Monday, March 31, 2025

4 Members of Hacker Group Behind 90 Worldwide Data Breaches Uncovered


A recent investigation by Group-IB has shed light on a notorious cybercriminal operating under several aliases, including ALTDOS, DESORDEN, GHOSTR, and 0mid16B.

This individual was responsible for over 90 data breaches globally, primarily targeting companies in Asia and other regions.

The threat actor’s modus operandi involved compromising internet-facing Windows servers, exfiltrating sensitive data, and extorting victims through ransom demands.

If victims refused to comply, the stolen data was sold on dark web forums or publicly exposed, leading to significant financial and reputational losses for the affected companies.

Evolution of the Threat Actor

The threat actor first emerged as ALTDOS in December 2020, announcing a high-profile attack on a Thai financial institution.

ALTDOS demanded a ransom of 170 BTC, valued at over $3 million at the time, and publicly dumped the stolen data when the demand was not met.

Over time, ALTDOS transitioned to selling breached data on platforms like RaidForums, where he gained attention under the alias “altdos.”

However, he ceased operations in September 2021 and re-emerged as DESORDEN, a move likely intended to rebrand himself as a more formidable figure in the cybercrime ecosystem.

As DESORDEN, the threat actor continued to target Asian companies, refining his tactics and expanding his reach.

He collaborated briefly with other notable figures on BreachForums but ultimately preferred to operate alone.

DESORDEN’s activities were halted after a scam report led to his ban from BreachForums, prompting him to reinvent himself once more.

This time, he emerged as GHOSTR, quickly amassing nearly 30 victims across Asia and Canada.

GHOSTR’s operational similarities to DESORDEN, including the use of Tox and Matrix for communication, strongly suggested that GHOSTR was another alias of the same individual.

Arrest

The threat actor’s activities under these aliases came to an end with his arrest on February 26, 2025, in a joint operation by the Royal Thai Police and the Singapore Police Force.

Throughout his operations, the threat actor demonstrated a consistent pattern of using SQL injection tools and exploiting vulnerable web servers to gain unauthorized access to sensitive data.

His ability to adapt and change identities allowed him to evade detection for several years, but ultimately, his tactics and communication methods led to his exposure.

The investigation highlights the importance of monitoring and analyzing the tactics, techniques, and procedures (TTPs) of cybercriminals to prevent future breaches.
