The name Bjorka has haunted Indonesian cyberspace for years. The notorious and infamous hacker's name had been whispered in newsrooms, debated in chat groups, and feared by government agencies.
And this time, with the arrest of a man known only by his initials, WFT, the country’s effort to unravel this digital mystery seems to finally end. The authorities may have scored its most tangible breakthrough yet in the cybercrime space.
The news about WFT's arrest shocked the Indonesian public, reigniting the long-standing mystery surrounding the hacker Bjorka.
Yet even as police confirmed the capture, questions quickly surfaced: was this man truly the infamous hacker who once shook the nation’s cyberspace?
The path between WFT and the alleged hacker Bjorka remains murky, full of claims, counterclaims, and unfinished investigations.
Authorities say WFT was taken into custody on September 23, 2025, in Totolan Village, Kakas Barat, Minahasa, North Sulawesi.
He’s accused of being the person behind several high-profile leaks and dark-web activities under the name Bjorka.
While police have recovered digital devices, online accounts, and samples of leaked data claimed by Bjorka, they are still working to confirm whether WFT is indeed the Bjorka whose actions have rattled Indonesia and gained international attention.
Key pieces of evidence, like account ownership since 2020 and postings under various aliases, are being cross-checked. Digital forensics labs are combing through the evidence. AKBP Fian Yunus of Polda Metro’s Cyber Directorate has emphasized that the evidence so far is suggestive but not conclusive.
To understand why this arrest matters so much. and why so many are skeptical, it helps to look back at what Bjorka has been known for.
Bjorka first appeared in public view around 2020 in Indonesia, gradually rising to infamy through a series of data breaches and leaks involving both governmental and private institutions.
Among the most notorious of these was the exposure of 1.3 billion SIM card registration data including data points like phone numbers, national identity numbers (NIK), registration dates, and other metadata. The leak was reportedly traded on forums like BreachForums, with cryptocurrency as the method of payment.
Bjorka allegedly earned around $50,000.
Other major leaks attributed to Bjorka include millions of records from IndiHome customers (users of Indonesia’s broadband/telecom service), personal data tied to MyPertamina, and huge volumes of data from the Komisi Pemilihan Umum (KPU, Indonesia’s election commission).
There were claims of breached data involving Paspor (passport) data of tens of millions of Indonesians, as well as alleged leaks of private correspondence or documents linked to the presidency or intelligence agencies.
Bjorka’s modus operandi seems to combine provocation with exposure.
Not only did the hacker post data for sale or free download, but also doxing of prominent political figures has been part of the pattern: revealing personal details of ministers, members of parliament, and other officials.
In public statements and Telegram/online posts, Bjorka taunted authorities, lambasted government institutions, and challenged the competence of security systems.
While he is hated by many, a lot adores him, and considers Bjorka a vigilante, if not an anti-hero.
Despite the magnitude of the leaks, some of the claims have been denied or disputed by the government. Whether about the source of the data, whether some of the files were authentic, or whether certain leaks actually occurred as claimed.
For instance, institutions have sometimes stated that internal audits found no breach or that data were already publicly available, or they questioned the technical plausibility of some leaks.
Globally, Bjorka has become one of many modern figures in the shifting terrain of cyber-activism, hacktivism, and digital crime: someone who operates under high anonymity, leverages the dark web and data markets, uses cryptocurrency to anonymize transactions, and provokes governments with leaks and threats.
While many countries face very similar challenges, what makes Bjorka especially attention-grabbing in Indonesia is the scale of data, the mix of political and private targets, and the sense among many citizens that their personal information is far more vulnerable than they believed.
Back to WFT’s arrest: police claim that WFT is tied to multiple online aliases used by Bjorka (or alleged aliases) — among them names like “Bjorka,” “Bjorkanesiaa,” “SkyWave,” “Shint Hunter,” and “Opposite 6890.”
They say WFT obtained access to bank customer databases, that he attempted or threatened extortion of a private bank after posting samples of exposed customer data, and that transactions were facilitated using cryptocurrencies.
Even so, the police also say that WFT has not yet been proven beyond doubt to be the Bjorka, in the full sense of all that name implies.
There are still questions over whether some leaks attributed to Bjorka might have been the work of others (copycats or collaborators), whether some account name claims are recycled, and whether some data authenticity issues remain unresolved.
Regardless, the arrest carries implications far beyond one hacker.
It raises urgent questions about data protection laws, cybersecurity infrastructure, the responsibility of institutions in securing citizen data, and how to hold malicious actors accountable, especially when they operate transnationally.
If this arrest does lead to solid proof that WFT is Bjorka, it could mark a turning point: enabling not just legal accountability, but also boosting demand for transparency and better digital safeguards.
At this time, WFT remains in custody under relevant cybercrime laws, as the authorities continue combing through the evidence and the long-list of portfolio.
"Maybe everyone can be anyone on the internet. We need to conduct a deeper investigation into the evidence we’ve found so that we can formulate our conclusions," said Fian at the Metro Jaya Police Headquarters on Thursday, October 2.
The Chairman of CISSReC (Communication & Information System Security Research Center), Pratama Persadha, believes there are strong indications that the individual who was arrested is not the real mastermind behind the series of hacking incidents that once shocked the public.
"There are several data points and facts that can be analyzed to strengthen the suspicion that the person arrested as Bjorka might actually be the wrong target," he said on October 5.
According to him, in cybersecurity analysis, attributing responsibility to a perpetrator always refers to three main factors: technical capability, consistency of digital activity patterns, and forensic evidence. If even one of these factors doesn’t align, then the identification of the perpetrator should be questioned.
Pratama stated that the technical profile of the person arrested does not match the level of skill that Bjorka has demonstrated so far.
The hacker is known to have breached large-scale databases, sold data on international dark web forums, and consistently interacted with the global cyber community. Such activities require high-level infrastructure and expertise.
“However, the facts on the ground instead show that the person arrested more closely resembles an ordinary online enthusiast with far less technical capability,” Pratama said. “Without testable technical evidence, the risk of false attribution is very high. This could undermine the credibility of the investigation,” he emphasized.
Although critical of the authorities’ actions, Pratama also stressed that the public must understand the limitations of cyber investigations.
Social and political pressure often forces law enforcement to present quick results. However, according to him, such hasty moves can be dangerous, as they might make it even harder to track down the real perpetrator.
"This case serves as an important lesson that Indonesia needs to strengthen its digital forensic capabilities, improve the cybersecurity ecosystem, and establish an investigative mechanism that is transparent and grounded in solid evidence," he said.
Pratama asserted that if the person arrested truly isn’t the main actor behind Bjorka, then improving investigative strategies becomes urgent to prevent similar cases from happening again.
Another factor that strengthens the doubt is the consistency of Bjorka’s communication patterns.
After the arrest, the Bjorka accounts remained active on both BreachForums and Telegram, even continuing to post messages taunting the authorities.
"This phenomenon is known as continuity of persona, which refers to a digital identity being managed by more than one person. This means that a physical arrest doesn’t necessarily end the existence of the Bjorka account," Pratama explained.
Bjorka was also known to have accessed strategic data likely obtained through supply chain attacks, insiders, or international dark web markets. However, the individual who was arrested does not have a background or access consistent with those methods.
"The fact that some of the leaked data had already circulated on dark web forums long before strengthens the suspicion that Bjorka acted more as an aggregator rather than a direct data thief," he added.
Following WFT's arrest, Bjorka remains both a name and a mystery: one that continues to test Indonesia’s resolve in the digital age.
Before this, the authorities arrested a young man who goes by the name Muhammad Agung Hidayatullah. At the time, the police suspected him in connection to the Bjorka hacking case. He was accused of creating and providing a Telegram channel named @Bjorkanism and selling it to someone claiming to be Bjorka for $100.
Since the evidence indicates that he is not confirmed to be the Bjorka, the police concluded that he was more of an associate or someone who provided a digital platform, not the mastermind.
https://www.eyerys.com/articles/timeline/indonesia-hunting-bjorka-the-hacker