Attack Anatomy
diskordia,
Apr 24
2025
Earlier this year—February 2025 to be more precise—a cybercriminal who carried out over 90 data breaches globally was arrested following a coordinated international law enforcement operation.
The joint effort by the Royal Thai Police, Singapore Police Force, and security firm Group-IB unveiled a multi-year cyber campaign that targeted the healthcare, finance, government, and retail sectors.
For security leaders, this particular incident is a case study in how one attacker exploited weaknesses, how law enforcement caught up, and what security teams must do to prevent similar breaches.
The attacker, who goes by aliases including ALTDOS, DESORDEN, GHOSTR, and 0mid16B, specializes in identifying and exploiting network vulnerabilities.
Once inside, he exfiltrated sensitive data and—as expected—issued ransom demands. Victims who refused to pay up saw their data sold on the dark web. These activities spanned from Southeast Asia to Europe and North America, with specific emphasis on businesses with under-resourced security teams.
Common TTPs included:
Exploitation of outdated software and unpatched systems
Deployment of custom scripts to maintain persistence
Bypassing MFA through social engineering
Using public-facing web applications as entry points
The campaign reflected a high level of sophistication and persistence; individual intrusions typically went undetected for months.
Once Singaporean entities reported a pattern of cyber extortion beginning in 2020, a multi-agency investigation kicked off. The joint task force identified a single actor behind the attacks and made an arrest in Thailand, seizing laptops, phones, luxury cars, and other assets valued at over 10 million baht—that’s roughly $295,000.
The success of this operation highlights not only the critical role of international cooperation but also the importance of shared cyber threat intelligence and public-private partnerships in responding to cybercrime.
It’s not just the immediate damage to reputation and operations that the victims of this campaign had to endure. The longer-term impact of breaches like these includes:
Regulatory investigations and penalties
Class action lawsuits
Long-term loss of customer trust
Increased insurance premiums and compliance costs
Weak cybersecurity posture is no longer just an IT problem—it's a potentially devastating business risk. And for the decision-makers out there, the need for proactive investment in cybersecurity training, upskilling, and continuous assessment has never been clearer or more urgent.
To stay ahead of threats like this one, there are a few proactive measures your team can take:
Investing in realistic blue team labs and DFIR labs (like Sherlocks) that mimic real-world scenarios is an excellent starting point. Enterprise attack simulations are a great way to train your team when it comes to detecting and mitigating intrusions before any data is exfiltrated.
Using cyber ranges and cybersecurity assessment platforms allows you to routinely test your organization’s cyber readiness and identify your team’s strengths and weaknesses. Regular blue and purple team exercises will also give you better visibility of any weakened defenses, allowing you to take proactive measures against future attacks.
Give your team access to structured learning pathways, including role-based certifications. From pentesting labs to cloud security training, continuous learning is critical.
To that end, HTB Academy supports structured training in key areas including cloud security, pentesting, and more. Certifications are the next step on this journey, helping validate and measure that growth and foster long-term employee development.
Host regular CTF events to evaluate your team’s response capabilities. CTFs are an engaging way to benchmark skills in a safe but competitive environment; they also foster better collaboration and help your people feel more engaged. Bad actors are constantly learning and adapting, so your team should be too.
Even with robust controls in place, there’s one wildcard that’s notoriously complex: human behavior. Social engineering attacks are becoming more sophisticated, and insider threats can slip past even the strongest technical defenses.
Help your team recognize and respond to these tactics with hands-on training that contributes to real-world awareness. All it takes is one misstep to leave the door wide open to threats.
The campaign that ended with this arrest in Thailand is a stark reminder that one very determined, highly skilled threat actor can disrupt organizations on a global scale. Many organizations can foresee the threats; they know what’s coming their way. The real challenge lies in quantifying the risk.
That’s where we come in. By emulating threats from both the red and blue side, you can understand how a bad actor might move, what they’d exploit, and how much that might cost you.
That calls for real data, not luck and guesswork. So, next time you’ll be able to go to your CISO and say not just ‘here’s a threat’ but something like: ‘Here’s the potential impact. Do we patch, or do we pray?’