Executive Summary

This Open Source Intelligence (OSINT) report provides a comprehensive analysis of the hacktivist group H3C4KEDZ, a Cambodia-based entity targeting Thai infrastructure as part of the #OpThailand operation. The report integrates evidence from network graphs generated by the stealth mole tool and Telegram channel data scraped from the “We_H3c4kedz1” channel, supplemented by additional data provided on August 13, 2025, at 09:31 PM IST. H3C4KEDZ is affiliated with the broader AnonSec-KH (Anonymous Cambodia) network and is known for high-profile breaches, including the exfiltration of 1.5 TB of data from Mahidol University. Their activities, driven by the Cambodia-Thailand border conflict, pose significant risks to Thai educational, governmental, and technological systems.

Methodology

  • Data Sources: Network graphs from the stealth mole tool, Telegram channel data from “We_H3c4kedz1,” and additional evidence provided on August 13, 2025. Analysis includes user IDs, message IDs, media paths, URLs, and geopolitical tags.
  • Timeframe: Data is current as of 09:31 PM IST, August 13, 2025.
  • Tools: Stealth mole tool for entity mapping; manual review of Telegram metadata and text content.
  • Limitations: Media files (e.g., photos) are inaccessible; reliance on metadata and text for analysis.

Threat Actor Profile: H3C4KEDZ

  • Confidence Level: High
  • Attribution: Cambodian state-affiliated or nationalist hacktivist group
  • Sophistication Level: Medium to High
  • Operational Security: Moderate (public Telegram communications indicate lower OPSEC)

Collaborative Network

The group demonstrated extensive collaboration with multiple threat actors:

  • BL4CKCYB3R (17 mentions) - Primary operational partner
  • NXBBSEC (14 mentions) - Technical specialist group
  • Cyber Volk - Strategic alliance partner
  • K0LSec × NullSec Philippines - Regional expansion
  • DigitalGhost - Latest alliance (August 2025)
  • Indonesian cyber teams - Broad coalition building

Overview

H3C4KEDZ, also referenced as “We_H3c4kedz1” in Telegram data, is a Cambodian hacktivist group with a strong presence in the cyber conflict against Thailand. The group’s activities are centered around retaliatory operations tied to the Cambodia-Thailand border dispute, with a focus on high-impact breaches and data exfiltration. Stealth mole tool graphs highlight connections to Thai police URLs (e.g., specialtraining.bop.police.go.th), GitHub repositories (github.com/H3c4kedz), and the Thailand flag (TH), indicating targeted attacks. The Telegram channel “We_H3c4kedz1” (sender_id: -1002888167044) serves as a primary communication hub, with posts dating from July 5, 2025, to August 13, 2025.

Untitled design.png

Social Media and Online Presence

  • X Accounts:
    • @H3C4KEDZ (ID: 1901499198333390848), bio: “we are anonymous Cambodia ~ ./H3C4KEDZ,” with 2 followers.

    image.png

    • @h3c4kedzsec (1 follower).

    image

    • @hecknood (bio: “WE ARE H3C4KEDZ,” 7 followers).

    image

    • These accounts reinforce the group’s Anonymous Cambodia affiliation and focus on Thai targets.
  • Telegram: The “We_H3c4kedz1” channel shows a history of bans, with a new channel established after the old one was banned on July 5, 2025 (message_id: 3). Recent posts include operational updates and a mention of a TikTok ban on August 13, 2025 (message_id: 673).

image

image

  • GitHub: github.com/H3c4kedz hosts repositories with DDoS tools (Ddos, DDOSV1, GhostDDOSV2), dirsearch (directory enumeration), and SQL-INJECTION scripts, indicating technical capabilities.

    Github 1.png

Github 2.png

Activities and Operations

H3C4KEDZ employs a range of cyber tactics, as evidenced by both stealth mole tool data and Telegram posts:

  • Major Breach - Mahidol University:

image.png

  • Date: July 7, 2025 (message_id: 40).
  • Details: The group breached Mahidol University, a prestigious Thai institution, exfiltrating over 1.5 TB of critical data. This included student records, internal emails, research documents, financial data, and server configurations. The Telegram post described the university as a “leading institution in research, medicine, and education,” highlighting the breach’s significance. Evidence was shared via a Photos.zip file.
  • Impact: Exposure of sensitive academic and administrative data, potentially affecting thousands of students and staff.
  • Ongoing Operations:
    • Date: August 12, 2025 (message_id: 670-672).
    • Details: Multiple photo posts (e.g., photo_2025-08-12_23-55-54.jpg) suggest continued activity, possibly documenting new attacks or proofs. A post on August 12, 2025 (message_id: 670) states “Start…!”, indicating an ongoing or planned operation.
    • Additional Evidence: The stealth mole tool links H3C4KEDZ to awgateasean.doae.go.th (July 11, 2025), a Thai agricultural site, suggesting additional targeting of governmental systems.

    image

  • Platform Bans:
    • Date: August 13, 2025 (message_id: 673).
    • Details: A post notes “My TikTok Banned 🚫,” replying to message_id 666 (not fully visible), indicating potential account takedowns due to their activities.
  • Historical Context:
    • Stealth mole data connects H3C4KEDZ to prior attacks on Thai police sites (e.g., wp-login.php exploits) and leaks (e.g., bd.0510), with media timestamps (e.g., 2025-01-17 20:54.35) showing long-term engagement.

    image

image

Attack Methods & Techniques

Primary Attack Vectors

  1. DDoS Attacks (31 incidents) - Most frequent attack method
  2. Data Breaches (30 incidents) - High-value target exploitation
  3. Data Deletion (13 incidents) - Destructive capabilities
  4. Website Defacements (11 incidents) - Psychological warfare

Technical Capabilities

  • Admin Panel Exploitation - Systematic targeting of weak authentication
  • Advanced DDoS Tools - “FoxC2-network” with claimed 30,000 RPS capability
  • Data Exfiltration - Terabyte-scale data theft operations
  • Credential Harvesting - Multiple compromised admin accounts
  • System Wiping - “No backup, no recovery” destruction tactics

Target Analysis

High-Value Targets Compromised

Sector Count Notable Targets
Government 15 Office of Prime Minister (5.9TB claimed), Ministry of Public Health (1.2TB), National Cyber Security Committee (397.8GB)
Military/Security 5 Royal Thai Army 2nd Region (5.1TB claimed), Police systems, Defense networks
Educational 4 Mahidol University (1.5TB claimed), Various .ac.th domains
Infrastructure 4 Airports Authority, Banking systems (K-Bank), Transportation networks

Data Volume Claims

Total claimed data exfiltration: 20.8 TB across major breaches, indicating either:

  • Significant technical capabilities, or
  • Substantial exaggeration for psychological impact

Tools and Techniques

  • DDoS Tools: GitHub repositories (DDoS, DDOSV1, GhostDDOSV2) suggest the use of distributed denial-of-service attacks to overwhelm Thai targets.
  • Exploitation Scripts: SQL-INJECTION and dirsearch indicate capabilities for database probing and directory enumeration, used in breaches like Mahidol.
  • Data Exfiltration: Photos.zip and similar media files imply structured leak campaigns, with 1.5 TB exfiltrated from Mahidol.

Motivation

H3C4KEDZ’s actions are driven by the Cambodia-Thailand border conflict, with a clear intent to humiliate and destabilize Thai institutions. The group’s Anonymous Cambodia branding and use of #OpThailand align with a broader nationalist and retaliatory agenda, persisting despite the July 28, 2025, ceasefire.

Indicators of Compromise (IOCs)

  • URLs: ~~github.com/H3c4kedz~~, ~~specialtraining.bop.police.go.th~~, ~~awgateasean.doae.go.th~~, ~~h3c4kedz.com~~.
  • Emails: ~~nongxuanfamily@gmail.com~~ (from stealth mole data).
  • Hashtags: #OpThailand #Op_thailand2025 etc
  • User IDs: -1002888167044 (Telegram channel).

Connections and Affiliations

  • AnonSec-KH: The group’s bio and Telegram posts link it to Anonymous Cambodia, sharing tactics and goals with groups like NXBBSEC and BL4CK CYB3R.
  • Collaborative Networks: Stealth mole graphs show overlaps with other Cambodian actors via shared media hashes and user IDs, suggesting a coordinated effort.
  • External Ties: The TikTok ban hint may indicate international platform monitoring, though no direct foreign collaboration is confirmed yet.

Impact Assessment

  • Targeted Sectors: Education (Mahidol University), government (police, agriculture), and potentially social media platforms.
  • Data Exposure: 1.5 TB of sensitive data at risk, including personal and research information.
  • Operational Resilience: Continued activity post-ban suggests adaptability and a robust support network.

Conclusion and Recommendations

H3C4KEDZ represents a sophisticated threat within the Cambodian hacktivist ecosystem, leveraging breaches and DDoS to target Thai institutions amid geopolitical tensions. The Mahidol University attack underscores their capability to inflict significant damage. Recommendations include:

  • Enhanced Cybersecurity: Thai educational and governmental entities should strengthen defenses against SQL injection and DDoS.
  • Monitoring: Track github.com/H3c4kedz and “We_H3c4kedz1” for new tools and proofs.
  • Diplomatic Efforts: Address the border conflict to reduce motivations.

Threat Actor Profile: “H3C4KEDZ”