The Top 20 Most Dangerous Threat Actors of All Time (2026 Edition)

From Russia's Sandworm to North Korea's Lazarus Group and the LockBit ransomware empire, these are the 20 most dangerous threat actors of all time — ranked by real-world damage, with aliases, motives, and the billions they've cost.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

Not all threat actors are created equal. A handful of groups — some run by nation-state intelligence services, others by Russian-speaking cybercrime syndicates — have caused damage measured in billions of dollars, crippled hospitals and pipelines, and rewritten how the world thinks about cyber conflict. This 2026 edition ranks the 20 most dangerous threat actors of all time by their real-world impact: financial destruction, victim count, strategic reach, and staying power.

Each entry lists the group's known aliases (the same actor is often tracked under a dozen different names by different vendors — see cyber attribution for why), their country or affiliation, their main objective, and the best publicly reported estimate of the money they've stolen or destroyed. Attribution is hard and estimates vary by source, so we focus on scale and documented impact rather than false precision.

How this ranking works

Ranking threat actors is not a pure dollar exercise. A ransomware crew that extorts $500M is enormously damaging, but a state-sponsored advanced persistent threat (APT) that wipes critical infrastructure or steals a decade of intellectual property can be far more consequential even when no ransom changes hands. Our ranking weighs four factors:

  • Financial destruction or gain — direct theft, ransom paid, and collateral damage from destructive attacks.
  • Scale — number of victims and breadth of sectors and countries hit.
  • Strategic impact — damage to national security, critical infrastructure, or entire industries.
  • Persistence — how long the group has stayed active, evolved, or survived law-enforcement takedowns.

1. Sandworm (APT44 / Voodoo Bear / Seashell Blizzard)

Country: Russia (GRU) · Status: Active · Objective: Destructive cyberwarfare and infrastructure disruption.

Sandworm — tracked as APT44, Voodoo Bear, Telebots, and Seashell Blizzard — is the most destructive threat actor in history. Operated by Russia's GRU military intelligence, the group caused the NotPetya attack of 2017, a wiper disguised as ransomware that spread globally and inflicted an estimated $10 billion in worldwide damage. The U.S. Department of Justice noted NotPetya caused nearly $1 billion in losses to just three named victims. Sandworm also triggered the first confirmed power-grid blackouts caused by a cyberattack, in Ukraine. It sits at number one because it demonstrated that code can cause physical, geopolitical, and economic destruction at national scale.

2. Lazarus Group (Hidden Cobra / APT38 / BlueNoroff)

Country: North Korea (DPRK) · Status: Active · Objective: Crypto theft, sanctions evasion, espionage.

Lazarus Group — also tracked as Hidden Cobra, APT38, BlueNoroff, TraderTraitor, and Andariel — is North Korea's state-sponsored money engine. Chainalysis attributes roughly $6.75 billion in all-time crypto theft to DPRK-linked hackers, including about $2.02 billion stolen in 2025 alone. The group funds the regime and its weapons programs through record-breaking crypto-exchange heists, fraudulent IT-worker schemes, and the WannaCry ransomware outbreak. No other financially motivated actor has stolen as much, making Lazarus the most successful cyber-theft operation ever run by a government.

3. REvil (Sodinokibi / GandCrab lineage)

Country: Russian-speaking cybercrime · Status: Brand disrupted; ecosystem persists · Objective: Ransomware-as-a-service extortion.

REvil (Sodinokibi), descended from the GandCrab crew, defined the modern big-game ransomware era. The DOJ tied the operation to more than $700M in ransom demands across 2,500+ attacks, including the Kaseya supply-chain attack that hit thousands of downstream businesses in one stroke. Though the brand was disrupted by arrests and infrastructure seizures, its affiliates and code lineage seeded much of today's ransomware ecosystem.

4. FIN7 (Carbanak / Cobalt Group / Sangria Tempest)

Country: Eastern Europe / Russian-speaking · Status: Active and evolved · Objective: Bank theft, card theft, ransomware enablement.

FIN7 — also Carbanak, Cobalt Group, Carbon Spider, and Sangria Tempest — is one of the most financially prolific cybercrime organizations ever. Europol attributed more than €1 billion in losses to the financial industry from the Carbanak and Cobalt campaigns, which drained banks by manipulating ATMs and payment systems. FIN7 has since pivoted into ransomware enablement and continues to evolve, operating with the discipline of a legitimate business — even running fake security companies to recruit talent.

5. LockBit (LockBitSupp)

Country: Russian-speaking cybercrime · Status: Degraded but still relevant · Objective: RaaS double extortion.

LockBit was the world's most active ransomware-as-a-service brand for years. DOJ and UK NCA reporting tied it to more than $120M in ransom payments received, over 2,000 victims, and hundreds of millions in demands. Its 2024 disruption by international law enforcement (Operation Cronos) seized infrastructure and unmasked its leadership, but the brand's affiliate model and prolific output make it one of the most damaging ransomware operations in history.

6. ALPHV / BlackCat (Noberus)

Country: Russian-speaking RaaS ecosystem · Status: Brand collapsed after 2024 · Objective: Ransomware and data extortion.

ALPHV, also called BlackCat or Noberus, was a technically sophisticated RaaS written in Rust. The FBI attributed more than $300M in ransom payments from 1,000+ victims. Its most infamous hit — Change Healthcare — caused multi-billion-dollar disruption across the U.S. healthcare payment system before the group performed an apparent exit scam and collapsed in 2024. Its affiliates scattered into other operations.

7. Conti (Wizard Spider / TrickBot / Ryuk)

Country: Russia-based cybercrime · Status: Conti brand inactive; alumni active · Objective: Ransomware, botnets, extortion.

Conti — linked to Wizard Spider, the TrickBot botnet, and Ryuk ransomware — ran ransomware like a corporation, complete with salaries and HR. The DOJ tied it to more than $150M in ransom payments across 1,000+ victims, including attacks that paralyzed Costa Rica's government. After leaked internal chats exposed the operation in 2022, the brand dissolved — but its alumni seeded Black Basta, Royal, and other successors, making Conti the most influential ransomware "family tree" in the ecosystem.

8. Cl0p (TA505 / FIN11 / Lace Tempest)

Country: Russian-speaking cybercrime · Status: Active and evolving · Objective: Mass data theft, zero-day exploitation, extortion.

Cl0p (CLOP) — tied to TA505, FIN11, and Lace Tempest — perfected mass extortion through supply-chain zero-days. By exploiting a single flaw in the MOVEit file-transfer tool, the group breached thousands of organizations at once; the MOVEit campaign alone was estimated to potentially yield up to $100M in extortion payments. Cl0p pioneered the shift from encryption to pure data-theft extortion, weaponizing zero-days in managed file-transfer software to industrialize breaches.

9. APT41 (Winnti / Wicked Panda / Double Dragon)

Country: China-linked · Status: Active · Objective: Espionage, IP theft, supply-chain attacks, game-sector theft.

APT41 — also Winnti, BARIUM, Double Dragon, and Wicked Panda — is unusual for blending state espionage with personal financial crime. The DOJ charged its members in connection with intrusions at 100+ organizations worldwide, spanning healthcare, telecoms, and the video-game industry (where they stole in-game currency). There's no clean public dollar figure, but its dual espionage-and-profit model and global victim count make it one of China's most dangerous and versatile actors.

10. Evil Corp (Indrik Spider / Dridex)

Country: Russia-based cybercrime · Status: Active via rebrands · Objective: Banking theft, ransomware.

Evil Corp — Indrik Spider, of Dridex and Bugat fame — stole more than $100M from banks and financial institutions via the Dridex banking trojan, per the U.S. Treasury, which sanctioned the group. To evade those sanctions (which make paying their ransoms illegal), Evil Corp has repeatedly rebranded and cycled through affiliate operations such as UNC2165, making it a case study in how sanctioned actors persist.

11. Black Basta

Country: Russian-speaking; Conti-linked · Status: Brand weakened; members likely active · Objective: Ransomware extortion.

Black Basta emerged from the Conti diaspora and quickly became a top-tier RaaS, hitting healthcare, manufacturing, and critical infrastructure. Public estimates vary, but the group is credibly tied to $100M+ in payments and hundreds of millions in demands. Leaked internal chat logs in 2025 exposed its operations and strained the brand, but its experienced members remain a threat across successor operations.

12. Akira

Country: Likely Russian-speaking cybercrime · Status: Active · Objective: RaaS extortion.

Akira is one of the most active ransomware operations of the mid-2020s, favoring VPN and remote-access weaknesses for initial access. TRM Labs profiled roughly $244M in total proceeds by late 2025, including about $150M in 2025 alone. Its aggressive targeting of small and mid-sized businesses — often with weak defenses — has made it a persistent, high-volume threat.

13. DarkSide / BlackMatter

Country: Russian-speaking cybercrime · Status: Brand inactive; successors persist · Objective: Big-game ransomware.

DarkSide became a household name after the 2021 Colonial Pipeline attack, which triggered fuel shortages across the U.S. East Coast and put ransomware on every government's agenda. Elliptic tracked more than $90M in Bitcoin ransom payments from around 47–50 victims. The intense law-enforcement heat that followed pushed the group to rebrand as BlackMatter before shutting down — a landmark case in how one attack can reshape national policy.

14. Scattered Spider (UNC3944 / Octo Tempest / The Com)

Country: Mostly English-speaking cybercrime · Status: Active despite arrests · Objective: Social engineering, SIM swap, cloud takeover, extortion.

Scattered Spider — UNC3944, Octo Tempest, Muddled Libra, part of the loose "The Com" collective — proved that elite social engineering beats malware. Young, native-English-speaking members talk their way past IT help desks, hijack SIM cards, and seize cloud environments. Reuters reporting in 2026 tied the group to $100M+ in ransom payments and extensive additional damage, including high-profile casino and retail breaches. Even after multiple arrests, the decentralized crew keeps operating.

15. Hive

Country: RaaS cybercrime · Status: Disrupted in 2023 · Objective: Ransomware extortion.

Hive was a prolific RaaS that the DOJ tied to more than $100M in ransom payments from 1,500+ victims, heavily targeting hospitals and healthcare. It's notable for how it ended: the FBI covertly infiltrated Hive's infrastructure for months, quietly handing out decryption keys to victims before seizing the operation in 2023 — a landmark example of proactive disruption rather than after-the-fact prosecution.

16. Royal / BlackSuit

Country: Conti-linked · Status: Active and evolved · Objective: Ransomware extortion.

Royal, which later rebranded as BlackSuit, is another Conti-lineage operation. FBI and CISA reporting tied it to more than $275M in ransom demands from 350+ victims, including attacks on U.S. critical infrastructure and city governments. Its high per-victim demands and focus on essential services make it one of the more damaging successor brands to emerge from the Conti collapse.

17. ShinyHunters (Bling Libra / UNC6040)

Country: International cybercrime · Status: Active · Objective: SaaS/cloud data theft, extortion, database resale.

ShinyHunters — Bling Libra, UNC6040 — specializes in stealing and reselling massive databases from cloud and SaaS platforms. The Snowflake-linked campaign reportedly affected around 165 customer accounts, including major breaches such as Ticketmaster and a large telecom, largely by abusing stolen credentials without needing malware. There's no single clean payout total, but the group's volume of leaked records — often dumped or sold on cybercrime forums — is staggering.

18. APT29 (Cozy Bear / Midnight Blizzard / Nobelium)

Country: Russia (SVR) · Status: Active · Objective: Strategic espionage, supply-chain compromise.

APT29 — Cozy Bear, Midnight Blizzard, Nobelium, The Dukes — is Russia's premier espionage service, run by the SVR foreign intelligence agency. It executed the SolarWinds supply-chain compromise, backdooring a signed software update that reached ~18,000 organizations. There's no clean actor-level dollar figure — SolarWinds-related cyber-insurance impact alone was estimated at $90M+ — but the true intelligence damage of a stealthy, years-long campaign against governments is impossible to price.

19. APT28 (Fancy Bear / Sofacy / Forest Blizzard)

Country: Russia (GRU Unit 26165) · Status: Active · Objective: Espionage, influence operations, military targeting.

APT28 — Fancy Bear, Sofacy, Pawn Storm, STRONTIUM, Forest Blizzard — is the GRU's long-running hack-and-leak and espionage unit, tied to election interference, military targeting, and disinformation campaigns across the West. There's no clean dollar total; its ranking reflects strategic impact and persistence rather than audited financial gain. Few actors have done more to weaponize stolen data for political ends.

20. APT10 (Cloud Hopper / Stone Panda / MenuPass)

Country: China (MSS) · Status: Lower public signal; historically major · Objective: Economic espionage, MSP supply-chain compromise.

APT10 — Cloud Hopper, Stone Panda, MenuPass, Red Apollo — pioneered the managed-service-provider (MSP) supply-chain model of espionage. By compromising IT providers, the group reached their many downstream clients at once. The DOJ says APT10 targeted MSPs and 45+ technology companies over more than a decade. The value is stolen IP and data rather than ransom, so there's no clean dollar figure — but Cloud Hopper's blueprint of "hack the provider to reach everyone" reshaped how the world thinks about third-party risk.

Patterns across the top 20

Stepping back, clear patterns emerge from this list:

  • Two dominant camps. Nation-state APTs (Russia, North Korea, China) pursue destruction, espionage, and sanctions evasion; Russian-speaking cybercrime syndicates pursue extortion. North Korea uniquely blends both — a state stealing crypto to fund itself.
  • Ransomware is a franchise business. Conti alone seeded Black Basta, Royal/BlackSuit, and others. Brands die under law-enforcement pressure, but the people and code lineage survive and rebrand — see ransomware-as-a-service.
  • Supply-chain leverage scales damage. NotPetya, SolarWinds, MOVEit, Kaseya, and Cloud Hopper all show that compromising one trusted vendor or tool multiplies reach enormously.
  • Social engineering rivals malware. Scattered Spider proved that talking past a help desk can be more effective than any exploit.
  • Takedowns work but rarely kill. LockBit, Hive, ALPHV, and REvil were all disrupted — yet the ecosystem adapts. Attribution and arrests raise costs without ending the threat.

How to defend against these actors

You will not out-spend a GRU unit, but the vast majority of these groups exploit the same fixable weaknesses. The highest-leverage defenses are consistent across the entire list:

  • Phishing-resistant MFA everywhere — it blunts Scattered Spider, ShinyHunters, and credential-driven ransomware.
  • Patch internet-facing systems fast — Cl0p, Akira, and APT actors live on unpatched VPNs, file-transfer tools, and edge devices.
  • Segment networks and limit lateral movement — to stop one foothold from becoming an enterprise-wide encryption event.
  • Vet third parties and monitor your software supply chain — the lesson of SolarWinds, MOVEit, and Cloud Hopper.
  • Offline, tested backups and a rehearsed incident-response plan — so extortion loses its leverage.
  • Track the actors targeting your sector — map their known TTPs with the MITRE ATT&CK framework and turn attribution into concrete detections.
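The last item, turning "which actors target my sector" into a prioritized detection backlog, is easiest to see in code. The script below is an added illustration, not part of this guide or of any vendor tool; its actor profiles are a constructed, deliberately small sample loosely based on this page's own descriptions (technique IDs are real ATT&CK identifiers, but the per-actor selection is illustrative, and a real deployment would load profiles from ATT&CK group pages or a CTI platform).

```python
from collections import defaultdict

# Constructed sample profiles (illustrative, not authoritative group data):
# actor -> sectors the guide describes it hitting, plus a few ATT&CK technique IDs.
ACTOR_PROFILES = {
    "Akira": {  # VPN / remote-access weaknesses, SMB-heavy victimology
        "sectors": {"smb", "manufacturing"},
        "techniques": {"T1133", "T1078", "T1021.001", "T1486"},
    },
    "Cl0p": {  # file-transfer zero-days, pure data-theft extortion
        "sectors": {"finance", "healthcare", "technology"},
        "techniques": {"T1190", "T1078", "T1567"},
    },
    "Scattered Spider": {  # help-desk social engineering, MFA fatigue
        "sectors": {"hospitality", "retail", "technology"},
        "techniques": {"T1598", "T1621", "T1078", "T1486"},
    },
    "APT29": {  # supply-chain compromise, token abuse
        "sectors": {"government", "technology"},
        "techniques": {"T1195.002", "T1078", "T1550.001"},
    },
    "Black Basta": {  # Conti-lineage ransomware against healthcare/manufacturing
        "sectors": {"healthcare", "manufacturing"},
        "techniques": {"T1566", "T1021.001", "T1562.001", "T1486"},
    },
}


def actors_for_sector(sector):
    """Actors whose profiled targeting includes this sector, sorted by name."""
    return sorted(a for a, p in ACTOR_PROFILES.items() if sector in p["sectors"])


def technique_demand(sector):
    """technique ID -> actors (relevant to this sector) that use it."""
    demand = defaultdict(list)
    for actor in actors_for_sector(sector):
        for tid in ACTOR_PROFILES[actor]["techniques"]:
            demand[tid].append(actor)
    return dict(demand)


def priority_gaps(sector, covered):
    """Techniques relevant actors use that have no detection in `covered`.

    Ranked by how many relevant actors share the technique (most first), then by
    technique ID for a deterministic order. Entries are (tid, count, actors).
    """
    gaps = [(tid, len(acts), acts)
            for tid, acts in technique_demand(sector).items() if tid not in covered]
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


if __name__ == "__main__":
    # Constructed inventory for a hypothetical healthcare org that already
    # detects phishing (T1566) and ransomware encryption behaviour (T1486).
    for tid, n, acts in priority_gaps("healthcare", {"T1566", "T1486"}):
        print(f"{tid:<10} used by {n} relevant actor(s): {', '.join(acts)}")
```

The highest-ranked gaps are the techniques shared by the most actors that target your sector, which is where a new detection buys the most coverage.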

Attackers are also moving faster with automation and AI — see how attackers use AI — which makes early warning more valuable than ever.

The bottom line

The 20 most dangerous threat actors of all time range from Russia's infrastructure-wrecking Sandworm and North Korea's $6.75-billion Lazarus Group to the ransomware empires of LockBit and Conti and the smooth-talking crews of Scattered Spider. Together they've caused tens of billions in damage and reshaped national security policy. Knowing who they are, how they operate, and what they want is the first step to defending against them. To track the campaigns these groups are running right now, follow our live threat intelligence feed, aggregated from dozens of authoritative sources, and dig deeper into threat actor types, APT groups, and ransomware statistics.

Frequently asked questions

Who is the most dangerous threat actor in the world?

By sheer destruction, Sandworm (APT44), a unit of Russia's GRU military intelligence, ranks first. Its 2017 NotPetya attack caused an estimated $10 billion in global damage, and it triggered the first power-grid blackouts ever caused by a cyberattack. By financial theft, North Korea's Lazarus Group leads, with roughly $6.75 billion in all-time crypto theft attributed to DPRK-linked hackers.

What is the difference between a nation-state threat actor and a cybercriminal group?

Nation-state actors (APTs) like Sandworm, APT29, and APT41 are backed by governments and pursue espionage, sabotage, or strategic disruption, often without a direct profit motive. Cybercriminal groups like LockBit, Conti, and Akira are financially motivated, using ransomware and data theft for extortion. North Korea's Lazarus Group blurs the line — a state actor that steals cryptocurrency to fund the regime.

Which ransomware group has stolen the most money?

Among ransomware brands, LockBit is tied to $120M+ in confirmed payments across 2,000+ victims, and REvil to $700M+ in ransom demands. ALPHV/BlackCat took $300M+ from 1,000+ victims. Exact totals vary because many ransoms go unreported, but these are among the most financially damaging ransomware operations documented by the DOJ and FBI.

Are these threat actors still active in 2026?

Many are. Sandworm, Lazarus Group, APT41, APT29, APT28, Cl0p, Akira, and Scattered Spider remain active. Others — LockBit, ALPHV, Conti, REvil, Hive — have had their brands disrupted by law enforcement, but their members, affiliates, and code lineage persist through rebrands and successor operations, which is why the ransomware ecosystem is so resilient.

Why do threat actors have so many different names?

Different security vendors and governments independently track the same group and assign their own naming conventions — for example, one actor may be called APT29, Cozy Bear, Midnight Blizzard, Nobelium, and The Dukes. This reflects the difficulty of cyber attribution: analysts group activity by observed tradecraft and infrastructure, and only later confirm that separate clusters are the same actor.

How can organizations defend against advanced threat actors?

The same core controls stop most of these groups: phishing-resistant MFA, fast patching of internet-facing systems, network segmentation to limit lateral movement, strong third-party and supply-chain vetting, offline tested backups, and a rehearsed incident-response plan. Mapping the specific actors targeting your sector to the MITRE ATT&CK framework turns attribution into concrete detection and response.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: