
Hacker and Ransomware Groups Explained: Qilin, Anonymous, and Attacks on Japan

A guide to the hacker and ransomware groups you see in the news—Qilin, Anonymous, North Korea's Lazarus and more—sorted into four types: ransomware, state-backed, social extortion and hacktivist. Where they came from, who's in them, which famous companies they hit, and what it means for ordinary life, including groups that struck Japan's Asahi, KADOKAWA and local governments.

Roundup

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.15 · 28 min

You see names like "the ransomware group Qilin" or "the international hacker collective Anonymous" in the news, but who they are, where they came from, and what they are after is rarely clear. This article organizes the world's best-known hacker and cybercrime groups, one by one, into four types: (1) money-driven ransomware groups, (2) state-backed groups, (3) youth-led social-extortion crews, and (4) politically-motivated hacktivists.

For each, we look at where it was born, roughly how many people, what kinds of individuals, which famous companies it has hit, what it means for ordinary life, where it sits within its scene, and what tactics it favors. This site reports daily on new vulnerabilities (CVEs) and cyberattacks; this article is a single map of the "attacking side." Groups that struck Japan's Asahi Group, KADOKAWA and local governments also appear.

Note that the head counts, victim totals, identities and state ties of these groups are, by their nature, mostly "estimates," "attackers' claims," or "attributions by governments." This article avoids assertions throughout, consistently using "is said to" and "is reported to."

Hacker groups fall into four broad types

"Hacker group" covers wildly different aims. Do they want money, are they acting on a state's orders, or do they want to make a political point? Grasping these four types first makes each group easier to place.

  • Ransomware groups: money-driven groups that take data "hostage" by encrypting it and demand a ransom. Most run on the "RaaS" division-of-labor model (below).
  • State-backed (APT): groups said to have a particular country's government, military or intelligence service behind them. They handle espionage, sabotage, or earning foreign currency.
  • Social-extortion crews: mostly English-speaking youths who hijack IDs through human-deception ("social engineering"), steal data and extort.
  • Hacktivists: groups that attack for political or social causes, mainly via DDoS that temporarily knocks sites offline.

First, a term that recurs below: "RaaS (Ransomware-as-a-Service)." It is a model in which a "core team" that builds the ransomware and "affiliates" who actually break into companies divide the work. The core provides the tools and the negotiation site; affiliates break in, collect the ransom, and remit a cut (often around 20%) to the core. Think of it like a franchise. This division of labor let people without high skills join in, and the number of victims surged.

Quick-reference table

Before the main text, here is a list of the major groups covered. Jump to whichever section interests you.

Group | Type | Base/background (said to be) | Notable incident
Qilin | Ransomware | Russian-speaking | London hospital labs; Asahi (Japan)
LockBit | Ransomware | Russia | UK Royal Mail; taken down in 2024
Cl0p | Ransomware | Russian-speaking | MOVEit mass-hack (~95.8M people)
ALPHV/BlackCat | Ransomware | Russian-speaking | US healthcare giant → exit scam
Akira | Ransomware | Russian-speaking | Targets VPNs; #2 by volume
Conti/REvil | Ransomware (defunct) | Russia | Costa Rica emergency; Kaseya/JBS
RansomHub | Ransomware | Russian-speaking | #1 in 2024 → halted 2025
DragonForce | Ransomware | Unclear | UK M&S/Co-op; "cartel"
Black Basta | Ransomware | Russian-speaking | 140 US hospitals; chat leak
Play/Medusa/INC/BlackSuit | Ransomware | Russia/E. Europe | KADOKAWA/Niconico (BlackSuit, Japan)
Hive | Ransomware (taken down) | Russian-speaking | FBI infiltrated, gave keys
Russia APTs (Fancy/Cozy/Sandworm) | State | Russian mil/intel | US election meddling; NotPetya/blackouts
China APTs (Volt/Salt/APT41) | State | China | US infra pre-positioning; US telecom breach
Iran APTs (MuddyWater/APT35) | State | Iran | Mideast espionage; dissidents/journalists
N. Korea APTs (Lazarus/Kimsuky) | State | North Korea | WannaCry; massive crypto theft
The Com/Scattered Spider | Social extortion | English-speaking youth | US casinos MGM/Caesars
LAPSUS$/ShinyHunters | Social extortion | UK/Brazil etc. | Okta/Nvidia/GTA6 leak; mass data theft
Anonymous/LulzSec | Hacktivist | International | Protest DDoS; Sony/CIA sites
Killnet/NoName057(16) | Hacktivist | Pro-Russia | DDoS on Japan's govt/local sites
IT Army of Ukraine | Hacktivist | Ukraine | Openly mobilized by a state

Now, one by one in detail.

A. Money-driven ransomware groups

These are the most active in the world today and the ones inflicting direct financial damage on companies. Most run on the RaaS model and use "double extortion": encrypt the data, then also threaten to publish what they stole. They are the type that stopped Japan's Asahi Group and KADOKAWA.

Qilin

Qilin has the most momentum right now. It appeared in 2022 as "Agenda," soon renamed Qilin, and is a RaaS said to be Russian-speaking. It splits into a core team and affiliates, with affiliates taking around 80%, as reported by Group-IB, which infiltrated it. By victims posted on leak sites it was the world's #1 in 2025 with over 1,000 a year, and is reported to have kept the top spot into 2026.

Symbolic of the impact on ordinary life is the June 2024 attack on Synnovis, a London hospital lab provider. Blood and pathology testing at major hospitals was paralyzed, large numbers of surgeries and outpatient visits were canceled, and a severe shortage of type-O blood ensued. In 2025 a hospital confirmed that the testing delays were a contributing factor in a patient's death—a rare case of ransomware being linked to a death. In Japan, this is the group that attacked beer giant Asahi Group in September 2025 (see our deep dive on the Asahi case). It enters via phishing, VPN-device flaws and stolen IDs, and encrypts not only Windows but Linux and server virtualization platforms.

LockBit

Until a few years ago, LockBit was called the "king of ransomware." A Russia-based RaaS that appeared in 2019, it notably excluded former-Soviet (CIS) countries from its targets. The US DOJ says it claimed over 2,500 victims across 120-plus countries. With an unusual scheme in which affiliates receive the ransom first, it gathered many operators, armed with extremely fast encryption and the dedicated data-theft tool "StealBit."

Victims include the UK's Royal Mail (international post halted for weeks), aerospace giant Boeing, and the US arm of ICBC. Yet when it hit Toronto's SickKids children's hospital, it issued a rare apology, blaming an affiliate's rule violation, and released a free decryptor. The turning point was "Operation Cronos" in February 2024: led by the UK's NCA with around 10 countries, it seized servers and recovered over 1,000 decryption keys. In May 2024 the ringleader "LockBitSupp" was identified and charged as Russian national Dmitry Khoroshev (said to be at large in Russia). It has since lost momentum, ceding the top spot to Qilin and Akira.

Cl0p

Cl0p is a Russian-speaking extortion group known for hitting many organizations at once by exploiting unknown flaws (zero-days) in "products companies use to transfer files." It is usually quiet, then a few times a year explodes in victims by punching through one product's hole. It often skips encryption and merely threatens to publish stolen data.

Emblematic is the 2023 mass exploitation of MOVEit Transfer (a file-transfer product), which affected about 2,773 organizations and roughly 95.8 million people—one of the largest data breaches ever. Employee data from the BBC, British Airways and US agencies leaked via a payroll provider. Targeting such file-transfer products (Accellion, GoAnywhere, MOVEit, Cleo) is its consistent method. If supply-chain attacks interest you, see our OSS supply-chain scanner.

ALPHV/BlackCat

Appearing in 2021, ALPHV (aka BlackCat) was a pioneering ransomware written in the Rust language, widely assessed as the successor/rebrand of DarkSide, which shut a US oil pipeline. It was known for "triple extortion" (encryption + data leak + DDoS) and skilled impersonation calls to help desks.

Its biggest incident was the February 2024 attack on US health-IT giant Change Healthcare. Medical billing, pharmacies and payments were disrupted nationwide for weeks, and ultimately about 190 million people's data leaked—one of the largest breaches in US healthcare history. Right after, ALPHV pulled an "exit scam": after receiving about $22 million, it stiffed its affiliate's cut, posted a fake FBI seizure banner, and vanished. The betrayed affiliates are said to have flowed to the successor, RansomHub. It was a finale that captured how criminal groups cannot even trust their own.

Akira

Appearing in 2023, Akira climbed to #2 by volume in just a few years. Said to be Russian-speaking, it is noted for code similarities to the defunct Conti, though that is only an analytical inference. Its 1980s-style green-on-black terminal leak site is a hallmark. US CISA reported impact on 250-plus organizations by early 2024, and a 2025 update estimated about $244 million extorted cumulatively.

Crucially, it enters via VPN devices without multi-factor authentication (MFA), using vulnerabilities in Cisco or SonicWall VPNs and stolen IDs to break in fast. This is the same entry path as the Asahi case (VPN breakthrough) and the most urgent route to watch today. We also report on perimeter-device flaws like VPN holes abused by ransomware groups.

Conti/REvil — defunct "legends"

Gone now, but indispensable to ransomware history, are Conti and REvil. Conti, a Russia-based group that appeared around 2020, was unusual for being organized like a company. A 2022 internal leak revealed salaried programmers, an HR department that recruited and trained, even an "employee of the month." In 2022 it attacked Costa Rica's government, prompting the country to declare a state of emergency (said to be the first country to do so over ransomware). Conti also paralyzed Ireland's national health IT for months. Right after declaring support for Russia's invasion of Ukraine, an insider leaked over 60,000 chats, and it disbanded in 2022; its people scattered to Black Basta, Royal (later BlackSuit) and others.

REvil, a Russia-based RaaS from 2019, symbolized the "ransomware as critical-infrastructure threat" era. In 2021 it exploited a zero-day in the IT-management software Kaseya, spreading via about 50 providers to up to 1,500 downstream firms at once. The world's largest meatpacker JBS paid $11 million, and Sweden's Coop supermarket closed about 800 stores. In 2022 Russia's FSB detained members, effectively ending it; the Ukrainian who carried out the Kaseya attack got 13 years and 7 months in the US.

RansomHub

RansomHub appeared in February 2024 and rose to the top tier in under a year. It set the affiliate cut at a striking ~90% and made "affiliates get paid first," turning the distrust from ALPHV's exit scam to its advantage. This let it absorb strong affiliates from the defunct LockBit and ALPHV. US CISA reported impact on 210-plus organizations within six months of launch.

Victims include oil-services giant Halliburton and US pharmacy chain Rite Aid (about 2.2 million records reportedly leaked). In the Change Healthcare case above, after ALPHV's exit scam the stolen data reportedly passed to RansomHub for a second round of extortion. It exploits known vulnerabilities and uses a dedicated tool to disable security products (EDR). But its infrastructure was reported to go dark in April 2025, with affiliates moving to Qilin and others. The speed of rise and fall is a hallmark of this scene.

DragonForce

DragonForce emerged in 2023 and rose sharply in 2025. Its big feature is "going cartel." In 2025 it announced it would drop centralized operation and let affiliates rent DragonForce's backend (infrastructure, negotiation site, key management) for a fee while running their own brand names. Aiming for a franchise-HQ position, it is also known for the roughness of attacking and defacing rival groups' sites in turf wars.

Reported in Japan too was the April–May 2025 attack on the UK's Marks & Spencer (M&S) and Co-op. M&S's online sales stopped for weeks, with the hit to operating profit estimated at about £300 million (~$400 million). The execution is reported to have been by the social-extortion crew Scattered Spider, deploying DragonForce's ransomware—a notable example of the "cartel" model (though this is reporting, not official confirmation). Note that the similarly named pro-Palestinian hacktivist group "DragonForce Malaysia" is a separate entity.

Black Basta

Black Basta, which appeared in April 2022, is a Russian-speaking RaaS widely assessed as the successor to the defunct Conti. US CISA reported impact on 500-plus organizations by mid-2024, with an estimated $100 million-plus extorted since 2022. In its May 2024 attack on US health giant Ascension, 19 states and about 140 hospitals were disrupted, reverting to paper as ambulances were diverted and electronic records went down. About 5.6 million records were later confirmed leaked.

What made it famous was the February 2025 mass leak of internal chats. About 200,000 messages exposed phishing methods, victim IDs, members' roles, even the scammy internal practice of "take the ransom without handing over the key." The leaker claimed the motive was "revenge for attacking Russian banks." After this, Black Basta stopped showing new attacks and is considered effectively dormant. Its method featured "vishing (voice phishing)": blasting emails, then calling or using Microsoft Teams while posing as "IT support" to get remote-control software installed.

Play, Medusa, INC Ransom, BlackSuit (the high-volume regulars)

Beyond the big names above, several groups are regulars near the top of victim rankings. Here are four together.

Play, from 2022 and said to be Russia-linked, is a "closed" group that does not take public affiliates. The FBI counted about 900 organizations by May 2025; it leaked about 65,000 Swiss government documents and halted Krispy Kreme's online ordering. Medusa, a RaaS from around 2021, is known for "triple extortion" (demanding more after payment); US CISA reported 300-plus victims including critical infrastructure in 2025, with victims including Toyota's overseas finance arm, a US ambulance operator and an imaging company.

INC Ransom, from mid-2023, hit Scotland's NHS (patient-data leak) and US grocery giant Ahold Delhaize (about 2.2 million affected). Its source code was reportedly sold for $300,000 and spun off into another group, Lynx. Most familiar to Japanese readers is BlackSuit (formerly Royal). Said to be led by ex-Conti members, it is known for the June 2024 attack on KADOKAWA, which took Niconico fully offline for weeks. In the US it also hit the City of Dallas (police comms down, 911 on paper) and the auto-sales system CDK Global (about 15,000 North American dealers stopped). In July 2025 "Operation Checkmate" seized its infrastructure, but with no arrests, and it is suspected to have moved to a new brand.

Hive — when authorities "fought back"

Hive appeared in 2021 and is said to have hit 1,500-plus victims across 80-plus countries and extorted over $100 million—but the reason to feature it is the story of the side that got "hit back." Hive attacked Costa Rica's national health system and multiple US hospitals, paralyzing care. Its method was to hunt down and delete backups to thwart recovery.

Against it, the FBI lawfully infiltrated Hive's network for about seven months from July 2022 under court warrant. It quietly obtained decryption keys and gave them to 300-plus victims under active attack and 1,000-plus past victims, said to have prevented about $130 million in ransom payments. In January 2023, a US-Germany-Netherlands operation seized servers and shut Hive down. The deputy attorney general put it as "we hacked the hackers." Alongside the LockBit takedown, it is a symbolic case of authorities' counterattack paying off. You can also track actively-exploited vulnerabilities on our CISA KEV dashboard.

B. State-backed groups (APT)

Here the character shifts. These groups are said to act not for money but at the will of a state. Technically called "APT (advanced persistent threat)," they wield ample funds and high skill. Note that every country denies its own involvement; the "affiliations" below are all attributions by governments and security firms.

Russia: Fancy Bear, Cozy Bear, Sandworm

Fancy Bear (APT28) is a group that governments attribute to a unit of Russia's military intelligence (GRU). Known for the 2016 US election interference (said to be the breach of the Democratic Party HQ) and the takedown of France's TV5Monde, it is said to focus on espionage and influence operations. Cozy Bear (APT29), said to be part of Russia's foreign intelligence (SVR), sticks to long, stealthy espionage. Its hallmark is the SolarWinds incident revealed in 2020, planting a backdoor in IT-management software updates to breach many organizations including US agencies.

The most destructive is Sandworm. Said to be another GRU unit, it specializes in sabotage. The 2017 NotPetya abused a Ukrainian accounting-software update to spread data-destroying malware worldwide, paralyzing shipping giant Maersk and pharma giant Merck, with total damage estimated over $10 billion. It also attacked Ukraine's power grid, actually causing city blackouts—one of the few "cyberattacks that caused physical damage."

China: Volt Typhoon, Salt Typhoon, APT41

Volt Typhoon, attributed by the US government and Microsoft to a China-based state actor, was disclosed in 2023. Its feature is not flashy attacks but long, quiet "pre-positioning" inside US critical infrastructure like telecom, power and water. It is said to be building footholds to disrupt infrastructure at any time in a crisis, using home routers as stepping stones and moving with legitimate tools to avoid detection. Salt Typhoon, revealed in 2024, breached US telecom giants like Verizon and AT&T, even reaching lawful-intercept systems, with politicians' calls reportedly targeted.

APT41 is a bit different, said to mix state espionage with personal money-making (a "two-sword" style). Known for supply-chain attacks that slip malicious code into software updates (abusing CCleaner and ASUS updates to reach many users), it is also alleged to have defrauded over $20 million from US COVID relief. A singular actor that lines its own pockets between state missions.

Iran: MuddyWater, Charming Kitten

MuddyWater is attributed by governments to a subordinate element of Iran's intelligence ministry (MOIS). Centered on the Middle East, it conducts espionage against government, telecom, defense and oil & gas, favoring the legitimate tool PowerShell to hide. Charming Kitten (APT35), seen as a proxy of Iran's Revolutionary Guard (IRGC), is notable for aiming at people.

Specifically, it favors spear-phishing aimed at journalists, researchers, dissidents and officials, building trust over time via fake LinkedIn accounts before hijacking accounts. Microsoft reported it also targeted US presidential campaigns in 2019–2020. Persistently aiming at "individuals" rather than organizations, threatening their speech and safety, is this group's danger.

North Korea: Lazarus, Kimsuky

Lazarus is a highly unusual group the US government attributes to North Korea's intelligence apparatus (the RGB). Beyond espionage and sabotage, it handles large-scale theft of money and crypto to fund the state—decisively different from other state groups. Known for the 2014 Sony Pictures attack, the 2017 WannaCry that disrupted hospitals and firms worldwide, and historic crypto heists. In 2025, about $1.5 billion was stolen from the crypto exchange Bybit, with the FBI attributing it to Lazarus-linked actors. The proceeds are said to fund North Korea's weapons programs, and it favors the "Operation Dream Job" tactic of deceiving engineers with fake job offers.

Kimsuky is also said to be under North Korea's RGB, but it specializes in information-gathering (espionage) over money. Centered on South Korea, it targets security experts, diplomats, researchers and journalists; in 2014 a phishing attack on a South Korean nuclear operator reportedly leaked internal data and blueprints. Lazarus as the "earner," Kimsuky as the "spy"—a division of roles comes into view.

C. Youth-led social-extortion crews

Most feared recently is this type, centered on English-speaking teens to early twenties. Rather than advanced malware, they hijack IDs with the art of human deception (social engineering), steal data and extort. With a "log in, don't hack in" mindset, they hit a company's weakest point: people.

The Com — less a group than an "ecosystem"

Before the individual crews, a word on their parent body, The Com. It is not a single organization but a leaderless, loosely connected huge online community (ecosystem) of English-speaking youths (US, UK, Canada). The FBI is reported to see the age range as roughly 11–25 and the scale in the thousands.

From this ecosystem came famous "crews" like Scattered Spider and LAPSUS$. Per the FBI, it spans a layer that profits from corporate hacking, a layer that extorts, and even a layer that provides real-world violence (threats, assaults), with warnings of sextortion of victims as young as nine. Recruiting more teens with stolen money, victims drift into becoming perpetrators—closer to a dangerous youth "subculture" than a "group."

Scattered Spider

The most famous crew from The Com is Scattered Spider. Appearing around 2022, it is said to center on US/UK residents in their late teens to early twenties. Its weapon is thorough social engineering: calling a company's IT help desk posing as an employee to get past passwords and MFA. It also uses "SIM swapping" to hijack phone numbers and floods MFA prompts until someone approves.

In September 2023 it hit Las Vegas casino giants MGM Resorts and Caesars. MGM saw chaos with hotel key cards and ATMs disrupted, and Caesars reportedly paid about $15 million. It is also said to have been the executor in DragonForce's M&S attack above. Arrests have followed: a Florida man got 10 years for crypto theft, and a Scottish man was extradited to the US. Young but not to be underestimated—one of the most dangerous active crews.

LAPSUS$ and ShinyHunters

LAPSUS$, appearing in 2021, was an extortion group said to center on teens in the UK and Brazil. Stealing data and dangling its release, it preyed on big names one after another: Okta, Nvidia, Microsoft (about 37GB of source code), Samsung, and the leak of unreleased footage of the game GTA VI. Shockingly, it even paid insiders at companies to help via social media. The ringleader is said to have been a 16-year-old UK boy, arrested in 2022.

ShinyHunters, active since 2020, specializes in large-scale data theft and sale; the name is said to derive from "shiny" hunting in Pokémon. It stole the personal data of hundreds of millions—Indonesia's Tokopedia (about 91 million) and the writing site Wattpad (about 270 million)—and sold it on dark sites. In 2025, the emergence of a "Scattered Lapsus$ Hunters (Trinity of Chaos)" alliance of Scattered Spider, LAPSUS$ and ShinyHunters was reported, said to have launched mass extortion via the Salesforce CRM (victim scale is attackers' claim).

D. Politically-motivated hacktivists

Finally, groups that attack for beliefs rather than money. Their method centers on DDoS that briefly makes sites unreachable, prioritizing "standing out" and "delivering a message" over data destruction. Groups that targeted Japan's government and local-government sites belong here too.

Anonymous and LulzSec

Anonymous is a leaderless, decentralized hacktivist collective born around 2003 from the 4chan image board. With no membership—"declaring yourself" is participation—the Guy Fawkes mask became its symbol. From protests against the Church of Scientology and attacks on PayPal and Visa to activity around the Arab Spring and the Ukraine invasion, it has used DDoS and data leaks to protest censorship and wrongdoing. For better or worse, it symbolizes the debate over "internet freedom."

LulzSec was a small group (core of 6–7) that split from Anonymous and rampaged for just about 50 days in 2011. Under the banner "for the lulz," it attacked Sony Pictures, the CIA's public site and an FBI-affiliated group. It is also famous for the arc where its central figure "Sabu" became an FBI informant after arrest, leading to his comrades being identified one by one. More mischief than ideology—a "rascally origin point" of hacktivism.

Killnet and NoName057(16) (pro-Russia, targeted Japan too)

For Japan, these two pro-Russia hacktivist groups are no distant problem. Killnet, formed in 2022, ran a named DDoS attack on Japan in September 2022. The government portal e-Gov (down about 6 hours), the local-tax eLTAX, the credit brand JCB, and the Tokyo and Osaka metros—about 20 sites including four ministries—saw disruption. The motive was said to be "Japan's support for Ukraine" and the Northern Territories issue, and it reportedly posted a Japanese-language "declaration of war" video. Its founder went by "KillMilk" and later announced turning hacking into a commercial business.

NoName057(16), also pro-Russia, is characterized by a crowdsourced model where supporters install a dedicated tool, "DDoSia," on their own PCs to join the DDoS. In October 2024 it ran a large DDoS against about 40 Japanese domains, roughly half in logistics/manufacturing (ports, shipbuilding), then government and local bodies. The motive is said to be backlash against Japan's defense-spending increase and counterstrike capability. In July 2025 it faced a major takedown via the EU-led "Operation Eastwood" but reportedly declared it would continue. Even with limited real damage to core functions, it shows that "site downtime as a political message" is now aimed at Japan too.

IT Army of Ukraine (a new form: openly mobilized by a state)

Finally, a wholly new kind of hacktivist. The IT Army of Ukraine was formed right after Russia's February 2022 invasion when Ukraine's digital-transformation minister Fedorov openly called on hackers worldwide to join via social media—a state-mobilized volunteer group. Reportedly hundreds of thousands registered at peak; the government distributes target lists, and Ukrainian and foreign volunteers attack Russian banks, payments and government sites.

This is said to be "the first time in history a state openly mobilized the world's hackers," a break from traditional hacktivism. It raises questions about civilians joining a war and about international humanitarian law, and in 2023 prompted the ICRC to issue a code of conduct for hacktivists. No cases of targeting Japan have been confirmed—a contrast with Killnet and NoName057(16) above. It symbolizes how cyberattacks are becoming both a "tool of states" and a "battlefield citizens join."

Ties to Japan

Seemingly a distant foreign story, these groups do reach Japan. To organize: Qilin stopped beer giant Asahi Group and drove it to an earnings cut; BlackSuit (formerly Royal) took KADOKAWA/Niconico down for weeks. Killnet (2022) and NoName057(16) (2024) both ran DDoS against Japan's government and local-government sites. Medusa is also said to have hit Toyota's overseas finance arm.

A common thread: the entry point is vulnerabilities in perimeter devices like VPNs or social engineering that deceives people. This is exactly the territory our daily CVE alerts cover. See related explainers such as our detailed Asahi case, ransomware's concentration on manufacturing, and how AI is accelerating attacks. Knowing the enemy's names and methods is the first step to protecting yourself and your organization.

Summary

"Hacker groups" span money-driven ransomware crews, state-directed APTs, youth social-extortion crews and cause-driven hacktivists—utterly different in motive and method. And the striking thing is how violently fortunes rise and fall. The king LockBit was taken down, ALPHV betrayed its own and vanished, Conti collapsed under an internal leak, and Qilin now sits on top. Authorities' "counterattacks" (the Hive and LockBit takedowns) are steadily paying off too.

Names change, but the weaknesses they exploit are remarkably consistent: unpatched perimeter devices, weak passwords, and human lapses. So, knowing the enemy map, sealing vulnerabilities, enabling multi-factor authentication and doubting suspicious contact—stacking these basics is the surest defense. We will update this article as the situation evolves.

Frequently asked questions

Which hacker group is most active in the world now?

Among ransomware groups, Qilin—said to be Russian-speaking—is reported as the world's #1 by victim count from 2025 into 2026. It is also the group that attacked Japan's Asahi Group. Rankings are based on leak-site claims and vary by source.

How is Anonymous different from a ransomware group?

The aim differs. Anonymous is a hacktivist collective attacking for political or social causes, mainly via DDoS that briefly downs sites. A ransomware group is purely money-driven, encrypting data to demand a ransom.

Do these groups target Japan?

Yes. Qilin hit Asahi Group, BlackSuit (formerly Royal) hit KADOKAWA/Niconico, and pro-Russia Killnet and NoName057(16) ran DDoS on Japan's government and local-government sites. Japan is clearly a target.

How do state-backed (APT) groups differ from ordinary ones?

APTs are groups said to have a particular country's government, military or intelligence behind them, with ample funds and high skill, handling espionage and sabotage. Note every country officially denies involvement; affiliations are "attributions" by governments and security firms.

How can I protect myself from these groups?

Many entry points are shared. Keep externally-facing devices like VPNs up to date, use hard-to-guess passwords and multi-factor authentication, doubt suspicious contact posing as IT help desk, and keep isolated backups—these basics are the most effective defense.

Update history

  • June 15, 2026: First published (4 types, 23 major groups)

Sources