A new ranking reveals that hacker groups are increasingly targeting supply chains and relying on rented infrastructure with market shares of up to 89 percent.
IT security company Group-IB has released its annual report on global threat actors. The analysis examines more than 1,550 investigations and highlights a structural shift in the strategies of organized cybercrime. Criminal groups are increasingly targeting IT supply chains, shared infrastructure, and trusted third-party providers instead of attacking organizations directly. By compromising a single access point, attackers can extend the impact to downstream systems across entire industries while reducing detection windows.
Commercialization of Phishing and Payment Fraud Services
A key factor behind the growing efficiency of attacks is the ongoing commercialization of malware and criminal infrastructure on the underground market. The Tycoon 2FA platform, for example, controls an 89 percent market share in the automated phishing service segment (Phishing-as-a-Service). The platform intercepts authentication tokens and can therefore bypass the protection mechanisms of multi-factor authentication.
Another commercial system, TX-NFC, enables criminals to simulate contactless payment transactions at physical point-of-sale terminals using stolen card data. The service is available through a daily subscription model starting at $45.
Dmitry Volkov, Chief Executive Officer of Group-IB, commented on the development:
“The supply chain has become the most powerful multiplier of cybercrime. What our investigators documented in more than 1,550 cases over the past year shows us that attacks no longer target individual victims in isolation – they embed themselves in trusted infrastructures and third-party ecosystems in order to spread across entire industries simultaneously. A single point of compromise reached more than 130 organizations in one operation we tracked.
At the same time, the commercialization of attack infrastructure – phishing platforms with an 89 percent market share, subscription-based NFC fraud – is rapidly closing the capability gap between highly developed and less technically skilled threat actors. For defenders, the response must be adversary-focused: understanding how these specific adversaries evolve, not only what they did last quarter, but using AI-powered insights to predict what they will do next.”
The Complete Ranking of Hacker Groups
The ranking evaluates hacker groups based on factors including financial impact, number of victims, technical evolution, and geographic reach:
1. DarkBlinders
DarkBlinders demonstrates the highest adaptability in its tactics and targets the aviation and telecommunications sectors in the Middle East.
2. Scattered Spider
Scattered Spider operates as a decentralized network and compromised more than 130 technology companies through their trusted supply chains.
3. Lazarus
Lazarus operates with state backing and has stolen more than $6.5 billion worth of cryptocurrency over its lifetime, including $2.02 billion in 2025 alone.
4. MuddyWater
MuddyWater stands out for its rapid evolution, deploying three new malware variants across more than 113 countries between October 2025 and March 2026.
5. Tycoon 2FA
Tycoon 2FA controls an 89 percent market share in automated phishing services designed to steal corporate credentials.
6. GoldFactory
GoldFactory uses specialized malware to steal biometric data and specifically bypass facial recognition systems used in mobile banking.
7. TX-NFC
TX-NFC provides a commercial subscription-based system for simulating contactless payments at physical terminals using stolen card data.
8. Shadow Silk
Shadow Silk specializes in stealth operations and remains undetected in critical infrastructure and government environments for more than twelve months.
9. Bloody Wolf
Bloody Wolf focuses on long-term system access and strategic monitoring of government organizations in Central Asia.
10. Teste PHP
Teste PHP uses malicious browser extensions to steal credentials in real time across five Spanish-speaking countries.
(ll/Group-IB)