Threat actors
Threat actors
Groups, operations, and franchises responsible for the catalogued cyberattacks. Ranked by attributed incident count.
LockBit
7Russian-speaking ransomware-as-a-service operation, dominant 2022–2024 until law-enforcement seizure (Operation Cronos).
$9.10BDPRK RGB
6$8.84BLazarus Group
6North Korean state-sponsored actor (DPRK Reconnaissance General Bureau). Mixes espionage, financial theft, and cryptocurrency heists to fund the regime.
$8.84BQilin
4$31.4MConti
3$370.0MREvil
3$302.3MSandworm
3$10.10BScattered Spider
3$665.0MWizard Spider
3$370.0MALPHV
2$2.97BBlackSuit
2$1.00BGRU Unit 74455
2$10.10BHelloKitty
2RansomHub
2$2.90BShinyHunters
2$10.0MSodinokibi
2$300.0MTA505
2$30.2MUnknown criminal operators
2$100.0MAkira
1Aleksanteri Kivimäki
1$670.0KAPT28
1$22.0MAPT28 / Fancy Bear / GRU Unit 26165
1$50.0MAPT29
1$100.00BAPT29 / Cozy Bear / SVR (parallel intrusion)
1$50.0MAPT33 / Elfin (likely Iranian attribution)
1$200.0MAPT38
1$625.0MBlogXX (leak site)
1$250.0MBrain Cipher
1Cactus
1Chinese MSS-linked APT (APT10 cluster, per public attribution)
1$200.0MChinese MSS-linked APT (Black Vine / Deep Panda)
1$260.0MChinese MSS-linked APT (Deep Panda / Anchor Panda)
1$350.0MChinese PLA Unit 54th Research Institute (DOJ attribution)
1$1.38BCl0p
1$12.15BClop
1$220.0KCozy Bear
1$100.00BCutting Sword of Justice (claim persona)
1$200.0MDaniel Kelley, Matthew Hanley, Connor Allsopp, Aaron Sterritt (UK teenagers, convicted)
1$90.0MDarkSide
1$4.4MDeepBlueMagic
1DoppelPaymer
1$71.0MDragonForce
1$550.0MEquation Group (NSA-attributed)
1$100.0MEvil Corp
1$30.0MFancy Bear
1$22.0MFSB-affiliated operators (2014 breach, per DOJ indictment)
1$470.0MGolem (forum persona)
1$50.0MGRU Unit 26165
1$22.0MGuardians of Peace (cover persona)
1$100.0MHandala
1Hellcat
1HomeLand Justice
1Indrik Spider
1$30.0MInsider misuse / paid intermediary access
1Iran MOIS
1John Binns (lone actor, self-attributed)
1$500.0MJohn Binns + Connor Moucka (alleged participants)
1$200.0MLikely Volodymyr Tymoshchuk-attributed cluster (per 2025 DOJ unsealing)
1$75.0MLockerGoga operators
1$75.0MMagecart Group 6 (per RiskIQ designation)
1$35.0MNitrogen
1NOBELIUM (Microsoft)
1$100.00BOperation Olympic Games
1$100.0MPaige Thompson (lone actor)
1$270.0MPlay
1REvil-affiliated criminal operators
1$250.0MRhysida
1$8.5MRussian SVR (Foreign Intelligence Service)
1$100.00BSalt Typhoon
1Scattered Lapsus$ Hunters
1$2.40BSébastien Boulanger-Dorval (employee)
1$100.0MShinyHunters (re-sale market)
1$500.0MSofacy
1$22.0MStorm-0558
1Suspected Chinese state actor
1$7.5MTraderTraitor
1$1.50BUNC5537
1UNC5537 (Mandiant designation)
1$200.0MUnit 8200 (Israeli)
1$100.0MUnknown
1$140.0MUnknown criminal actor (2013 breach)
1$470.0MUnknown criminal crew (BlackPOS / Kaptoxa malware)
1$292.0MUnknown ransomware crew (suspected Chinese-attributed per Indian government statements)
1$15.0MVarious Magecart clusters
1$35.0MWhitefly (Symantec designation)
1$7.5MxenZen
1$30.0MALPHV (BlackCat)
Russian-speaking RaaS operation. First major ransomware written in Rust. Self-shutdown via exit scam after Change Healthcare in 2024.