October 5, 2025
Top 10 Hacking Groups In the World in 2025
Mohammed Khalil
In 2025, a small set of actors drive the majority of serious incidents. State aligned units, including APT29, APT28, Sandworm, APT41, and Volt Typhoon, pursue durable access. They target cloud identities, email tenants, edge devices, and suppliers. Financially motivated crews, including Scattered Spider, RansomHub, Akira, and Clop, monetize access through data theft and extortion.
Top risks: cloud token theft, OAuth abuse, password spraying at scale, supply chain compromise, living off the land inside IT that touches OT, large volume exfiltration before any encryption.
Top groups to track: Volt Typhoon for disruption risk, Lazarus for high value theft, APT29 and APT28 for cloud and email tradecraft, Sandworm for OT adjacent operations, Scattered Spider and leading ransomware brands for extortion pressure.
Top controls: phishing resistant MFA for all admin and service accounts, strict OAuth consent and app governance, rapid edge patching, vendor access gates with SBOM and key handling rules, protected and tested backups for critical apps, and rehearsed incident playbooks.
Measure progress with admin FIDO coverage, OAuth risk score, edge patch velocity, and mean time to contain.
If you are trying to understand who actually drives today’s cyber incidents, you need to look at a small set of prolific threat groups that keep evolving. In 2025, the picture is clear. Russia- and China-aligned espionage units focus on cloud identities, critical infrastructure, and supply chains. North Korea’s Lazarus doubles down on high value crypto heists to fund the regime. Financially motivated collectives like Scattered Spider and RaaS crews such as RansomHub, Akira, and Clop continue to pressure enterprises through extortion and data theft. This guide gives you a current, source-backed view of the top 10 hacking groups in 2025, what they did recently, how they operate, and the defenses that actually help. Key takeaways include identity-first hardening for cloud workloads, strict third-party risk controls, and prepared incident playbooks for extortion-driven attacks. All claims are verified with recent advisories and threat-intel reports, so you can brief your leadership and tune controls with confidence.
Security leaders, IT, SecOps, OT owners, and procurement can use these profiles to brief leadership, prioritize identity first controls, and tune detections. Start with MFA coverage for admins and service accounts, OAuth governance, and edge patch velocity. Close with tabletop exercises and sector specific controls.
We include APTs, ransomware crews, and mixed motive actors. Ranking blends impact, recency, repeatability, and cross sector reach. Sources include government advisories, vendor DFIR, and first party telemetry where available. Evidence is tagged and dated. We review quarterly and after major advisories. Examples include CISA and Five Eyes guidance on Volt Typhoon and joint advisories on Russian GRU activity. CISA
We weigh four factors. Impact, recency, repeatability, and cross sector reach. Novel tradecraft earns weight, for example stealthy router botnets and living off the land operations in infrastructure pre-positioning. We adjust for visibility bias since some victims disclose more than others.
Who they are
APT29, also called Midnight Blizzard or Nobelium, is Russia’s SVR-linked espionage actor that targets governments, NGOs, and tech providers. They have a long track record of cloud provider and MSP compromises that let them pivot into downstream tenants. Microsoft
What they did in 2025
After Microsoft’s 2024 breach disclosure, activity continued into 2025 as the group tried to reuse exfiltrated secrets and escalated password-spray attempts. Multiple government advisories remain focused on their cloud initial access techniques. Reuters
Key TTPs to watch
Password spraying of legacy or service accounts, OAuth abuse, residential proxies, and spear-phish with RDP or LNK lures. NCSC and CISA note direct targeting of cloud identities. NCSC
How to defend
Mandate phishing-resistant MFA for admins and service accounts, restrict OAuth app consent, and monitor token issuance anomalies. Review any supplier email threads that contain secrets.
Sandworm, APT44
Who they are
Sandworm is a GRU unit associated with disruptive operations against Ukraine and European infrastructure, including ICS targets. Google Cloud
What they did in 2025
Microsoft and others exposed a subgroup running a multiyear “BadPilot” initial access operation. Separate research shows Sandworm using trojanized KMS activation tools to spy on Ukrainian targets, sustaining campaigns that blend espionage with operational impact potential. Microsoft
Key TTPs to watch
Supply-chain compromise, wipers, and abuse of cracked software in target environments. Prepare for OT pivot risk. EclecticIQ Blog
How to defend
Control unlicensed software, segment OT from IT, and simulate ICS failover. Validate backups can restore ICS historian and HMI servers quickly.
Lazarus Group
Who they are
North Korea’s premier threat actor mixes espionage with large-scale theft. Their 2025 focus includes record crypto exchange heists and developer-focused supply-chain attacks.
What they did in 2025
Chainalysis reports about 2.17 billion dollars in crypto stolen in H1 2025, with an estimated 1.5 billion dollars attributed to the Bybit incident, which the FBI linked to DPRK. Kaspersky also details Lazarus watering-hole attacks against South Korean software ecosystems.
Key TTPs to watch
Malicious npm packages, credential theft, social engineering of devs, and exploitation of zero-days in local software.
How to defend
Lock down developer package sources, enforce hardware keys for crypto systems, and monitor for unusual Git or CI activity that touches secrets.
Volt-Typhoon
Who they are
A PRC-aligned group pre-positioning in US critical infrastructure. Agencies warn this is not typical espionage, it aims to enable disruption during crises. CISA
What they did in 2025
Five Eyes partners issued fresh guidance in August 2025. Analysts continue to highlight living-off-the-land tradecraft, stealthy router botnets, and long dwell time. CISA
Key TTPs to watch
LotL commands through native admin tools, legacy router exploitation, and credentialed lateral movement in IT networks that touch OT. CISA
How to defend
Eliminate end-of-life network devices, rotate device creds, enable deep command telemetry, and rehearse manual operations for OT. DFPI
Expert note: “Volt Typhoon shows a shift from data theft to pre-positioning in civilian infrastructure, a pressure lever during a crisis,” said US officials, summarised in a 2025 policy testimony. Council on Foreign Relations
APT41, Wicked Panda
Who they are
A long-running China-linked collective that blends state espionage and cybercrime. It targets many sectors and is known for supply-chain and custom malware operations. IBM
What they did in 2025
Google’s threat team detailed fresh tactics. Proofpoint tracked mid-2025 campaigns against US policy orgs. Kaspersky linked APT41 activity to a government IT intrusion in Africa. Google Cloud
Key TTPs to watch
Spear-phishing with policy lures, web app exploits, ShadowPad ecosystem tools. SCM Demo
How to defend
Harden public apps, isolate management interfaces, and require step-up auth for admins. Google Cloud
APT28, Fancy Bear
Who they are
Russia’s GRU-linked intrusion set. It has targeted European logistics and IT firms since 2022 with recurring 2025 activity. CERT-EU
What they did in 2025
A May 2025 joint advisory calls out APT28’s campaign against Western logistics. CERT-FR and CERT-EU flagged spear-phishing, novel malware, and ongoing targeting of French entities. U.S. Department of War+1
Key TTPs to watch
Cloudflare-themed lures, Telegram-assisted filtering, Outlook backdoors, and LLM-assisted lure gen spotted in the wild. CERT-EU
How to defend
Block third-party OAuth grants by default, inspect email auth, and hunt for unusual mail rule creation. U.S. Department of War
Scattered Spider, Octo Tempest
Who they are
A financially motivated group known for elite social engineering, SIM swaps, and RaaS partnerships. Targets include telcos, airlines, retail, and finance. MITRE ATT&CK
What they did in 2025
Microsoft and multiple vendors documented continuing attacks. Reports highlight a rise in MFA bypass through AiTM kits, and fresh intrusions across multiple industries. Microsoft+1
Key TTPs to watch
Help-desk pretexting, MFA fatigue, SSO session theft, ESXi impact. CSO Online
How to defend
Adopt number-matching or FIDO2 for admins, block legacy voice or SMS MFA for high-risk roles, and train help-desk staff on strict identity proofing. CISA
Who they are
A fast-rising ransomware brand with visible victim postings and aggressive negotiation playbooks. SCM Demo
What they did in 2025
Ranked by Flashpoint as one of the top groups in the mid-year snapshot, alongside Akira and Clop. SCM Demo
Key TTPs to watch
Data theft first, then selective encryption. Steady use of bought access and affiliates. SCM Demo
How to defend
Patch edge devices, monitor for exfiltration channels, and stage clean rebuilds for core apps. SCM Demo
Who they are
A prominent ransomware operation that hits both SMBs and large enterprises, now common in 2025 incident feeds. SCM Demo
What they did in 2025
Akira appears in Flashpoint’s top five for the first half of 2025. Activity includes VPN abuse and dual extortion. SCM Demo
Key TTPs to watch
Credential reuse, targeting of NAS and ESXi, quick exfil to leak portals. SCM Demo
How to defend
Rotate VPN creds, enforce device certificates, and disable unmanaged legacy VPN protocols. SCM Demo
Who they are
Best known for mass exploitation campaigns and pure data-theft extortion. Still relevant in 2025 rankings despite law-enforcement pressure. SCM Demo
What they did in 2025
Appears in the mid-year ransomware top five. The playbook prioritizes mass exploitation over noisy encryption. SCM Demo
Key TTPs to watch
Zero-day exploitation of file transfer or edge services, large multipart exfiltration runs. SCM Demo
How to defend
Track vendor advisories, apply virtual patching with WAF rules, and pre-approve outage windows to patch fast. SCM Demo
Who is the most dangerous hacking group in 2025?
For disruption risk, Volt Typhoon worries defenders because it targets civilian infrastructure. For theft, Lazarus leads with record crypto heists. CISA
Are nation-state actors still using ransomware?
Yes, some state-linked groups blend espionage with profit. APT41 is a notable example of mixed motivation. IBM
What single control reduces most risk now?
Phishing-resistant MFA plus conditional access for all administrator roles, including third parties. CISA
Is DDoS still a serious threat in 2025?
Yes. Hacktivist DDoS remains common around events, although infrastructure takedowns can slow specific groups. ENISA
Which ransomware groups should I track first?
RansomHub, Akira, and Clop rank high in 2025 incident data. Prepare for double extortion and quick exfiltration.
Stay secure with DeepStrike penetration testing services. Reach out for a quote or customized technical proposal today
Contact Us