GHOSTR Hacker Linked to 90+ Data Breaches Arrested


A coordinated effort between law enforcement in Thailand, Singapore, and cybersecurity firm Group-IB has led to the arrest of a prolific hacker tied to more than 90 data breaches worldwide.

The individual, operating under multiple online identities such as GHOSTR, ALTDOS, DESORDEN, and 0mid16B, reportedly stole and sold over 13 terabytes of sensitive information including government agency records on dark web markets. The accused hacker was also an active member of the infamous cybercrime and data breach platform Breach Forums.

GHOSTR Hacker banned from Breach Forums for multi-accounting (Screenshot credit: Hackread.com)

Active since at least 2020, the hacker targeted organizations across Asia-Pacific nations such as Thailand, Singapore, Malaysia, Pakistan and India, later expanding to Europe, North America, and the Middle East. Victims spanned industries including healthcare, finance, e-commerce, and logistics.

Initially, they pressured companies by threatening to leak stolen data unless paid, often alerting media or regulators if demands were ignored. Later, they moved to selling databases on dark web forums, gaining a reputation for high-quality leaks and commanding premium prices. In some cases, they even emailed customers directly to force companies into compliance.

According to Group-IB’s press release published on Thursday, the hacker exploited common vulnerabilities to infiltrate systems. They used tools such as sqlmap to carry out SQL injection attacks, which abuse flaws in web applications to reach backend databases, and broke into poorly secured Remote Desktop Protocol (RDP) servers.

Once inside, they deployed a modified version of the penetration-testing tool Cobalt Strike to maintain control of compromised networks. The extracted data was then copied to cloud servers for extortion purposes.
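The sqlmap-driven SQL injection described above leaves recognisable traces in ordinary web server access logs. The following detection script is an added example written for this article, not code from Group-IB or Hackread; it assumes combined log format, relies on sqlmap's default `sqlmap/<version>` User-Agent prefix (which an operator can override), and runs over constructed sample entries.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample entries in combined log format; IPs come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "GET /item.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "GET /item.php?id=1%27%20AND%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2024:13:55:37 +0000] "GET /item.php?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 200 613 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
203.0.113.9 - - [10/Oct/2024:13:55:38 +0000] "GET /item.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "sqlmap/1.7.2#stable (https://sqlmap.org)"
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "GET /item.php?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# sqlmap announces itself as "sqlmap/<version>" unless the operator sets a custom User-Agent.
SQLMAP_UA = re.compile(r"^sqlmap/", re.I)

# Payload shapes produced by boolean-, UNION- and time-based injection techniques.
SQLI_PAYLOAD = re.compile(
    r"\bunion\b\s+(?:all\s+)?select\b|\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b"
    r"|\b(?:and|or)\b\s+\d+\s*=\s*\d+",
    re.I,
)

def parse_line(line):
    """Return the parsed fields of one combined-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, payload_threshold=2):
    """Per-IP counts of sqlmap User-Agent hits and SQLi-shaped query strings, plus a verdict."""
    stats = defaultdict(lambda: {"ua_hits": 0, "payload_hits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or truncated lines rather than abort the run
        s = stats[rec["ip"]]
        if SQLMAP_UA.search(rec["ua"]):
            s["ua_hits"] += 1
        # Decode the query string so URL-encoded quotes, spaces and parentheses are visible.
        query = unquote_plus(rec["path"].partition("?")[2])
        if SQLI_PAYLOAD.search(query):
            s["payload_hits"] += 1
    for s in stats.values():
        # A single tool banner is decisive; payload matches need a repeat to cut false positives.
        s["flagged"] = s["ua_hits"] > 0 or s["payload_hits"] >= payload_threshold
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s)
```

Because the User-Agent check is trivially defeated by a custom header, the payload heuristic is the one worth keeping in production, ideally paired with a per-IP request-rate check.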

Multiple Identities, Difficult to Track

Investigators faced challenges as the hacker frequently changed aliases and tactics. Group-IB’s teams linked the identities by analyzing writing styles, post formats, and target preferences across dark web forums. For example, the ALTDOS persona focused on Thai victims in 2020, while DESORDEN later targeted organizations in the following sectors:

  • Retail
  • Finance
  • Logistics
  • Insurance
  • Healthcare
  • Hospitality
  • Recruitment
  • Technology
  • E-commerce
  • Property investment

Despite bans from forums for scams and fake accounts, the hacker continued operations under new names until their trail of online activity led authorities to their real-world identity.

During the arrest, Thai authorities confiscated several laptops, electronic devices, and numerous luxury items purchased with proceeds from the data sales.

Seized content (Via Group-IB)

Group-IB’s role in mapping the hacker’s activity across aliases demonstrates how behavioural patterns and technical clues can unmask even the most persistent cybercriminals. The company’s threat intelligence also brings to mind the Brazilian hacker USDoD, who was tracked down after CrowdStrike exposed his real identity, leading to his arrest.