Attackers
Named attackers
Individuals publicly identified — by indictment, sanctions, or intelligence reporting — as having participated in catalogued cyberattacks.
- 4
Park Jin Hyok
North Korean (DPRK) · indicted fugitive
North Korean RGB officer indicted by the U.S. DOJ in September 2018 as a Lazarus Group operator. Attributed to Sony Pictures (2014), WannaCry (2017), and the Bangladesh Bank SWIFT heist (2016).
- 2
Albert Gonzalez
- 2
Black Shadow
- 2
Dmitry Khoroshev
Russian · indicted fugitive
Russian national identified by the U.K. NCA, FBI, and Australian Federal Police as LockBitSupp — the developer and chief operator of the LockBit ransomware-as-a-service franchise.
- 2
Jabaroot
- 2
Sandworm Six (GRU Unit 74455)
- 2
Vitaly Kovalev
Russian · indicted fugitive
Russian national publicly identified as 'Stern' — the CEO-level operator of TrickBot, Conti, and the broader Ryuk / BazarLoader cybercrime conglomerate. Sanctioned by the U.S., U.K. and EU in 2023.
- 2
Yaroslav Vasinskyi
Ukrainian · convicted
Ukrainian REvil affiliate convicted in 2024 for the July 2021 Kaseya VSA supply-chain ransomware attack. Sentenced to 13 years 7 months and ordered to pay $16M restitution.
- 1
"teapotuberhacker" (18-year-old, later linked to Lapsus$)
- 1
1937CN
- 1
Aleksandr Kogan (Global Science Research)
- 1
Andrei Tyurin
- 1
Anonymous 4chan user ("DisgustinglyGreedy")
- 1
Anonymous Sudan (pro-Russian hacktivist group)
- 1
APT31
- 1
APT31 (Zirconium / Judgment Panda)
- 1
Arion Kurtaj ("teapotuberhacker" / "TeaPot")
- 1
Babuk ransomware group
- 1
Black Basta ransomware group
- 1
BlackCat (ALPHV)
- 1
Brain Cipher
- 1
Brandon Glover
- 1
Cambridge Analytica
- 1
Chinese state-affiliated actors (APT31 / Wuhan Xiaoruizhi Science and Technology)
- 1
Christopher Scott
- 1
Chukwuemeka Peter Nwadi
- 1
Clop (Cl0p) ransomware group / TA505
- 1
Clop ransomware operators
- 1
ComodoHacker
- 1
Dalton Norman
- 1
Damon Patrick Toey
- 1
DeepBlueMagic ransomware group
- 1
Desorden Group
- 1
Dmitri Galushkevich (only person convicted)
- 1
Emotet / TrickBot / Ryuk operators
- 1
Equifax PLA officers (Wu, Wang, Xu, Liu)
- 1
Gery Shalon
- 1
GGD call-centre insiders
- 1
Graham Ivan Clark
- 1
Grief
- 1
Hive ransomware-as-a-service affiliate
- 1
Hive ransomware-as-a-service operators
- 1
Ifesinachi Fountain Anakwe
- 1
Joenel de Asis
- 1
Joshua Samuel Aaron
- 1
Josiah White
- 1
Khemarat Boonchuay
- 1
Konstantin Goloskokov (Nashi commissar, claimed responsibility)
- 1
Kotz
- 1
Lazarus Group
- 1
Lazarus Group operators
- 1
Lebanese General Directorate of General Security (GDGS)
- 1
Ler Teck Siang
- 1
LockBit
- 1
LockBit 3.0 ransomware affiliate
- 1
LockBit ransomware-as-a-service affiliate
- 1
Maksim Yakubets
Russian · indicted fugitive
Russian national identified by the U.S. Treasury and FBI as the leader of Evil Corp — the Dridex banking trojan and BitPaymer / WastedLocker ransomware operation. $5 million State Department reward.
- 1
Mason Sheppard (Chaewon)
- 1
meli0das
- 1
Mikhy Farrera-Brochez
- 1
Mirai botnet operator (Daniel Kaye / 'BestBuy')
- 1
Mount Locker affiliate
- 1
Multiple actors: cryptominers, botnets (Mirai, Muhstik), ransomware crews, state-sponsored groups
- 1
N4ughtySecTU (self-described hacking group)
- 1
Nima Fazeli (Rolex)
- 1
NSO Group (spyware vendor)
- 1
Paige Thompson
American · convicted
Former AWS engineer convicted in 2022 for the 2019 Capital One breach. Exploited a misconfigured WAF to exfiltrate data on 100 million Capital One credit-card customers.
- 1
Paras Jha
- 1
Paul Biteng
- 1
Play
- 1
RA World (formerly RA Group)
- 1
RansomEXX operators
- 1
RansomHub ransomware-as-a-service affiliate
- 1
REvil affiliate
- 1
Russian GRU (Cadet Blizzard / DEV-0586)
- 1
Russian GRU Unit 74455 (Sandworm / ELECTRUM)
- 1
Russian GRU Unit 74455 (Sandworm)
- 1
Seller using the handle 'Peace'
- 1
Two unnamed Russian co-conspirators (DOJ indictment)
- 1
Unattributed nation-state (Kaspersky linked tooling to Flame)
- 1
Unattributed operator with intimate knowledge of Egyptian state actions
- 1
Unattributed party operating Sandvine PacketLogic devices on Telecom Egypt
- 1
Unidentified actor (possible insider involvement)
- 1
Unidentified attacker (Kristian Boykov charged, case unproven)
- 1
Unidentified extortion actor
- 1
Unidentified extortionist
- 1
Unidentified seller on dark-web forum
- 1
Unidentified sophisticated actors
- 1
Unnamed researcher-hacker (arrested in the UK, December 2015)
- 1
USDoD (Luan BG, alleged)
- 1
Vasile Mereacre
- 1
Yevgeniy Nikulin (Russian national, convicted 2020)
- 1
Ziv Orenstein
Equifax PLA officers (Wu, Wang, Xu, Liu)
Chinese · indicted fugitive
Four members of the Chinese People's Liberation Army's 54th Research Institute indicted by the U.S. DOJ in February 2020 for the 2017 Equifax breach.
Mikhail Matveev
Russian · indicted fugitive
Russian national indicted by the U.S. DOJ in May 2023 as Wazawaka / Boriselcin / Uhodiransomwar — a senior affiliate of LockBit, Babuk, and Hive ransomware operations.
Sandworm Six (GRU Unit 74455)
Russian · indicted fugitive
Six Russian GRU officers indicted by the U.S. DOJ in October 2020 for NotPetya, the 2018 Olympics destructor, attacks on Ukraine's electric grid, and the 2017 French election hack-and-leak.
Vyacheslav Penchukov
Ukrainian · convicted
Ukrainian national arrested in Geneva in 2022, extradited to the U.S. in 2023, and sentenced in 2024 for operating the JabberZeus banking trojan and later the IcedID malware loader.