Executive Summary
This profile is a comprehensive analysis of the threat actor H3C4KEDZ and associated groups such as NXBBSEC, BL4CK CYB3R, KOLZSEC, and allied syndicates operating across Cambodia, Thailand, and Southeast Asia. The assessment is based exclusively on Telegram channel chat records (Jul-Aug 2025), open-source intelligence (OSINT), and corroborative indicators. The findings reveal a sophisticated, highly active hacktivist network orchestrating wide-scale data breaches, persistent DDoS, defacement, and psychological operations, primarily targeting the Thai Government, military, educational, and healthcare sectors, in a context of escalating geopolitical tensions.
Threat Actor Identifiers & Social Media Presence
- Threat Actor/Main Group: H3C4KEDZ
- Known Affiliates: NXBBSEC, BL4CK CYB3R, KOLZSEC, Khmer Ghost, NDSTEC, InfernalXploit, DigitalGhost, CyberKingdomKH, NullSec PH, among others
- Social Media/Channels:
- Telegram:
- Website:
- GitHub:
- TikTok:
- @weh3c4kedzsec
- @we_are_h3c4kedz
- Accounts frequently banned, indicating aggressive content moderation
- Other Platforms:
- Multiple Facebook shares, e.g., personarThailand, DramaAdd, FreshNewsAsia
- Presence in dark web forums (e.g., darkforums.st with sale of breach data)
Attack Timeline & Evidence
July-August 2025 Attack Campaigns
Summary:
The group conducted a coordinated sequence of breaches, defacements, distributed denial-of-service attacks (DDoS), credential leaks, and public shaming operations, targeting a wide variety of Thai government infrastructure, universities, hospitals, military, police, and corporations. Below is a breakdown of their claimed operations, with evidence drawn directly from chat logs:
Major Data Breaches (Exfiltration + Destruction)
- Mahidol University: 1.5 TB of student records, internal emails, research documents, financial and server configs stolen.
- Office of the Prime Minister (opm.go.th): 5.9 TB exfiltrated and erased, including classified files, emails, directives.
- Ministry of Public Health (moph.go.th, md.go.th): 6.1 TB medical/government data stolen, 1.2 TB wiped.
- Rice Department Thailand: Critical documents and internal drive data leaked.
- Thailand’s National Cyber Security Committee (SOC.go.th): 397.8 GB exfiltrated and deleted (threat intelligence, incident logs, protocols).
- National Assembly (parliament.go.th): 435.3 GB exfiltrated, servers wiped (legislative drafts, internal memos, complaints, ID data).