Threat Groups

APTs, ransomware cartels, and sanctioned actors — merged from MITRE ATT&CK, MISP, ransomwatch and OFAC/UK-NCA sanctions lists. Featured nation-state briefings first, then the full searchable database.

Featured Briefings

DPRK Crypto Heists

$3.04B

stolen, tracked

major heists

named units

Top heists, by USD at time of theft

$1.46BBybitExchangeLazarus / TraderTraitor2025-02 source
$624MRonin Network (Axie Infinity)ValidatorLazarus / APT382022-03 source
$281MKuCoinExchangeLazarus (suspected)2020-09 source
$235MWazirXExchangeLazarus (suspected)2024-07 source
$200MAlphaPo / CoinsPaid / Atomic WalletWalletBlueNoroff2023-07 source
$100MAtomic Wallet usersWalletLazarus2023-06 source
$100MHarmony Horizon BridgeBridgeLazarus / TraderTraitor2022-06 source
$41MStake.comExchangeLazarus2023-09 source

Known DPRK cyber units

Unit	Tags	Affiliation	Activity
Lazarus GroupOFFICIALaka HIDDEN COBRA · APT38 (umbrella) · Guardians of Peace · ZINC · Diamond Sleet	OFAC 2019MITRE G0032	Reconnaissance General Bureau (RGB)	Umbrella for DPRK state-sponsored cyber ops; financial theft + espionage. Hit Sony, WannaCry, plus the bulk of the heists below.
APT38aka BeagleBoyz · Bluenoroff (operational arm) · Stardust Chollima	MITRE G0082	Lazarus / RGB	Bank-heist specialists. Original SWIFT attacks (Bangladesh Bank $81M, 2016) and the original FASTCash ATM cash-outs.
BlueNoroffaka APT38 sub-unit · Stardust Chollima · Sapphire Sleet · TA444	MITRE G1032	Lazarus / RGB	Crypto-exchange and DeFi operator since ~2018. SnatchCrypto campaign, fake-VC LinkedIn lures. Behind Ronin and AlphaPo.
AndarielOFFICIALaka Silent Chollima · PLUTONIUM · Onyx Sleet · Stonefly	OFAC 2019MITRE G0138	Lazarus / RGB	Mixed: Maui ransomware against US healthcare, dual-use crypto theft for revenue.
Kimsukyaka Velvet Chollima · Black Banshee · Emerald Sleet · THALLIUM	MITRE G0094	RGB (separate from Lazarus)	Espionage-focused (think tanks, defectors, nuclear policy) but increasingly mixes in crypto-credential theft.
AppleJeus / TraderTraitorOFFICIALaka Lazarus crypto trojan campaign	—	Lazarus	Long-running fake crypto-trading-app campaign (UnionCryptoTrader, JMTTrader). FBI publicly tied to Harmony Bridge theft.

China State APTs — Espionage + Pre-Positioning

Actor	Tags	Affiliation	Activity
Volt TyphoonOFFICIALaka VANGUARD PANDA · BRONZE SILHOUETTE · Insidious Taurus	MITRE G1017	PLA / MSS-aligned (CISA assesses)	Pre-positions in US critical infrastructure (energy, water, transport, comms) using living-off-the-land techniques. Goal: disruptive options in a Taiwan crisis. CISA + FBI + NSA joint advisory Feb 2024.
Salt TyphoonOFFICIALaka GhostEmperor · FamousSparrow · Earth Estries	—	MSS-linked	Breached at least 9 US telecom carriers (Verizon, AT&T, T-Mobile, Lumen…) in 2024 — accessed CALEA wiretap systems and intercepted communications of Trump/Harris campaigns and senior US officials. Largest-ever US telecom hack per FCC.
APT41OFFICIALaka BARIUM · Winnti · Wicked Panda · BRONZE ATLAS	DOJ-indicted 2020MITRE G0096	Chengdu 404 (DOJ-indicted, 2020)	Dual hat — state espionage by day, cybercrime by night (game-studio supply-chain hits, crypto theft). 5 members indicted by DOJ Sept 2020.
APT1OFFICIALaka Comment Crew · PLA Unit 61398 · Comment Panda	DOJ-indicted 2014MITRE G0006	PLA Unit 61398 (Shanghai)	First publicly-attributed PLA APT — Mandiant 2013 report exposed 7-year IP-theft campaign across 141 victims. 5 PLA officers DOJ-indicted 2014.
Mustang PandaOFFICIALaka RedDelta · BRONZE PRESIDENT · TA416 · Earth Preta	MITRE G0129	MSS-linked	PlugX backdoor specialist; targets European governments, EU foreign ministries, NGOs working in Asia. DOJ + FBI court-authorized takedown of PlugX on 4,200+ US machines, Jan 2025.
APT40OFFICIALaka Leviathan · BRONZE MOHAWK · GADOLINIUM · TEMP.Periscope	DOJ-indicted 2021MITRE G0065	MSS Hainan Provincial State Security Dept	Maritime/naval espionage. 4 MSS officers DOJ-indicted 2021 for hacking 12+ countries' research orgs.

Russia State APTs — GRU + SVR + FSB

Actor	Tags	Affiliation	Activity
APT28OFFICIALaka Fancy Bear · Sofacy · STRONTIUM · Forest Blizzard · Pawn Storm	OFAC 2016MITRE G0007	GRU Unit 26165 (85th GTsSS)	Election interference (DNC 2016), WADA, OPCW. 7 GRU officers DOJ-indicted 2018; EU + UK sanctioned 2020.
APT29OFFICIALaka Cozy Bear · The Dukes · NOBELIUM · Midnight Blizzard · BlueBravo	OFAC 2021MITRE G0016	SVR (Foreign Intelligence Service)	SolarWinds supply-chain compromise (2020) — 18,000 orgs poisoned, 9 federal agencies confirmed breached. Re-emerged 2024 to breach Microsoft corporate email (HPE, Microsoft executives).
SandwormOFFICIALaka BlackEnergy · Voodoo Bear · TeleBots · IRIDIUM · Seashell Blizzard	DOJ-indicted 2020MITRE G0034	GRU Unit 74455 (Main Centre for Special Technologies)	The destructive arm. Ukraine power-grid attacks (2015, 2016), NotPetya ($10B+ damage, 2017), 2018 Olympics opening-ceremony wiper. 6 GRU officers DOJ-indicted 2020.
TurlaOFFICIALaka Snake · Venomous Bear · Uroburos · Secret Blizzard	MITRE G0010	FSB Center 16	Quietest of the three — 25+ year run. Snake malware dismantled by FBI Operation MEDUSA, May 2023.
Gamaredonaka Primitive Bear · Trident Ursa · Aqua Blizzard · ACTINIUM	MITRE G0047	FSB Center 18 (Crimea)	Ukraine-focused since 2014; high-volume / lower-stealth. Most prolific actor against Ukrainian government per CERT-UA.

Iran State APTs — IRGC + MOIS

Actor	Tags	Affiliation	Activity
APT33aka Elfin · Refined Kitten · Magnallium · Peach Sandstorm	MITRE G0064	IRGC-linked	Aerospace + petrochemical targeting (US/Saudi). Linked to the Shamoon wiper that destroyed 30,000 Saudi Aramco workstations (2012).
APT34aka OilRig · Helix Kitten · Hazel Sandstorm · Cobalt Gypsy	MITRE G0049	MOIS	Long-running Middle-East telecom + financial espionage. Source code leaked publicly via 'Lab Dookhtegan' Telegram, 2019.
APT35OFFICIALaka Charming Kitten · Phosphorus · Mint Sandstorm · Newscaster	DOJ-indicted 2024MITRE G0059	IRGC-IO	Spear-phishes academics, journalists, US officials and 2020 / 2024 election campaigns. DOJ-indicted 4 IRGC members Sep 2024 for hacking Trump campaign.
MuddyWaterOFFICIALaka Static Kitten · Mango Sandstorm · TEMP.Zagros · Mercury	MITRE G0069	MOIS	Government-targeting espionage across Middle East + Asia. CYBERCOM publicly attributed 2022.
Pioneer KittenOFFICIALaka Fox Kitten · PARISITE · UNC757 · Lemon Sandstorm	—	IRGC-affiliated contractor	Initial-access broker — sells footholds to ransomware affiliates (NoEscape, RansomHouse, ALPHV). FBI flash advisory Aug 2024.

Ransomware Cartels

Cartel	Status	Est. revenue	Current state	Notable hits
LockBitOFFICIALaka LockBit 2.0/3.0/Black	DISRUPTED	$120M+ (DOJ est.)	Op Cronos (NCA + FBI + Europol, Feb 2024) seized infra, leaked decryptors. Admin 'LockBitSupp' (Dmitry Khoroshev) doxxed + sanctioned May 2024. Limping but not dead.	Largest RaaS by volume 2022–2024. Hit Boeing, ICBC, UK Royal Mail, US/UK governments via ConnectWise.
ALPHV / BlackCatOFFICIALaka Noberus	EXIT-SCAMMED	$300M+ (FBI)	Exit-scammed Mar 2024 after collecting $22M ransom from Change Healthcare and stiffing affiliate. Operators rebranded as RansomHub.	First major Rust-based ransomware. Hit Change Healthcare ($22M paid), MGM Resorts, Reddit.
Cl0pOFFICIALaka TA505 affiliate	ACTIVE	—	Pivoted to mass-exploitation of file-transfer 0-days: Accellion FTA, GoAnywhere, MOVEit (2,700+ victims), Cleo (2024).	MOVEit campaign (May 2023) hit US DoE, BBC, British Airways, Shell — possibly the most prolific single ransomware op ever.
ContiOFFICIALaka Wizard Spider (lineage)	REBRANDED	$180M (Chainalysis 2021)	Imploded May 2022 after pro-Russia stance triggered 'Conti Leaks' (insider dumped chats + source). Affiliates respawned as BlackBasta, Karakurt, Royal/BlackSuit, Akira.	Hit Costa Rica's government (forced national emergency, 2022) and Ireland's HSE healthcare system.
RansomHubOFFICIALaka ALPHV reboot	ACTIVE	—	Ascendant 2024–2025. Picked up the affiliates orphaned by ALPHV exit-scam and LockBit takedown.	Hit Halliburton, Frontier Comms, Christie's, Patelco Credit Union.
PlayOFFICIALaka PlayCrypt · Balloonfly	ACTIVE	—	Closed-shop crew (no public affiliates). 300+ victims since 2022 incl. Rackspace, Arnold Clark, City of Oakland.	Steady drumbeat of mid-market victims; less flashy than LockBit but very persistent.
AkiraOFFICIALaka Conti splinter	ACTIVE	—	Conti-lineage operators. FBI / CISA estimate $42M+ collected from 250+ orgs as of early 2024.	Heavy on small/mid US + EU manufacturers and law firms.
Scattered SpiderOFFICIALaka UNC3944 · Octo Tempest · 0ktapus · Muddled Libra	ACTIVE	—	Native English-speaking teen/young-adult crew (US + UK). Social-engineers help-desks for MFA reset; partners with ALPHV / RansomHub for the encryptor.	MGM Resorts ($100M cost), Caesars ($15M paid), Marks & Spencer, Coop UK, Snowflake-customer mass campaign.

Landmark Campaigns

2025-02
Bybit $1.46B heistLazarus / TraderTraitor (DPRK)
Largest crypto theft in history; multi-sig wallet UI compromise, drained ETH to mixers within hours.
2024-10
Salt Typhoon US telecom breachSalt Typhoon (PRC)
Compromised 9+ US carriers, accessed CALEA lawful-intercept systems, snooped on senior officials and presidential campaigns.
2024-06
Snowflake customer breachesScattered Spider / UNC5537
Stolen credentials → no-MFA Snowflake tenants. 165+ orgs (AT&T, Ticketmaster, Santander, Advance Auto Parts) lost data.
2024-03
XZ Utils backdoor (CVE-2024-3094)'Jia Tan' (suspected state-aligned long-con)
Multi-year social-engineering of an open-source maintainer to plant SSH-bypass backdoor in xz/liblzma. Caught by Microsoft engineer pre-release.
2024-02
Change Healthcare ransomwareALPHV / BlackCat
$22M ransom paid; 100M+ patient records leaked when ALPHV stiffed its affiliate. Disrupted US pharmacy/insurance billing for weeks.
2023-09
MGM + CaesarsScattered Spider + ALPHV
Help-desk vishing → admin reset → encryption. MGM lost $100M; Caesars paid $15M.
2023-05
MOVEit Transfer mass-exploitCl0p
0-day SQLi (CVE-2023-34362) used to exfil data from 2,700+ orgs incl. US DoE, BBC, British Airways, Shell, Sony.
2022-03
Ronin Bridge $624MLazarus / APT38 (DPRK)
Compromised 5 of 9 validator keys via fake-job lure on Sky Mavis engineer. First $-billion-class crypto heist.
2021-12
Log4Shell (CVE-2021-44228)Multiple (criminal + state)
Trivial RCE in Log4j logging library; near-universal Java exposure. Patched globally over months; long-tail exploitation continues.
2021-05
Colonial PipelineDarkSide
Single leaked VPN password → 5-day shutdown of US East-Coast fuel supply. $4.4M paid; FBI clawed back $2.3M.
2020-12
SolarWinds / SUNBURSTAPT29 (SVR)
Trojanized SolarWinds Orion update reached 18,000 orgs; 9 US federal agencies + Microsoft, FireEye confirmed breached.
2017-06
NotPetyaSandworm (GRU)
Wiper disguised as ransomware via M.E.Doc supply chain in Ukraine; spread globally. Maersk + Merck + FedEx-TNT alone took ~$3B in damage. Total: $10B+.
2017-05
WannaCryLazarus (DPRK)
EternalBlue worm + leaked NSA exploit. 200K+ machines in 150 countries; UK NHS hardest hit.

All Threat Actors

MITRE ATT&CK + MISP + ransomwatch + sanctions