The 3 Masked Hackers Behind The World's Most Prolific Cyberattacks

Forbes

13-05-2025

10 masked cybercrime actors revealed.
From ransomware attacks demanding ridiculous payments of $1 trillion, or using insidious methods to watch victims at work, through to hackers stealing billions of passwords and publishing them to the dark web, cybercrime has never been as rife as it is today. Despite the best efforts of everyone from Google, Microsoft, and even the FBI, the attacks continue. But who are the hackers behind the crimes, the threat actors operating in the shadows to deliver these attacks? A newly published report has analyzed more than 1500 separate cybercrime investigations to reveal the most prolific cybercriminal groups, the masked hackers that continue to shape the threatscape.
New threat actors are continually emerging across the criminal landscape, often arising from the ashes of cybercrime groups that have been disrupted by law enforcement or have suffered from internal conflicts that lead to their disbandment. While some of these will gain traction and, in time, become an unwelcome addition to the cybersecurity lexicon, most will fall by the wayside. Those groups that have not only survived but are prospering are among the most prolific criminal actors operating today. 'Cross-border investigations and intelligence sharing are increasingly constrained by jurisdictional divides,' Dmitry Volkov, the Group-IB CEO, said, 'creating gaps that cybercriminals are quick to exploit.' Perhaps that partly explains why these gangs experience such longevity and success.
The May 13 High-Tech Crime Trends Report 2025, has analyzed more than 1,500 cybercrime investigations, enabling Group-IB threat intelligence analysts to identify who these groups are. It may come as something of a surprise, even to those who follow cybercrime reporting religiously, that the vast majority of the names on the list are unfamiliar.
Before we get to that, however, let's take a look at some of the other intelligence that this report has revealed concerning the cybercriminal threat landscape across 2024:
The U.S. hit hardest by ransomware attacks in 2024.
Although the full report is well worth reading, I would be doing a disservice if I didn't highlight the most prolific threat actors called out by the intelligence analysts across one or two important sectors.
There's the intriguingly-named 'NoName057(16)' sitting at the top of the hacktivist groups tree. Pro-Russian, and primarily using Distributed-Denial-of-Service attacks against government and financial institutions, NoName057(16) is said to be driven by 'political motives, particularly against information resources located in Europe.'
When it comes to APT attacks, Dark Pink sits at the top of the list by number of attacks, but Group-IB was unable to attribute these connected campaigns to any specific group. So, for me at least, that puts APT28 at number one — another Russian-speaking group, known to employ the currently highly-exploited ClickFix attack methodology using malicious CAPTCHA dialogs.
OK, let's move on to those three masked actors, the cybercriminal groups that have dominated cyberattacks during the past year, according to Group-IB threat intelligence.
The RansomHub ransomware-as-a-service operators, arising from the ashes of the infamous ALPHV or BlackCat group before it, are the prime cybercriminal gang. Since launching at the start of 2024, RansomHub has 'already surpassed even long-established cybercriminals in attacks,' according to the report, and is now the dominant force in the ransomware threat sector.
RansomHub - the number one most prolific cybercrime gang.
Sitting behind RansomHub, which you may have heard of, is GoldFactory, which you likely haven't. This mobile banking malware group was behind the first iOS banking trojan, which harvested facial recognition data to use in attacks. And in third place, one you will definitely know: Lazarus. This nation-state actor, which is known to keep rising from the dead, hence the original name, although it operates under many a pseudonym to evade detection, is thought to operate under the control of the North Korean intelligence agency, the Reconnaissance General Bureau. One thing is certain: these masked hackers, all of whom are included in the report and featured in an accompanying podcast, are well worth getting to know if you want to stay ahead in your defense efforts against them.