A recent joint operation led by Group-IB, in collaboration with the Royal Thai Police and Singapore Police Force, resulted in the arrest of a hacker responsible for over 90 data breaches across 25 countries. The hacker, who operated under various aliases such as ALTDOS, DESORDEN, GHOSTR, and 0mid16B, targeted a wide range of industries, including healthcare, government agencies, and multinational corporations. Between 2020 and 2025, the hacker exfiltrated 13 terabytes of sensitive data, causing significant damage to businesses and individuals across the globe.
The hacker’s initial attacks, under the alias ALTDOS, were focused on Thai entities.
Using tools like SQL injection and exploiting vulnerabilities in Remote Desktop Protocol (RDP) servers, the hacker infiltrated networks and stole data, which was later sold on dark web forums. Unlike typical ransomware actors, the hacker prioritized data theft and extortion, threatening to leak sensitive information unless paid, as seen in 2022 when they leaked 8 million customer records from a Thai e-commerce platform after it refused to comply with their demands.
By 2023, the hacker rebranded as DESORDEN and expanded their operations to the Asia-Pacific region, targeting healthcare and financial institutions.
Group-IB’s analysts noted the hacker’s increasing sophistication, such as deploying CobaltStrike beacons for persistent access and using minimal lateral movement within networks. During this period, the hacker stole 9.5 million patient records, which were later sold on platforms like BreachForums for cryptocurrency. The hacker’s operations also spanned Western countries, including the UK and Canada, where their attacks affected millions of individuals’ personal and financial data.
The arrest marks a significant step in global efforts to combat dark web crime syndicates. Authorities seized electronic devices and luxury goods purchased with illicit profits from the data sales. Legal experts predict severe penalties under Thailand’s Computer Crimes Act and Singapore’s Cybersecurity Act. This case highlights the critical role of public-private partnerships in tackling cybercrime and underscores the importance of proactive cybersecurity measures such as patching RDP vulnerabilities and auditing third-party access.
