Hacker Group Unmasked: Four Members Linked to 90 Global Data Breaches

A recent investigation by Group-IB has revealed striking connections between four aliases (ALTDOS, DESORDEN, GHOSTR, and 0mid16B), all linked to a single cybercriminal responsible for over 90 global data breaches.

The threat actor, who was arrested on February 26, 2025, in a joint operation by the Royal Thai Police and the Singapore Police Force, targeted internet-facing Windows servers to exfiltrate personal data and extort victims financially.

Evolution of the Threat Actor

The cybercriminal first emerged under the alias ALTDOS in December 2020, announcing an attack on a Thai financial institution.

ALTDOS demanded a ransom of 170 BTC, valued at over $3 million at the time, and publicly dumped the stolen data when the demand was not met.

This modus operandi set the stage for future attacks, primarily targeting companies in ASEAN countries.

Over time, ALTDOS transitioned to selling stolen data on dark web forums like RaidForums, maximizing profits and broadening his criminal activities.

In September 2021, ALTDOS ceased operations and re-emerged as DESORDEN, continuing to target Asian companies and refining his tactics.

DESORDEN gained significant notoriety on RaidForums and later BreachForums, collaborating briefly with other cybercriminals before operating alone.

However, his activities were halted after a scam report led to his ban from BreachForums.

Rebranding and Arrest

Following the ban, DESORDEN rebranded as GHOSTR in October 2023, quickly amassing nearly 30 victims.

GHOSTR used similar communication methods, including Tox and Matrix, and mirrored DESORDEN’s tactics, further solidifying the connection between the two aliases.

However, GHOSTR was also banned from BreachForums after his multi-accounting was exposed.

The investigation revealed that all four aliases (ALTDOS, DESORDEN, GHOSTR, and 0mid16B) were linked to the same individual, who was eventually apprehended in February 2025.

This arrest marks a significant milestone in combating global cybercrime, highlighting the importance of collaborative efforts between law enforcement agencies and cybersecurity firms like Group-IB.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.