New report highlights global threat actors behind the most prolific and sophisticated attacks
Cybersecurity firm Group-IB has released its list of the Top 10 Masked Actors for 2025, spotlighting the most dangerous cybercriminal groups that businesses worldwide need to watch. The ranking is part of the company’s new High-Tech Crime Trends 2025 report and is based on data from over 1,550 successful high-tech crime investigations.
Topping the list is RansomHub, a ransomware-as-a-service (RaaS) group that filled the void left by ALPHV (BlackCat) and now accounts for nearly 20% of global ransomware victims. Close behind is GoldFactory, the threat actor behind GoldPickaxe.iOS, the first iOS trojan capable of harvesting facial recognition data for deepfake financial fraud.
“We’ve identified the most dangerous cybercriminal groups shaping the threat landscape in 2025.”
— Nick Palmer, VP of Global Sales, Group-IB
Other groups in the spotlight include Lazarus, known for its $1.3 billion crypto thefts; DragonForce, an aggressive hacktivist and ransomware group; and Team TNT, notorious for cryptojacking Kubernetes and Docker environments.
Emerging regional actors like Ajina and Brain Cipher also feature prominently, pointing to an increasingly fragmented but potent global cybercrime landscape.
“These groups are not just launching attacks—they’re redefining the cybercrime economy,” said Nick Palmer, VP of Global Sales at Group-IB. “Our mission is to arm organizations with the intelligence to act before it’s too late.”
To dive deeper into these threat actors, Group-IB is launching a new Masked Actors podcast series. The debut episode, focusing on GoldFactory, is now live on major streaming platforms.
The full report offers a deep dive into each actor’s methods, targets, and impact, providing essential insights for cybersecurity teams worldwide.
