity of implementing robust security measures to protect sensitive data against such adversarial threats.