Cybercriminal Behind 90 Global Data Breaches Arrested: A Deep Dive into ALTDOS, DESORDEN, GHOSTR, and 0mid16B

Listen to this Post

The Rise and Fall of a Cybercriminal Mastermind

A major cybercrime breakthrough has been achieved with the arrest of a notorious hacker responsible for over 90 global data breaches. An investigation by Group-IB has linked four distinct hacker aliases—ALTDOS, DESORDEN, GHOSTR, and 0mid16B—to a single cybercriminal who operated for years before being apprehended on February 26, 2025, in a coordinated effort by the Royal Thai Police and the Singapore Police Force.

This cybercriminal targeted internet-facing Windows servers, exploiting vulnerabilities to exfiltrate personal and corporate data and using the stolen information for financial extortion. His arrest marks a significant victory in the ongoing battle against cybercrime, proving the effectiveness of international collaboration in cybersecurity enforcement.

Evolution of the Cybercriminal: From ALTDOS to 0mid16B

ALTDOS: The Beginning (December 2020 – September 2021)

  • First appeared in December 2020, attacking a Thai financial institution.
  • Demanded a ransom of 170 BTC ($3 million at the time) and leaked stolen data when the ransom was not paid.
  • Primarily targeted ASEAN companies, refining his extortion techniques over time.
  • Later moved to selling stolen data on dark web marketplaces like RaidForums to maximize profits.

The Birth of DESORDEN (September 2021 – Late 2023)
– After ALTDOS ceased operations, the same individual resurfaced under the alias DESORDEN.
– Continued to breach Asian companies, using advanced techniques to enhance his attacks.
– Gained a strong reputation in cybercriminal circles, especially on RaidForums and later BreachForums.
– Briefly collaborated with other cybercriminals before operating solo.
– Ultimately banned from BreachForums after a scam report led to community backlash.

GHOSTR Emerges (October 2023 – Early 2024)

  • Following his BreachForums ban, he rebranded as GHOSTR and quickly gained notoriety.
  • Amassed nearly 30 victims within a short period.
  • Used Tox and Matrix for communication—methods identical to his previous aliases.
  • Continued his extortion and data-leaking operations until BreachForums moderators banned him again for multi-accounting.

0mid16B and the Final Chapter (Early 2024 – February 2025)
– After the failure of GHOSTR, the criminal assumed another identity: 0mid16B.
– However, law enforcement and cybersecurity experts had already connected the dots between all four aliases.
– The cybercriminal was ultimately arrested in February 2025 in a coordinated operation between Thai and Singaporean authorities.

What Undercode Says: A Cybercriminal’s Playbook and Its Implications

This case provides an in-depth look into modern cybercriminal behavior, revealing a blueprint that many digital criminals follow. Let’s break down what we’ve learned and what it means for cybersecurity moving forward.

1. The Evolution of Cybercriminals: Why Rebranding Works

Rebranding is a common tactic among hackers, allowing them to evade detection and rebuild credibility under a new alias. Each transformation (ALTDOS → DESORDEN → GHOSTR → 0mid16B) gave this criminal another chance to restart operations before security firms caught up.

  • Implication: Cybersecurity firms and law enforcement must develop real-time tracking mechanisms that link threat actors across multiple aliases.
  1. The Role of Dark Web Forums in Cybercrime
    RaidForums and BreachForums played a crucial role in this hacker’s career. These platforms allow criminals to:

– Sell stolen data to the highest bidder.

– Communicate with potential collaborators in hacking forums.

– Evade authorities by frequently switching platforms.

  • Implication: Authorities should increase infiltration efforts into these communities to monitor and disrupt cybercriminal networks.

3. The Importance of International Cooperation

This arrest was only possible due to collaboration between Thai and Singaporean authorities alongside cybersecurity firms like Group-IB. This highlights the growing necessity of cross-border cybersecurity enforcement in tackling digital crime.

  • Implication: Governments must prioritize inter-agency collaboration and information sharing to dismantle cybercrime syndicates.

4. Financial Motivation Drives Cybercrime

This hacker’s initial ransom demand of 170 BTC ($3M at the time) shows the financial appeal of cybercrime. When ransoms weren’t paid, he pivoted to selling data on dark web forums, maximizing profits.

  • Implication: Companies should invest in cyber resilience strategies to avoid being vulnerable to such attacks, including regular security audits and employee awareness training.

5. The Challenge of Attribution in Cybercrime

Despite years of activity, authorities took a long time to definitively link ALTDOS, DESORDEN, GHOSTR, and 0mid16B to the same individual. Cybercriminals often use proxy networks, encrypted communication, and fake credentials to stay hidden.

  • Implication: AI-powered threat analysis and behavioral pattern recognition will be key in detecting rebranded cybercriminals before they strike again.

Fact Checker Results

  1. Confirmed: ALTDOS, DESORDEN, GHOSTR, and 0mid16B are the same individual.
  2. Verified: The hacker was arrested in February 2025 in a joint police operation.
  3. Accurate: His cyberattacks primarily targeted ASEAN countries, as reported.

This case serves as a powerful reminder that cybercriminals may change their names, but their tactics remain predictable. As law enforcement continues to refine its methods, cybersecurity efforts must remain one step ahead to prevent future attacks.

References:

Reported By: https://cyberpress.org/four-members-linked-to-90-global-data-breaches/
Extra Source Hub:
https://www.quora.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image