A lone cybercriminal masquerading as a hacker group has been unmasked as the entity behind more than 90 data breaches worldwide over a four-year period.
The individual, who operated under four distinct aliases (ALTDOS, DESORDEN, GHOSTR, and Omid16B), targeted companies primarily in Asia before expanding globally, creating a trail of digital destruction motivated purely by financial gain.
The attacker’s modus operandi involved targeting internet-facing Windows servers, specifically searching for databases containing personal information.
Using SQL injection tools such as sqlmap for reconnaissance, the threat actor would identify and exploit vulnerabilities to gain unauthorized access to sensitive data.
After compromising these servers, the attacker would exfiltrate the victim’s data and, in some cases, encrypt it on the compromised servers.
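The pattern described above, sqlmap-driven probing of internet-facing Windows web servers, leaves traces in ordinary IIS access logs. The following detection script is an added example, not part of the article or of Group-IB's tooling; the log excerpt is constructed, and the field order follows the W3C extended format named in its own `#Fields:` header.

```python
"""Flag likely sqlmap reconnaissance probes in IIS (W3C extended) web-server logs."""
import re
from urllib.parse import unquote_plus

# Constructed IIS log excerpt (not from the article). IIS encodes spaces as '+'.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /products.aspx id=42 203.0.113.9 Mozilla/5.0 200
2024-05-01 10:00:02 10.0.0.5 GET /products.aspx id=42%27+AND+1%3D1-- 203.0.113.9 sqlmap/1.8.2#stable+(https://sqlmap.org) 500
2024-05-01 10:00:03 10.0.0.5 GET /products.aspx id=42+UNION+SELECT+NULL,NULL-- 203.0.113.9 Mozilla/5.0 500
2024-05-01 10:00:04 10.0.0.5 GET /about.aspx - 198.51.100.7 Mozilla/5.0 200
"""

# sqlmap's default User-Agent starts with "sqlmap/"; it is trivially changed,
# so treat it as a bonus signal, not the primary one.
UA_PATTERN = re.compile(r"^sqlmap/", re.IGNORECASE)
# Classic boolean-, UNION- and time-based probe fragments, matched on the decoded query.
SQLI_PATTERN = re.compile(
    r"(\bunion\b\s+(all\s+)?select\b|\b(or|and)\b\s+\d+\s*=\s*\d+"
    r"|'\s*(or|and)\b|;\s*waitfor\s+delay|--\s*$)",
    re.IGNORECASE,
)

def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def flag_sqlmap_activity(text):
    """Return records that look like SQL-injection reconnaissance, with the reasons."""
    hits = []
    for rec in parse_iis_log(text):
        reasons = []
        if UA_PATTERN.search(unquote_plus(rec["cs(User-Agent)"])):
            reasons.append("sqlmap user-agent")
        query = rec["cs-uri-query"]
        if query != "-" and SQLI_PATTERN.search(unquote_plus(query)):
            reasons.append("sqli probe in query")
        if reasons:  # a 5xx after an injection-like query is the stronger signal
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "uri": rec["cs-uri-stem"], "status": rec["sc-status"],
                         "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in flag_sqlmap_activity(SAMPLE_LOG):
        print(hit)
```

On the sample, the two probes from 203.0.113.9 are flagged (the first on both user-agent and query, the second on query alone) while the benign requests pass.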
The cybercriminal’s ultimate goal was extortion—demanding ransoms from victims to prevent public exposure of their data.
When victims failed to comply, the attacker would escalate tactics by reporting breaches to data protection regulators and announcing the sale of compromised data on dark web forums, further exploiting the situation for profit.
Group-IB analysts identified distinctive patterns linking all four aliases through extensive digital forensics.
Their investigation revealed that despite changing identities, the threat actor consistently left behind fingerprints that enabled investigators to connect the dots between the seemingly separate entities.
Attack Infrastructure and Technical Footprint
Deeper examination of the attacker’s infrastructure revealed a consistent technical environment.
The cybercriminal utilized VirtualBox running Kali Linux for operations, deploying a cracked version of Cobalt Strike to maintain control over compromised servers.
Evidence of this setup appeared in leaked screenshots where stolen data was consistently stored in identical folder structures (/media/sf_E_DRIVE/) across all four aliases.
Notably, the threat actor exhibited minimal lateral movement within compromised networks. Instead, the focus remained on efficient data exfiltration to rented cloud servers for subsequent extortion attempts.
Communication with victims followed recognizable patterns, with ransom notes beginning with “Today is ” followed by “This is ” – a signature pattern maintained across all aliases.
The cybercriminal was finally apprehended on February 26, 2025, by the Royal Thai Police following years of investigation by Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams based in Thailand and Singapore.