THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Top 10 Most Notorious Hacker Groups in History

Hacker groups exploit weaknesses in software and systems. They're clandestine collectives whose size can range from a few operators to sprawling criminal networks spread out across the globe. But they're typically united by a single goal or methodology.

Of course, not all hackers operate with malicious intent. Many "white hat" or "ethical hackers" work to strengthen digital defenses, using their skills to protect systems from the predatory activities of their "black hat" counterparts.

Here, we're going to talk about hacker groups that have engaged in criminal activity, regardless of motive. The groups below aren't penetrating defenses just for the challenge.

What Do Hacker Groups Do?

Hacker groups exist for many reasons: financial gain, political motives, social justice advocacy, cyber espionage, or simply the desire to sow chaos.

Their methods are diverse and often sophisticated. They can deploy malware or ransomware to corrupt systems, conduct phishing operations to steal sensitive information or launch Distributed Denial of Service (DDoS) attacks to overwhelm targeted networks.

They may exploit zero-day vulnerabilities or use advanced persistent threats (APTs) for extended surveillance or data theft. Attackers may use other tactics, such as defacing websites to spread messages and doxing, which involves making private information public.

The 10 Most (In)Famous Hacking Groups

Below are ten of the most infamous hacker groups in history, along with the damage they're believed to have caused ranging from vital infrastructure attacks to disrupting global order.

1. Anonymous

Anonymous is a good example of a hacktivist collective that believes its work makes the world a better - or at least fairer - place. You may recognize their symbols - Guy Fawkes masks and the slogan "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us." They have claimed their work is about advocating for freedom of speech, government transparency, internet freedom, and social justice.

The methods of Anonymous involve deploying Distributed Denial of Service (DDoS) attacks to overwhelm websites and make them inaccessible. They have also engaged in data theft and leaked sensitive information from various organizations.

They gained notoriety during events like Occupy Wall Street and the Charlie Hebdo attacks. They're also the masterminds behind Operation Payback, which targeted PayPal, Visa, and Mastercard after the companies cut off payment services to Wikileaks. Anonymous played a significant role in the  Arab Spring uprisings, creating tools like Tor and VPNs to help protestors organize and share information while disabling and defacing government websites.

Authorities have arrested hackers who claim to be part of Anonymous over the years, but the group's decentralized nature makes tracking down or prosecuting members challenging. LulzSec, a spin-off group, has been linked to Anonymous due to the similar nature of their attacks, and some of its members were arrested and prosecuted for high-profile attacks, including hacks against Sony and News International.

2. Fancy Bear, APT29 (Cozy Bear), and Pawn Storm

Fancy Bear (also known as APT28, Cozy Bear, Pawn Storm, Sednit, STRONTIUM, and Sofacy) is a cyber espionage group believed to have ties to the Russian military agency GRU. While they remain a threat, Ukrainian hacktivists Kiber Sprotyv claim to have identified its leader.

The group has been active in some form since 2004 and has targeted government entities, defense contractors, news media, politicians, healthcare, and financial institutions. Their most notorious escapade is the 2016 hack of the Democratic National Committee (DNC) during the U.S. presidential election.

Fancy Bear earned recognition for crafting a custom malware arsenal, including XAgent, X-Tunnel, WinIDS, Foozer, and DownRange. They also employ spear-phishing campaigns and exploit zero-day vulnerabilities to gain unauthorized access to systems.

3. Lazarus Group

Lazarus Group is a notorious North Korean hacker group known for its destructive cyberattacks. They gained worldwide attention for its 2014 hack of Sony Pictures in retaliation for the movie The Interview.

The group is also responsible for the global WannaCry ransomware attack in 2017 that encrypted users' files, demanding a ransom in Bitcoin for decryption. 

Lazaruas Group has stolen billions of dollars from banks in Ecuador, Vietnam, Poland, Mexico, and Bangladesh. They use a variety of tactics in their operations but are best known for their spear-phishing campaigns leading to the installation of their own custom malware, such as Destover and Joanap.

Silent Chollima, DarkSeoul, and Whois Team are also thought to be North Korean hackers, and some experts believe they might be sub-groups or different names used by Lazarus Group. Their targets have included government agencies, media organizations, defense contractors, and supply chains

4. Carbanak (Anunak)

Carbanak, also known as Anunak, operates out of Eastern Europe and has targeted banks and other financial institutions worldwide, resulting in the theft of over $1 billion. Later, Carbanak expanded its attacks to target hospitality and retail sectors, compromising point-of-sale (POS) systems and stealing credit card data.

This group employs a combination of social engineering, spear-phishing, and malware deployment, such as remote access Trojans (RATs), to execute fraudulent transactions, manipulate account balances, and access sensitive financial data. They typically transfer stolen money to dummy accounts or pre-paid debit cards, but they've also engaged in manipulating ATMs.

The primary members of the groups were arrested and sentenced in 2018, but POS attacks later that year indicated that they could still pose a threat under the name FIN7.

5. The Dark Overlord

The Dark Overlord group gained notoriety for its ruthless extortion and high-profile data breaches. They target organizations and individuals to steal sensitive data and then use that information to blackmail them. They have focused on medical databases and Hollywood production studios, often demanding large sums of money in exchange for not releasing the stolen data to the public.

One of their most infamous attacks was the hack of Netflix's show "Orange Is the New Black," where they leaked unreleased episodes and demanded ransom. But among their most sinister are the attacks on healthcare providers, during which they stole sensitive patient information and threatened to expose it (even selling some on the dark web) unless their demands were met, as well as threats sent to school districts to extort parents.

Their methods involve sophisticated cyber-espionage tools as well as social engineering, spear-phishing, exploiting zero-day exploits, and deploying ransomware.

While Nathan Wyatt has been identified as The Dark Overlord and sentenced to prison, some cyber researchers believe the original culprits have gone on to found the hacking groups Gnostic Players, NSFW, and Shiny Hunters.

6. The Equation Group

The Equation Group is a cyber-espionage group believed to be linked to the United States National Security Agency's (NSA) Tailored Access Operations (TAO) unit. Active since at least 2001, they are suspected of being involved in the Stuxnet worm attack on Iran's nuclear facilities and have also targeted governments, military organizations, financial institutions, and telecommunications companies in Russia, Pakistan, Afghanistan, India, Syria, and Mali.

One of their primary methods is using zero-day vulnerabilities to gain access to systems, allowing them to implant highly sophisticated and persistent malware like Flame, EquationDrug, and GrayFish, capable of reprogramming hard disk drive firmware to create hidden disk areas and virtual disk systems. The group's name originated from its extensive use of encryption, which makes detection challenging.

In 2015, a group known as the Shadow Brokers claimed to have hacked the Equation Group and released some of their hacking tools, causing significant concern in the cybersecurity community.

7. TA505 (Evil Corp)

TA505, also known as Evil Corp, has been active since at least 2009. The group has been linked to Russia and is known for its cyberattacks on financial institutions in the United States, United Kingdom, and Germany, as well as healthcare organizations, government agencies, and educational institutions.

One of their primary tools is the Dridex banking Trojan, which they have used to steal login credentials, financial information, and other sensitive data from banks and financial institutions. TA505 has engaged in extensive wire fraud to steal from victims.

TA505 also uses social engineering techniques to send millions of malicious emails, often impersonating well-known companies or entities to deceive victims into opening malicious attachments or clicking on malicious links to deliver various ransomware strains.

The group is still active and evolving.

8. DarkSide

DarkSide is believed to be operating in Eastern Europe, specifically Russia. Their tools are ransomware attacks and extortion. In fact, this group operates using a "ransomware as a service" model, where they provide affiliates with access to their ransomware in return for a percentage of the ransom payments. These have been reported to be around 25% for amounts under $500,000 and 10% for larger sums above $5 million.

DarkSide claims to be apolitical, and they avoid targeting certain geographic locations to exclude former Soviet countries. They also refrain from attacking healthcare centers, schools, and non-profit organizations.

Their most notorious attack was the Colonial Pipeline cyberattack, after which they announced they were shutting down operations and disbanding their affiliate program. However, cybersecurity experts have suggested this might be a ploy to allow the group to reemerge under a different name.

9. Morpho

The origins and exact location of Morpho remain largely unknown. Capitalizing primarily on zero-day vulnerabilities, they target the intellectual property of government agencies, financial institutions, technology companies, and healthcare providers. Their most well-known attacks against Microsoft, Apple, Twitter, and Facebook took place in 2013.

Morpho also uses social engineering and custom-built malware to breach the defenses of its targets and remain undetected for extended periods.

Apprehending members of Morpho has proven challenging for cybersecurity experts and law enforcement agencies.

10. Lapsus$

Lapsus$ (aka DEV-0537) is an international hacker group with a focus on extortion. The group uses Telegram for public communication with its 50,000+ subscribers, including recruitment and posting sensitive data from their victims.

In 2021, the group attacked the Brazilian Health Ministry, took down the website, and deleted sensitive data. More brazen attacks took place in 2022, first against large tech companies like Microsoft, Nvidia, and Samsung in March, and then again in September against Uber and Rockstar Games.

Lapsus$ used social engineering to hack into access management company Okta, gain unauthorized access to Nvidia's systems, and access user data from the Mercado Libre online marketplace. They've also employed multi-factor authentication (MFA) fatigue as a tactic in their attack on Uber.

The group's mastermind turned out to be a 16-year-old from Oxford, England. While he was arrested in 2022, Lapsus$ remains a threat, and its members appear to be primarily teenagers from England and Portugal.

Pentesting for Cybersecurity Against Hackers

These 10 groups show just how creative and relentless attackers can be, and their actions highlight the need for robust and proactive cybersecurity measures. They also make clear that cybersecurity isn't just a one-time solution, but rather an ongoing and adaptive process that organizations need to keep up with to protect data, money, property, and infrastructure.

The lessons learned from studying hacker groups' tactics underscore the value of proactive and anticipatory cybersecurity approaches like pentesting. By employing penetration testing services first, organizations can strengthen their defenses, mitigate risks, and stay one step ahead of ever-present cyber threats.

Read more about famous attackers with Top 10 Most Famous Female Hackers.

Live pentest demo

Back to Blog
About Jacob Fox
Jacob Fox is a search engine optimization manager at Cobalt. He graduated from the University of Kansas with a Bachelor of Arts in Political Science. With a passion for technology, he believes in Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. He focuses on increasing Cobalt's marketing presence by helping craft positive user experiences on the Cobalt website. More By Jacob Fox