CyberSecurity SEE

Hacker Responsible for 90 Major Data Breaches Worldwide Arrested by Authorities

A significant breakthrough was achieved in the fight against cybercrime as cybersecurity firm Group-IB, in collaboration with the Royal Thai Police and Singapore Police Force, successfully apprehended a notorious hacker responsible for more than 90 major data breaches in 25 countries, with 65 of these attacks targeting the Asia-Pacific region.

This prolific cybercriminal, known by multiple aliases such as ALTDOS, DESORDEN, GHOSTR, and 0mid16B, managed to infiltrate and extract a staggering 13 terabytes of sensitive data between 2020 and 2025, affecting various industries ranging from healthcare to government entities.

The joint investigation, led by Group-IB’s Digital Crime Resistance Centers (DCRCs) in Thailand and Singapore, culminated in a raid on the hacker’s hideout in Thailand. Law enforcement authorities seized numerous electronic devices, laptops, and luxury items that were purchased using illicit funds obtained from selling stolen data on the dark web.

According to the Royal Thai Police, the arrested individual is confirmed to have been involved in cyberattacks against multinational corporations, small businesses, and government databases, with victims spread across Thailand, India, Indonesia, the UK, and the United States.

Initially operating under the alias ALTDOS in 2020, the hacker primarily targeted Thai entities by utilizing SQL injection tools such as sqlmap and exploiting vulnerabilities in Remote Desktop Protocol (RDP) servers to gain unauthorized access to networks. Unlike typical ransomware attackers, this criminal prioritized data theft over encryption, threatening victims with exposing their information through media outlets or data regulators unless a ransom was paid.

As the hacker evolved and rebranded as DESORDEN in 2023, the scope of the attacks expanded to include healthcare providers and financial institutions across the Asia-Pacific region. Analysts observed a shift towards deploying Cobalt Strike beacons for persistent access within networks, resulting in the theft of 9.5 million patient records from a regional hospital chain.

Under the aliases GHOSTR and 0mid16B in 2024, the cybercriminal escalated his attacks on Western entities, including a UK logistics firm and a Canadian insurance provider. To avoid detection, the hacker frequently changed personas, communication channels, and data-sharing platforms. However, Group-IB’s AI-driven dark web monitoring was able to link the various aliases by detecting linguistic patterns, posting formats, and victim geography.

The hacker’s malicious activities compromised sensitive data of more than 40 million individuals, including national ID numbers, medical histories, and financial records. One particular breach resulted in a Middle Eastern government agency losing 2.7 terabytes of citizen data, leading to concerns about identity theft on a national scale.

Legal experts anticipate severe penalties under Thailand’s Computer Crimes Act and Singapore’s Cybersecurity Act, which could result in up to 20 years of imprisonment for aggravated cybercrimes. This case highlights the importance of collaborative efforts between law enforcement agencies and private cybersecurity firms in combating cyber threats.

The arrest of this prolific hacker serves as a stark reminder of the ever-present digital vulnerabilities that organizations and individuals face in today’s interconnected world. Authorities emphasize the need for organizations to patch vulnerabilities, monitor third-party access, and implement robust threat-hunting mechanisms to mitigate cyber risks effectively.

Moving forward, INTERPOL intends to utilize the insights gained from this operation to enhance global dark web surveillance protocols and prevent similar large-scale cyber campaigns. The takedown of this cybercriminal not only delivers a semblance of justice to the victims but also underscores the ongoing battle against cyber threats in the digital landscape.
