
Group-IB Reveals Top 10 Most Dangerous Cybercrime Groups for 2025

UAE – May 13, 2025: Group-IB, a global leader in cybersecurity solutions, has released its list of the Top 10 Most Dangerous Cybercrime Groups for 2025. This ranking provides organizations with critical intelligence on the most active and sophisticated threat actors that are shaping the global cyber threat landscape. The list is part of Group-IB’s latest High-Tech Crime Trends Report, which offers in-depth analysis, forecasts, and actionable insights from over 1,550 successful high-tech crime investigations.
The Top 10 Most Dangerous Cybercrime Groups of 2025
Group-IB has identified the following 10 cybercrime groups as the most dangerous for 2025, based on their scale, sophistication, and impact across sectors and geographies:
1. RansomHub
- Type: Ransomware-as-a-Service (RaaS).
- Activity: Emerged after the disappearance of ALPHV (BlackCat) and quickly gained dominance, accounting for nearly 20% of ransomware victims between February and September 2024.
- Targets: Industrial manufacturing and healthcare sectors.
2. GoldFactory
- Type: Mobile banking malware.
- Activity: Developer of GoldPickaxe.iOS, the first known iOS trojan that steals facial recognition data for deepfake-enabled financial fraud.
- Targets: Financial institutions and mobile users.
3. Lazarus
- Type: State-linked cyber espionage and financial theft.
- Activity: A North Korean group responsible for stealing over $1.3 billion from financial institutions and cryptocurrency platforms in 2024.
- Targets: Financial and cryptocurrency sectors worldwide.
4. DragonForce
- Type: Hacktivist and ransomware group.
- Activity: Rapidly expanding operations globally, targeting governments and corporations across multiple industries.
- Region: Likely linked to DragonForce Malaysia.
5. OilRig
- Type: Advanced persistent threat (APT).
- Activity: Specializes in sophisticated phishing attacks to gather intelligence from finance, energy, telecom, and government entities.
- Region: Middle East.
6. MuddyWater
- Type: Cyber espionage.
- Activity: Focuses on spear-phishing campaigns targeting NATO-affiliated nations.
- Region: Middle East.
7. Brain Cipher
- Type: Ransomware-as-a-Service (RaaS).
- Activity: Gained notoriety after demanding an $8 million ransom from Indonesia’s national data center in 2024.
- Region: Global.
8. Boolka
- Type: Advanced web vulnerability exploitation.
- Activity: Specializes in exploiting website vulnerabilities with stealthy tactics and modular malware.
- Region: Global, affecting thousands of businesses.
9. Ajina
- Type: Android malware group.
- Activity: Targets banking app users with sophisticated malware; Group-IB has analyzed over 1,400 unique samples.
- Region: Central Asia, with a growing global reach.
10. TeamTNT
- Type: Cryptojacking and brute-force attacks.
- Activity: Focuses on cloud environments, including Kubernetes, Redis, and Docker, for illegal cryptocurrency mining.
- Region: Global.
Group-IB’s Commitment to Enhancing Cybersecurity Awareness
To help organizations better understand and defend against these emerging threats, Group-IB has launched the “Masked Actors” podcast series, hosted by cybersecurity expert Gary Ruddell and Nick Palmer, VP of Global Sales at Group-IB.
“Masked Actors” Podcast Series:
- First Episode: Focuses on the GoldFactory threat group.
- Availability: Streaming on all major podcast platforms starting May 13, 2025.
- Purpose: Provides in-depth insights into the tactics, techniques, and motivations of the world’s most dangerous cybercrime groups.
Get the Full High-Tech Crime Trends 2025 Report
For organizations seeking a more comprehensive understanding of the global cyber threat landscape, Group-IB’s full High-Tech Crime Trends 2025 report is now available. This detailed resource offers:
- Insights into the latest cybercrime tactics and strategies.
- Analysis of the top threat actors and their evolving methods.
- Actionable recommendations for strengthening cybersecurity defenses.