Top 10 Types of Cybercriminal Categories and Notorious Criminal Groups

Cybercriminals are wanted for activities that cause havoc and disruption among organizations, such as data encryption, data theft, or denial of service. Their motivations vary, but most are financial or political. Below, we list the top 10 types of cybercriminal categories and notorious criminal groups.

Top 10 Types of Cybercriminal Categories and Notorious Criminal Groups: Ransomware Operators (LockBit3.0, Cl0p, Play, 8base), Hacktivist Groups (Anonymous), Access Brokers, Data Breach Culprits, Advanced Persistent Threat (APT) Groups (Stuxnet worm), Insider Threat Actors, Malware Creators (Zeus, Gozi, DanaBot, TrickBot), Dark Web Marketplace Creators and Operators (Conor Brian Fitzpatrick, alias "pompompurin"), Spammers (Gamaredon), Botnet and DDoS Attackers (Mantis, Emotet, Mirai)

Top 10 Most Wanted Cyber Criminals

Here, we look at why each category is most wanted and name some well-known groups in it. The list is heavily based on the popularity of the attackers in dark web forums and communities.

Ransomware Operators

Ransomware operators work together to profit by locking sensitive files in a company and demanding a ransom in exchange. They deploy a specific type of malware that steals the data or encrypts it, marking the files with a particular extension. The malware then drops a ransom note telling the victim that they have been targeted and should pay a ransom to get their files back. A ransomware attack leads to multiple losses, such as financial and reputational losses, and an affected consumer base.
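The two behaviours described above (files renamed to one particular extension, then a note dropped) can be combined into a simple detection over file-event logs. This is an added example, not part of the original article; the event format, process names, paths, the ".lck9" extension and the thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Constructed file-event records: (process, action, old_path, new_path).
# Process names, paths and the ".lck9" extension are made up for illustration.
EVENTS = [
    ("winword.exe", "rename", "/share/hr/~tmp1.docx", "/share/hr/offer.docx"),
    ("backup.exe", "rename", "/share/hr/a.db", "/share/hr/a.db.bak"),
    ("backup.exe", "rename", "/share/fin/b.db", "/share/fin/b.db.bak"),
    ("backup.exe", "rename", "/share/fin/c.db", "/share/fin/c.db.bak"),
    ("svc_upd.exe", "rename", "/share/hr/offer.docx", "/share/hr/offer.docx.lck9"),
    ("svc_upd.exe", "rename", "/share/hr/pay.xlsx", "/share/hr/pay.xlsx.lck9"),
    ("svc_upd.exe", "create", None, "/share/hr/RESTORE_FILES.txt"),
    ("svc_upd.exe", "rename", "/share/fin/q3.pdf", "/share/fin/q3.pdf.lck9"),
    ("svc_upd.exe", "create", None, "/share/fin/RESTORE_FILES.txt"),
]


def suspicious_processes(events, min_renames=3, min_note_dirs=2):
    """Return {process: (extension, note_name)} for processes that rename
    many files to one new extension AND drop the same file name into
    several directories (the encrypt-then-leave-a-note pattern)."""
    ext_hits = defaultdict(Counter)                     # proc -> new ext -> count
    note_dirs = defaultdict(lambda: defaultdict(set))   # proc -> file name -> dirs
    for proc, action, old, new in events:
        new_p = PurePosixPath(new)
        if action == "rename":
            # Count only renames that change the final extension.
            if new_p.suffix and new_p.suffix != PurePosixPath(old).suffix:
                ext_hits[proc][new_p.suffix.lower()] += 1
        elif action == "create":
            note_dirs[proc][new_p.name.lower()].add(str(new_p.parent))

    findings = {}
    for proc, exts in ext_hits.items():
        ext, count = exts.most_common(1)[0]
        # A note candidate is one file name created in several directories.
        notes = sorted(name for name, dirs in note_dirs[proc].items()
                       if len(dirs) >= min_note_dirs)
        if count >= min_renames and notes:
            findings[proc] = (ext, notes[0])
    return findings


if __name__ == "__main__":
    for proc, (ext, note) in suspicious_processes(EVENTS).items():
        print(f"ALERT {proc}: mass rename to {ext}, note {note} in many dirs")
```

Requiring both signals keeps the constructed backup job, which renames files to ".bak" but drops no note, from being flagged.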

Some of the leading names in ransomware groups are:

  1. LockBit3.0
  2. Cl0p
  3. Play
  4. 8base

More can be read here on Dark Feed.

Hacktivist Groups

Hacktivist groups pursue a personal or geopolitical agenda, often against those whose views are extreme or opposed to their own. They conduct a variety of attacks as part of their “operations” against a country or its government. These can include DDoS, data breaches, access sharing, and mass defacement of government and other websites, all meant to get noticed and draw attention to their retaliation.

A leading name in the hacktivist community is Anonymous, whose members operate in association across the globe. Newer groups can be read about here on Zone-H.

Access Brokers

An access broker sells, buys, and trades access to companies for personal or financial reasons. This access is usually VPN or RDP access, often obtained by stealing credentials from legitimate users through a fake website or malware. Some access is sold for as low as $10, yet it opens up extremely critical documents and data not exposed to the internet or the public. Criminals leverage such compromised credentials to extort more money after stealing information.

Data Breach Culprits

Data breach culprits are those who are able to infiltrate a system and compromise its data. This is achieved by stealing access, exploiting vulnerabilities, and illegally scanning across multiple devices. Once the data is stolen, these culprits sell it to potential buyers. It attracts other criminals who want to purchase financial data, passwords, and personal information in order to conduct more fraudulent activities.

APT Groups

APT stands for Advanced Persistent Threat. APT groups are among the most sophisticated cybercriminal groups, running long-term operations with high-level technologies. They are named after the techniques they use and the campaign methods they follow. APTs mostly fall into the state-sponsored or non-state-sponsored categories. One of the biggest and first known recorded APT attacks was the Stuxnet worm on the Iranian nuclear program.

Some of the leading names among the most wanted APT groups are listed here. Various APT groups have been recorded operating through particular countries and against other regions.

Insider Threat Actors

Insider threats come in two forms: intentional and unintentional. Employees and associated teams can turn rogue for many reasons and set out to harm the organization. They do this by secretly or publicly giving out confidential information or by exploiting the privileges assigned to them. In recent times, various insiders have been caught and charged with extorting or damaging sensitive data.

While not wanted, two Tesla employees recently leaked sensitive information revealing PII such as name, address, SSN, etc. A cloud engineer at another reputed firm deleted sensitive code repositories to exact revenge after termination.

Malware Creators

Malware creators develop different types of malicious software, such as adware, spyware, ransomware, DDoS tools, etc. Ultimately, their goal is to sell it to advanced criminal groups for financial gain, or to spread it themselves for fun and profit. Much of this malware is meant to target employees or banking applications running on devices.

Some of the leading names associated with wanted malware creators are banking malware such as Zeus, Gozi, DanaBot, TrickBot, etc.

Dark Web Marketplace Creators and Operators

Dark web marketplace creators and operators provide a space for cybercriminals to come together, discuss, and collaborate on different types of attacks. Many security defenders think of it as a breeding ground for cybercriminals. The operators are enablers and propagators of different kinds of crime and protect themselves by maintaining anonymity, which makes them indirectly involved in those crimes.

Recently, a most wanted cybercriminal forum called Breach Forums, which was formed after the seizure of Raid Forums, was shut down. This involved capturing its operator, Conor Brian Fitzpatrick, alias “pompompurin.” It had over 3,00,000 subscribers at this point.


Spammers

A spammer is a type of cybercriminal who aims to flood your communication channels with irrelevant but malicious content. It can be one of those offers that drops a malicious link and asks you to forward it to other people for some money. The idea is to form a chain and reach the maximum number of victims in one cycle of malicious operations.

Different groups have used phishing as their way of spamming in targeted attacks. A group called Gamaredon has been sending spear phishing emails containing malware against Ukraine. Also, in 2021, five Sacramento County employees revealed their credentials to criminals after a series of phishing attacks.

Botnet and DDoS Attackers

Botnets and DDoS attacks are largely linked to hacktivist groups who damage government and consumer-facing infrastructure. They target multiple computer devices, make them part of a botnet, and send huge amounts of traffic through them to make a service unavailable. However, another group of criminals associated with botnets are those who develop such tools and sell them to buyers on a premium subscription or product basis.

Some of the biggest and most damaging botnets still available today are:

  1. Mantis
  2. Emotet
  3. Mirai

Wrapping up

These are the top 10 most wanted cybercriminal categories, and for each we have tried to mention specific groups that have been causing extreme damage in cyberspace. As individuals, we must stay vigilant towards any suspicious activity happening around us, in both the personal and digital world, to identify a breeding criminal mindset or an attack that targets us or the wider public. With this, we hope you liked this article. Do let us know what you think in the comments.

Rishika Desai- Cyber Intelligence Threat Researcher

Author Bio: This article has been written by Rishika Desai, a B.Tech Computer Engineering graduate with 9.57 CGPA from Vishwakarma Institute of Information Technology (VIIT), Pune. She currently works as a Cyber Threat Researcher at CloudSEK. She is a good dancer, poet and writer. Animal love engulfs her heart and content writing comprises her present. You can follow Rishika on Twitter at @ich_rish99.
