Cybercriminal gangs have been in operation for decades but have become an increasingly sophisticated threat that challenges every organisation, no matter the size or the sensitivity of its data.

There is a worrying trend emerging whereby smaller cybercriminal gangs are banding together to form more prominent organisations. Some operate privately, while others offer to sell their tools as Ransomware as a Service (RaaS), ideal for any criminal entity wishing to instigate a ransomware attack.

These international cybercriminal gangs model their operations after legitimate business organisations, offering their services as any other Software as a Service (SaaS) provider would. They often have websites on the dark web, customer service lines, service level agreements, and even provide training for new members.

Below are six of the most notorious cybercriminal gangs upsetting the digital world and prompting an increased effort by international law enforcement agencies to protect businesses on a global scale.

1. DarkSide

DarkSide is a relatively new group, gaining momentum since August 2020. They mainly initiate ransomware cyberattacks and target businesses throughout the United States and Europe. They extort money by encrypting and locking their victims’ data, threatening to leak or destroy that data if the ransom is not paid.

This hacking group has a RaaS model complete with a website on the dark web that has a mailing list, press room, and training information. They sell their attack tools to anyone wishing to carry out ransomware attacks. The ransom demands range from $100,000 to $5 million. The group seems to be based in Russia.

DarkSide appears to have a code of ethics of sorts in that they vow never to attack schools, hospitals, non-profits, universities, and government agencies. In addition, they typically target only English-speaking nations.

Their most notable attack is on the Colonial Pipeline in June 2021 (read the BBC article), which shut down the pipeline and created fuel shortages across the Eastern Coast of the US. They accomplished this attack using a single compromised password.

Interestingly, DarkSide claims to donate a portion of its proceeds to charity organisations. However, it’s been reported that charities have refused the donation upon learning that it’s from a criminal organisation.

2. GozNym


GozNym is an international criminal gang that has allegedly used malware to steal more than $100m (£77m) from over 40,000 victims until caught and dismantled in 2019. Law enforcement officials conducted an unprecedented, collaborative investigation that led to the capture across the US, Germany, Bulgaria, and Ukraine. Like Darkside, members meet on online forums.

The gang is thought to have infected devices with GozNym malware that captured online banking details and accessed bank accounts. GozNym is a hybrid of two other pieces of malware called Gozi and Nymaim. 

Gozi, which has been in use since 2007, is “dropper” software that sneaks other malware onto a device and installs it. The programming has evolved over the years, but always with the aim of stealing financial information, usually focused on US banks. 

Nymaim was used primarily to get ransomware onto devices. Unsuspecting users click on what they think is a simple link, though the result is giving the hackers access to account details.

3. Evil Corp

Security researchers believe that Evil Corp is potentially conducting cyber espionage operations. The group has been active since 2009 and is sometimes referred to as TA505. They are known to employ the Dridex banking Trojan as well as ransomware like Bart, Jaff, Locky, BitPaymer, WastedLocker, and Hades.

One notable SolarWinds attack involved a drive-by download that installed a backdoor into the network. From there, hackers installed and deployed the Cobalt Strike malware, compromising the entire network. They installed the Wasted Locker ransomware a month after the initial breach.

During this time, they gathered data from user profiles, network share, browser histories, and cloud-based mailboxes. Eventually, they mined user credentials and the locations of the backup files, which they then deleted. The group is thought to have deployed financial malware that caused millions in losses.

4. Lazarus Group

Lazarus Group, which also goes by Guardians of Peace or Whois Team, is a cybercrime supergroup whose members are unknown. Nonetheless, many cyberattacks have been attributed to them over the past ten years.

One of their earliest attacks is “Operation Troy,” which occurred from 2009 to 2012. As a cyber-espionage campaign, it involved unsophisticated distributed denial-of-service attack (DDoS) techniques against the South Korean government in Seoul. They were most likely also responsible for an attack in 2007, again against South Korea.

A more notable attack attributed to Lazarus Group is the 2014 attack on Sony Pictures. The group used advanced techniques and demonstrated how advanced they have become. To date, the Lazarus Group has stolen $12 million from the Banco del Austro in Ecuador and another $1 million from Vietnam’s Tien Phong Bank. They have also hit banks in Mexico, Poland, Bangladesh, and Taiwan.

Over time, Lazarus Group attacks have become more sophisticated and their tools more effective. In 2011, the “Ten Days of Rain” attack targeted South Korean infrastructure, using sophisticated DDoS attacks. The attacks continued through 2013 with a wiper attack called DarkSeoul that targeted South Korean broadcast companies and an ISP. 

Their most current known attack was in 2020, amidst the COVID-19 pandemic. Group members posed as health officials sent phishing emails to pharmaceutical company employees, including AstraZeneca. However, it is yet unknown what the true intent of these attacks was.

5. Wizard Spider

Wizard Spider

Wizard Spider is a cybercrime group thought by security analysts to be based near Saint Petersburg in Russia, though some members are likely based globally. Researchers estimate that there are about 80 members, though some may not realise their employer is a criminal organisation.

The group is suspected of being behind the 2021 Irish Health Service Executive cyberattack and the WannaCry ransomware attack in 2017 that impacted the NHS. The FBI, Europol, and Interpol are all investigating Wizard Spider.

Unlike some of these other groups that sell RaaS, they do not appear to advertise on the dark web, perhaps only work with criminals they trust. They are considered the most prominent member of the first global ransomware cartel, called the Ransom Cartel or Maze Cartel. Other well-known members include Viking Spider, Twister Spider, SunCrypt, and Lockbit.

6. MageCart

Magecart is an expanding cybercrime syndicate comprised of subgroups that specialise in digital credit card theft. Cyberattacks of this nature involve skimming online payment forms from e-commerce websites. 

Magecart takes its name from the JavaScript code the group injects into its victims’ systems. In doing so, Magecart agents gain access to websites directly or through third-party services and then steals sensitive data that shoppers enter into online checkout pages.

If Magecart operatives don’t breach sites directly, they do so by supply chain attacks. Supply chain attacks focus on third parties that supply code to websites, such as third party plugins. These third parties integrate with hundreds or thousands of websites by design. Thus, when one supplier is compromised, groups like Magecart can breach all the sites instantly.

One of the group’s most notable attacks was in 2018 when Ticketmaster announced that their systems were compromised. Magecart were stealing payment information from Ticketmaster’s multiple websites through a third-party supplier known as Inbenta. The attack affected over 800 e-commerce sites globally.


As cybercriminal gangs are constantly refining their skills to exploit cracks in the latest technologies, are you working to stay one step ahead?  If you have yet to establish a dedicated security team for your operation, then you are leaving your business exposed to an ever-evolving threat.  Augmenting your current IT team with the security skills on offer from Securus Communications is a fast and effective way to boost your network security.

Securus Communications can help you quickly and efficiently secure your entire businesses IT operation. We can work alongside you, assisting with enhanced email filtering, SASE, SWG, and private cloud backups with immutable data locks and airgap technology. We also offer staff security training and cyberthreat awareness. For more information please get in touch.

Technology Insights Newsletter

Includes our FREE 10-page SASE Report

The Securus Technology Insights monthly newsletter for IT decision-makers who need to stay well-informed. We update you on key business areas relating to the technology landscape, best practices and insightful news. Don’t get left behind.

You will also have our insightful Complete Guide To SASE article sent to you for FREE. This is a 10-page deep-dive into the SASE technology, exploring how it can help your business.

By subscribing to our hugely popular monthly Technology Insights newsletter you will receive the 10-page Securus Communications Complete Guide To SASE article direct to your email inbox, right now!

You can unsubscribe at any time, and we never share your information, here is our Privacy Policy.

Further Technology Articles