The top 14 hacker groups: what, when, and why do they hack? - Hitecher

by Evan Mcbride

Recently, the hacker group Anonymous declared a "cyberwar" against Russia. Subsequently, the hackers hacked the websites of some of the leading Russian publications, placing political slogans on their main web pages. It is not the only incident that has made the group famous: Anonymous had previously hacked into the websites belonging to the government of Minneapolis (the very same city where a police officer killed George Floyd), the government portals in Egypt and Tunisia, as well as Visa, MasterCard, and PayPal. So, what other hacker groups are famous worldwide, and for what are they renowned? We have gathered some top groups and explored their "career path."


Anonymous

Let us start with probably the most legendary crew, which stands out from the rest for its infamous style of wearing a Guy Fawkes mask from the movie "V for Vendetta." The group was established in 2003 and, even then, described itself as decentralized and disconnected from politics. For almost 20 years, Anonymous has managed to hack into the resources of terrorist organizations, drug cartels, and pornography providers, as well as the websites of Visa, MasterCard, PayPal, PlayStation, and the Egyptian and Tunisian governments. Nevertheless, the members of the group remain anonymous today. They hack sites using DDoS attacks - submitting to the site a vast number of identical requests that exceed the network bandwidth. Do you remember how portals usually begin to "lag" when simultaneously visited by several thousand people? A DDoS attack is pretty much the same, although much more substantial.


BlackMatter

Here we have a relatively young group, primarily involved in extorting money or data from large companies. It is replacing DarkSide and REvil, which attacked the resources of oil suppliers. BlackMatter specializes in finding corporate employees willing to provide internal data access for a hefty reward, anything from $3,000 to $100,000. With this access, the hackers release viruses and trojans on the intranet (the internal network accessible to employees). The group is only interested in large organizations with more than $100 million annual income.

APT31, Hurricane Panda or Zirconium

Yes, you have read this correctly; this group has three names. Firstly, it is not entirely clear why they are so secretive: the hackers have long been known for numerous attacks on government agencies and voters in power. For example, in 2020, during the US presidential election, the group, according to Microsoft, hacked the accounts of about a thousand American voters and political and educational organizations. Before this, the hackers concentrated on the government websites of Norway, Finland, and Germany. Finally, APT31 conducts its operations as APT attacks. APT is an acronym for Advanced Persistent Threat. This is the name for a constant, targeted attack by a hacker on a user's device. This kind of attack is designed to locate confidential information on devices. A hacker breaks into a smartphone, tablet, or laptop network and spends a lot of time monitoring the user's activity and studying the data available on the network. The group's arsenal also includes phishing emails with links to fake websites.

Lizard Squad

The members of this team have long since been arrested, although that does not diminish their reputation worldwide. Interestingly, all the members of the Lizard Squad were between 15 and 17 years old at the time of their arrest. This did not stop them from attacking the game servers of large projects using DDoS attacks, hacking Sony, PlayStation, and Xbox (by disclosing the company's confidential information), and openly supporting terrorist organizations banned in Russia. The group did not particularly hide, demonstrating its successes on social media, which likely led to the arrest of the community members.

Syrian Electronic Army

Another group that openly supports a particular political regime. In this instance, the cyber war is being waged against the enemies of the rulers of Syria. The Syrian Electronic Army is attacking the "Arab Spring" organizers, which include the United States, Qatar, and Saudi Arabia, for some reason. Even news sites where hackers publish fake information and the portals of Syrian rebels are getting into hot water. The group's tools are quite familiar: DoS attacks (this is about the same as DDoS but on a smaller scale) and phishing operations.

Bronze Union, LuckyMouse, or Iron Tiger

This group has eight alternative names, among which even cybercrime experts can easily get lost. Still, it has been in business since 2010 and is still actively encrypted! The location of the primary team members, however, has long been known: they live in China. The hackers attack the government, industrial sectors, and the media. Their main goal is considered to be espionage, and between their actions, representatives of the group extort money. By 2020, the group had likely received additional funding from a source interested in the stolen data. Bronze Union uses APT attacks, phishing, and infected websites that victims frequently visit. Hackers from this group could work as marketers: they skillfully track the actions of users and easily predict which resource they might want to see.


Calypso

They refer to themselves as a "group with Asian roots"; they attack government portals and search for classified data. Analysts have no information whatsoever about the third parties receiving this data. There is, however, information regarding the programs used by the cybercriminals. A few of them are used only by Chinese-speaking hackers, indicating the nationality of the team members. Calypso has existed since 2016 and was only discovered in 2019; since its creation, the hackers have managed to hack the websites of government agencies in Russia, India, Kazakhstan, Brazil, Turkey, and Thailand using network administration services.


They are yet another "spy" group that uses APT attacks as its primary offensive tool. They appeared in 2019 but began their "promotion" amongst colleagues in 2021. Then the hackers created a dozen websites - clones of TrendMicro, Microsoft, IBM, McAfee, and Google services. Their activities did not end there: members of the group put at risk the data of subsidiaries of the companies they were targeting, using vulnerabilities found in their code to compromise the portals. Then they stole the data found on the intranet (and elsewhere).


Cobalt

The group was primarily interested in stealing money from financial institutions, which they have been attacking since 2016. The hackers mostly use flaws in the code of payment system portals. Still, sometimes they hack cash machines or steal money from bank cards. Some of the group members had probably already participated in the activities of the Carbanak cybercriminal community, where they acquired knowledge about the operation of bank websites and their intranets. "Carbanak," incidentally, also deserves some attention. The group was discovered in 2014 by Kaspersky Lab. And while its leader was arrested in 2018 by Europol (the EU police service), the group still exists. Over 8 years, they have stolen more than nine hundred million dollars. Cobalt did not stop when one of its leaders was arrested in 2018. Furthermore, they hacked into the Unistream payment system a few months later.

CozyDuke, The Dukes, or Group 100

This group has six alternative names, one of which is consistent with APT31 - APT29. This tradition, incidentally, can be traced back to other communities of hackers who hack sites using APT attacks. CozyDuke preys on sensitive data from organizations in the government and financial sectors. Even pharmaceutical companies and logistics firms which manage supply chains have suffered from these attacks. Apart from standard APT hacks, the hackers use their own technologies: they have an impressive arsenal of malware (malicious software) created from scratch.

Fancy Bear

They will attack anything from government websites to the portals of research companies. The final goal of the group is, of course, data, preferably classified and confidential. The hackers are well organized, use many cross-platform tools, and coordinate skillfully. It is almost as if they are all sitting in the same office during the attacks on their victims. In its time (and the group has existed for 18 years!) Fancy Bear has attacked WADA, the DNC, and the French TV channel TV5Monde. The user's country of residence or the company's home does not make any difference: the hackers do not care whether they hack into an American company or a Belarusian one. The group chooses phishing sites and spear phishing as their main tools.


This cyber-espionage group has existed since 2009. The hackers attack government and public organization portals, including North Korea's businesses. Poland, China, Japan, and Russia are among their interests. Community members distribute emails with malicious content capable of launching applications and performing specific actions in them without the user's knowledge. Information gathered by the virus is automatically sent to the hackers.

DarkSide

Almost every American president has continuously mentioned Russian hackers over the past 15 years. However, not all hackers have Russian citizenship, perhaps because they have a famous reputation. DarkSide has been around since 2020. Over several years of its operation, it managed to hack a site or steal data and to stop the actual pipeline of the American company Colonial Pipeline, which supplies 45% of the fuel to the United States East Coast. A ransom of five million dollars helped restore operations. It was transferred within a couple of hours following the hack and paid in cryptocurrency. The group then spread a message in the media that most of the funds the team takes or receives as a ransom are donated to charity.


LulzSec

This is one of the most notorious hacker groups in "professional circles." All of the members were caught back in 2012. However, the group's name is still on everyone's lips. The hackers broke into the US Senate, Sony, Nintendo, and AT&T websites and stole confidential company data. They were managed by Hector Xavier Monsegur, a 28-year-old New Yorker with incredible managerial talents. However, FBI agents recruited him. It emerged that LulzSec hackers were spread worldwide, which did not prevent them from working in coordination during attacks on company websites. The hackers used to hack just for a laugh, although after a short while, they refocused on crimes for political reasons. A year before their capture, one of the members even gave an interview to The Associated Press, warning the public that the group was about to release more than a dozen government documents.

New hacker groups spring up frequently, although not all are made public. We keep track of the most intriguing news from the world of technology, including cybercrime news – check back with us often to keep up to date with articles about new international hackers!

Evan Mcbride

Hitecher staff writer, high tech and science enthusiast. His work includes news about gadgets, articles on important fundamental discoveries, as well as breakdowns of problems faced by companies today. Evan has his own editorial column on Hitecher.
