Most Active Threat Groups

Ranked by intelligence feed activity in the last 30 days

Attribution lags activity. Many incidents are never publicly attributed — victims stay silent, investigations take months, and skilled groups hide their tracks. Groups marked Watchlist are highly active in expert and law-enforcement channels even when this month's incidents cannot yet be pinned to them.

Today's most dangerous threat actors are not the shadowy state operatives of Cold War imagination. Many are digitally native, Gen Z gamers who taught themselves to hack in their bedrooms, graduating from gaming exploits to corporate extortion before they were old enough to vote. Groups like Lapsus$ and Scattered Spider built their tradecraft through online communities, Discord servers, and sheer audacity rather than formal training.

The landscape spans three broad actor types: criminal enterprises motivated purely by financial return, operating with the sophistication of legitimate businesses; hacktivists and loosely affiliated collectives with ideological or reputational goals; and state-sponsored operations ranging from North Korea's directly government-run cyber units funding the regime through ransomware, to China's disciplined long-term espionage programmes, to Russia's deliberately ambiguous relationship with criminal groups it tolerates, enables, and occasionally directs.

What unites them is capability, speed, and the asymmetric advantage of attacking at scale against defenders stretched across thousands of systems. The groups below represent the most reported in our intelligence feed over the last 30 days.

Loading threat actor data…

Group activity derived from feed intelligence items. Mention frequency reflects source reporting volume, not confirmed attack count. Watchlist entries reflect expert and law-enforcement visibility rather than this month's attributed reporting.