Top 10 Most Notorious Hacker Groups in History

Published on
most notorious hacker groups

The digital age has revolutionised the way we access information, streamline business and connect to other people,  but along with the positives it has opened doors into all aspects of our lives that criminals can exploit. 

The stereotypical impression of a ‘hacker’ or ‘cybercriminal’ often features lone hooded figure operating from a basement, preying on the elderly through phone and email spam.

However, cybercrime is big business. There are a range of powerful hacker groups with intricate structures and sophisticated tools that pose a significant threat to individuals, businesses, and even entire nations.

What is a hacker group?

A hacker group is an organization that collaborates to commit cybercrime.  They operate like a typical business with a structured hierarchy, with members specializing in different areas of cybersecurity expertise.

Also known as a ‘cybercriminal gang’ they tend to work in similar ways and demonstrate similar characteristics including:  

  • Organization: They operate with a defined leadership structure, often with individuals specializing in specific tasks like hacking, and financial management.
  • Collaboration: Members work together to achieve common goals, leveraging each other's skills and resources.
  • Sophistication: They often possess advanced technical knowledge and employ sophisticated tools and techniques to carry out their attacks.
  • Financial motivation: The primary goal of most hacker groups is financial gain, achieved through methods like ransomware attacks, data breaches, and online fraud.
  • Global reach: hacker groups operate across international borders, making them difficult to track and apprehend.

Hacking groups pose a significant threat to individuals, businesses, and even entire nations. They can disrupt critical infrastructure, cause significant financial losses, and compromise sensitive data.

What do hacker groups do? 

A hacker group's primary goal is usually financial gain, which isachieved through various malicious activities that exploit vulnerabilities in computer systems and networks.

A typical attack comes in multiple phases:

  • Reconnaissance: The initial phase involves gathering information about potential targets. This might involve using publicly available data, infiltrating social media accounts, or deploying malware to gather system information and identify weaknesses.
  • Planning and Attack Launch: Once a target is chosen, the gang meticulously plans the attack. This may involve developing custom malware, identifying entry points, and devising strategies to evade detection. The attack itself can take different forms, such as:
  • Phishing emails: Luring victims into clicking malicious links or downloading infected attachments.
  • Exploiting software vulnerabilities: Taking advantage of unpatched software to gain unauthorized access.
  • Social engineering: Tricking individuals into revealing sensitive information or granting access to systems.
  • Infiltration and Control: After breaching the target's defences, the gang establishes a foothold within the system. This might involve installing malware that allows them to steal data, manipulate systems, or deploy ransomware.
  • Extortion and Profit: Depending on their objective, the gang might.
  • Demand a ransom payment to decrypt stolen data or regain access to compromised systems (ransomware attacks).
  • Sell stolen data on the black market, such as credit card information or personal details.
  • Disrupt critical infrastructure or steal sensitive information for espionage purposes.
  • Evasion and Adaptation: hacking groups constantly evolve their tactics to stay ahead of security measures and avoid detection. This includes developing new malware strains, employing encryption techniques, and shifting their targeting strategies.

The most common cyber attacks used by hacker groups 


Malware, short for malicious software, is any software program or code intentionally designed to harm a computer system, network, or data. Unlike legitimate software, malware is designed with the sole purpose of causing harm, disruption, or financial gain for the attacker.

This harm can manifest in various ways, from stealing sensitive information and disrupting operations to encrypting files and demanding ransom for decryption. Malware can target individuals, businesses, organizations, or even critical infrastructure on a global scale.

Common types of malware include:

  • Viruses: Self-replicating code that can spread from one computer to another, infecting them and causing damage.
  • Worms: Similar to viruses, but they don't require a host program to replicate and spread.
  • Trojan horses: Disguise their true purpose as harmless software, tricking users into installing them, and allowing attackers access to the system.
  • Spyware: Steals sensitive information, such as passwords, browsing history, and keystrokes.
  • Ransomware: Encrypts files, preventing users from accessing their data and demanding a ransom payment for decryption.


Ransomware is a specific type of malware designed to hold a victim's data hostage. Ransomware uses encryption algorithms to scramble the victim's files, making them inaccessible. This can affect critical business documents, personal photos, or any other data stored on the infected device.

Once the files are encrypted, the attackers present a ransom demand, typically in the form of cryptocurrency, to provide the decryption key and regain access to the data.Ransomware attacks can cause significant disruption to individuals and organizations. Businesses can lose access to essential data, leading to operational delays, financial losses, and reputational damage.

The threat of permanently losing valuable data creates substantial psychological pressure on victims, making them more likely to pay the ransom.Attackers are constantly evolving their tactics, developing new encryption methods and employing "double extortion", where they not only encrypt data but also steal it, threatening to leak it publicly if the ransom is not paid.


Phishing is a deceptive attempt by cybercriminals to steal sensitive information, such as passwords, credit card details, or personal data, from individuals or organizations. Phishing is most commonly achieved through email but alternative methods including text, calls, and social media are on the rise.

Attackers disguise themselves as legitimate entities, such as banks, social media platforms, government agencies, or even trusted colleagues.They craft messages that create a sense of urgency or offer attractive incentives to encourage the victim to click on malicious links or open attachments. These links often lead to phishing websites designed to look identical to the real ones, tricking the victim into entering their personal information.

Once the victim enters their credentials on the fake website, the information is captured by the attacker and can be used for malicious purposes including financial fraud, identity theft and spreading malware. 

DDOS attack

A Denial-of-Service (DoS) attack is a malicious attempt to overwhelm a website, server, or network with excessive traffic, making it unavailable to legitimate users

Read more: 3 Million Smart Toothbrushes Turned into Botnet for DDoS Attack

Most Notorious hacker groups

Delve into the dark side of the digital world in this list as we explore ten of the most notorious hacker groups, exploring the string of cyber attacks that made them infamous.


Bian Lian’s adaptability makes them unpredictable, as they constantly evolve tactics, tools, and targets. The criminal group has targeted organisations in the critical infrastructure sectors of the US and Australia. BianLian has been able to exploit security vulnerabilities and place encryptions on sensitive data within breached networks by using an open-source ransomware variant. They utilize multi-pronged extortion, combining data encryption with the threat of leaks, and have a global reach.  BianLian has been able access to victim systems through valid Remote Desktop Protocol (RDP) credentials and then extort money by threatening to release the stolen data if a payment is not made. 

Victims have been reported across sectors with a typical focus on media and entertainment, as well as examples in healthcare, manufacturing and education. Their technical proficiency, including leveraging legitimate tools for malicious purposes, and shifting from ransomware to data extortion, highlights their evolving tactics.


BlackByte operates under the RaaS (ransomware-as-a-service) model, they offer their custom ransomware. This model allows them to distribute the technical burden and profit from attacks without directly carrying them out themselves. They seem to primarily target manufacturing and energy sectors, suggesting potential insider knowledge or exploiting specific vulnerabilities within these industries.

In 2021, Trustwave publicly released a BlackByte decrypter. However, BlackByte developers quickly released newer versions that used multiple keys, even warning victims against using the decrypter. BlackByte leverages technical expertise, including exploiting legitimate software, and employs "double extortion" tactics to maximize pressure on victims.

Vice Society

Vice Society has gained notoriety for targeting schools and universities. They exploit vulnerabilities in these educational institutions, often using pre-existing ransomware like HelloKitty, before resorting to "double extortion" tactics. Unlike other groups, Vice Society doesn't operate a RaaS (Ransomware-as-a-Service) model. This means they generally carry out the attacks themselves, demonstrating a higher level of technical sophistication and coordination. Vice Society’s initial ransom demands have exceeded $1 million. 

The cyber gang gained significant press attention in early 2023 because of a series of high-profile attacks including the San Franciso rapid transit system. Vice Society's exploitation of vulnerable sectors highlights the critical need for increased cybersecurity funding in the education sector, especially for smaller schools and districts


Royal ransomware has gained notoriety for targeting critical infrastructure and employing multi-extortion" tactics. They focus on phishing campaigns with 66% of their initial access is done through phishing, and have shown a global reach despite US-centric targeting.

Royal is estimated to have attacked over 350 victims, demanding ransom payments exceeding $275 million collectively. They have also been observed reinfecting victims months after their initial malware has been cleared. 

Black Basta

Black Basta quickly gained notoriety for its rapid attacks, sophisticated ransomware, and "double extortion" tactics. Despite initial reports of targeting English-speaking countries, Black Basta has expanded its reach, attacking organizations worldwide

Their first major attack targeted the American Dental Association (ADA) leading to the shut down of multiple systems. Just four days after the data was allegedly stolen it appeared on the Black Basta leak site. Operating on a RaaS (Ransomware-as-a-Service) model, they target organizations globally with their custom C++ ransomware, leaving little time for victims to react. 


REvil operated as a Ransomware-as-a-Service (RaaS), providing their tools and infrastructure to other cybercriminals for a cut of the profits. This model allowed them to widespread their reach and impact, targeting high-profile organizations. REvil was known for its ruthless tactics and high ransom demands, often targeting critical infrastructure and causing significant disruption.

REvil employed the "double extortion" tactic, not only encrypting data but also stealing it and threatening to leak it publicly. In 2022, the Russian Federal Security Service stated that they had dismantled REvil and criminally charged several of its members.

Evil Corp

Evil Corp, believed to operate from Russia, gained notoriety for developing and deploying the Dridex banking Trojan. This malware specifically targets financial institutions and individuals, maximizing potential ransom payouts and operational disruption. Through this method, Evil Corp has been responsible for stealing millions of dollars through fraudulent transactions and credential theft

Authorities in the US and UK authorities have alleged that Evil Corp operates with support from the Russian government, allowing them to function with a degree of impunity within Russian borders. Some analysts argue that Evil Corp's attacks align with Russian strategic interests, such as targeting Western critical infrastructure and institutions.


Also known as ALPHV and Noberu, BlackCat is known for its sophistication and effectiveness. They have demonstrated adaptability, constantly evolving their tactics, tools, and targets. This makes it particularly challenging to detect and defend against compared to other ransomware strains.

They employ a "triple extortion" tactic, not only encrypting data and threatening to leak it but also offering to launch Denial-of-Service (DoS) attacks against the victim. This overwhelms a website, server, or network with excessive traffic, making it unavailable, further amplifying pressure and potential damage. The hacker group is one of the most well-known ransomware gangs as it operates a public data leak site that further pressures victims to pay ransom demands. As of February 2024, the US government is offering up to $10 million in rewards for leads that could identify Blackcat gang leaders. The hacker group’s most recent cyber attack impacted thousands of pharmacies across the US after the gang claimed responsibility for a cyber attack on the health tech firm Change Healthcare.


CLOP, also known as CL0P, is a ransomware gang that has been prominent since 2019. It utilizes both traditional data encryption and "encryption-less" extortion, often targeting universities and employing advanced techniques to evade detection. Clop is most famous for its exploit of a critical vulnerability in Progress Software's MOVEit – a widely used managed file transfer (MFT) platform. The attack impacted over 2,700 organizations and 62 million individuals worldwide Based on the number of confirmed organizations affected, the cost of the MOVEit incident stands at around $9.9 million. However, considering not all victims have reported the number of individuals impacted, the potential cost could continue to rise to as much as $65 million. 

The US Cybersecurity and Infrastructure Security Agency (CISA) states that CLOP is a key driver of trends in malware distribution. It also typically avoids targets in former Soviet countries, with its malware unable to breach a computer that operates primarily in Russia.Their adaptability and willingness to shift strategies mean that institutions must implement robust cybersecurity measures to stay protected.


LockBit is largely considered to be the most notorious hacker gang known for using the Ransomware-as-a-Service (RaaS) model. It develops and distributes ransomware software that other threat actors can use to target and extort victims Since 2021, LockBit has employed a "double extortion" tactic, where they not only encrypt data but also exfiltrate it before threatening to leak it publicly if the ransom isn't paid. This increases pressure on victims to comply. In February 2024, a significant development occurred when international law enforcement agencies collaborated to seize control of LockBit's dark web infrastructure, disrupting their operations.

LockBit is responsible for numerous large-scale ransomware attacks against businesses, and organizations, with victims including the UK Ministry of DefenceRoyal Mail and the NHS, and it has racked up victims in recent months with companies and organisations from around the world falling victim to its onslaught. The group has far outpaced other ransomware gangs since it emerged in late 2019, with researchers at Recorded Future attributing nearly 2,300 attacks to the group. For comparison, CLOP – the second most notorious gang – has only been several hundred attacks. LockBit’s website was recently taken down in “Operation Cronos” – a joint move by the UK’s National Crime Agency (NCA), the FBI, and Europol to disrupt its operations. It’s yet to be seen if LockBit will remain the most notorious hacker group as we head into 2024 because of this.