Cybercriminals leaked massive volumes of stolen PII data from Thailand in Dark Web

Massive Leak of Stolen Thai PII Data on Dark Web by Cybercriminals

Recently, the Criminal Court in Thailand issued an order to block the website 9near.org. This action was taken after the site threatened to disclose the personal information of 55 million Thai citizens, allegedly obtained from vaccine registration records. The court further declared that any other websites found distributing data from "9near.org" would also face blocking. This measure follows a request from the Digital Economy and Society (DES) Ministry, which is preparing for the likely apprehension of the individual responsible for the hack.

The person running the website, who goes by "9Near – Hacktivist", made an announcement on the Breach Forum website, claiming they had accessed personal details of 55 million people from Thailand. This data includes full names, birthdates, ID card numbers, and phone numbers. Recently, the Rural Doctors Society suggested that this information might have originated from a leak at the Public Health Ministry’s Immunization Centre.

Thailand is swiftly becoming a key player in the digital arena, particularly in the field of Information and Communication Technology (ICT), within the Asia-Pacific region. Notably, from the latter part of 2022 to the early months of 2023, there's been a significant drop in incidents of data breaches in the country. To put it in perspective, during the third quarter of 2022, for every thousand people in Thailand, about 6.8 instances of data exposure were recorded. Impressively, this number plummeted to just 1 per thousand by the first quarter of 2023. But as we step into 2024, this trend might see a change. There are reports of cybercriminals, known in the shadowy corners of the Dark Web as Naraka, circulating large amounts of stolen personal identifiable information (PII) of Thai citizens. It's believed that these sensitive details were sourced from various breached platforms.

• The beginning of 2024 saw a noticeable increase in data leaks from consumer-focused platforms, confirming that threat actors are actively targeting the personal data of Thai citizens.
  
  
• Threat actors target Thai-based e-commerce, fintech and government resources due to a large presence of personal documents both in text and graphical form used for KYC ("Know Your Customer").
  
  
• Compared to 2023, there has been an increase in the frequency of attacks, as evidenced by the rising number of leaked data incidents involving consumers and businesses from Thailand on the Dark Web. In the early part of January 2024 alone, at least 14 significant data breaches exposing citizens' information were posted on cybercriminal forums, nearly surpassing the annual volume of compromised records identified last year.
  
  
• Bad actors use stolen PII data to defraud Thai citizens and attack financial organizations, which are actively developing and cultivating digitization in the region to service 71.6 million people population.

On January 11th, 2024, an individual known as Naraka listed a data dump for sale on breachforums.is, featuring one of Thailand's largest bookstores called Chulabook. This breach affected over 160,000 users. Naraka specified payment in cryptocurrencies, specifically XRM (Monero) or BTC (Bitcoin).

Resecurity alerted Chulabook and the Electronic Transactions Development Agency (ETDA), a government agency under the supervision of the Ministry of Digital Economy and Society responsible for the oversight of All Digital Service Providers who offer services to customers in Thailand. Our team acquired additional artifacts from the actor confirming successful access to the backend containing thousands of orders and customer records.

During interactions with the actor involved in the data breach, another compromised web resource in Thailand was identified. This additional breach was also found to be leaking personal identifiable information (PII) of Thai citizens.

Right before the New Year's Eve celebrations, it was discovered that the operators of the UFO Market on Telegram were actively selling stolen data. This compromised data included a staggering 538,418 records featuring personal identifiable information (PII) of individuals, encompassing details like citizens' ID card numbers.

These large collections of stolen data are particularly prized by those involved in identity theft and financial fraud. The detailed personal information they contain provides these individuals with a comprehensive view of potential targets for online banking fraud and various internet scams.

Prior to this incident, the same culprits were involved in distributing a massive amount of data, specifically 3,149,330 records related to students, which is believed to have been illicitly obtained from the Basic Education Commission (OBEC). Such information is especially sensitive and could be highly valuable for nefarious purposes, considering the vulnerabilities of the younger population and the risk of them being targeted by malevolent entities in the online space.

Some portions of this data were found being leaked at no cost – the wrongdoers are distributing it on the Dark Web. They're doing this to trade and use it in future schemes like spamming, online scams, and Business Email Compromise (BEC) campaigns. This free circulation makes the data more accessible for various malicious activities.

A separate data set was uncovered on a site known as breachedforums.is, labeled “Thailand DOP.go.th Leaked”. This particular set is composed of personal identifiable information (PII) primarily concerning the elderly population in Thailand. It's a substantial collection, around 690MB in size, containing a whopping 19,718,687 rows of data.

On January 10th, 2024, there was yet another data breach incident, this time involving the Bangkok Industrial Gas Company Limited. This leak marked another significant instance of data vulnerability targeting critical infrastructure and oil & gas segment.

Earlier, a new data breach was revealed by an entity known as Ghostr on Breachforums.is. This particular leak was massive, involving about 186GB of data, and included a staggering 5.3 million records from a stock trading platform. The leaked information encompassed comprehensive details of Thai users, including their full names, phone numbers, email addresses, and ID card numbers.

In a separate incident, a leak was reported by Milw0rm on breachforum.is. This particular dataset, released on January 1, 2024, is to Thai job seekers and includes an extensive range of personal information. The dataset is consists of 61,000 rows, featuring detailed data such as usernames, passwords, email addresses, mobile and home telephone numbers, zip codes, birthdates, physical attributes like weight and height, current employment status, information about children, typing proficiency in Thai, and salary details.

Before, an individual known as R1g made a significant data dump involving the personal database of the Royal Thai Volunteers. This breach affected a substantial number of records, totaling 4.6 million. The leaked data included sensitive personal information such as names, citizen ID numbers, gender, birthdates, and addresses.

The same individual, R1g, was responsible for another major data leak on Thursday, January 11, 2024. This time, the breach involved sensitive information pertaining to Thailand Navy Officers, marking another significant security incident.

January 15th, 2024, the actor who goes by the alias Soni posted a leaked database related to healthcare. The data breach consists of 25.5k records of user information including ID, user URL, encrypted passwords (phpass), user emails, login details, account status, display names, registration dates, and user activation keys The actor shared a sample of the data as proof.

Cybercriminals have also focused their attacks on the government and military sector in Thailand, breaching the personal identity details of officials and law enforcement personnel. This type of operation is typical for cyberespionage groups functioning within the realm of cybercrime.

The perpetrators disclosed various confidential documents, which included internal correspondences and interactions with law enforcement agencies in Cambodia. These leaks might have occurred due to a compromise by a third party. The origin of this breach remains unidentified, but the malicious cyber activities against Thai government officials could indicate a growing trend of targeting in the region.

Conclusion

In 2024, Thailand is set to play a crucial role in the global fight against cybercrime. As the nation progresses in its journey of digital transformation and expands its capabilities in Information and Communication Technology (ICT), it faces a growing wave of cyber threats, especially those involving breaches of personal data. This escalating challenge underscores the pressing need for Thailand to adopt and reinforce strong cybersecurity strategies.

The series of large-scale data breaches and the looming risk of misuse of sensitive information in Thailand serve as a stark reminder of the critical need for improved data protection and proactive cyber defense tactics. For Thailand, it's essential to strengthen its cybersecurity framework, enact stringent data privacy regulations, and cultivate a widespread culture of digital vigilance among both its population and institutions. Such measures are key not just for protecting the privacy and security of its citizens, but also for reinforcing Thailand's stature as a dependable and secure player in the international digital arena.