Masked cybercrime groups rise as attacks escalate worldwide
RansomHub, GoldFactory and Lazarus are dominating the cybercrime threatscape, with ransomware, mobile banking malware and state-sponsored hacking all on the rise.

Cybercrime is thriving like never before, with hackers launching attacks ranging from absurd ransomware demands of $1 trillion to large-scale theft of personal data. Despite efforts from Microsoft, Google and even the FBI, these threat actors continue to outpace defences.
A new report by Group-IB has analysed over 1,500 cybercrime investigations to uncover the most active and dangerous hacker groups operating today.
Rather than fading away after arrests or infighting, many cybercriminal gangs are re-emerging stronger than before.
Group-IB’s May 2025 report highlights a troubling increase in key attack types across 2024: phishing rose by 22%, ransomware leak sites by 10%, and APT (advanced persistent threat) attacks by 58%. The United States was the country most affected by ransomware activity.
At the top of the cybercriminal hierarchy now sits RansomHub, a ransomware-as-a-service group that emerged from the collapsed ALPHV group and has already overtaken long-established players in attack numbers.
Behind it is GoldFactory, which developed the first iOS banking trojan and exploited facial recognition data. Lazarus, a well-known North Korean state-linked group, also remains highly active under multiple aliases.
Meanwhile, politically driven hacktivist group NoName057(16) has been targeting European institutions using denial-of-service attacks.
With jurisdictional gaps allowing cybercriminals to flourish, these masked hackers remain a growing concern for global cybersecurity, especially as new threat actors emerge from the shadows instead of disappearing for good.