{ "id": "564e1e57-534d-4b36-9878-a8d198cd0894", "created_at": "2026-04-06T00:13:09.506874Z", "updated_at": "2026-04-10T03:36:01.436773Z", "deleted_at": null, "sha1_hash": "5b2a97c9caa0328ebd41085c63cb116ca5927d5a", "title": "Group-IB contributes to joint operation of Royal Thai Police and Singapore Police | Group-IB", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 111679, "plain_text": "Group-IB contributes to joint\r\noperation of Royal Thai\r\nPolice and Singapore Police\r\nForce leading to arrest of\r\ncybercriminal behind more\r\nthan 90 data leaks\r\nworldwide\r\nMedia Center → Press Releases February 27, 2025 · 4 min to read\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 1 of 11\n\nAsia-Pacific Cybersecurity Data leaks Royal Thai Police Singapore Police Force\r\nGroup-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital\r\ncrime, announced today that it has contributed to a joint operation of the Royal Thai Police and the\r\nSingapore Police Force which led to the arrest of an individual responsible for more than 90\r\ninstances of data leaks worldwide, including 65 across the Asia-Pacific region. It resulted in over\r\n13TB of personal data which has been sold on the dark web. In some countries the government\r\nagencies were also attacked, compromising sensitive information on a large scale. Operating under\r\naliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, the arrested individual was one of the most\r\nactive cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand,\r\nSingapore, Malaysia, Indonesia, India and many more.\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 2 of 11\n\nGroup-IB’s Threat Intelligence and High-Tech Crime Investigation teams located in the Digital Crime\r\nResistance Centers (DCRCs) in Thailand and Singapore have been tracking the cybercriminal since\r\n2020. He first emerged under the alias ALTDOS with victims mostly in Thailand. The main goal of his\r\nattacks was to exfiltrate the compromised databases containing personal data and to demand\r\npayment for not disclosing it to the public. If the victim refused to pay, he did not announce the\r\nleaks on dark web forums. Instead he notified the media or personal data protection regulators, with\r\nthe aim of inflicting greater reputational and financial damage on his victims.\r\nLater he also asserted pressure on his victims by sending direct customer notifications via email or\r\nvia instant messengers to force them into submission. In rare occasions, Group-IB has also\r\nobserved the cybercriminal encrypting the victim’s databases.\r\nRelatively quickly he expanded the victim geography beyond Thailand and started to publish data\r\nleaks to be sold on popular dark web forums. He was highly regarded on data leak forums as an\r\nowner of a large number of unique data leaks, and commanded a higher price for the leaked data.\r\nTo attack victims, the cybercriminal leveraged SQL injection tools like sqlmap and exploiting\r\nvulnerable Remote Desktop Protocol (RDP) servers to gain unauthorized access to sensitive data.\r\nThe cybercriminal then installed a beacon of a cracked version of the CobaltStrike to control\r\ncompromised servers. Based on Group-IB’s findings, the cybercriminal did not perform significant\r\nlateral movement, and exfiltrated data to their rented cloud servers for further blackmailing of a\r\ncompany.\r\nThe investigation of this cybercriminal was hampered by the fact that he changed his nicknames\r\nand approach to work several times. Group-IB discovered that from 2020 until February 2025 he\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 3 of 11\n\noperated under several aliases including ALTDOS, DESORDEN, GHOSTR and 0mid16B. Group-IB’s\r\ndark web monitoring technologies analysed and correlated the similar styles of writing, format of\r\nposts, and preferences in data sharing websites, messengers and target regions. The connections\r\nwere further confirmed by the timeline of accounts activity and correlations in posted databases.\r\nGroup-IB’s investigation team analyzed every instance of alias changes. At times, he created a new\r\ndigital persona to avoid correlation with previous attacks. In 2023, he was banned for scamming,\r\nand later, in 2024, for multi-accounting.\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 4 of 11\n\nHe gained further notoriety under the nickname DESORDEN, primarily targeting companies in Asia-Pacific countries. His main targets included industries such as healthcare, retail, property investment,\r\nfinance, e-commerce, logistics, technology, hospitality, insurance, and recruitment. In the later stages\r\nof DESORDEN—and more intensively under the aliases GHOSTR and 0mid16B—he expanded his\r\nattacks to companies in the United Kingdom, the Middle East, Canada, and the United States.\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 5 of 11\n\nThe Royal Thai Police raiding the cybercriminal’s premises. Courtesy of the Royal Thai Police.\r\nDuring the operation, the Royal Thai Police seized several laptops and electronic devices, as well as\r\na large number of luxury goods that was purchased with the cybercriminal with proceeds from the\r\nsale of the data leaks.\r\nElectronic devices and luxury goods seized during the operation. Courtesy of the Royal Thai Police.\r\nDmitry Volkov\r\nCEO, Group-IB\r\n“This case highlights the evolution of cybercriminal tactics, not just through\r\ntechnical exploits, but through coercion, intimidation, and reputational\r\nthreats. We are proud to have assisted the Royal Thai Police and the\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 6 of 11\n\nSingapore Police Force, and we are grateful for their efforts in bringing the\r\ncybercriminal to justice. Working together, we have prevented him from\r\ncausing further breaches, and protected the personal data of millions. This\r\noperation reaffirms our commitment to continue our fight against cybercrime\r\nalongside global and local law enforcement agencies, and ensuring a safer\r\ndigital world for all.”\r\nAccording to Group-IB’s High-Tech Crime Trends Report 2025, Thailand was among the top 10\r\njurisdictions globally with 18 instances of data leaks in 2024. Globally, there were 1,107 instances of\r\nnew data leaks in 2024, which compromised more than 6.4 billion user data strings worldwide,\r\nincluding email and passwords, as well as phone numbers published on the dark web.\r\nShare article\r\nAbout Group-IB\r\nFounded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity\r\ntechnologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the\r\ncompany’s DNA, shaping its technological capabilities to defend businesses, citizens, and support\r\nlaw enforcement operations.\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 7 of 11\n\nGroup-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central\r\nAsia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific\r\nthreats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime\r\nprevention and continually expand its threat-hunting capabilities.\r\nGroup-IB’s decentralized and autonomous operational structure helps it offer tailored,\r\ncomprehensive support services with a high level of expertise. We map and mitigate adversaries’\r\ntactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and\r\nrequirements of various industries, including retail, healthcare, gambling, financial services,\r\nmanufacturing, crypto, and more.\r\nThe company’s global security leaders work in synergy with some of the industry’s most advanced\r\ntechnologies to offer detection and response capabilities that eliminate cyber disruptions agilely.\r\nGroup-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber\r\nenvironment by utilizing intelligence-driven technology and agile expertise that completely detects\r\nand defends against all nuances of digital crime. The platform proactively protects organizations’\r\ncritical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous\r\nbehavior all over their network.\r\nThe comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete\r\nFraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed\r\nExtended Detection and Response (XDR), All-infrastructure Business Email Protection, and External\r\nAttack Surface Management.\r\nFurthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently\r\nelevated industry standards. This includes the 77,000+ hours of cybersecurity incident response\r\ncompleted by our sector-leading DFIR Laboratory, more than 1,400 successful investigations\r\ncompleted by the High-Tech Crime Investigations Department, and round-the-clock efforts of\r\nCERT-GIB.\r\nTime and again, its solutions and services have been revered by leading advisory and analyst\r\nagencies such as Aite Novarica, Gartner®, Forrester, Frost \u0026 Sullivan, KuppingerCole Analysts AG,\r\nand more.\r\nBeing an active partner in global investigations, Group-IB collaborates with international law\r\nenforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer\r\ncyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3)\r\nAdvisory Group on Internet Security, which was created to foster closer cooperation between\r\nEuropol and its leading non-law enforcement partners.\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 8 of 11\n\nRead next\r\nMarch 19, 2026\r\nGroup-IB\r\nPartners with\r\nCopy Cat Group\r\nto Strengthen\r\nIntelligence-Led\r\nCybersecurity\r\nAcross East\r\nAfrica\r\nMarch 13, 2026\r\nGroup-IB\r\nSupports\r\nINTERPOL’s\r\nOperation\r\nSynergia III,\r\nContributing\r\nIntelligence to\r\nGlobal\r\nCybercrime\r\nTakedown\r\nMarch 12, 2026\r\nGroup-IB\r\nExpands into the\r\nAmericas with\r\nLaunch of Digital\r\nCrime Resistance\r\nCenter in Chile\r\nMarch 3, 2026\r\nGroup-IB and\r\nNebrija\r\nUniversity\r\nStrengthen\r\nCybersecurity\r\nEducation\r\nThrough MOU\r\nand Threat\r\nIntelligence\r\nIntegration\r\nFebruary 26, 2026\r\nGroup-IB\r\nPartners with\r\nSavex\r\nTechnologies to\r\nAdvance\r\nPredictive Threat\r\nIntelligence and\r\nCyber Fraud\r\nProtection\r\nAcross India and\r\nSAARC\r\nFebruary 16, 2026\r\nNational\r\nPolytechnic\r\nUniversity of\r\nArmenia and\r\nGroup-IB sign\r\nstrategic\r\npartnership to\r\nstrengthen\r\ncybersecurity\r\neducation and\r\nresearch in\r\nArmenia\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 9 of 11\n\nGo to all Press Releases →\r\nResources\r\nResearch Hub\r\nSuccess Stories\r\nKnowledge Hub\r\nCertificates\r\nWebinars\r\nPodcasts\r\nTOP Investigations\r\nRansomware Notes\r\nAI Cybersecurity Hub\r\nProducts\r\nThreat Intelligence\r\nFraud Protection\r\nManaged XDR\r\nAttack Surface Management\r\nDigital Risk Protection\r\nBusiness Email Protection\r\nCyber Fraud Intelligence\r\nPlatform\r\nUnified Risk Platform\r\nIntegrations\r\nPartners\r\nPartner Program\r\nMSSP and MDR Partner\r\nProgram\r\nTechnology Partners\r\nPartner Locator\r\nCompany\r\nAbout Group-IB\r\nTeam\r\nCERT-GIB\r\nCareers\r\nInternship\r\nAcademic Aliance\r\nSustainability\r\nMedia Center\r\nContact\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 10 of 11\n\nAPAC: +65 3159 3798\r\nEU \u0026 NA: +31 20 226 90 90\r\nMEA: +971 4 568 1785\r\ninfo@group-ib.com\r\n© 2003 – 2026 Group-IB is a global leader in the fight against cybercrime, protecting customers\r\naround the world by preventing breaches, eliminating fraud and protecting brands.\r\nTerms of Use Cookie Policy Privacy Policy\r\nSubscription plans Services Resource Center\r\nSubscribe to stay up to date with the\r\nlatest cyber threat trends\r\nContact\r\nhttps://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/" ], "report_names": [ "joint-operation-with-royal-thai-police-and-singapore-police-force" ], "threat_actors": [ { "id": "e5ccc758-f2a5-417b-ba5c-70edf39bc048", "created_at": "2022-10-25T16:07:24.481513Z", "updated_at": "2026-04-10T02:00:05.005021Z", "deleted_at": null, "main_name": "Desorden", "aliases": [], "source_name": "ETDA:Desorden", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "6e8effad-d9fb-4b49-bba4-9b4e5953356d", "created_at": "2024-04-23T02:00:04.243074Z", "updated_at": "2026-04-10T02:00:03.630533Z", "deleted_at": null, "main_name": "GhostR", "aliases": [], "source_name": "MISPGALAXY:GhostR", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "348b092b-f28a-41d0-a7f2-4c399f2f973f", "created_at": "2024-06-25T02:00:05.046536Z", "updated_at": "2026-04-10T02:00:03.664032Z", "deleted_at": null, "main_name": "ALTDOS", "aliases": [], "source_name": "MISPGALAXY:ALTDOS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad", "created_at": "2022-10-25T16:07:24.444096Z", "updated_at": "2026-04-10T02:00:04.994412Z", "deleted_at": null, "main_name": "ALTDOS", "aliases": [ "0mid16B", "ALTDOS", "Desorden", "GHOSTR" ], "source_name": "ETDA:ALTDOS", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434389, "ts_updated_at": 1775792161, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5b2a97c9caa0328ebd41085c63cb116ca5927d5a.pdf", "text": "https://archive.orkl.eu/5b2a97c9caa0328ebd41085c63cb116ca5927d5a.txt", "img": "https://archive.orkl.eu/5b2a97c9caa0328ebd41085c63cb116ca5927d5a.jpg" } }