Report an incident

Get 24/7 incident response assistance from our global team

x
Talk to sales

Just fill out the form, and our representative will contact you soon.

Join the Cybercrime Fighters Club

Please review the following rules before submitting your application:

1. Our main objective is to foster a community of like-minded individuals dedicated to combatting cybercrime and who have never engaged in Blackhat activities.

2. All applications must include research or a research draft. You can find content criteria in the blog. Please provide a link to your research or research draft using the form below.

Group-IB Reveals Top 10 Masked Actors for 2025

Media Center Press Releases
May 13, 2025 · 3 min to read
Crime Report
Crime Trends
cybercrime
Cybercriminal
Cybersecurity strategy
Financial Crime
High Tech Crime
RaaS
Ransomware-as-a-Service

Singapore – May. 13th, 2025 – Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, unveils its list of the Top 10 Masked Actors for 2025 – the most prolific cybercriminal groups shaping the global threat landscape. With this new ranking, Group-IB arms businesses with critical intelligence to better anticipate threats, strengthen their defences, and stay one step ahead of cybercrime.

The findings are drawn from Group-IB’s latest High-Tech Crime Trends Report, which delivers in-depth analysis, forecasts, and actionable insights from over 1,550 successful high-tech crime investigations.

Group-IB identified the 2025 Masked Actors through extensive intelligence, highlighting the scale, sophistication, and impact of these active threat groups across sectors and geographies. The 2025 Top 10 Masked Actors include:

  1. RansomHub – The Ransomware-as-a-Service (RaaS) operation that surfaced after ALPHV (BlackCat) disappeared. Accounting for nearly a fifth of (571) ransomware victims between February and September 2024, it has quickly become a dominant force, targeting industrial manufacturing and healthcare sectors.
  2. GoldFactory – A nefarious mobile banking malware group responsible for GoldPickaxe.iOS, the first known iOS trojan designed to harvest facial recognition data for deepfake-enabled financial fraud.
  3. Lazarus – A North Korea-linked nation-state threat actor responsible for high-profile attacks on financial institutions and cryptocurrency platforms, with over $1.3 billion stolen in 2024 alone.
  4. DragonForce – An emerging hacktivist and ransomware group possibly linked to DragonForce Malaysia, that’s rapidly expanding its operations globally. It targets governments and corporations across multiple industries – one of the most lucrative attacks on a Saudi firm led to the theft of 6TB of data.
  5. OilRig – An Iranian state-sponsored cyber espionage group linked to Iran’s Ministry of Intelligence and Security (MOIS) that’s been active for over a decade. OilRig specialises in increasingly sophisticated phishing attacks to gain intelligence from finance, energy, telecom, and government entities.
  6. MuddyWater – Another Iranian nation-state actor, believed to be affiliated with Iran’s MOIS. MuddyWater focuses on cyber espionage campaigns targeting NATO-affiliated nations, particularly through spear-phishing campaigns.
  7. Brain Cipher – A new Ransomware-as-a-Service (RaaS) group that surfaced in mid-2024. It made headlines after demanding an $8 million ransom following an attack on Indonesia’s national data center.
  8. Boolka – Representing a new wave of cybercriminals, Boolka specialises in exploiting website vulnerabilities. The group’s evolving stealth tactics and ability to adapt and deploy modular malware causes significant financial and reputational damage that’s likely affected thousands of businesses and users worldwide.
  9. Ajina – A rapidly growing Central Asian cybercrime group targeting everyday users of banking apps through sophisticated Android malware campaigns. Group-IB analysed over 1,400 unique samples, suggesting a significant number of affected users and an increasing global reach.
  10.  Team TNT – Likely the most prolific Masked Actors in crypto crime, Team TNT has gained infamy for its relentless cloud-focused cryptojacking and brute-force attacks, targeting Kubernetes, Redis, and Docker environments.

To delve into the inner workings of each of these threat groups, Group-IB is launching the Masked Actors podcast series, hosted by Gary Ruddell, a cyber threat intelligence expert, and Nick Palmer, a highly experienced financial crime fighter and Group-IB’s VP of Global Sales. The first episode will focus on the Gold Factory threat group and premieres today, May 13th, available on all major listening platforms.

A detailed overview of the top global threats, key threat actors, and their evolving tactics is available in the full High-Tech Crime Trends 2025 report. The report provides in-depth insights into the evolving threat landscape, equipping businesses and cybersecurity professionals with the intelligence to stay safe.

About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, The most complete Fraud Protection, AI-powered Digital Risk Protection, Multi-layered protection with Managed Extended Detection and Response (XDR), All-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Read next
Group-IB and VAS Integrated Solutions Sign MoU
December 25, 2025
Group-IB and VAS Integrated Solutions Sign MoU to Enhance Cybersecurity Cooperation in the Kingdom
Zero-Day
December 18, 2025
Group-IB Red Team discovers zero-day vulnerabilities in Cisco UCCX and IBM Sterling
Press release CFIP
December 2, 2025
Group-IB launches Cyber Fraud Intelligence Platform – a first-of-its-kind, GDPR compliant solution for real-time fraud intelligence sharing
November 27, 2025
Ukuk and Group-IB Strengthen Cooperation to Enhance the National Cyber Defense of the Kyrgyz Republic
Top Women in Security ASEAN Awards 2025
November 13, 2025
Group-IB’s High-Tech Crime Investigations team triumphs at Top Women in Security ASEAN Awards 2025
October 21, 2025
Group-IB launches Asia-Pacific’s first Cyber Fusion Center in Singapore
Go to all Press Releases →