{ "id": "65152392-bb0b-4c43-b4b0-f16649761916", "created_at": "2026-04-06T00:14:51.120866Z", "updated_at": "2026-04-10T03:36:01.419183Z", "deleted_at": null, "sha1_hash": "3ff745ed2bc55821c7c8d4bc051e8a20a6ce22d7", "title": "Resecurity | Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 8035569, "plain_text": "Resecurity | Cybercriminals leaked massive volumes of stolen PII\r\ndata from Thailand in Dark Web\r\nPublished: 2024-01-22 · Archived: 2026-04-02 12:37:49 UTC\r\nMassive Leak of Stolen Thai PII Data on Dark Web by Cybercriminals\r\nRecently, the Criminal Court in Thailand issued an order to block the website 9near.org. This action was taken\r\nafter the site threatened to disclose the personal information of 55 million Thai citizens, allegedly obtained from\r\nvaccine registration records. The court further declared that any other websites found distributing data from\r\n\"9near.org\" would also face blocking. This measure follows a request from the Digital Economy and Society\r\n(DES) Ministry, which is preparing for the likely apprehension of the individual responsible for the hack.\r\nThe person running the website, who goes by \"9Near – Hacktivist\", made an announcement on the Breach Forum\r\nwebsite, claiming they had accessed personal details of 55 million people from Thailand. This data includes full\r\nnames, birthdates, ID card numbers, and phone numbers. Recently, the Rural Doctors Society suggested that this\r\ninformation might have originated from a leak at the Public Health Ministry’s Immunization Centre.\r\nThailand is swiftly becoming a key player in the digital arena, particularly in the field of Information and\r\nCommunication Technology (ICT), within the Asia-Pacific region. Notably, from the latter part of 2022 to the\r\nearly months of 2023, there's been a significant drop in incidents of data breaches in the country. To put it in\r\nperspective, during the third quarter of 2022, for every thousand people in Thailand, about 6.8 instances of data\r\nexposure were recorded. Impressively, this number plummeted to just 1 per thousand by the first quarter of 2023.\r\nBut as we step into 2024, this trend might see a change. There are reports of cybercriminals, known in the\r\nshadowy corners of the Dark Web as Naraka, circulating large amounts of stolen personal identifiable information\r\n(PII) of Thai citizens. It's believed that these sensitive details were sourced from various breached platforms.\r\nThe beginning of 2024 saw a noticeable increase in data leaks from consumer-focused platforms,\r\nconfirming that threat actors are actively targeting the personal data of Thai citizens.\r\nThreat actors target Thai-based e-commerce, fintech and government resources due to a large presence of\r\npersonal documents both in text and graphical form used for KYC (\"Know Your Customer\").\r\nCompared to 2023, there has been an increase in the frequency of attacks, as evidenced by the rising\r\nnumber of leaked data incidents involving consumers and businesses from Thailand on the Dark Web. In\r\nthe early part of January 2024 alone, at least 14 significant data breaches exposing citizens' information\r\nwere posted on cybercriminal forums, nearly surpassing the annual volume of compromised records\r\nidentified last year.\r\nBad actors use stolen PII data to defraud Thai citizens and attack financial organizations, which are\r\nactively developing and cultivating digitization in the region to service 71.6 million people population.\r\nOn January 11th, 2024, an individual known as Naraka listed a data dump for sale on breachforums.is,\r\nfeaturing one of Thailand's largest bookstores called Chulabook. This breach affected over 160,000 users. Naraka\r\nspecified payment in cryptocurrencies, specifically XRM (Monero) or BTC (Bitcoin).\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 1 of 13\n\nResecurity alerted Chulabook and the Electronic Transactions Development Agency (ETDA), a government\r\nagency under the supervision of the Ministry of Digital Economy and Society responsible for the oversight of All\r\nDigital Service Providers who offer services to customers in Thailand. Our team acquired additional artifacts from\r\nthe actor confirming successful access to the backend containing thousands of orders and customer records.\r\nDuring interactions with the actor involved in the data breach, another compromised web resource in Thailand\r\nwas identified. This additional breach was also found to be leaking personal identifiable information (PII) of Thai\r\ncitizens.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 2 of 13\n\nRight before the New Year's Eve celebrations, it was discovered that the operators of the UFO Market on\r\nTelegram were actively selling stolen data. This compromised data included a staggering 538,418 records\r\nfeaturing personal identifiable information (PII) of individuals, encompassing details like citizens' ID card\r\nnumbers.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 3 of 13\n\nThese large collections of stolen data are particularly prized by those involved in identity theft and financial fraud.\r\nThe detailed personal information they contain provides these individuals with a comprehensive view of potential\r\ntargets for online banking fraud and various internet scams.\r\nPrior to this incident, the same culprits were involved in distributing a massive amount of data, specifically\r\n3,149,330 records related to students, which is believed to have been illicitly obtained from the Basic Education\r\nCommission (OBEC). Such information is especially sensitive and could be highly valuable for nefarious\r\npurposes, considering the vulnerabilities of the younger population and the risk of them being targeted by\r\nmalevolent entities in the online space.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 4 of 13\n\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 5 of 13\n\nSome portions of this data were found being leaked at no cost – the wrongdoers are distributing it on the Dark\r\nWeb. They're doing this to trade and use it in future schemes like spamming, online scams, and Business Email\r\nCompromise (BEC) campaigns. This free circulation makes the data more accessible for various malicious\r\nactivities.\r\nA separate data set was uncovered on a site known as breachedforums.is, labeled “Thailand DOP.go.th\r\nLeaked”. This particular set is composed of personal identifiable information (PII) primarily concerning the\r\nelderly population in Thailand. It's a substantial collection, around 690MB in size, containing a whopping\r\n19,718,687 rows of data.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 6 of 13\n\nEarlier, a new data breach was revealed by an entity known as Ghostr on Breachforums.is. This particular leak\r\nwas massive, involving about 186GB of data, and included a staggering 5.3 million records from a stock trading\r\nplatform. The leaked information encompassed comprehensive details of Thai users, including their full names,\r\nphone numbers, email addresses, and ID card numbers.\r\nIn a separate incident, a leak was reported by Milw0rm on breachforum.is. This particular dataset, released on\r\nJanuary 1, 2024, is to Thai job seekers and includes an extensive range of personal information. The dataset is\r\nconsists of 61,000 rows, featuring detailed data such as usernames, passwords, email addresses, mobile and home\r\ntelephone numbers, zip codes, birthdates, physical attributes like weight and height, current employment status,\r\ninformation about children, typing proficiency in Thai, and salary details.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 7 of 13\n\nBefore, an individual known as R1g made a significant data dump involving the personal database of the Royal\r\nThai Volunteers. This breach affected a substantial number of records, totaling 4.6 million. The leaked data\r\nincluded sensitive personal information such as names, citizen ID numbers, gender, birthdates, and addresses.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 8 of 13\n\nThe same individual, R1g, was responsible for another major data leak on Thursday, January 11, 2024. This\r\ntime, the breach involved sensitive information pertaining to Thailand Navy Officers, marking another\r\nsignificant security incident.\r\nJanuary 15th, 2024, the actor who goes by the alias Soni posted a leaked database related to healthcare. The data\r\nbreach consists of 25.5k records of user information including ID, user URL, encrypted passwords (phpass), user\r\nemails, login details, account status, display names, registration dates, and user activation keys The actor shared a\r\nsample of the data as proof.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 9 of 13\n\nCybercriminals have also focused their attacks on the government and military sector in Thailand, breaching the\r\npersonal identity details of officials and law enforcement personnel. This type of operation is typical for\r\ncyberespionage groups functioning within the realm of cybercrime.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 10 of 13\n\nThe perpetrators disclosed various confidential documents, which included internal correspondences and\r\ninteractions with law enforcement agencies in Cambodia. These leaks might have occurred due to a compromise\r\nby a third party. The origin of this breach remains unidentified, but the malicious cyber activities against Thai\r\ngovernment officials could indicate a growing trend of targeting in the region.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 11 of 13\n\nConclusion\r\nIn 2024, Thailand is set to play a crucial role in the global fight against cybercrime. As the nation progresses in its\r\njourney of digital transformation and expands its capabilities in Information and Communication Technology\r\n(ICT), it faces a growing wave of cyber threats, especially those involving breaches of personal data. This\r\nescalating challenge underscores the pressing need for Thailand to adopt and reinforce strong cybersecurity\r\nstrategies.\r\nThe series of large-scale data breaches and the looming risk of misuse of sensitive information in Thailand serve\r\nas a stark reminder of the critical need for improved data protection and proactive cyber defense tactics. For\r\nThailand, it's essential to strengthen its cybersecurity framework, enact stringent data privacy regulations, and\r\ncultivate a widespread culture of digital vigilance among both its population and institutions. Such measures are\r\nkey not just for protecting the privacy and security of its citizens, but also for reinforcing Thailand's stature as a\r\ndependable and secure player in the international digital arena.\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 12 of 13\n\nSource: https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nhttps://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web\r\nPage 13 of 13", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://www.resecurity.com/blog/article/cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web" ], "report_names": [ "cybercriminals-leaked-massive-volumes-of-stolen-pii-data-from-thailand-in-dark-web" ], "threat_actors": [ { "id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d", "created_at": "2024-04-23T02:00:04.243074Z", "updated_at": "2026-04-10T02:00:03.630533Z", "deleted_at": null, "main_name": "GhostR", "aliases": [], "source_name": "MISPGALAXY:GhostR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad", "created_at": "2022-10-25T16:07:24.444096Z", "updated_at": "2026-04-10T02:00:04.994412Z", "deleted_at": null, "main_name": "ALTDOS", "aliases": [ "0mid16B", "ALTDOS", "Desorden", "GHOSTR" ], "source_name": "ETDA:ALTDOS", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434491, "ts_updated_at": 1775792161, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/3ff745ed2bc55821c7c8d4bc051e8a20a6ce22d7.pdf", "text": "https://archive.orkl.eu/3ff745ed2bc55821c7c8d4bc051e8a20a6ce22d7.txt", "img": "https://archive.orkl.eu/3ff745ed2bc55821c7c8d4bc051e8a20a6ce22d7.jpg" } }