Hackers without rules: when attacks are driven by profit, chaos, or ideology

Not all hacker groups work for governments. Some operate independently — driven by profit, ideology, or pure chaos. They extort hospitals, target critical infrastructure, and manipulate the public sphere. Here are five groups from the cyber underworld, along with their tactics and motivations. Get to know them — and hope they never decide to get to know you.

18 Nov 2025 | Natalia Peterková | Threats


While state-sponsored APT groups operate covertly and with clearly defined objectives, the world of cybercrime is far more chaotic — driven by immediate profit or ideological pressure. These attackers tend to be faster, less predictable, and more destructive. They are not always after classified documents, but rather direct financial gain, media attention, or the sheer destruction of a target. This category of actors is diverse — ranging from highly organized ransomware gangs with corporate-like structures to anonymous protest movements with no clear leadership.

Operational patterns of cyberattacks

These groups share one key trait: they know how to exploit system vulnerabilities, human error, and technology itself to their advantage. A cyberattack is not always defined primarily by its target, but by the method through which it is carried out. Attackers choose their operational style based on what they seek — money, attention, or pure disruption. Below, you’ll see how these approaches differ in practice.

How do non-state actors attack? The technical variants

Cybercrime is rarely about subtle espionage. These attackers go after immediate value — access, influence. Yet their toolbox often looks surprisingly similar to that of state-sponsored APT groups…

      • Brute force
        Type: A destructive attack with no masking.
        Target: Disable servers, encrypt data, and force a ransom payment.
        Method: Deploy ransomware, conduct massive password attacks (brute force/spraying), and launch DDoS assaults; disrupt services.

      • Command & Control (C2)
        Type: Remote control through a channel.
        Target: Maintain control over the botnet, coordinate malware propagation, and launch the attack.
        Method: C2 servers and domains; encrypted tunneling, module downloads, command execution, and coordination of lateral movement.

      • Reconnaissance
        Type: Silent reconnaissance, environment mapping.
        Target: Maintain control over the botnet, coordinate malware propagation, and trigger the attack.
        Method: OSINT, passive monitoring, fingerprinting, port scanning — in practice, this means watching traffic and behavior to prepare the attack.

      • Privilege Escalation
        Type: Privilege escalation after initial access.
        Target: Obtain admin privileges, access sensitive data, and gain full control of the system.
        Method: Exploiting vulnerabilities and misconfigurations (zero-days, kernel flaws, UAC bypass), token theft/credential dumping, abuse of services and schedulers.

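The "massive password attacks (brute force/spraying)" named in the Brute force column leave two distinct footprints in authentication logs, and a defender needs to tell them apart: classic brute force hammers one account with many passwords from one source, while password spraying tries one or two common passwords against many accounts from one source so that no single account trips a lockout. The following is an added example, not code from the article or from any of the groups it describes. It parses a handful of constructed log lines in a simplified SSH-style format (the format, the IP addresses, the account names and the thresholds are all assumptions made for the example) and flags each source address as brute force, spraying, or benign, and also reports any successful login from a source that had failures, which is the event worth escalating.

```python
"""Telling brute force from password spraying in authentication logs.

Added example. The log format below is a constructed, simplified SSH-like
format chosen for the demonstration:
    <timestamp> <OK|FAIL> user=<account> src=<ip>
"""
from collections import defaultdict
import re

# Constructed sample data (not real traffic): one source hammering a single
# account (brute force), one source trying many accounts once each (spraying),
# and one user who mistypes a password once and then logs in (benign).
SAMPLE_LOG = """\
2025-11-18T09:00:01 FAIL user=admin src=203.0.113.10
2025-11-18T09:00:02 FAIL user=admin src=203.0.113.10
2025-11-18T09:00:03 FAIL user=admin src=203.0.113.10
2025-11-18T09:00:04 FAIL user=admin src=203.0.113.10
2025-11-18T09:00:05 FAIL user=admin src=203.0.113.10
2025-11-18T09:00:06 FAIL user=admin src=203.0.113.10
2025-11-18T09:01:00 FAIL user=alice src=198.51.100.7
2025-11-18T09:01:01 FAIL user=bob src=198.51.100.7
2025-11-18T09:01:02 FAIL user=carol src=198.51.100.7
2025-11-18T09:01:03 FAIL user=dave src=198.51.100.7
2025-11-18T09:01:04 FAIL user=erin src=198.51.100.7
2025-11-18T09:01:05 OK user=frank src=198.51.100.7
2025-11-18T09:02:00 FAIL user=alice src=192.0.2.5
2025-11-18T09:02:30 OK user=alice src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, bf_threshold=5, spray_threshold=4):
    """Classify each source IP that produced at least one failure.

    bf_threshold:    failures against ONE account that count as brute force
    spray_threshold: distinct accounts, each with at most 2 failures, that
                     count as password spraying (assumed values for the example)
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    successes = defaultdict(set)                   # src -> users that logged in
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])

    findings = {}
    for src, per_user in fails.items():
        total = sum(per_user.values())
        accounts = len(per_user)
        max_single = max(per_user.values())
        if max_single >= bf_threshold:
            pattern = "brute_force"          # many tries at one account
        elif accounts >= spray_threshold and max_single <= 2:
            pattern = "password_spray"       # few tries each, across many accounts
        else:
            pattern = "benign"
        findings[src] = {
            "pattern": pattern,
            "failures": total,
            "accounts": accounts,
            # any successful login from a source that also failed: escalate these
            "successful_logins": sorted(successes.get(src, set())),
        }
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The spraying rule keys on breadth (many accounts, low failures per account) rather than volume, because a sprayer deliberately stays under per-account lockout thresholds; alerting only on failures per account, as many default lockout policies do, misses it entirely. The `successful_logins` field is there because a success from a source that was just failing against other accounts is the sign that one of the sprayed passwords worked.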
1 / Ransomware-as-a-Service (RaaS)

An organized model where the “core” team develops the encryption tool and runs the infrastructure (command-and-control servers, leak sites), while their partners handle intrusions and negotiators push for payment. The typical sequence: gaining network access → privilege escalation → data exfiltration → encryption. The pressure is usually two- or three-pronged: the ransom demand itself, the threat of publishing the stolen data, and sometimes DDoS on top.

2 / Hacktivism

These attacks are used to promote a cause and gain attention. The targets are usually symbolic institutions (public authorities, media, companies) to maximize media impact. The approach is often straightforward: overloading services (DDoS), defacing websites, sometimes leaking selected data, combined with an intensive campaign on social networks. The emphasis is on rapid disclosure and publicity, not on long-term stealth.

3 / Hybrid Warfare

A cyberattack as part of a broader conflict. It combines technical operations with information pressure. The goal is to disable services, undermine trust, and influence public opinion. Typical steps include targeted phishing emails, network intrusion, destructive malware that wipes systems, service overloads (DDoS), and interference with industrial systems — accompanied by information leaks and manipulation campaigns.

Attacks are happening all the time…

Before we move on to the groups themselves, let’s pause for a moment to look at the attacks. They happen 24/7. See for yourself on an online Cyber Map. This live map, based on data from security sensors, shows where attacks are heading and how quickly they accumulate. The geolocation is only approximate — treat it as a barometer of what’s happening beneath the surface, not as a full map of the cyber underworld.


Key actors

Each of these groups operates with its own logic, tools, and objectives.


WIZARD SPIDER: a spider with a corporate structure

“In our web, every strand ends in ransom.”

      • Motive: profit from ransomware and extortion
      • Territory: worldwide, with a focus on the U.S. and Europe
      • Specialization: high-value extortion targets — corporations, hospitals, critical infrastructure

WIZARD SPIDER is a coldly profit-driven cyber outfit operating like a “company.” It gains access to networks through malware (such as TrickBot or QakBot), spreads silently using offensive tools, steals sensitive data, and then pressures the victim — either by encrypting systems and demanding ransom or by extorting them with the threat of publishing the stolen information. Its operations have hit healthcare, logistics, and government institutions across the world. In 2021, the group crippled Ireland’s Health Service Executive with a Conti ransomware attack that shut down hospitals, disrupted medical care, and held patient data hostage. Another major operation followed in 2022, when the group launched a cyber campaign against Costa Rican government agencies, again using Conti ransomware. The attackers compromised dozens of ministries, including the Ministry of Finance, halting tax collection and freezing payroll for public employees. The government was forced to declare a national state of emergency — the first ever in the country’s history due to a cyberattack. The group demanded a $20 million ransom, and after refusal, began gradually publishing the stolen data. This confirmed that Wizard Spider is capable of paralyzing an entire state.


ANONYMOUS: The Shadow That Gives the Internet a Voice

“We are legion. We do not forgive. We do not forget.”

  • Motive: ideological activism — fighting censorship, corruption, government surveillance
  • Territory: global, without borders or hierarchy
  • Specialization: DDoS attacks, data leaks, website defacements, online campaigns

ANONYMOUS is not a traditional “organization” but a loose movement united by the Guy Fawkes mask and the idea of resisting censorship and abuses of power. Born on the 4chan forum, it evolved from pranks and protests against Scientology into a global hacktivist network without leaders or borders. They entered history through attacks on institutions they saw as standing in the way of a free internet. In 2010, they launched Operation Payback, using DDoS attacks against Visa, Mastercard, and PayPal after these companies blocked payments to WikiLeaks; the campaign disrupted their websites and drew massive public attention. After Russia’s invasion of Ukraine in 2022, they initiated the large-scale Operation Russia, in which they breached databases of the Russian Ministry of Defense, state television, and industrial enterprises, leaking tens of gigabytes of internal emails and documents. Anonymous operates without command, but with a unified purpose — wherever propaganda spreads, opposition is silenced, or truth disappears, their symbol tends to appear.


SANDWORM: a worm from the depths

“We don’t collect data. We shut down nations.”

      • Motive: sabotage and hybrid destructive operations against infrastructure
      • Territory: primarily Ukraine and European targets, with operations that have global impact
      • Specialization: attacks on critical infrastructure (power plants, distribution networks), destructive malware

SANDWORM is not a cyber defense unit — it is a destructive force. It became known through a series of devastating attacks against Ukraine’s energy sector, when in December 2015 and again in subsequent years it damaged distribution networks and caused power outages, demonstrating the reality of “cyber-physical” warfare. In 2017, their tactics culminated in NotPetya — a destructive malware that spread like wildfire within hours and caused global damage worth billions. This was no longer espionage, but a deliberate attempt to paralyze operations. At the start of the Russian invasion, an attack on Viasat’s KA-SAT satellite network crippled tens of thousands of modems in Ukraine and parts of the EU, temporarily cutting off internet access for civilians and government offices. The primary goal was to disrupt Ukrainian military command. The attackers deployed malware that wiped the modems’ software, making physical replacement the only recovery option. It was a stark demonstration that a single, well-aimed strike can shut down an entire state within minutes.


LAPSUS$: the boldness that breaks through firewalls

“We don’t care about secrets — we want what sells.”

  • Motive: intimidation and pressure through the publication of sensitive source code and data
  • Territory: primarily major tech companies and service providers (U.S., Europe)
  • Specialization: social engineering, theft of internal tools and data, followed by public leaks

LAPSUS$ is a loosely organized group known for boldly surfacing wherever a quick reputational payoff is possible. Instead of relying on classic technical backdoors, they depend on social engineering and the compromise of support accounts to gain access to source code and internal data. In 2022, LAPSUS$ drew global attention with a series of audacious attacks on major tech companies. The group claimed responsibility for stealing nearly 1 TB of internal data from NVIDIA, including employee credentials and sensitive GPU driver source code. They demanded that NVIDIA remove limitations on cryptocurrency mining — otherwise they would begin publishing the data, which they did, step by step. Shortly afterward, they breached the internal systems of Okta, a major identity and access management provider, and published screenshots from the company’s internal support console. The incident shook the confidence of organizations worldwide that rely on Okta to manage user accounts. These cases showed that LAPSUS$ does not wield sophisticated cyberweapons or military-grade capabilities — its strength lies in brazenness, speed, and the ability to exploit human error as an entry point.


NONAME057(16): a swarm of bots in the service of propaganda

“We don’t fight with weapons — we fight with connectivity.”

  • Motive: attacks on countries supporting Ukraine, NATO, sanctions against Moscow
  • Territory: Europe, North America — particularly NATO member states
  • Specialization: DDoS attacks, website defacements, and the spread of propaganda

After the start of the Russian invasion in 2022, NONAME057(16) quickly emerged as one of the most active pro-Russian hacktivist groups — targeting symbolic institutions to deliver “digital retaliation” against countries supporting Ukraine. In 2023, they struck Polish and Czech government websites as well as portals of transport companies and airports, later expanding their campaign to the Baltic states and energy firms, focusing on visible political impact rather than covert intrusions. During Finland’s accession to NATO in April 2023, they launched a targeted DDoS attack against the websites of the parliament and the prime minister’s office. Their operations are frequently accompanied by propaganda videos and statements distributed through Telegram — a channel that serves simultaneously as PR, recruitment space, and coordination hub. They do not conduct sophisticated espionage — instead, they rely on fast and highly visible attacks designed to create panic and influence public opinion.

A few final words…

Not all cyber threats march under visible state flags; many arise from greed, ideology, or pure chaos — and they are often faster and more unpredictable than traditional APTs. These actors strike where it hurts: hospitals, government offices, infrastructure services, and even public trust itself. Their main weapon is simple: vulnerability + time.
