Cybersecurity leader highlights the most dangerous threat actors of the year to help organisations stay ahead of attacks
UAE – May 13, 2025 – Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, unveils its list of the Top 10 Masked Actors for 2025 – the most prolific cybercriminal groups shaping the global threat landscape. With this new ranking, Group-IB arms businesses with critical intelligence to better anticipate threats, strengthen their defences, and stay one step ahead of cybercrime.
The findings are drawn from Group-IB’s latest High-Tech Crime Trends Report, which delivers in-depth analysis, forecasts, and actionable insights from over 1,550 successful high-tech crime investigations.
Group-IB identified the 2025 Masked Actors through extensive intelligence, highlighting the scale, sophistication, and impact of these active threat groups across sectors and geographies. The 2025 Top 10 Masked Actors include:
- RansomHub – The Ransomware-as-a-Service (RaaS) operation that surfaced after ALPHV (BlackCat) disappeared. Accounting for nearly a fifth of ransomware victims between February and September 2024, it has quickly become a dominant force, targeting industrial manufacturing and healthcare sectors.
- GoldFactory – A nefarious mobile banking malware group responsible for GoldPickaxe.iOS, the first known iOS trojan designed to harvest facial recognition data for deepfake-enabled financial fraud.
- Lazarus – A North Korea-linked threat actor responsible for high-profile attacks on financial institutions and cryptocurrency platforms, with over $1.3 billion stolen in 2024 alone.
- DragonForce – An emerging hacktivist and ransomware group possibly linked to DragonForce Malaysia, that’s rapidly expanding its operations globally. It targets governments and corporations across multiple industries.
- OilRig – A Middle East-based group that’s been active for over a decade. OilRig specialises in increasingly sophisticated phishing attacks to gain intelligence from finance, energy, telecom, and government entities.
- MuddyWater – Another Middle East-based group. MuddyWater focuses on cyber espionage campaigns targeting NATO-affiliated nations, particularly through spear-phishing campaigns.
- Brain Cipher – A new Ransomware-as-a-Service (RaaS) group that surfaced in mid-2024. It made headlines after demanding an $8 million ransom following an attack on Indonesia’s national data center.
- Boolka – Representing a new wave of cybercriminals, Boolka specialises in exploiting website vulnerabilities. The group’s evolving stealth tactics and ability to adapt and deploy modular malware causes significant financial and reputational damage that’s likely affected thousands of businesses and users worldwide.
- Ajina – A rapidly growing Central Asian cybercrime group targeting everyday users of banking apps through sophisticated Android malware campaigns. Group-IB analysed over 1,400 unique samples, suggesting a significant number of affected users and an increasing global reach.
- Team TNT – Likely the most prolific Malicious Minds in crypto crime, Team TNT has gained infamy for its relentless cloud-focused cryptojacking and brute-force attacks, targeting Kubernetes, Redis, and Docker environments.
To delve into the inner workings of each of these threat groups, Group-IB is launching the Masked Actors podcast series, hosted by Gary Ruddell, a cyber threat intelligence expert, and Nick Palmer, a highly experienced financial crime fighter and Group-IB’s VP of Global Sales. The first episode will focus on the Gold Factory threat group and premieres today, May 13th, available on all major listening platforms.
A detailed overview of the top global threats, key threat actors, and their evolving tactics is available in the full High-Tech Crime Trends 2025 report. The report provides in-depth insights into the evolving threat landscape, equipping businesses and cybersecurity professionals with the intelligence to stay safe.
