Cybercriminals are often organised into specialist groups that carry out targeted attacks for the purposes of extortion, espionage or sabotage. Here is a list of the best-known groups, with their specialities and notable attacks.
1️⃣ Groups specialising in ransomware 💰
These groups develop and distribute ransomware (programs that encrypt files and demand a ransom to unlock them).
🔴 REvil (Sodinokibi)
📍 Origin: Russia
📌 Speciality: Ransomware-as-a-Service (RaaS), double extortion (exfiltration + encryption)
📌 Famous attacks:
- JBS Foods (2021) - Ransom of $11 million
- Kaseya (2021) - Affected over 1,500 companies
🔹 Status: Disbanded by the FBI in 2022, but some members are still active
🔴 LockBit
📍 Origin: Probably Russia
📌 Speciality: Rapid, targeted attacks on businesses
📌 Famous attacks:
- Thales (2022) - Data infiltration
- Hospitals in France (2022) - Massive disruption
🔹 Status: Still active, "LockBit 3.0" version
🔴 Conti
📍 Origin: Russia
📌 Speciality: Attacks on businesses and critical infrastructure
📌 Famous attacks:
- Costa Rica (2022) - Costa Rican government paralysed
- Health Service Executive (HSE) in Ireland (2021) - Impact on hospitals
🔹 Status: Disbanded in 2022, but members joined other groups
🔴 Black Basta
📍 Origin: Russia (ex-Conti members)
📌 Speciality: Attacks on companies
📌 Famous attacks:
- Deutsche Windtechnik (2022) - Wind energy company
- Foxconn (2022) - Industrial data theft
🔹 Status: Still active
2️⃣ Groups specialising in espionage and cyber sabotage 🕵️‍♂️
These groups, often linked to governments, carry out attacks to steal industrial secrets, manipulate elections or sabotage infrastructure. They are also known as APTs because they carry out APT attacks.
🟢 APT29 (Cozy Bear)
📍 Origin: Russia (linked to the FSB, formerly the KGB)
📌 Speciality: Spying on governments and major corporations
📌 Famous attacks:
- Hacking of the US Democratic Party (2016)
- Attacks on COVID-19 vaccine laboratories (2020)
🔹 Status: Active
🟢 APT28 (Fancy Bear)
📍 Origin: Russia (linked to the GRU, military service)
📌 Speciality: Cyber-warfare, propaganda, election manipulation
📌 Famous attacks:
- Hacking of Emmanuel Macron's campaign (2017)
- Hacking of the German Bundestag (2015)
🔹 Status: Active
🟢 Lazarus Group
📍 Origin: North Korea
📌 Speciality: Espionage + Theft of funds to finance the regime
📌 Famous attacks:
- Hacking of Sony Pictures (2014) - In response to the film The Interview
- Theft of $620 million in cryptocurrencies (2022) via Axie Infinity
🔹 Status: Active
🟢 Charming Kitten (APT35)
📍 Origin: Iran
📌 Speciality: Spying on NGOs, journalists and technology companies
📌 Famous attacks:
- Attempted hacking of the US elections (2020)
- Hacking of Iranian dissidents and academic researchers
🔹 Status: Active
🟢 Equation
📍 Origin: United States (NSA)
📌 Speciality: Spying on countries (Iran, Russia, Pakistan, India, Syria, Mali, etc.)
📌 Famous attack:
- Location of the malware DoubleFantasy
🔹 Status: Active
3️⃣ Groups specialising in theft and fraud 💳
These groups steal bank details and credit cards and resell data on the dark web.
🔵 FIN7 (Carbanak Group)
📍 Origin: Ukraine and Russia
📌 Speciality: Bank data theft, financial scams
📌 Famous attacks:
- $1 billion stolen through attacks on banks
- Hacking of fast food chains (Chili's, Arby's, etc.)
🔹 Status: Some members arrested in 2018, but still active
🔵 Magecart
📍 Origin: Various groups (decentralised network)
📌 Speciality: Bank card skimming via e-commerce sites
📌 Famous attacks:
- British Airways hack (2018) - 380,000 bank cards stolen
- Ticketmaster hacking (2018)
🔹 Status: Active
🔵 Evil Corp
📍 Origin: Russia
📌 Speciality: Theft of funds via banking malware
📌 Famous attacks:
- $100 million stolen via Dridex malware
- Linked to ransomware attacks (WastedLocker)
🔹 Status: Still active, but under US sanctions
4️⃣ Groups of hacktivists and cybermercenaries 💥
Some cybercriminals act on behalf of political or social ideas. Others sell their services to the highest bidder.
🟠 Anonymous
📍 Origin: Decentralised global network
📌 Speciality: DDoS, data leaks, whistleblowing against governments and companies
📌 Famous attacks:
- Attacks on PayPal and Mastercard (2010) after WikiLeaks was blocked
- Cyber attacks against Russia after the invasion of Ukraine (2022)
🔹 Status: Still active
🟠 GhostSec
📍 Origin: Hacktivists (ex-Anonymous)
📌 Speciality: Attacks on terrorist groups and authoritarian states
📌 Famous attacks:
- Cyber attacks against the Islamic State (2015-2017)
🔹 Status: Active