do son 
A screenshot of 0mid16B’s X account after his arrest in Thailand on 26 February, 2025 | Image: Group-IB
In a four-year pursuit that spanned multiple aliases and continents, law enforcement has finally apprehended a notorious cybercriminal. Group-IB’s Threat Intelligence and High-Tech Crime Investigation teams played a crucial role in tracking the threat actor across his various identities: ALTDOS, DESORDEN, GHOSTR, and Omid16B.
The actor’s tactics were marked by a clear motive: financial gain. As the report states, “The attack was part of a planned campaign motivated by financial gain.”
His operations typically involved:
-
Targeting internet-facing Windows servers
-
Searching for databases containing personal information
-
Exfiltrating and sometimes encrypting victim data
-
Extorting victims with threats of public data exposure
To communicate demands, the threat actor left ransom notes or sent emails detailing exfiltrated databases and payment methods. In some cases, the actor would even directly threaten the victim’s customers.
If victims didn’t pay up, the threat actor escalated by reporting the breach to data protection regulators and announcing the sale of compromised data on dark web forums.
The threat actor’s journey began in 2020 under the alias ALTDOS. After an attack on a financial institution in Thailand, ALTDOS contacted news outlets and DataBreaches.net to amplify the attack’s impact.
When the victim company didn’t meet ransom demands, ALTDOS publicly dumped the stolen data, setting a precedent for future attacks. Over time, the actor refined his methods, moving from dumping data to selling it on dark web forums like CryptBB and RaidForums.
In September 2021, ALTDOS abruptly ceased operations, only to resurface four days later as DESORDEN. This new persona continued targeting Asian companies with similar tactics. Group-IB’s investigation uncovered similarities between DESORDEN and ALTDOS, including writing style, victimology, and specific phrases used in their posts.
DESORDEN became the actor’s most notable alias, under which he compromised over 30 victims in two years. Despite briefly collaborating with other figures on BreachForums, DESORDEN primarily operated alone.
In September 2023, DESORDEN was banned from BreachForums due to a buyer’s complaint, damaging his reputation.
A week later, the alias GHOSTR appeared on BreachForums, quickly accumulating nearly 30 victims. Group-IB identified connections between GHOSTR and DESORDEN through similar communication preferences, disclaimers, avatars, and modus operandi.
GHOSTR’s activities were halted in August 2024 when he was banned for multi-accounting with DESORDEN.
The threat actor then adopted the alias Omid16B, altering his avatar, writing style, and strategy. Omid16B expanded his target demographics globally and used X (formerly Twitter) to announce victims.
Despite these changes, Group-IB found consistent patterns linking Omid16B to his previous aliases, such as the continued use of Matrix and the method of publishing stolen data screenshots.
The cybercriminal’s meticulous operational security (OPSEC) made uncovering his true identity exceptionally difficult. However, Group-IB’s persistent tracking of his digital breadcrumbs across multiple aliases ultimately led to his discovery.
On February 26, 2025, the Royal Thai Police arrested the threat actor in Thailand.
During the press conference, the Royal Thai Police revealed that the cybercriminal confessed that his main target was large private companies and he avoided attacking government agencies because he did not want the public to be affected.
Related Posts:
- Teen Genius to Hospital Prison: Lapsus$ Hacker’s Cyber Crimes Cost Him Freedom
- The Cobalt hacker group is still active, although the leader was arrested
- Secure Email Gateways Fail to Stop Advanced Phishing Campaign Targeting Multiple Industries
- Canadian Hacker Indicted for $65 Million DeFi Exploit
- Group-IB and other security firms assisted Ukrainian police in taking down on DDoS criminal gangs
