Campaigns
Strategic operations spanning multiple incidents — coordinated attribution, technique, or intent. From Stuxnet to the Snowflake cohort.
Cl0p mass-exploitation campaign
1 · 2020– · active
Multi-year Cl0p / TA505 operation exploiting zero-days in managed-file-transfer (MFT) products to mass-extort thousands of organisations: Accellion FTA (2020), GoAnywhere MFT (2023), MOVEit Transfer (2023), Cleo (2024).
$12.15B
Lazarus cryptocurrency-theft programme
4 · 2017– · active
Sustained North Korean state cybercrime programme (2017–present) targeting cryptocurrency exchanges, custody providers, and DeFi protocols. Estimated cumulative proceeds exceed $5 billion across hundreds of attributed operations.
$2.74B
Chinese 'Big Four' PII collection campaign
4 · 2014–2018 · concluded
Coordinated Chinese state cyberespionage campaign (2014–2018) against U.S. personal-records-rich data sources: OPM, Anthem, Marriott/Starwood, and Equifax. Together the four datasets enable comprehensive intelligence dossiers on cleared U.S. personnel.
$2.19B
LockBit ransomware-as-a-service franchise
3 · 2019–2024 · disrupted
The most prolific ransomware-as-a-service operation of 2022–2024, responsible for ~25% of all observed ransomware attacks at peak. Disrupted by NCA-led Operation Cronos in February 2024, with developer Dmitry Khoroshev unmasked as LockBitSupp.
$200.0M
Snowflake cohort credential-stuffing campaign (2024)
1 · 2024–2024 · concluded
Coordinated 2024 criminal campaign against ~165 Snowflake-customer tenants. Operators used infostealer-harvested credentials to authenticate against tenants without MFA, exfiltrating data from AT&T, Ticketmaster, Santander, Advance Auto Parts, and many others.
$200.0M
Operation Olympic Games
1 · 2006–2012 · concluded
Joint U.S.-Israeli covert programme (2006–2012) to delay Iran's nuclear enrichment via cyber means. Best known for Stuxnet but encompassing Duqu, Flame, and related malware families.
$100.0M