What is a hacker group?
Hacker groups are usually decentralized organizations that exploit security flaws of computer systems or entire networks, often by installing malware or performing DDoS attacks. The hackers carry out such attacks for profit, to steal or alter sensitive data, for political reasons, or, as our list of funniest hacks proves, just for fun.
What do hacker groups do?
Hacker groups are cooperatives of cyberenthusiasts and professionals who use their knowledge and expertise in hacking to manipulate computer systems vulnerabilities. Hackers often target systems of national importance, government institutions, energy providers, companies, or organizations.
Hacking groups inject malware into devices to gain access to the systems/applications and compromise websites, networks, banking, or defense systems by performing distributed denial of service (DDoS) attacks. The idea of a DDoS attack is to overflow a system with large amounts of requests to overwhelm it and prevent it from responding to legitimate inquiries.
Hacking groups target entire industries or hack specific organizations whose politics and values are at odds with their own. Sometimes cyberattacks performed by hacking groups are not explicitly related to a company’s philosophy but rather to the beliefs of its customers or partners.
Cyberterrorism often includes cyberterrorists announcing the planned cyberattacks to attract media attention and affiliates to their group. Once hackers carefully arrange their ambush, they strike with full power. The attack might continue for a few hours or days, or last up to several weeks until the campaign is over.
The 11 most famous hacking groups
Various hacker groups operate in cyberspace every day. Some we know and talk about, while others remain secretive and inconspicuous. The following are some of the most prominent hacker groups.
Anonymous
Anonymous is probably the most notable hacking group on this list. It is not an organization but a decentralized, non-hierarchical movement with no single leader pulling the levers. The Anonymous hackers are all united by a common goal – “justice” – reflected in the group’s frightening motto, "We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us."
Called digital Robin Hoods by supporters and cyberterrorists by critics, Anonymous made its first notable appearance in 2008. Hackers performed a series of actions, known as Project Chanology, against the Church of Scientology. Anonymous published a video threatening to destroy the Church of Scientology, calling its members enemies of the truth.
Later, the group continued its operations and declared cyberwar on the Ku Klux Klan, ISIS, child pornography, and the Pentagon. Its latest appearance in cyberspace was related to the current Russia-Ukraine war. Anonymous hacked RT (a Russian state-controlled international news television network) and the website of the Defence Ministry, leaked emails, hacked into Russian TV channels, and showed uncensored footage from the war in Ukraine.
Dragonfly
Dragonfly, also known as Berserk Bear, Crouching Yeti, DYMALLOY, or Iron Liberty, is a Russian cyberespionage group believed to be composed of Federal Security Service of the Russian Federation (FSB) hackers. Dragonfly has compromised critical infrastructure entities in Europe and North America as well as targeted defense and aviation companies and government systems since at least 2010. The squad carried out the breaches by performing spear phishing and drive-by compromise attacks. However, no events are officially associated with the group’s activity.
The Dragonfly, allegedly associated with the Russian government, has attacked water and energy-distributing companies in Germany, Turkey, Switzerland, Ukraine, and the US. Ukraine was targeted twice, in 2015 and 2016, when hackers conducted a DDoS attack by injecting the BlackEnergy trojan into multiple power companies in Ukraine. The cyberattack caused a blackout for thousands of citizens right before Christmas.
Legion of Doom
Legion of Doom first appeared in 1984 and was most active until the late 2000s. Founded by Lex Luthor and named after the American TV series Challenge of the Super Friends, this hacker group consisted of the Legion of Doom and Legion of Hackers (for more skilled hackers). Besides hacking, this group is renowned for publishing Legion of Doom technical journals, which share hacking knowledge with an interested audience.
Considered the most capable hacking group of all time, Legion of Doom was involved in a conflict with another notable gang, Masters of Deception. Both parties continuously attacked each other’s networks across the internet, X.25, and telephone networks. Some even call the conflict the Great Hacker War.
DarkSide
DarkSide is a malicious hacking group allegedly based in Russia and Eastern Europe and famous for performing ransomware attacks. It is considered one of the most dangerous hacker groups. Even though it was only established in 2020, it has already managed to cause severe damage.
On May 8, 2021, the Colonial Pipeline, supplying the American East Coast with gasoline, diesel, and jet fuel, was forced to close its 5,500 miles of pipeline infrastructure due to a DarkSide cyberextortion attempt. This attack caused panic buying and shortages of fuel in the area, while DarkSide made its name as a notorious hacker group.
Morpho
Morpho is a corporate cyberespionage group known as Butterfly, Wild Neutron, and Sphinx Moth. The group is financially motivated rather than state sponsored and has compromised multibillion dollar corporations like Microsoft, Apple, Twitter, and Facebook to steal confidential information and intellectual property.
Morpho is more technically proficient than an average cybercrime gang and is not interested in your credit card details or home address. It is focused on high-level corporate data and usually targets tech giants like Microsoft and Apple by utilizing zero-day vulnerabilities.
Like what you’re reading?
Get the latest stories and announcements from NordVPN
We won’t spam and you will always have the choice to unsubscribe
Lapsus$
Lapsus$ is an international extortion-focused hacking group targeting companies and government agencies. The group pursues its goals by using social engineering tactics, stealing employee credentials for targeted corporations and extorting sensitive data. It has performed data breaches through a similar attack vector since 2021, including those on Microsoft, Nvidia, Uber, Rockstar Games, and Samsung, which resulted in arrests by the City of London Police.
Lapsus$, unlike other cybercriminal groups, uses a Telegram channel to hire accomplices and post stolen information. The channel has gathered nearly 50,000 subscribers, who participate in polls about what Lapsus$ should target next.
Conti
Conti is one of the largest RaaS ransomware hacker groups in existence. This group is known to be behind many high-profile hacks that have affected notable companies, Peru’s and Costa Rica’s governments, multiple retailers, and the Irish healthcare service. In early May 2022, the US government promised up to a $10 million reward for information about Conti.
Besides gaining access to a victim’s network, encrypting essential files or services, and demanding ransom in exchange, Conti makes sure that the ransomware spreads further. In short, it shares access to extremely damaging ransomware with partners in return for a share of the ransom payments collected, making the malicious software available to other hacking groups.
Hafnium
Hafnium is a cyberespionage group and an advanced persistent threat linked to the Chinese government. It is technically skilled and sophisticated, targeting entities in the United States and allegedly accountable to China’s Ministry of State Security. According to Tom Burt’s blog post, the Hafnium group targeted "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs."
Hafnium and at least nine other hacking groups were responsible for the 2021 Microsoft Exchange Server data breach. Although the Chinese government denied involvement, Microsoft claims China perpetrated the breach.
LulzSec
LulzSec, also known as Lulz Security, is a group of black hat hackers disrupting the day-to-day work of high-profile organizations and companies. The group is responsible for compromising PlayStation Network user accounts in 2011, taking down the CIA, United States Senate, Minecraft, and League of Legends websites as well as hacking several Government of Portugal websites. LulzSec took all of the websites offline with DDoS attacks.
Through its malicious activities, LulzSec drew the attention of cybersecurity professionals to insecure systems and the risks associated with password reuse. The group also attracted the attention of law enforcement. One of the group’s founders, Hector Monsegur, alias Sabu, helped the police catch several group members.
REvil
REvil, also called Ransomware Evil and Sodinokibi, is a Russia-based hacking group running ransomware-as-a-service (RaaS) operations on high-level organizations. REvil hacks into systems, encrypts files and information, and then demands a ransom in exchange for data. The fact that its ransomware code is similar to the code used by DarkSide suggests that REvil is an offshoot of DarkSide.
REvil has stolen tech giant Apple’s confidential schematics for upcoming products, solicited $42 million from former US President Donald Trump, leaked 2.4 gigabytes of Lady Gaga’s data, and threatened to do the same to Madonna. On July 7, 2021, REvil published defense contractor HX5 documents related to the US Army, Navy, Air Force, and NASA.
USDoD
USDoD is a very recent but notorious hacker group that has quickly gained attention in cyberspace. This threat actor was first noticed in December 2022 and has since been linked to several significant breaches.
Previously known as NetSec, USDoD first made headlines with the “#RaidAgainstTheUS campaign,” which targeted the U.S. Army and defense contractors. The group has also been involved with a number of other high-profile data breaches, such as hacking Airbus in September 2023 and offering a U.S. criminal database containing 70 million records for sale in May 2024. In December 2023, USDoD attempted to sell InfraGard’s user database for $50,000.
One of the largest data breaches involving the USDoD hacker group was the National Public Data breach, in which nearly 2.7 billion records of personal information were leaked on a hacking forum. USDoD put the data up for sale for $3.5 million and claimed that it contained records for every person in the U.S., U.K., and Canada.
These leaked records included sensitive personal information such as Social Security numbers, physical addresses, and possible aliases. The data originated from National Public Data, a company that collects and sells personal data for background checks and criminal records. Although the breach occurred in April 2024, the data was leaked on forums only in August of the same year.
The most notorious hacker groups in history
Every 39 seconds, a cyberattack happens somewhere in the digital space. Some perpetrators cannot be found, while others fall into the hands of law enforcement, and their crimes are immediately exposed.
PlayStation will long remember 2011 because Anonymous launched a DDoS attack against this computer-game giant and stole personal information, including the names and addresses of around 77 million people. The hack resulted in a 20-day shutdown of the company and a loss of about $171 million.
With ShadowCrew behind him, Albert Gonzalez committed the most significant example of identity theft by exploiting the company’s insecure Wi-Fi using SQL injection. The attackers stole more than 140 million credit card numbers from TJX, Barnes & Noble, Heartland Payment Systems, and Hannaford Bros. TJX and Hannaford Bros alone experienced losses of $250 million. Gonzalez went to jail for 20 years.
2011 was a fruitful year for cybercriminals. In March 2011, Epsilon was hacked. It is the world’s biggest email marketing company, which handles more than 40 billion emails every year and organizes campaigns for more than 2,000 brands, including Marks & Spencer and JP Morgan Chase. The company fell for a spear phishing attack and the hackers stole the names and email addresses of 5 million people worldwide. The attack was one of the most significant data breaches of all time and cost Epsilon between $225 million and $4 billion.
Active hacker groups
Some famous hacking groups mentioned above have long been inactive, but some are still going strong and capable of large-scale and dangerous attacks.
- 1.Chaos Computer Club is the largest European hacker collective. This group was founded in 1981 and is still active today.
- 2.Morpho is a hacking group that appears to still be active and has previously targeted both Apple and Microsoft.
- 3.Anonymous is the overarching name for a loose global network of hackers and hacktivists and is probably the most well-known hacker group among the general public.
- 4.Dragonfly has been active for more than a decade and is known to have targeted companies in the energy sector.
- 5.APT28/Fancy Bear is a Russian hacking group that is likely to be associated with GRU, a Russian military intelligence agency.
- 6.Lazarus Group is a highly effective hacking collective that is thought by many experts to be backed and funded by the government of North Korea.
- 7.LockBit is both a ransomware and a term for the notorious group that is known to operate said ransomware.
- 8.IT Army of Ukraine is a group of hackers and cybersecurity experts formed to protect Ukraine from Russian cyberattacks and to launch counter operations against Russia.
- 9.Xenotime is a group with links to Russia that is thought to have launched a Triton attack against Middle East oil and gas infrastructure in 2017
- 10.Syrian Electronic Army formed around 2011 and works to support Syrian President Bashar al-Assad.
Should I be afraid of hacker groups?
Hacker groups usually target high-profile companies, national institutions, critical infrastructure, and governments. Ordinary people going about their daily business should not be afraid. However, we should all still remain vigilant and learn to make educated choices to protect our privacy.
VPN services like NordVPN offer additional security solutions, and Threat Protection Pro is one of them. It is a security feature that keeps you safe when browsing and protects you from malware. It scans your files during download and blocks malicious content before it reaches your device.
Online security starts with a click.
Stay safe with the world’s leading VPN