Group-IB ranks 10 cyber threat actors in 2026 report
Group-IB has unveiled its Top 10 Masked Actors for 2026, a ranking of cyber threat actors that the company said reflects changes in cybercrime operations globally. Group-IB said the list is based on its High-Tech Crime Trend Report 2026, more than 1,550 frontline investigations, and monitoring of the criminal underground.
According to Group-IB, the supply chain was cybercrime’s most exploited attack surface in 2026. The company said threat actors are increasingly embedding themselves into trusted infrastructure and third-party ecosystems instead of targeting victims in isolation, allowing attacks to cascade across multiple organizations and industries.
The ranking uses what Group-IB described as an adversary-centric methodology. The company said each group was scored across six dimensions: financial impact, victims, volume of threats during the operational lifespan, novelty of technical evolution, growth of affiliates, and notoriety.
The 2026 Top 10 Masked Actors
Scattered Spider
Scattered Spider was named first in the 2026 Top 10 Masked Actors ranking by Group-IB. The company linked the decentralized cybercriminal community to a 2025 operation that compromised more than 130 organizations across the technology sector.
Lazarus
Lazarus was named second in the ranking by Group-IB. Group-IB described Lazarus as a state-linked actor combining cyber espionage and large-scale financial crime, and attributed more than $6.5 billion in cryptocurrency theft during its lifespan to the group, including more than $2.02 billion in 2025 alone.
MuddyWater
MuddyWater was listed as a state-aligned cyber espionage group targeting government, financial services, and logistics sectors across 113 countries. Group-IB said the group deployed three new malware variants between October 2025 and March 2026.
Tycoon 2FA
The list also includes Tycoon 2FA, which Group-IB said holds an 89% market share of the adversary-in-the-middle phishing-as-a-service segment. The company said the platform’s SaaS subscription model has enabled credential theft campaigns across cloud environments.
GoldFactory
GoldFactory, first identified by Group-IB in 2024, was described as a technically advanced threat cluster that steals biometric data to bypass facial recognition authentication in mobile banking fraud. The company said the cluster is carrying out 15 infections per day across active campaigns and has shown signs of geographic expansion through Spanish-language code artifacts.
TX-NFC
TX-NFC was described as a commercialized ecosystem that emulates contactless payment systems on fraudsters’ devices. Group-IB said access is offered through subscriptions ranging from $45 per day to $1,050 for three months, with expansion into English- and Russian-speaking cybercrime ecosystems.
Shadow Silk
According to Group-IB, Shadow Silk was among the most operationally mature actors on this year’s list. The company said the financially motivated group specializes in obfuscation and long-duration evasion, and has remained concealed for more than 12 months in one documented instance involving critical infrastructure and government entities.
Bloody Wolf
Bloody Wolf was described as a persistent threat group focused on long-term access and surveillance, primarily in Central Asia and with a focus on government organizations. Group-IB said the group uses geo-fenced delivery infrastructure to maintain targeted, low-profile access.
Teste PHP
Teste PHP was listed as a financial crime operation that expanded across five Spanish-speaking countries in under a year. Group-IB said the group uses malicious browser extensions to harvest credentials in real time.
DarkBlinders
According to Group-IB, DarkBlinders was the actor with the highest TTP evolution score on this year’s list. The company said the emerging cluster targets aviation and telecommunications sectors in the Middle East and adapts its tactics, techniques, and procedures to invalidate existing detection signatures.
“The supply chain has become cybercrime’s most powerful multiplier,” Dmitry Volkov, Chief Executive Officer of Group-IB, said. Volkov said defenders need an adversary-centric response that focuses on how specific actors evolve and how AI-driven intelligence can help predict future behavior.