{
	"id": "31f151d1-d5e1-4faa-a57b-500066d8299a",
	"created_at": "2026-04-06T15:52:30.788838Z",
	"updated_at": "2026-04-10T03:36:01.403395Z",
	"deleted_at": null,
	"sha1_hash": "1c6766ae5324f63d5a43fad47cb57187a8cb1793",
	"title": "The Cybercriminal with Four Faces: Revealing Group-IB's Investigation into ALTDOS, DESORDEN, GHOSTR and 0mid16B | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 142308,
	"plain_text": "The Cybercriminal with Four Faces: Revealing Group-IB’s Investigation into ALTDOS, DESORDEN, GHOSTR and 0mid16B\r\nJessica Tedja, Cyber Investigation Specialist, APAC\r\nVesta Matveeva, Head of High-Tech Crime Investigation Department, APAC\r\nFollowing the arrest of the cybercriminal behind the aliases ALTDOS, DESORDEN, GHOSTR, and 0mid16B, Group-IB provides a deep dive into his activities, uncovering the striking similarities between the personas and unmasking the individual responsible for more than 90 data leaks worldwide over four years of operation.\r\nMarch 20, 2025 · Cyber Investigations\r\nhttps://www.group-ib.com/blog/the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b/\r\nPage 1 of 30\n\nTags: Cyber Investigation · Data Leak · Extortion · Threat Intelligence\r\nIntroduction\r\n“THIS IS DESORDEN HACKER GROUP. WE HAVE HACKED AND BREACHED INTO YOUR SERVERS.”\r\nThis chilling message heralded a cyberattack that turned an ordinary day into chaos for the victimized companies. What started as a routine day quickly spiraled into panic as they faced a devastating data breach.\r\nThe attack was part of a planned campaign motivated by financial gain. The threat actor was notorious for executing high-profile data breaches in Asia and internationally. He targeted internet-facing Windows servers, specifically searching for databases that contained personal information. After compromising these servers, he exfiltrated the victim’s data and, in some cases, encrypted it on the compromised servers. His ultimate goal was to extort the victim into paying a ransom, or risk public exposure of their data, which could lead to financial losses and reputational damage for the victim.\r\nTo communicate his demands, the threat actor left ransom notes on the victim’s servers or sent them via email, detailing which databases had been exfiltrated and how the victim could make the payment. At times, he escalated his tactics by sending threatening emails or notifications via messaging platforms to the victim’s customers. If the victim failed to respond or refused to pay, the threat actor took his extortion efforts further by reporting the breach to data protection regulators to attract legal scrutiny, and by announcing the sale of the compromised data on dark web forums, to further exploit the situation for profit.\r\nGroup-IB’s Investigations and Threat Intelligence analysts have been tracking the actor since he began his journey in 2020. Over the years, the threat actor changed his alias three times and drew significant media attention over the course of his criminal exploits. In this article, we uncover his evolution under the aliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, examining the patterns that linked his operations and exposing how he used multi-accounting to remain undetected, until his arrest on 26 February 2025 in a joint operation by the Royal Thai Police and the Singapore Police Force.\r\nAct 1: The emergence of ALTDOS\r\nThe threat actor first emerged publicly on 4 December 2020, under the alias ALTDOS, announcing that he had conducted an attack on a financial institution based in Thailand. 
Seeking to amplify the impact of the attack, ALTDOS contacted multiple news outlets in Thailand, as well as DataBreaches.net, a platform that tracks and reports on data breaches, security incidents, and cybersecurity news.\r\nAccording to an article published by DataBreaches.net on 10 December 2020, ALTDOS contacted the victim company’s executives via email on 5 December 2020, demanding a ransom of 170 BTC in return for not publishing the stolen data. The ransom amount was valued at more than US$3 million at the time of the attack. When the victim company did not comply with his demands, ALTDOS retaliated by publicly dumping the compromised data, setting a precedent for his future attacks. Later, we discovered that this actor had non-public victims even earlier than December 2020.\r\nAs ALTDOS, the threat actor continued to use the same modus operandi for subsequent attacks, primarily targeting companies in South and Southeast Asian countries such as Singapore, Thailand, Bangladesh, and Malaysia. However, over time, he adapted and refined his tactics. He began publishing full sets of compromised data on dark web forums like CryptBB and RaidForums, and then transitioned to selling the stolen data as well. The shift to dumping complete databases on dark web forums may have been intended to send a message to future victims about the consequences of not complying with his demands. The transition to selling compromised data likely served to maximize his profits and broaden the scope of his criminal activities.\r\nFigure 1. Jurisdictions where ALTDOS’ victims’ data were leaked.\r\nIn April 2021, the threat actor created his first account on the forum CryptBB with the nickname mystic251. The forum is mainly focused on cybercrime and hacking discussions. During that time, he published only a single thread, about the release of a database from a “popular furniture retail chain in Singapore”.\r\nFigure 2. A screenshot of the thread on the CryptBB forum, posted by the threat actor under the nickname “mystic251”, announcing the release of a database from a Singaporean victim.\r\nHis thread on CryptBB did not seem to get much response, which likely influenced his decision to cease activity on the forum. He then shifted his focus to RaidForums, where he posted under the alias altdos. Unlike on CryptBB, his thread attracted considerable attention on RaidForums, receiving numerous replies.\r\nFigure 3. A screenshot of a post under the nickname altdos on RaidForums.\r\nRaidForums was a data breach and marketplace platform popular among cybercriminals. ALTDOS’ early attempts on CryptBB suggest he was still learning the best practices of selling breached data, indicating a lack of experience at the time.\r\nFurther investigation revealed the threat actor’s Tactics, Techniques, and Procedures (TTPs). He gained access to victims either by running SQL injection tools such as sqlmap to conduct reconnaissance against exposed, internet-facing databases, or by exploiting vulnerable web servers; both routes gave him unauthorized access to sensitive data. He then deployed a beacon from a cracked version of Cobalt Strike to maintain control over the compromised servers. During the course of Group-IB’s investigations, the threat actor did not engage in significant lateral movement; instead, he exfiltrated the data to cloud servers he had rented, and later used it to blackmail the victim company.\r\nThen, in September 2021, ALTDOS suddenly ceased his operations. The threat actor would resume his activity four days later under a different alias, which we detail in the next section. 
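Because this actor’s initial access rested on automated SQL injection probing of exposed web applications, the web server’s own access log is the first place a defender can catch him, well before any Cobalt Strike beacon lands. The following Python example is added here for illustration and is not code from Group-IB or from this article: the access-log records, IP addresses, endpoint and User-Agent strings in it are constructed, and the thresholds (three injection-like requests to one endpoint within five minutes) are an assumption to tune per site. It flags sqlmap by its default User-Agent prefix and, because the tool can spoof a browser agent, also by the burst of boolean, time-based and UNION payloads it sends at a single parameter:

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed, already-parsed access-log records for illustration only (not
# logs from the incidents in the article). Each tuple is
# (timestamp, source_ip, request_path_with_query, status_code, user_agent).
SAMPLE_RECORDS = [
    ('2021-08-12T03:14:01', '203.0.113.7', '/item.php?id=12', 200,
     'Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/90.0'),
    # Default sqlmap User-Agent plus boolean- and time-based probes:
    ('2021-08-12T03:15:10', '198.51.100.23', '/item.php?id=12%20AND%201%3D1', 200,
     'sqlmap/1.5.8#stable (https://sqlmap.org)'),
    ('2021-08-12T03:15:11', '198.51.100.23', '/item.php?id=12%20AND%201%3D2', 200,
     'sqlmap/1.5.8#stable (https://sqlmap.org)'),
    ('2021-08-12T03:15:12', '198.51.100.23', '/item.php?id=12%20AND%20SLEEP%285%29', 200,
     'sqlmap/1.5.8#stable (https://sqlmap.org)'),
    # Same source a minute later with a spoofed browser agent (sqlmap --random-agent):
    ('2021-08-12T03:16:40', '198.51.100.23',
     '/item.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL%2Ctable_name%20FROM%20information_schema.tables',
     500, 'Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0'),
    ('2021-08-12T03:16:41', '198.51.100.23',
     '/item.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL', 500,
     'Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0'),
    ('2021-08-12T03:16:42', '198.51.100.23',
     '/item.php?id=12%20AND%20%28SELECT%20COUNT%28%2A%29%20FROM%20users%29%3E0', 200,
     'Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0'),
    # Benign request whose query happens to contain the word AND:
    ('2021-08-12T04:02:00', '192.0.2.9', '/search.php?q=rock%20and%20roll', 200,
     'Mozilla/5.0 (Macintosh) Safari/605.1'),
]

# Injection signatures matched against the URL-decoded query string. They are
# written without regex escapes: [ ] is a literal space, [(] a parenthesis.
SQLI_SIGNATURES = {
    'union-based': r'union[ ]+(all[ ]+)?select',
    'boolean-tautology': r'(^|[^a-z])(and|or)[ ]+[0-9]+[ ]*=[ ]*[0-9]+',
    'time-based-sleep': r'sleep[(][ ]*[0-9]+[ ]*[)]',
    'time-based-benchmark': r'benchmark[(]',
    'time-based-waitfor': r'waitfor[ ]+delay',
    'schema-enumeration': r'information_schema',
    'subquery-count': r'[(]select[ ]+count[(]',
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in SQLI_SIGNATURES.items()}


def is_sqlmap_agent(user_agent):
    # sqlmap identifies itself as sqlmap/<version> unless --random-agent or
    # --user-agent is used, so this check alone is not sufficient.
    return user_agent.lower().startswith('sqlmap/')


def sqli_signatures(path):
    # Names of every signature that fires on the decoded query string.
    query = unquote_plus(path.split('?', 1)[1]) if '?' in path else ''
    return [name for name, rx in COMPILED.items() if rx.search(query)]


def detect_sqli_recon(records, min_hits=3, window_seconds=300):
    # Group injection-like requests per (source IP, endpoint). A source is
    # flagged when it advertises the sqlmap User-Agent at all, or when it sends
    # at least min_hits such requests to one endpoint within window_seconds,
    # which is the burst an automated scanner produces.
    by_source = defaultdict(list)
    for ts, ip, path, status, ua in records:
        sigs = sqli_signatures(path)
        uses_tool_ua = is_sqlmap_agent(ua)
        if sigs or uses_tool_ua:
            endpoint = path.split('?', 1)[0]
            by_source[(ip, endpoint)].append((datetime.fromisoformat(ts), sigs, uses_tool_ua))
    findings = {}
    for (ip, endpoint), hits in by_source.items():
        hits.sort(key=lambda h: h[0])
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        tool_ua_seen = any(h[2] for h in hits)
        burst = len(hits) >= min_hits and span <= window_seconds
        if tool_ua_seen or burst:
            findings[ip] = {
                'endpoint': endpoint,
                'requests': len(hits),
                'seconds': span,
                'sqlmap_user_agent': tool_ua_seen,
                'techniques': sorted({name for h in hits for name in h[1]}),
            }
    return findings


if __name__ == '__main__':
    for ip, finding in detect_sqli_recon(SAMPLE_RECORDS).items():
        print(ip, finding)
```

Run as a script it prints one finding for 198.51.100.23, listing the endpoint, the request count, the time span and the techniques seen; in production the records would come from a parsed Apache, nginx or IIS log, and a hit should trigger a look at the same source in the database query log, since a successful enumeration of information_schema is the step that precedes the bulk export described above.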
Group-IB’s hypothesis on this abrupt switch from ALTDOS to a new alias is that cybercriminals often treat their online personas like brands, and ALTDOS’ frequent tactical shifts and inconsistent methods initially painted him as an inexperienced operator. By adopting a new identity, he may have sought to establish himself as a more professional and formidable figure in the underground cybercrime market.\r\nAct 2: Reinventing as DESORDEN\r\nOn 26 September 2021, a threat actor with the name DESORDEN started actively selling breached databases on RaidForums. Group-IB’s analysis found striking similarities between DESORDEN and ALTDOS.\r\nBoth shared a similar writing style, and their victimology overlapped significantly, with a primary focus on Asian companies. Given these patterns, Group-IB conducted a deeper investigation into DESORDEN’s activities, searching for further links to ALTDOS that could confirm they were, in fact, the same individual operating under a new alias.\r\nBased on the comparison, Group-IB observed that both ALTDOS and DESORDEN wrote the nickname in capital letters, and both provided a video as proof of the attack. The sentence “Here is a video screen recording of the stolen …” was used identically by both aliases. Additionally, both ALTDOS and DESORDEN provided a link to a file-sharing website hosting the video recording.\r\nFigure 4. A comparison of one of ALTDOS’ posts (top) and DESORDEN’s post (bottom) on RaidForums.\r\nThere were also similarities in the way the ransom notes were drafted. Both ALTDOS and DESORDEN consistently followed a distinct pattern, with each message beginning with “Today is <date>”, using a day-first format followed by the month name and year (e.g., “3rd August 2022”). Immediately after the date, the threat actor introduced himself in a standardized manner, always starting with “This is <threat actor’s nickname>”. The ransom notes shown below were screenshotted on the attacker’s own machine, which is likely running Kali Linux, since part of the logo typical of Kali Linux is visible in the background of both screenshots.\r\nFigure 5. A comparison of ALTDOS’ ransom note (top) and DESORDEN’s ransom note (bottom).\r\nOver time, the threat actor appeared to use capital letters more frequently; in the ransom note above, he wrote the entire note in capitals. DESORDEN also added the word “group” after his nickname. It is a common tactic among individual threat actors to pose as a group, as they believe it adds more weight to their actions; ALTDOS, too, had always referred to himself as “we”.\r\nAside from sharing a similar victim profile, writing style, and web services with ALTDOS, DESORDEN also exhibited identical TTPs. These correlations led us to conclude that the individual behind ALTDOS was highly likely operating under the DESORDEN alias.\r\nDESORDEN was initially active on RaidForums and later migrated to BreachForums after RaidForums was taken down by law enforcement in 2022. He operated under this alias for the longest period and gained significant notoriety, establishing himself as a formidable figure in the cybercrime ecosystem. 
The DESORDEN phase marked his most notable evolution, as he refined his tactics, expanded his reach, and solidified his reputation as a high-profile threat actor.\r\nFigure 6. Jurisdictions where DESORDEN’s victims’ data were leaked.\r\nOver a two-year period, DESORDEN compromised more than 30 victims, significantly escalating his cybercrime activities. During this time, he briefly collaborated with notorious BreachForums figures, including @Bjorka and @cod. However, this partnership lasted only a few months, suggesting that he ultimately preferred to operate alone.\r\nFigure 7. A screenshot of an Indonesian website defaced by DESORDEN, cod, 747, and Bjorka.\r\nInitially, like ALTDOS, DESORDEN did not publicly share contact details, instead requiring interested parties to initiate communication via private messages. However, by November 2021, he had expanded his contact options to include Tox and Jabbim.\r\nAfter transitioning to BreachForums in 2022, he abandoned Jabbim in favor of Tox, and later added Matrix. Unlike Jabbim, a centralized messaging platform, Tox and Matrix are decentralized, and both are currently among the messengers most favored by cybercriminals.\r\nGroup-IB investigators conducted an analysis to identify dark web actors specializing in data breaches, targeting victims in Asia (specifically Thailand), and using Matrix as a contact method. According to Group-IB Threat Intelligence, between 2022 and 2023, DESORDEN was the only known cybercriminal to fit this profile, further reinforcing the link between his activities and his preferred communication platform.\r\nFigure 8. A screenshot of Group-IB’s Threat Intelligence platform. The query operator first_post:true restricts the search to the first message of each forum thread.\r\nAs DESORDEN’s notoriety grew, he began facing impersonation attempts, prompting him to include a disclaimer at the end of every post: “WE DO NOT USE TELEGRAM.” This was likely an effort to prevent scammers from exploiting his reputation to deceive potential buyers.\r\nFigure 9. A screenshot of the footer used by DESORDEN for his posts.\r\nIn September 2023, a buyer published a complaint against DESORDEN on BreachForums, accusing him of taking payment without delivering the database. With no evidence provided to refute the buyer’s complaint, BreachForums administrators swiftly banned DESORDEN.\r\nFigure 10. A screenshot of a message from DESORDEN to his buyer.\r\nOnce again, DESORDEN’s activities came to an abrupt halt — but this time, it was not by choice.\r\nIn underground marketplaces like BreachForums, reputation is everything. Credibility and trustworthiness are critical for cybercriminals, as buyers are constantly evaluating whom to trust with illicit transactions. With numerous competitors vying for customers, being labeled a scammer can severely damage a hacker’s ability to operate.\r\nFor DESORDEN, the scam report and subsequent ban meant a severe reputational blow, making it nearly impossible to sell stolen data or engage with other cybercriminals under that alias. As a result, he was forced to reinvent himself once again.\r\nAct 3: Third time’s the charm as GHOSTR\r\nJust a week later, in October 2023, a new BreachForums account under the alias GHOSTR emerged, quickly amassing nearly 30 victims, with a primary focus on Asia and Canada. 
Given the rapid reappearance and operational similarities, we conducted a deeper analysis to determine potential connections between GHOSTR and DESORDEN.\r\nFigure 11. Jurisdictions where GHOSTR’s victims’ data were leaked.\r\nOne similarity was GHOSTR’s communication preferences. He listed Tox and Matrix as his contact methods, just as DESORDEN had. Additionally, he included a disclaimer: “GhostR does not sell hacking services or databases on Telegram or any other platforms.” This mirrored DESORDEN’s past attempts to prevent impersonation, further reinforcing the likelihood that GHOSTR was simply a rebranded DESORDEN.\r\nFigure 12. A screenshot of GHOSTR’s profile on BreachForums.\r\nAccording to Group-IB Threat Intelligence, between 2023 and 2024, GHOSTR was the only other threat actor, aside from DESORDEN, who used Matrix as a contact method and targeted victims in Thailand for data breaches.\r\nFigure 13. A screenshot of Group-IB’s Threat Intelligence platform.\r\nThis overlap in both communication channels and victimology further reinforced the connection between the two aliases, suggesting that GHOSTR was DESORDEN operating under a new identity.\r\nThe avatars used by GHOSTR and DESORDEN also bore notable similarities, further supporting the connection between the two aliases.\r\nFigure 14. A comparison between GHOSTR’s (left) and DESORDEN’s (right) avatars on BreachForums.\r\nThrough Group-IB’s interactions with GHOSTR while posing as a potential buyer, we identified similarities in both his motivation and modus operandi. Like DESORDEN, his primary goal was financial gain: he only sold stolen data if the victim refused to pay the ransom.\r\nFigure 15. A screenshot of a message from GHOSTR, when approached by Group-IB’s analysts posing as a potential buyer.\r\nDESORDEN had used a similar line, which he specified in his BreachForums account bio.\r\nFigure 16. A screenshot of GHOSTR’s bio on his profile on BreachForums.\r\nA comparison of ransom notes from GHOSTR and DESORDEN revealed similarities in writing style. Certain phrases were identical, while others were nearly identical.\r\nFigure 17. An extortion email sent through onionmail to a victim in May 2024 by GHOSTR (above), and a ransom note left by DESORDEN in July 2022 (below).\r\nThrough a comprehensive analysis of GHOSTR’s account details, forum posts, and direct interactions, we established a strong correlation between GHOSTR and DESORDEN.\r\nUltimately, GHOSTR was banned in August 2024 after a BreachForums member exposed his multi-accounting with DESORDEN.\r\nFigure 18. A screenshot of GHOSTR’s profile on BreachForums after the ban.\r\nFigure 19. 
A screenshot of a message sent by one of the moderators of BreachForums, in response to the question of whether GHOSTR was DESORDEN.\r\nMulti-accounting is a serious violation in underground cybercrime markets, as it compromises platform integrity and erodes trust within the community. By creating multiple accounts, individuals can manipulate reputations, evade restrictions, and engage in deceptive practices, ultimately undermining the credibility and reliability of these marketplaces.\r\nGHOSTR’s ban for multi-accounting with DESORDEN underscores the severe consequences of such actions. The incident reinforced the importance of transparency in underground forums, where reputation is a critical asset for cybercriminals looking to operate successfully.\r\nAct 4: Masquerading as 0mid16B\r\nLearning from past mistakes, the threat actor resurfaced once again, this time under the alias 0mid16B. Determined to avoid detection, he altered his avatar, tweaked his writing style, and shifted his strategy, using X (formerly Twitter) to publicly announce his victims instead of relying solely on dark web forums.\r\nAnother key shift was in victim geography. Unlike his previous aliases, which primarily focused on Asian companies, 0mid16B expanded his operations globally, with a significant number of victims located outside Asia, including in the United States. However, similar to GHOSTR and DESORDEN, the actor kept referring to himself as a “group”.\r\nFigure 20. Jurisdictions where 0mid16B’s victims’ data were leaked.\r\nFigure 21. 0mid16B’s account on X (formerly Twitter).\r\nAlthough 0mid16B significantly altered his methods and operational approach, our analysis revealed consistent patterns linking him to his previous aliases.\r\nOne key similarity was his continued use of Matrix as a preferred communication channel. From 2022 to 2024, only three threat actors—DESORDEN, GHOSTR, and 0mid16B—were known to use Matrix while targeting victims in Thailand.\r\nFigure 22. A screenshot of Group-IB’s Threat Intelligence platform.\r\nOne persistent detail across all four of his aliases was the way he published screenshots of stolen data. Regardless of his rebranding, he consistently took the screenshots on the same device, revealing a key operational fingerprint.\r\nEach time, the desktop environment resembled Kali Linux, and the stolen data was stored under the same /media folder structure. The mounted drive name remained identical across aliases, “sf_E_DRIVE”, with one exception: under ALTDOS, the drive was labeled “sf_Storage”. Additionally, he always used the victim’s name as the folder name, a pattern seen repeatedly in his leaked screenshots.\r\nThis setup strongly suggests that he relied on VirtualBox, a popular virtualization tool, to run Kali Linux for his attacks. When VirtualBox Guest Additions automount a shared folder in a Linux guest, the mount point is the share name prefixed with “sf_” under /media. The share name is chosen when the shared folder is configured; when the root of a Windows host drive (E:) is shared, VirtualBox proposes the name “E_DRIVE” by default. For instance, a shared folder named “E_DRIVE” appears in Kali Linux as /media/sf_E_DRIVE, and one named “Storage” appears as /media/sf_Storage. Both names therefore indicate that the stolen data was kept on the host machine, outside the Kali VM, and the drive-letter naming further suggests a Windows host.\r\nGiven this consistent digital footprint, we can infer that 0mid16B, like his previous aliases, used VirtualBox with Kali Linux to conduct his operations, further cementing the connection between his multiple identities.\r\nFigure 23. A comparison of media folder structures between ALTDOS (above) and DESORDEN (below).\r\nFigure 24. A comparison of media folder structures between GHOSTR (above) and 0mid16B (below).\r\nUnder the alias 0mid16B, the threat actor underwent a drastic transformation, a strategic move prompted by the exposure and banning of his previous GHOSTR identity, which had been linked to DESORDEN.\r\nTo distance himself from his past aliases, he shifted his approach, incorporating X (formerly Twitter) as a new platform for victim announcements. By adopting these new communication channels, 0mid16B attempted to break past associations, obscure his identity, and regain credibility in the cybercriminal underground.\r\nThe Final Act: The Downfall\r\nSince his emergence, this threat actor’s approach stood out as unconventional, setting him apart from typical dark web criminals. Unlike many cybercriminals who operate in groups, we believe he worked alone, yet managed to achieve significant success while evading detection for an extended period.\r\nThe investigation into his activities was complex and prolonged. 
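The indicators used above to tie the four personas together, the “Today is <date> … This is <nickname>” opening of the ransom notes described in Act 2, the capitalisation and the “group” self-reference, the video-proof phrasing, the advertised contact channels, and the /media/sf_<share>/<victim> screenshot paths described in Act 4, can be turned into a repeatable scoring routine. The Python example below is added here as an illustration and is not Group-IB’s tooling: every note, path and contact list in it is constructed to emulate the patterns described in the article and is not a real artifact from the case, the feature weights are an assumption, and the alias named hypothetical_actor is an invented control with none of the traits. It extracts a style and infrastructure profile per alias and ranks the pairwise overlap:

```python
import re
from itertools import combinations

# Constructed samples that emulate the patterns the article describes. They are
# not the actual notes, posts, screenshots or contact details from the case, and
# hypothetical_actor is an invented control alias with none of the traits.
SAMPLES = {
    'ALTDOS': {
        'texts': ['Today is 5th December 2020. This is ALTDOS. We have breached your servers and downloaded your databases. Here is a video screen recording of the stolen data.'],
        'paths': ['/media/sf_Storage/victimA/customers.sql'],
        'contacts': {'email'},
    },
    'DESORDEN': {
        'texts': ['TODAY IS 3RD AUGUST 2022. THIS IS DESORDEN HACKER GROUP. WE HAVE HACKED AND BREACHED INTO YOUR SERVERS. HERE IS A VIDEO SCREEN RECORDING OF THE STOLEN DATABASES.'],
        'paths': ['/media/sf_E_DRIVE/victimB/db_dump.zip'],
        'contacts': {'tox', 'jabbim', 'matrix'},
    },
    'GHOSTR': {
        'texts': ['TODAY IS 14TH MAY 2024. THIS IS GHOSTR GROUP. WE HAVE BREACHED YOUR NETWORK AND EXFILTRATED YOUR DATABASES.'],
        'paths': ['/media/sf_E_DRIVE/victimC/export.csv'],
        'contacts': {'tox', 'matrix'},
    },
    '0mid16B': {
        'texts': ['Today is 2nd January 2025. This is 0mid16B group. We have your data and will publish it unless you contact us.'],
        'paths': ['/media/sf_E_DRIVE/victimD/backup.tar'],
        'contacts': {'matrix', 'x'},
    },
    'hypothetical_actor': {
        'texts': ['Hello. Your files have been encrypted by hypothetical_actor. Pay within 72 hours or your data will be sold.'],
        'paths': ['/home/user/loot/victimE/dump.sql'],
        'contacts': {'telegram'},
    },
}

# Day-first date header (e.g. 3rd August 2022), the self-introduction, and the
# VirtualBox automount path /media/sf_<share>/<victim folder>/... No regex
# escapes are used: character classes stand in for them.
DATE_HEADER = re.compile(r'^today is ([0-9]{1,2})(st|nd|rd|th)? ([a-z]+) ([0-9]{4})', re.IGNORECASE)
INTRO = re.compile(r'this is ([a-z0-9_]+)( hacker)?( group)?', re.IGNORECASE)
SHARED_FOLDER = re.compile(r'^/media/sf_([^/]+)/([^/]+)')


def text_features(text):
    # Binary writing-style traits of one ransom note or forum post.
    t = text.strip()
    intro = INTRO.search(t)
    letters = [c for c in t if c.isalpha()]
    caps_ratio = sum(c.isupper() for c in letters) / max(len(letters), 1)
    words = re.findall(r'[a-z]+', t.lower())
    return {
        'day_first_date_header': DATE_HEADER.match(t) is not None,
        'self_intro': intro is not None,
        'claims_group': bool(intro and intro.group(3)),
        'uses_we': 'we' in words,
        'all_caps': caps_ratio > 0.9,
        'video_proof': 'video screen recording' in t.lower(),
    }


def extract_shared_folder(path):
    # (share name, first directory below it) for a VirtualBox shared-folder path, else None.
    m = SHARED_FOLDER.match(path)
    return (m.group(1), m.group(2)) if m else None


def profile(alias_data):
    # Traits seen in any text, share names seen in any path, and contact channels.
    style = {k for t in alias_data['texts'] for k, v in text_features(t).items() if v}
    shares = {sf[0] for sf in map(extract_shared_folder, alias_data['paths']) if sf}
    return {'style': style, 'shares': shares, 'contacts': set(alias_data['contacts'])}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def link_score(p, q):
    # Weights are an assumption: style is the richest signal, then the VM share
    # name visible in screenshots, then the advertised contact channels.
    return round(0.5 * jaccard(p['style'], q['style'])
                 + 0.3 * jaccard(p['shares'], q['shares'])
                 + 0.2 * jaccard(p['contacts'], q['contacts']), 3)


def rank_links(samples):
    # Every alias pair with its link score, strongest first.
    profiles = {alias: profile(data) for alias, data in samples.items()}
    scored = [((a, b), link_score(profiles[a], profiles[b]))
              for a, b in combinations(sorted(profiles), 2)]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == '__main__':
    for pair, score in rank_links(SAMPLES):
        print(score, pair)
```

On these samples the control alias scores zero against every persona, ALTDOS links to the others only through writing style (its share name and contact channel differ, as reported above), and the DESORDEN, GHOSTR and 0mid16B pairs score highest because the sf_E_DRIVE share name and the Matrix contact reinforce the stylistic match. In practice the profiles would be fed from forum scrapes and OCR of leak screenshots, and the weights calibrated on known-linked and known-distinct accounts rather than set by hand.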
Despite repeatedly leaving digital fingerprints across multiple aliases, his meticulous operational security (OPSEC) made it exceptionally difficult to uncover his true identity.\r\nOne key indicator of his strict OPSEC practices was an instructional guide published by DESORDEN, outlining security measures that he likely followed himself to maintain anonymity. The consistency of his tactics, aliases, and criminal methods suggests that this self-imposed security discipline played a major role in his ability to stay undetected for so long.\r\nFigure 25. A post published by DESORDEN about OPSEC practices, monitored by Group-IB’s Threat Intelligence platform.\r\nFor more than four years, the threat actor known as ALTDOS, DESORDEN, GHOSTR, and 0mid16B was among the most prolific yet elusive cybercriminals in the Asia-Pacific region. In the end, it was his digital breadcrumbs that led to his discovery. Since his emergence, Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams located in the Digital Crime Resistance Centers (DCRCs) in Thailand and Singapore have been tracking him across his multiple aliases and contributed to the investigations by law enforcement agencies. On 26 February 2025, the threat actor was finally arrested in Thailand by the Royal Thai Police.\r\nFigure 26. A screenshot of 0mid16B’s X account after his arrest in Thailand on 26 February 2025.\r\nDuring the press conference, the Royal Thai Police also revealed that the cybercriminal confessed that his main targets were large private companies and that he avoided attacking government agencies because he did not want the public to be affected.\r\nMITRE ATT&CK\r\nRecommendations\r\nAs cyber threats continue to evolve, organizations must adopt proactive security measures to defend against data breaches, extortion, and advanced cyberattacks. The case of ALTDOS, DESORDEN, GHOSTR, and 0mid16B highlights the increasing sophistication of threat actors, who continually adapt their methods to exploit vulnerabilities across industries.\r\nTo mitigate these risks, businesses must implement robust security strategies that focus on prevention, detection, and rapid response. 
The following recommendations outline critical cybersecurity measures designed to protect organizations from unauthorized access, data theft, and ransomware attacks.\r\n• Implement a patch management policy to ensure firmware and software are regularly updated with the latest security patches, protecting against known vulnerabilities.\r\n• Implement network segregation and enforce strict firewall rules to limit lateral movement within the network.\r\n• Disable unnecessary RDP access, and restrict what remains to trusted IP addresses only.\r\n• Regularly monitor and audit accounts; remove or disable dormant accounts to prevent unauthorized access.\r\n• Implement multi-factor authentication (MFA) for VPN and other remote access services to add an additional layer of security.\r\n• Implement application control on hosts to prevent the installation and execution of unauthorized programs.\r\n• Implement an Endpoint Detection and Response (EDR) solution to detect and respond to suspicious activities such as the deployment of backdoors or indicators of compromise (IOCs) associated with popular penetration testing frameworks.\r\n• Engage a Managed Threat Hunting (MTH) service to proactively hunt for unknown threats and sophisticated attacks.\r\n• Do not hesitate to contact the Group-IB Investigation team if you suffer a data breach, to seek professional assistance in handling the incident and in further investigation.\r\n• Encrypt sensitive data both at rest and in transit to make it useless even if exfiltrated by an attacker.\r\n• Subscribe to an incident response retainer service to ensure access to a team of cybersecurity professionals who can respond effectively to any incidents that may occur within the infrastructure.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b/"
	],
	"report_names": [
		"the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048",
			"created_at": "2022-10-25T16:07:24.481513Z",
			"updated_at": "2026-04-10T02:00:05.005021Z",
			"deleted_at": null,
			"main_name": "Desorden",
			"aliases": [],
			"source_name": "ETDA:Desorden",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d",
			"created_at": "2024-04-23T02:00:04.243074Z",
			"updated_at": "2026-04-10T02:00:03.630533Z",
			"deleted_at": null,
			"main_name": "GhostR",
			"aliases": [],
			"source_name": "MISPGALAXY:GhostR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775490750,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c6766ae5324f63d5a43fad47cb57187a8cb1793.pdf",
		"text": "https://archive.orkl.eu/1c6766ae5324f63d5a43fad47cb57187a8cb1793.txt",
		"img": "https://archive.orkl.eu/1c6766ae5324f63d5a43fad47cb57187a8cb1793.jpg"
	}
}