{
	"id": "430ebc75-8545-48c5-a88e-478e8e87c778",
	"created_at": "2026-04-09T02:24:03.262427Z",
	"updated_at": "2026-04-10T03:36:01.456126Z",
	"deleted_at": null,
	"sha1_hash": "924d22c7e51d91138130dfd3ca9673feec9a5c06",
	"title": "ALTDOS claims some of their servers were seized but they did not lose data - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44542,
	"plain_text": "ALTDOS claims some of their servers were seized but they did not\r\nlose data - DataBreaches.Net\r\nPublished: 2021-09-06 · Archived: 2026-04-09 02:13:37 UTC\r\nIt would be great if the good guys had backups as good as the threat actors have.\r\nThreat actors who call themselves “ALTDOS” have re-emerged after a brief hiatus that had left this site\r\nwondering if something had happened to them following a joint advisory about them.\r\nALTDOS has attacked a number of ASEAN firms, as DataBreaches.net has documented over a series of posts and\r\nreports.  Most recently, ALTDOS had started disclosing a breach involving OT Group/OrangeTee in Singapore,\r\nand had indicated that they would be dumping data. But they suddenly went silent three days after a joint advisory\r\nwas issued about them by law enforcement, and they did not respond to any inquiries from this site, which has not\r\nbeen their usual pattern.\r\nIn an email to DataBreaches.net yesterday responding to this site’s inquiries about the joint advisory and the\r\nOrangeTee attack, they wrote:\r\nThe last email we sent to OT Group included many videos of subsequent breaches until 26th August\r\n2021, 2 weeks after OT Group announced the breach publicly. Servers containing some data and the\r\nvideos were seized shortly after ALTDOS emailed them on 27th August.\r\nA copy of that email was provided to DataBreaches.net. It informed OT Group/OrangeTee that there were videos\r\nshowing continued access and exfiltration up through August 26, weeks after the firm had publicly acknowledged\r\nawareness of the hack. A copy of the videos was uploaded to a file-sharing site for OT Group to download. That\r\nfile was no longer available when DataBreaches.net tried the link in the email.\r\nThe email also threatened, in part, to distribute the videos to regulators and media, along with data from\r\nOrangeTee. 
That approach, of publicly trying to embarrass companies and notifying media to help increase\r\nembarrassment or pressure, has been a consistent element across all of the ALTDOS ASEAN attacks that\r\nDataBreaches.net is aware of. But their email to OT Group also gave this site an indication of how much extortion\r\nALTDOS demanded of these victims:\r\nALTDOS shall give your management one last opportunity to save yourself from this mess once we\r\npublish the breach videos and databases. ALTDOS will take a step back on the numbers. Instead of\r\ninitial asking of 10 BTC, OT Group can choose to pay just 1 BTC and ALTDOS will disappear entirely\r\nwithout leaking any videos or data.\r\nThree days after the joint advisory, and less than one day after that email to OT Group/OrangeTee, some of their\r\nservers were seized, ALTDOS claims.\r\nIt appears that OT Group did not decide to pay the 1 BTC, as ALTDOS started dumping data. Re-appearing on a\r\npopular forum to dump some of it, they noted the seizure as the cause of their delay:\r\nWe took some time to begin the leak due to technical issues arising from the seizure of some of our\r\nservers, which caused partial data corruption during sync.
ALTDOS has already recovered our\r\ndatabases.\r\nIn a statement to DataBreaches.net, the threat actors responded to an inquiry from this site as to who had seized\r\ntheir servers and under what authority:\r\nALTDOS does not know specifically which authority seized the servers, only received emails from the\r\nserver company that our 3 servers were seized by authorities and requested more information from\r\nALTDOS in the event where ALTDOS wants the data backup.\r\nThe threat actors wrote that they were not concerned about the seizure:\r\nALTDOS has incremental backups performed across different servers, not a concern in case of seizures.\r\nOnly require extra time to recover the full data which has already been completed.\r\nDataBreaches.net has reached out to CSA Singapore and the PDPC to inquire as to who seized the servers, but no\r\nresponse was immediately forthcoming other than auto-acknowledgements from both agencies. The Singapore\r\nPolice, who were involved in the joint advisory, do not have any statement on their site that would indicate their\r\ninvolvement in the seizure. It is possible, of course, that the seizure is not related to Singapore authorities but to\r\nsome other authority related to non-Singapore victims, but the timeframe seems to suggest a relationship to the\r\nOrangeTee incident.\r\nThis post will be updated if or when more information becomes available, but DataBreaches.net’s reply email to\r\nALTDOS has bounced back that their email address, which had been working as of several hours ago, no longer\r\nexists.\r\nSource: https://www.databreaches.net/altdos-claims-some-of-their-servers-were-seized-but-they-did-not-lose-data/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.databreaches.net/altdos-claims-some-of-their-servers-were-seized-but-they-did-not-lose-data/"
	],
	"report_names": [
		"altdos-claims-some-of-their-servers-were-seized-but-they-did-not-lose-data"
	],
	"threat_actors": [
		{
			"id": "348b092b-f28a-41d0-a7f2-4c399f2f973f",
			"created_at": "2024-06-25T02:00:05.046536Z",
			"updated_at": "2026-04-10T02:00:03.664032Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [],
			"source_name": "MISPGALAXY:ALTDOS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b4f79ca0-e94b-4abe-a61e-ea3d2a2458ad",
			"created_at": "2022-10-25T16:07:24.444096Z",
			"updated_at": "2026-04-10T02:00:04.994412Z",
			"deleted_at": null,
			"main_name": "ALTDOS",
			"aliases": [
				"0mid16B",
				"ALTDOS",
				"Desorden",
				"GHOSTR"
			],
			"source_name": "ETDA:ALTDOS",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775701443,
	"ts_updated_at": 1775792161,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/924d22c7e51d91138130dfd3ca9673feec9a5c06.pdf",
		"text": "https://archive.orkl.eu/924d22c7e51d91138130dfd3ca9673feec9a5c06.txt",
		"img": "https://archive.orkl.eu/924d22c7e51d91138130dfd3ca9673feec9a5c06.jpg"
	}
}