Cybercriminals are often organised into specialist groups that carry out targeted attacks for the purposes of extortion, espionage or sabotage. Here is a list of the best-known groups, with their specialities and notable attacks.
1. Groups specialising in ransomware
These groups develop and distribute ransomware (programs that encrypt files and demand a ransom to unlock them).
REvil (Sodinokibi)
📍 Origin: Russia
📌 Speciality: Ransomware-as-a-Service (RaaS), double extortion (exfiltration + encryption)
📌 Famous attacks:
- JBS Foods (2021) - Ransom of $11 million
- Kaseya (2021) - Affected over 1,500 companies
🔹 Status: Disbanded by the FBI in 2022, but some members are still active
LockBit
📍 Origin: Probably Russia
📌 Speciality: Rapid, targeted attacks on businesses
📌 Famous attacks:
- Thales (2022) - Data infiltration
- Hospitals in France (2022) - Massive disruption
🔹 Status: Still active, "LockBit 3.0" version
Conti
📍 Origin: Russia
📌 Speciality: Attacks on businesses and critical infrastructure
📌 Famous attacks:
- Costa Rica (2022) - Costa Rican government paralysed
- Health Service Executive (HSE) in Ireland (2021) - Impact on hospitals
🔹 Status: Disbanded in 2022, but members joined other groups
Black Basta
📍 Origin: Russia (ex-Conti members)
📌 Speciality: Attacks on companies
📌 Famous attacks:
- Deutsche Windtechnik (2022) - Wind energy company
- Foxconn (2022) - Industrial data theft
🔹 Status: Still active
2. Groups specialising in espionage and cyber sabotage
These groups, often linked to governments, carry out attacks to steal industrial secrets, manipulate elections or sabotage infrastructure.
APT29 (Cozy Bear)
📍 Origin: Russia (linked to the FSB, formerly the KGB)
📌 Speciality: Spying on governments and major corporations
📌 Famous attacks:
- Hacking of the US Democratic Party (2016)
- Attacks on COVID-19 vaccine laboratories (2020)
🔹 Status: Active
APT28 (Fancy Bear)
📍 Origin: Russia (linked to the GRU, military service)
📌 Speciality: Cyber-warfare, propaganda, election manipulation
📌 Famous attacks:
- Hacking of Emmanuel Macron's campaign (2017)
- Hacking of the German Bundestag (2015)
🔹 Status: Active
Lazarus Group
📍 Origin: North Korea
📌 Speciality: Espionage + Theft of funds to finance the regime
📌 Famous attacks:
- Hacking of Sony Pictures (2014) - In response to the film The Interview
- Theft of $620 million in cryptocurrencies (2022) via Axie Infinity
🔹 Status: Active
Charming Kitten (APT35)
📍 Origin: Iran
📌 Speciality: Spying on NGOs, journalists and technology companies
📌 Famous attacks:
- Attempted hacking of the US elections (2020)
- Hacking of Iranian dissidents and academic researchers
🔹 Status: Active
3. Groups specialising in theft and fraud
These groups steal bank details and credit cards and resell the data on the dark web.
FIN7 (Carbanak Group)
📍 Origin: Ukraine and Russia
📌 Speciality: Bank data theft, financial scams
📌 Famous attacks:
- $1 billion stolen through attacks on banks
- Hacking of fast food chains (Chili's, Arby's, etc.)
🔹 Status: Some members arrested in 2018, but still active
Magecart
📍 Origin: Various groups (decentralised network)
📌 Speciality: Bank card skimming via e-commerce sites
📌 Famous attacks:
- British Airways hack (2018) - 380,000 bank cards stolen
- Ticketmaster hack (2018)
🔹 Status: Active
Evil Corp
📍 Origin: Russia
📌 Speciality: Theft of funds via banking malware
📌 Famous attacks:
- $100 million stolen via Dridex malware
- Linked to ransomware attacks (WastedLocker)
🔹 Status: Still active, but under US sanctions
4. Groups of hacktivists and cybermercenaries
Some cybercriminals act on behalf of political or social ideas. Others sell their services to the highest bidder.
Anonymous
📍 Origin: Decentralised global network
📌 Speciality: DDoS, data leaks, whistleblowing on governments and companies
📌 Famous attacks:
- Attacks on PayPal and Mastercard (2010) after WikiLeaks was blocked
- Cyber attacks against Russia after the invasion of Ukraine (2022)
🔹 Status: Still active
GhostSec
📍 Origin: Hacktivists (ex-Anonymous)
📌 Speciality: Attacks on terrorist groups and authoritarian states
📌 Famous attacks:
- Cyber attacks against the Islamic State (2015-2017)
🔹 Status: Active