
RansomHub, a ransomware-as-a-service (RaaS) operation, is topping the list of the most prolific cybercriminal groups that Group-IB, a cybersecurity company, has investigated this past year.
To compile the list of the Top 10 Masked Actors for 2025, Group-IB dove into its very own High-Tech Crime Trends Report, full of in-depth insights from over 1,550 successful investigations.
Cybercrime rates keep growing, Group-IB CEO Dmitry Volkov said. Ransomware attacks increased by 10% in 2023, and financial losses from cybercrime have reached staggering levels.
“As we turn our focus to 2025, the cybersecurity landscape will grow even more dynamic. Ransomware and APT (advanced persistent threat) tactics will evolve, pushing defenders to adopt increasingly proactive, intelligence-driven approaches,” said Volkov.
We’ll steal your face and your money
Group-IB says its Top 10 list of cybercrime’s main villains is precisely that: proactive reporting about the threats so that more potential victims would know what to expect.
According to the company, the criminal organizations included in the list were identified “through extensive intelligence, highlighting the scale, sophistication, and impact of these active threat groups across sectors and geographies.”
Group-IB says that the most prolific group is RansomHub, a RaaS operation that surfaced after ALPHV (BlackCat) disappeared. It’s primarily targeting industrial manufacturing and healthcare, claiming 74 victims in September alone.

“RansomHub presents itself as a group of helpful and professional consultants rather than cybercriminals, offering ‘valuable advice' on IT protection, post-payment,” says the report, adding that the organization is motivated by financial gain.
Another must-watch cybercrime collective is GoldFactory, a mobile banking malware group responsible for GoldPickaxe.iOS, the first known iOS trojan designed to harvest facial recognition data for deepfake-enabled financial fraud.
In other words, these cybercriminals want to steal your face, and unlike a stolen password, a face cannot be changed once it has been captured.
GoldFactory tends to target finance companies in the Asia-Pacific region, but there are indications it will expand its operations beyond its two target countries, Vietnam and Thailand.
Lazarus and Iranian threat actors
Other infamous groups are, of course, also included in the list. An example is Lazarus – a North Korea-linked nation-state threat actor responsible for high-profile attacks on financial institutions and cryptocurrency platforms, with over $1.3 billion stolen in 2024 alone.
DragonForce, an emerging hacktivist and ransomware group possibly linked to DragonForce Malaysia, is rapidly expanding its operations globally. It targets governments and corporations across multiple industries, and one of its most lucrative attacks, on a Saudi firm, led to the theft of 6 TB of data.
OilRig, an Iranian state-sponsored cyber espionage group linked to Iran’s Ministry of Intelligence and Security, is also very active and specializes in increasingly sophisticated phishing attacks to gain intelligence from finance, energy, telecom, and government entities.
Another Iranian nation-state actor, MuddyWater, focuses on cyber espionage campaigns targeting NATO-affiliated nations, particularly through spear-phishing campaigns.
Brain Cipher, a new RaaS group that surfaced in mid-2024, made headlines after demanding an $8 million ransom following an attack on Indonesia’s national data center.
Representing a new wave of cybercriminals, Boolka specializes in exploiting website vulnerabilities. “The group’s evolving stealth tactics and ability to adapt and deploy modular malware cause significant financial and reputational damage that’s likely affected thousands of businesses and users worldwide,” says Group-IB.
Ajina is a rapidly growing Central Asian cybercrime group targeting everyday users of banking apps through sophisticated Android malware campaigns. Group-IB analyzed over 1,400 unique samples, suggesting a significant number of affected users and an increasing global reach.
Finally, Team TNT is likely the most prolific cybercrime group specializing in crypto crime. Team TNT has gained infamy for its relentless cloud-focused cryptojacking and brute-force attacks, targeting Kubernetes, Redis, and Docker environments.