Man Accused of Hacking 90 Organizations Globally Under a Variety of Aliases

Thai police arrested a suspected hacker extortionist tied to more than 90 global data breaches.
The suspect, who has not been named, is accused of perpetrating 65 data breaches in the Asia-Pacific region alone. The Royal Thai Police collaborated with the Singapore Police Force to identify and detain the 39-year-old man on Wednesday.
“The threat actor is suspected to have exploited vulnerabilities in the victims’ networks before stealing the victims’ data,” the Singapore Police Force said in a statement distributed to local press. “The threat actor is also suspected to have published the stolen data for sale online when victims failed to pay the ransom demanded.”
Police said they seized laptops, mobile phones, luxury goods and vehicles worth more than $300,000.
The suspect operated under a variety of online personas, including “Altdos,” which focused on Southeast Asia. Other aliases, including “Desorden,” “Ghostr” and “0mid16B,” were involved in attacks across the globe.
Singapore-based cybersecurity firm Group-IB, which assisted the investigation, described the suspect as being “one of the most active cybercriminals in the Asia-Pacific since 2021, selling more than 13 terabytes of personal data on the dark web.”
Group-IB said the suspect’s decision to change aliases was an apparent attempt to make his efforts tougher to trace. The firm said it helped police connect the various aliases to the single suspect by “linking his activities through writing styles, posting patterns and account timelines despite bans for scamming and multi-accounting.”
As Altdos, the suspect allegedly focused on targeting Thai organizations before expanding the focus to Singapore, Bangladesh and other Asia-Pacific nations. The Singapore police said the attacker sometimes also used distributed denial-of-service attacks against victims “to disrupt operational services and to remind them to pay the ransom.”
As Desorden, the attacker is suspected of attacking a major Thai hotel chain and further targets in Singapore, as well as Acer’s operations in Taiwan and India. The attacker regularly posted samples of stolen data on the RaidForums cybercrime forum to publicize attacks and pressure victims into paying.
Last year, an attacker using the alias GhostR claimed on the cybercrime forum BreachForums to have stolen more than 34 gigabytes of data belonging to Singapore-based telecom company Absolute Telecom PTE and 846 gigabytes of data from Australian logistics company Victorian Freight Specialists. The attacker also claimed to have stolen 5.3 million records from a major British screening database maintained by the London Stock Exchange Group containing information on terrorists, potential criminals and high-risk individuals.
The attacker often gained remote access to systems via SQL injection attacks, using such tools as sqlmap, as well as by targeting poorly secured remote desktop protocol servers, Group-IB said.
The attacker typically “deployed a cracked version of Cobalt Strike to control compromised servers, exfiltrated data to rented cloud servers for blackmail, and leveraged direct customer notifications, media leaks and regulatory reports to pressure victims.” In some cases, the attacker also encrypted databases to add pressure on victims to pay.
“This case highlights the evolution of cybercriminal tactics, not just through technical exploits but through coercion, intimidation and reputational threats,” said Dmitry Volkov, CEO of Group-IB.