ALTDOS, Desorden
Description
(Group-IB) Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, announced today that it has contributed to a joint operation of the Royal Thai Police and the Singapore Police Force which led to the arrest of an individual responsible for more than 90 instances of data leaks worldwide, including 65 across the Asia-Pacific region. It resulted in over 13TB of personal data which has been sold on the dark web. In some countries the government agencies were also attacked, compromising sensitive information on a large scale. Operating under aliases ALTDOS, DESORDEN, GHOSTR and 0mid16B, the arrested individual was one of the most active cybercriminals in the Asia-Pacific since 2021, targeting companies and businesses in Thailand, Singapore, Malaysia, Indonesia, India and many more.
Names
Name | Name-Giver |
---|---|
ALTDOS | self given |
Desorden | self given |
GHOSTR | self given |
0mid16B | self given |
Country
Motivation
- Financial gain
First Seen
2020
Observed Countries
- Australia
- Austria
- Cambodia
- Canada
- France
- India
- Indonesia
- Bangladesh
- Malaysia
- New Zealand
- Pakistan
- Philippines
- Singapore
- Taiwan
- Thailand
- UK
- USA
Tools
Operations
- 2020-12: “ALTDOS,” as they call themselves, contacted a number of news outlets in Thailand and online news sites to announce that they had attacked CGSEC on December 4. https://www.databreaches.net/thai-securities-trading-firm-goes-offline-after-cyberattack/
- 2021-01: The same hacking group that hit Country Group Securities (CGSEC) in Thailand has revealed a recent attack on Mono Next Public Company Limited, a media and content conglomerate in Thailand. https://www.databreaches.net/thai-media-and-content-conglomerate-mono-next-public-company-hit-by-altdos-hackers/
- 2021-01: Hackers claim to have attacked major Bangladeshi conglomerate https://www.databreaches.net/hackers-claim-to-have-attacked-major-bangladeshi-conglomerate/
- 2021-03: Vhive, a popular retail furniture chain in Singapore, has posted a notice on their web site and Facebook page announcing a cyberattack that occurred on March 23. https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/ https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/
- 2021-05: Audio House customer data possibly stolen by hackers https://www.straitstimes.com/tech/tech-news/audio-house-customer-data-possibly-stolen-by-hackers
- 2021-06: ALTDOS claimed to have attacked Unispec Group Singapore, which operates in the marine industry, providing services in marine insurance, surveying, cargo, containers, and marine IT software. UniSpec has offices in Singapore, India, Thailand, Malaysia, Indonesia, South Korea and China. https://www.databreaches.net/asean-companies-still-targeted-by-altdos-threat-actors/
- 2021-08: Singapore-based OrangeTee appears to have suffered a massive hack and data exfiltration by ALTDOS threat actors. https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/
- 2021-09: ALTDOS claims to have hacked one of Malaysia’s biggest conglomerates https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/
- 2021-09: Desorden Group claims to have stolen 200 GB of data from ABX Express https://www.databreaches.net/desorden-group-claims-to-have-stolen-200-gb-of-data-from-abx-express/
- 2021-10: Another Malaysia carrier allegedly hacked and data exfiltrated — Skynet https://www.databreaches.net/another-malaysia-carrier-allegedly-hacked-and-data-exfiltrated-skynet/
- 2021-10: Acer confirms second security breach this year https://therecord.media/acer-confirms-second-security-breach-this-year/
- 2021-10: Acer under fire: Now hackers claim to have hit Acer Taiwan, too https://www.databreaches.net/acer-under-fire-now-hackers-claim-to-have-hit-acer-taiwan-too/
- 2021-10: Central Restaurants Group in Thailand hit by Desorden https://www.databreaches.net/central-restaurants-group-in-thailand-hit-by-desorden/
- 2021-10: Desorden Group expands attack on Central Group after deal to pay them allegedly fell through https://www.databreaches.net/desorden-group-expands-attack-on-central-group-after-deal-to-pay-them-allegedly-fell-through/
- 2022-07: Desorden is back, declares an attack on MISTINE Better Way Thailand Company https://www.databreaches.net/desorden-is-back-declares-an-attack-on-mistine-better-way-thailand-company/
- 2022-07: Thai entities continue to fall prey to cyberattacks and leaks https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/
- 2022-08: Major Indonesia tollroad operator hacked by DESORDEN https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/
- 2022-09: TH: Major Cineplex and Major Development PCL hit by DESORDEN https://www.databreaches.net/th-major-cineplex-and-major-development-pcl-hit-by-desorden/
- 2022-09: Customer data from hundreds of Indonesian and Malaysian restaurants hacked by DESORDEN https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/
- 2022-09: DESORDEN leaks more data from Indonesia; “Indo data is officially worthless” https://www.databreaches.net/desorden-leaks-more-data-from-indonesia-indo-data-is-officially-worthless/
- 2022-09: Malaysian Telecom RedOne hit by DESORDEN https://www.databreaches.net/malaysian-telecom-redone-hit-by-desorden/
- 2022-10: Thailand’s THE ICON GROUP hacked by DESORDEN https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/
- 2022-10: Revenge telecom hacking by DESORDEN Group; third attack threatened https://www.databreaches.net/revenge-telecom-hacking-by-desorden-group-third-attack-threatened/
- 2022-10: Johnson Fitness and Wellness hit by DESORDEN Group https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/
- 2023-07: Major Malaysian water utilities company hit by hackers; Ranhill offline; hackers claim databases and backups deleted https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/
- 2024-03: Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist https://techcrunch.com/2024/04/18/world-check-database-leaked-sanctions-financial-crimes-watchlist/
- 2024-05: Cooler Master confirms customer info stolen in data breach https://www.bleepingcomputer.com/news/security/cooler-master-confirms-customer-info-stolen-in-data-breach/
- 2024-05: Thailand’s Hatari Electric Faces Major Data Breach: GHOSTR Claims Possession of 617.3 GB of Sensitive Information https://news.cloudsek.com/2024/05/thailands-hatari-electric-faces-major-data-breach-ghostr-claims-possession-of-617-3-gb-of-sensitive-information/
- 2024-06: Singapore-Based Absolute Telecom Allegedly Hit by Cyberattack: Over 34GB of Data Compromised https://thecyberexpress.com/alleged-absolute-telecom-data-breach/
- 2024-06: Victorian Freight Specialists suffers alleged 800+GB data breach https://www.cyberdaily.au/security/10667-victorian-freight-specialists-suffers-alleged-800-gigabyte-data-breach
- 2024-07: Air India Investigating Data Breach Claims Stemming from Arabian Travel Agency Hack https://thecyberexpress.com/arabian-travel-agency-data-breach-exposed-info/
- 2024-07: Third-party breach resulted in Singapore Moneylenders Credit Bureau being leaked by GhostR https://databreaches.net/2024/07/24/third-party-breach-resulted-in-singapore-moneylenders-credit-bureau-being-leaked-by-ghostr/
- 2024-11: Thai loyalty membership card data of 5 million customers put up for sale on hacking forum https://databreaches.net/2024/11/20/thai-loyalty-membership-card-data-of-5-million-customers-put-up-for-sale-on-hacking-forum/
- 2024-12: Today’s insider threat: Ardyss edition https://databreaches.net/2024/12/24/todays-insider-threat-ardyss-edition/
- 2024-12: Hacked on Christmas, DEphoto starts notifying customers, only to be attacked again https://databreaches.net/2025/01/01/hacked-on-christmas-dephoto-starts-notifying-customers-only-to-be-attacked-again/
- 2025-01: Exclusive: Apex Custom Software hacked, threat actors threaten to leak the software https://databreaches.net/2025/01/30/exclusive-apex-custom-software-hacked-threat-actors-threaten-to-leak-the-software/
Counter Operations
- 2021-09: ALTDOS claims some of their servers were seized but they did not lose data https://www.databreaches.net/altdos-claims-some-of-their-servers-were-seized-but-they-did-not-lose-data/
- 2025-02: Hacker responsible for international data breaches arrested in joint Singapore-Thailand operation https://www.channelnewsasia.com/singapore/spf-royal-thai-police-global-hacker-arrested-altdos-desorden-ghostr-0mid16b-4963661
Information
- https://www.csa.gov.sg/singcert/-/media/Singcert/PDFs/Joint-Advisory-on-ALTDOS.pdf
- https://cloudsek.com/threatintelligence/threat-group-desorden-actively-targeting-asian-conglomerates/
- https://www.group-ib.com/media-center/press-releases/joint-operation-with-royal-thai-police-and-singapore-police-force/
- https://www.group-ib.com/blog/the-cybercriminal-with-four-faces-revealing-group-ib-s-investigation-into-altdos-desorden-ghostr-and-0mid16b/
Other Information
Uuid
0d49b800-c289-48a6-a2f9-c9cfba116e21
Last Card Change
2025-04-21