116 Gawler Place, Adelaide SA 5000 1800 818 875 [email protected]

Notorious Cyber Crime Gangs

The 10 most notorious cyber crime gangs in the world

Roughly four in five breaches emanate from organised crime.[i]

Cyber crime has escalated dramatically over the past few years with sophisticated criminal gangs leveraging world events to create chaos.

The current spike began during the COVID-19 pandemic when there was a mass shift of employees working from home. This meant many employees were using their own devices and did not have enough cyber security protection to stop malware. Further, gangs also targeted employees via phishing scams that leveraged COVID-19 misinformation.

More recently, the Russian invasion of Ukraine has resulted in a subsequent cyber-war. This has seen Russian attackers targeting Ukraine ally businesses and government infrastructure in a bid to weaken the defenders.

This has resulted in the growth of sophisticated cyber gangs. These infamous gangs are coordinated, strategic, and some have even amassed large followers.  However, like their ‘famous counterparts’ infamous gangs can also fall from grace.

Below we list the current most dangerous cyber crime gangs that business owners need to look out for. (Note, gangs are not in any particular order)

The 10 most dangerous cyber crime gangs

#10: Conti

Conti was a powerful cyber gang believed to have originated in Russia in 2020. The gang had an impressive following and was previously considered one of the largest threats to business and governments. However, in March 2022, the formidable gang posted its support of the Russian invasion of Ukraine. Days later, the gang lost most of its online support. Despite this, experts state the gang is still influential and is undergoing a ‘rebrand’.[ii]

BIGGEST KNOWN ATTACK: Costa Rica Government May 2022: the gang encrypted systems from multiple government bodies causing the country’s president to declare a national state of emergency.

CYBER ATTACK STRATEGY: Phishing emails to companies to download aggressive ransomware.

#9: REvil

The REvil model primarily uses Ransomware-as-a-Service (RaaS). Providers of RaaS rely on other hackers to distribute the ransomware and then they receive a ‘cut’ of the extortion fee. This is roughly 20%-30%. IBM Security X-Force states that REvil targets wholesale, manufacturing, and professional services industries. Further, the group focus on attacking US, UK, Australia and Canada.[iii]

BIGGEST KNOWN ATTACKS: JBS meat processing attack which affected the global beef supply chain and a $50m ransom for technical data stolen from Quanta Computer in Taiwan.

CYBER ATTACK STRATEGY: Ransomware-as-a-service (Raas)

#8: SideCopy

SideCopy was first noticed in 2020 and appears to be following in the footsteps of the now dormant Syrian Electronic Army. SideCopy is believed to be a Pakistani Threat Actor. The group has targeted both Afghan and Indian governments.  The gang uses a range of attacks but focuses on targeting personnel working in government organisations to convince them to open/download malicious files. The gang also uses platforms like Facebook to connect with its victims.

BIGGEST KNOWN ATTACK: Continuous attacks on the Indian Government.

CYBER ATTACK STRATEGY: Sophisticated targeted phishing and social engineering to trick the user into downloading a malicious payload.

#7: Clop (aka Cl0p)

Like many cyber gangs, Clop was first cited in 2019 but grew in 2020 by preying on entities that deal with highly sensitive information such as the healthcare and finance industries. The group focus on a double-extortion strategy. This means after they gain access to data, they demand a ransom for the data to be decrypted, as well as demand a fee for the data to not be released publicly.

Clop has also been known to perform repeat attacks on businesses that have weak cyber security and don’t upgrade their system after an attack.

BIGGEST KNOWN ATTACK: $23m ransom on German software giant AG, one of the 10 largest software vendors in Europe.

CYBER ATTACK STRATEGY: Spear-phishing emails and exploiting old programs to discover vulnerabilities in order to upload ransomware.

#6: Cosmic Lynx

This Russian based gang targets businesses worldwide by compromising corporate email accounts (known as Business Email Compromise (BEC)) and pretending to be the CEO or a business executive. The cyber gang seems to focus on law firms, the education sector, and larger businesses. In each scenario, the gang employs a dual impersonation scheme. They then create a sophisticated story regarding a merger or business expansion. Leveraging multiple ‘credible’ accounts, the hacker then convinces the employee to give the hacker access to financial accounts and/or to download malicious files.

BIGGEST KNOWN ATTACK: The group focuses on smaller attacks and is known for its high earnings of US$1.27m per BEC attack. This is phenomenally higher than the global average of $80k per BEC attack.[iv]

CYBER ATTACK STRATEGY: BEC: the gang impersonates high-level executives to trick employees into compromising company security.

#5: DarkSide

DarkSide is a Russian-linked cyber crime gang. The group offers ‘ransomware-as-a-service, carrying out attacks on behalf of other criminals. “DarkSide’s services include providing technical support for hackers, negotiating with targets like the publishing company, processing payments, and devising tailored pressure campaigns through blackmail and other means, such as secondary hacks to crash websites.[v]

The gang typically focuses on larger companies that are more likely to pay large ransom fees. However, they still pose a potential threat to smaller businesses that may be affiliated with the larger targets.

BEST KNOWN FOR: The US Colonial Pipeline ransom attack in May 2021.

CYBER ATTACK STRATEGY: Ransomware-as-a-service (Raas)

#4: Evil Corp

Evil Corp is a well-established cyber gang since circa 2009. The Russian-based leaders of Evil Corp allegedly live ‘millionaire’ lifestyles due to their ability to extort more than $100m from corporate victims.[vi]

The gang is not only highly organised, but continuously leverages new technology to outsmart victims and evade authorities.  Over the past 12 years they have used strategies such as macro viruses, malicious photo attached to phishing emails, trojan targeting the banking industry, brute-force attacks, clickbait, and recently, leveraging Ransomware as a Service.

BEST KNOWN FOR: global expansion of it’s malware, stealing $100m across more than 40 countries.

CYBER ATTACK STRATEGY: Various, currently the most common is Ransomware-as-a-service (Raas)

#3: LockBit 3.0

The LockBit 3.0 cyber gang is effective, efficient, and highly active. The group continues to strategise to reinvent themselves, enabling them to leverage system vulnerabilities. The group also employs a ‘bounty program’ offering rewards ranging from $1,000 to $1 million to individuals who find exploits, personal data on potential victims, information on high-value targets, or ideas for improving the operation.[vii]

BEST KNOWN FOR: Stealing 78GB of data from Italy’s tax agency and demanding ransom for safe return.

CYBER ATTACK STRATEGY: Ransomware-as-a-service (RaaS)

#2: Lapsus$

Lapsus$ is a new gang in the market that focuses on data theft and extortion. As a new group, the gang is not as organised as its experienced counterparts, but leaders rose to fame for compromising Microsoft. The gang also breached Samsung and Nvidia. In March 2022, seven group leaders were arrested in London. However, the Lapsus$ attacks continued after the arrest showing that the gang is still active and growing.

BEST KNOWN FOR: Breaching Microsoft’s systems via social engineering

CYBER ATTACK STRATEGY:data theft of confidential files and extortion

#1: FIN7

Since 2012, FIN7 has been a powerhouse cyber ‘villain’. The sophisticated Russian gang operates like a business using multiple strategies to leverage stolen data. Like many of the advanced gangs, FIN7 continues to evolve its strategies to stay ahead of authorities and victims with outdated systems. The gang focuses on obtaining customer credit card records via compromising point of sale tools and e-commerce sites. They then maximise the financial return of the data by: a) asking the company for a ransom for the data back, b) threatening victims who they have the credentials of c) selling the confidential data to a third party. The group is thought to have amassed billions of dollars via its cybercrimes.

BEST KNOWN FOR: Spear phishing campaign targeting United States Securities and Exchange Commission (SEC) filings in order to steal highly confidential business information that could be monetarised.

CYBER ATTACK STRATEGY: evolving, but focused on gaining consumer credentials via vulnerable ecommerce systems.


  1. https://abovethelaw.com/2022/06/the-godfathers-of-cybercrime-the-2022-verizon-report/[i]
  2. https://www.techtarget.com/searchsecurity/news/252520573/AdvIntel-Conti-rebranding-as-several-new-ransomware[ii]
  3. https://www.csoonline.com/article/3597298/revil-ransomware-explained-a-widespread-extortion-operation.html[iii]
  4. https://www.zdnet.com/article/average-bec-attempts-are-now-80k-but-one-group-is-aiming-for-1-27m-per-attack/[iv]
  5. https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html[v]
  6. https://grahamcluley.com/on-the-trail-of-russias-100-million-evil-corp-hacking-gang/[vi]
  7. https://www.theregister.com/2022/07/26/lockbit-italy-ransomware-attack/[vii]

Related Posts:

Google Rating
Based on 36 reviews
Have questions? Search our knowledgebase.