“Delovoy Peterburg” analyzes the global digital crime market and the most dangerous hacker groups today.
Cybercrime has long emerged from the shadows and become a full-fledged industry, where PR, negotiations, and accounting play an important role. Meanwhile, while companies and governments develop the digital economy, their “dark side” — the economy of attacks — is becoming increasingly noticeable and organized.
According to Evgeny Kokuykin, CEO of HiveTrace, cybercriminals and cybersecurity companies often evolve within the same ecosystem but with opposing goals. Hackers, in addition to making profits, may engage in corporate espionage and sabotage. Both sides invest in research and automation, and some tools look similar.
“Some security tools really resemble those used by hackers, for example, vulnerability scanners. Certified 'white hat' hackers work in large companies, conducting controlled attacks to identify vulnerabilities. The main difference is ethics: hackers operate illegally, while security specialists work within the law,” he added.
Modern cybercriminals increasingly adopt the tradecraft of APT (Advanced Persistent Threat) actors: targeted, long-running intrusions rather than opportunistic hits. The label originally described state-backed espionage teams, which is why such groups are referred to as APT groups, and the line between them and financially motivated crews is now blurred.
“Delovoy Peterburg” consulted with leading cybersecurity experts and compiled a list of groups shaping the landscape of cybercrime in 2025, including both ransomware operators and state-sponsored espionage groups.
LockBit — Franchise Veterans
This ransomware group has been among the most prolific since it appeared in 2019. In February 2024, the international Operation Cronos, led by the UK National Crime Agency with the FBI and Europol, dismantled its infrastructure, seized servers and decryption keys, and turned the gang's own leak site into a portal publishing material about the gang itself. Within days, however, LockBit announced its return on new infrastructure.
“LockBit operates on a 'ransomware as a service' (RaaS) model, providing partners access to ransomware programs and taking a percentage of the ransom. There have been cases where they offer consultations with lawyers to increase pressure on the victim during negotiations,” said Kirill Mitrofanov, head of the Cyber Threat Intelligence analytics team at Kaspersky Lab.
Thanks to the RaaS model, cyber extortion has become a “franchise,” where participants earn percentages and bonuses. Mitrofanov notes that a whole market of auxiliary tools has emerged on this basis, including “stealers,” programs that steal credentials and access tokens.
The LockBit format has allowed the geography of attacks to expand: victims have included hospitals in the USA, factories in Europe, and municipalities in Australia. According to the US Department of Justice, the number of attacked organizations exceeds 2,000. The style is mass-scale and ruthless: negotiations are conducted harshly, and stolen data is published on a countdown schedule, as if it were a series of press releases.
RansomHub — New Careerists
Emerging in February 2024, this group quickly took top positions. After LockBit's setback under Operation Cronos, RansomHub became the leader by number of attacks: in 2024 experts counted over 500 hacks attributed to it, nearly 10% of all registered cases worldwide.
Unlike LockBit, RansomHub emphasizes speed: the cycle from initial access to encryption and then to listing on the leak site is compressed into hours rather than weeks. The logic is simple: the faster the victim's business is brought to a halt, the faster the ransom is paid.
Kirill Mitrofanov emphasizes that the technical level of cyber groups continues to rise.
“They operate more organized, employing sophisticated methods and tools. Furthermore, interaction among criminals is intensifying, allowing them to use shared infrastructure and divide tasks, making it difficult to attribute attacks to a specific group,” noted a representative of Kaspersky.
RansomHub is known for working with contractors and affiliated groups. Essentially, they act as brokers of extortion: providing a platform and tools, while partners complete the job.
Cl0p — Mass Attack Punks
This group strikes not selectively but en masse. Its largest campaign, in 2023, exploited a zero-day SQL injection in Progress Software's MOVEit Transfer (CVE-2023-34362) to steal data from well over a thousand organizations worldwide, including American corporations and European universities.
The Cl0p method is to find a single vulnerability in a widely deployed product, usually a managed file-transfer server, and exploit it against all of that product's customers at once, often without deploying any encryptor at all: the data is exfiltrated and extortion follows. Cl0p ran the same play against Accellion FTA in early 2021 and GoAnywhere MFT in early 2023 before MOVEit. The damage from the MOVEit campaign is estimated in the billions, not only in ransoms but also in incident response costs and reputational loss.
The main feature of Cl0p is their lack of interest in negotiations. They immediately publish lists of victims, demonstrating their power and creating a panic effect. These “punks” of the digital world value noise as much as money. However, experts warn that this is not the worst part...
“LockBit and Cl0p are already familiar problems, like COVID, which are time-limited. However, an APT group that has been in your network for 13 months represents an existential threat that you may not even suspect. We are focused on protecting supply chains, as the long-term presence of an attacker in the network makes an attack nearly irreparable,” explains Denis Batrankov, business development director at “Garda.”
BlackCat (ALPHV) — The Technological New Wave
This group was one of the first to write ransomware in Rust, which gave it a practical advantage: Rust binaries were unfamiliar to analysts and poorly covered by detection signatures at the time, and one codebase could be compiled for Windows, Linux, and VMware ESXi hosts.
In February 2024, a BlackCat affiliate hit Change Healthcare, the largest medical claims-processing clearinghouse in the USA, causing weeks of outages in pharmacy and billing systems and the cancellation of hundreds of procedures; the parent company, UnitedHealth Group, put the cost in the hundreds of millions of dollars in its first estimates. The approach targets critical infrastructure, where time is of the essence.
Unlike Cl0p or LockBit, BlackCat actively uses PR: its leak site is a showcase where victim data is presented with threats and polished design. The operators behave like a new generation of IT specialists: technologically savvy, efficient, and with a recognizable brand. The brand did not outlast the Change Healthcare case, however: after a $22 million ransom was paid in March 2024, the operators kept the affiliate's share, posted a fake law-enforcement seizure notice on their own site, and disappeared.
“Privacy is becoming a kind of 'class of service': large companies pay for encryption, segmentation, and insurance, while small and medium-sized businesses manage risks as best they can. Artificial intelligence helps recover leaked data based on behavioral patterns, so the focus shifts from 'not leaking' to 'devaluing the stolen': reducing data storage and strictly limiting access,” emphasizes independent IT expert Alexander Dmitriev.
Lazarus Group (North Korea) — Raids Under a State Flag
This group is considered the most “state-sponsored.” According to data from the UN and the FBI, it is linked to the regime in Pyongyang and participates in financing North Korea's military programs.
“The geopolitics of cyberattacks is simple: states set the rules, corporations protect critical infrastructure, and private groups act as contractors,” notes Alexander Dmitriev.
Specializing in cryptocurrency theft, in 2022 Lazarus stole about $620 million from the Ronin network, the sidechain behind the game Axie Infinity, and the same year another $100 million from the Harmony Horizon Bridge. In February 2025, it executed the largest cryptocurrency heist in history, withdrawing about $1.5 billion in Ethereum from the Bybit exchange.
Lazarus operates systematically, building entire campaigns: first infiltration, typically through phishing or social engineering of developers, then a foothold in the system, and only then the theft of assets. In the Bybit case the foothold was a compromised developer workstation at the exchange's multisig wallet provider, from which a tampered transaction-signing interface was served to Bybit's signers so that they approved a malicious transfer. Its goal is not personal gain but replenishing the North Korean state budget, which makes combating it increasingly complex.
“Given the growth of digitalization and the number of cyberattacks, 'manual' control by information security services is becoming insufficient. We expect the market to evolve towards greater automation, including the use of artificial intelligence,” says Kirill Mitrofanov.
APT28 (Fancy Bear) — Raw Power
APT28, known as Fancy Bear, is attributed by Western governments to Russian military intelligence: a 2018 US indictment named officers of GRU Unit 26165, though Russia has never acknowledged the group. Its name became widely known after the 2016 hack of the US Democratic National Committee's servers.
Its targets have also included the Bundestag (2015), sports and anti-doping organizations, and NATO members. Its style is characterized by wide reach and aggressive tactics; it is not afraid to leave traces, acting like special forces.
“The resistance of information security services and cybercriminals is asymmetrical: a hacker needs just one successful attack out of a hundred, while a security service must protect all vectors and systems simultaneously,” emphasizes Evgeny Kokuykin.
APT29 (Cozy Bear) — Aristocrats of Espionage
This organization has a similar name to the previous one but represents a different school. It is known for its methodical and elegant approach, leaving minimal traces.
APT29 is credited with the SolarWinds supply-chain attack of 2020, in which a trojanized Orion software update gave the hackers access to dozens of ministries, agencies, and corporations. In 2023-2024 its activity was again observed against diplomatic targets.
The difference between APT28 and APT29 lies in their approaches: the former acts aggressively, while the latter operates stealthily, infiltrating systems and remaining there for extended periods.
“The average time to detect cyber espionage attacks in 2024 was 390 days, which is 40% more compared to 2023. This means that attackers can remain in the network for over a year before being noticed,” emphasizes Denis Batrankov.
Charming Kitten (Iran) — Precision Strikes
Charming Kitten, also known as APT35, operates on behalf of Iran, using classic phishing and social engineering methods in a very selective manner.
They target journalists, human rights defenders, and researchers. In 2024, attacks were registered against scientists working on Middle Eastern nuclear projects. Their goal is to obtain information rather than money.
Charming Kitten acts like “hunters with a magnifying glass”: their attacks go unnoticed by the general public but cause serious harm to victims. Unlike Lazarus, they do not steal billions but can compromise reputations and undermine entire institutions.
“Users have become more cautious about sharing data, tired of news about leaks. Trust works when a company not only apologizes but also actively compensates for inconveniences, demonstrating transparency in its actions to protect,” notes Alexander Dmitriev.
Evil Corp — The Oldest Bankers of the Underworld
This group's names have been known since the early 2010s, when the Zeus and then Dridex banking Trojans became symbols of financial cybercrime. Despite US sanctions in 2019, indictments, and arrests, Evil Corp remains active, and its hallmark is rapid adaptation: rebranding its ransomware, swapping tools, going quiet, and reappearing.
These criminals do not act like fast extortionists but rather like an old mafia focused on money. Their methods are traditional: bank thefts, phishing, and the use of trojans. They rely on experience and connections.
“In recent studies, we identified 'exotic' techniques previously characteristic only of Red Team operations. It is possible that among those attacking Russia are former IT specialists or Red Team members. We expect such methods to become more common,” warns Kirill Mitrofanov.
FIN7 (Carbanak) — Billionaire Disguisers
The FIN7 group, also known as Carbanak, stole over $1 billion through attacks on banks and on POS terminals in restaurants and hotels in the USA. Its style is disguise: it operated through front companies posing as IT security firms, hiring employees for fake penetration-testing projects so that criminal activity looked like legitimate work.
Despite arrests in Europe, the group continues to exist. Their distinction from Evil Corp is that they are closer to corporate fraud, attacking not only banks but also entire retail and hospitality networks.
“Each company defines the consequences of incidents in its own way, but we see that the actions of attackers are becoming increasingly aggressive and destructive. They not only steal and encrypt data but also delete it using wipers, making recovery impossible. This indicates an intention to cause maximum damage,” Mitrofanov says of current trends.
Heirs of Conti — The Disbanded Octopus
Although the Conti group formally disbanded in 2022, its members scattered into other groups, forming dozens of “Conti children” — such as Royal, Hive, and others. They retained their infrastructure, methods, and connections, making them still one of the most dangerous forces in cybercrime.
“The security market is consolidating around a few platforms, and integrators are becoming curators of ecosystems. The nearest trends are automated responses and identity security. In the long term — managing attack routes and post-quantum cryptography. The main driving factor is the cost of downtime: when every minute of downtime costs a business more than the ransom demanded by hackers,” concludes Alexander Dmitriev.