Malware doesn’t come out of thin air, nor does it spontaneously birth itself from the bowels of the net. Every single strain that’s ever existed was made by someone, either lovingly hand-crafted from scratch or quickly edited from existing code in an effort to sneak past antivirus sensors. But while there are (literally) countless cybercriminals on the web, only a few elites have earned the right to call themselves the most dangerous hackers in the world. And today, we thought we’d compile a list of some of these individuals, groups, and organizations. The people who will always be trying to do you harm. The people who’ll ensure we’ll always have jobs.
… that said, you’ll find this list lacking in one regard: the most successful cybercriminals are the ones who take great care to never get caught, or even leave a clue as to their presence. That means that most lists like these are composed of organizations who wanted the world to know they were there, or people who are currently being investigated for being careless. Which is all well and good — no one’s going to deny that Gary McKinnon hacking into the NSA and costing the US $700,000 is problematic. But in the wider world of hacking, he and others like him are more of an annoyance than a mastermind, at least compared to the still unknown author of the SoBig.F Worm, which did $37.1 billion in damages around the globe.
That said, here are some of the most powerful and dangerous groups and hackers we know of today.
Elliott Gunton: Youth in Revolt
Technical genius combined with youthful rebellion (or a general apathy to the misery of others) is a dangerous combination, one that 19-year-old Elliott Gunton embodies perfectly. He started his cybercrime career at the young age of 16, when he was caught hacking TalkTalk, a telecommunications firm. The strong talking-to he got wasn’t enough to scare him straight, and since then, he’s been accused in the UK of everything from stealing personal data to commit forgery, laundering money with cryptocurrency, offering his services as a criminal-for-hire, hacking famous Instagram accounts and selling them to other hackers, and hosting… ‘indecent’ pictures of children on his home PC.
But like most cybercriminals, his activities transcend his nation’s borders: over in the US, he stands accused of identity theft and hijacking EtherDelta, a currency exchange site, via their web host Cloudshare, and defrauding people out of millions of dollars over a period of nearly two weeks.
In fact, authorities claim that he’s managed to swipe up to $800,000 from just one of the many, many people he’s tricked.
It’s quite the list of crimes. Unfortunately, if you’re hoping for a happy ending, it seems unlikely: even after pleading guilty to the crimes he was accused of in the UK, he only spent 20 months in prison (which, for the UK, is actually quite a lot) and was fined a comparatively measly £407,359. Plus, he has to spend three and a half years with restricted computer and software privileges.
In the United States, his crimes could net him 20 years behind bars, but that’s still a big ‘if’ at this point. Ever since the United States and the UK first signed their extradition treaty in 2004, only 77 UK citizens have ever been extradited to the US for their crimes. It’s entirely possible that they won’t bother sending him over for a trial at all, and even then they’d need to find him guilty.
In the end, Elliott Gunton isn’t the most dangerous hacker in the world, but he stands as a perfect example of what one man with a little know-how, a good PC, and a total lack of empathy can accomplish… and how frequently hackers can escape any meaningful punishment for their crimes.
Evgeniy Mikhailovich Bogachev: Real-Life Cronos
It’s very rare that a cybercriminal of this skill ever gets discovered, but then, malware of the magnitude and destructiveness of Gameover ZeuS is rare as well.
The botnet this fellow authored managed to infect millions of computers around the globe, load them with ransomware, and steal the data stored on them. Not only did this make him an insane amount of money and do over $100 million in damages, it also earned him the attention of the Russian government, who appear to have tapped into his network in order to survey and possibly meddle with international affairs.
It took the FBI and other international law-enforcement organizations two years just to get this guy’s name, and now they’re offering three million dollars — the biggest bounty ever posted on a cybercriminal — to anyone who can help bring him to justice. Unfortunately, thanks to his partnership with Russian authorities, that looks unlikely to ever happen. While he may have once been a skilled cybercriminal, he now lives openly in Anapa, a run-down resort town on the Black Sea in southern Russia, with a number of luxury cars and his own private yacht.
Of course, the Russian government has never admitted to working with him. But between the refusal to arrest him and his sudden excess free time and money, it seems a likely case.
These days, he operates under usernames like slavik, lucky12345, pollingsoon, and others. As for what his next big move will be? It’s very likely we’ll never know.
The Equation Group & The Shadow Brokers: Yang & Yang
Couldn’t talk about famous, dangerous hackers without talking about the state-sponsored ones.
The Equation Group is the informal name of the Tailored Access Operations (or TAO) unit of the US’s National Security Agency, or the NSA. And I know that’s a lot of proper nouns but I promise it only gets more confusing from here. First founded circa 2001, the group was a closely-held state secret until it was “discovered” in 2015, and two types of spying malware — EquationDrug and GrayFish — were linked to the organization. It also came out that they hoarded known vulnerabilities to ensure their hacks could go undetected, and it’s theorized they were behind Stuxnet, the worm that took down Iran’s nuclear program for a time.
Like most state actors, the Equation Group exists to promote their national agenda at home and abroad, with a majority of their ‘handiwork’ found in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali. And perhaps that could have been the end of it — there’s nothing unusual about state hackers and they were doing a pretty good job of keeping a lid on their activities.
But then the Shadow Brokers happened.
The origin of the Shadow Brokers is something of a mystery. “Discovered” in 2016, it’s suggested that their sinister name is actually a superbly nerdy reference, inspired by an information broker with a similar name from the Mass Effect video game series. We’re not sure if that’s intentional or not, because just like their origin — with experts hypothesizing everything from an NSA insider to foreign spies (with Russia, of course, being the primary suspect) — it’s all a mystery to us. If nothing else, this group lives up to their name in one regard: they leave us grasping at shadows.
But while their nature is shrouded in mystery, their activities have been all too real. In August of 2016, a Twitter handle apparently owned by the group, @shadowbrokerss, announced a webpage and a GitHub repository that apparently contained instructions on how to participate in an auction where the winner would receive a number of tools used by — drumroll please — the Equation Group! At the time, this “auction” was highly suspect, but now we know exactly what they were offering: EternalBlue, EternalRomance, and other exploits that were essential to the creation of some of the most dangerous malware attacks of 2017, including the infamous WannaCry and NotPetya ransomware.
The Shadow Brokers feed off the Equation Group — selling off their secrets to the highest bidder
But their actions didn’t end there. In the coming months they went on to reveal a list of servers and tools used by the Equation Group, and offered a “data dump of the month” to anyone willing to pay the fees — illustrating their seemingly unrestricted access to the NSA. And since we apparently have no leads as to who these people are, all we can do is speculate and try to prepare for their next attack.
Since then, the Shadow Brokers have gone silent, which either means they’re satisfied with the chaos they’ve wreaked, they’re not advertising their latest activities, or they’re waiting for the next opportunity to strike. Any of the explanations are as likely as they are unsatisfying, but that’s the sad reality of hacking groups: they tend to be as temporary as they are dangerous.
Bureau 121: Hack-is of Evil
While their nuclear ambitions have, thankfully, been quelled significantly by political pressure, North Korea’s digital ambitions have been expanding thanks to a growing hacker army that works day and night to raise money for the regime and sow chaos against state enemies. While their hacking branch, called Bureau 121, has doubtless been responsible for countless cyberattacks and crimes, they have performed a few high-profile attacks that warrant special mention.
The first and perhaps most famous was the WannaCry ransomware attack, which the US recently sanctioned North Korea for. While the Shadow Brokers may have co-created it thanks to their access to NSA cyber-warfare tools, it was the North Koreans who crafted and deployed it, infecting around 300,000 devices and causing four billion dollars in damages. They were also responsible for a massive data leak at Sony Pictures in 2014, a retaliatory attack following the production of a Seth Rogen comedy about the humiliation and assassination of “dear leader” Kim Jong Un. In this attack, countless personal emails and details were leaked to the public, and Sony spent around fifteen million dollars repairing the damage.
North Korean hackers are just as much victims as the rest of the population
But before we start villainizing the hackers themselves, remember they’re every bit as much victims of the regime as every other North Korean citizen. Stuffed in crowded, often overheated apartments with heavy security and limited freedom, the average North Korean hacker is expected to “earn”, then hand over, between $60,000 and $100,000 a year through any means necessary. Failing to hit that mark will lead to a predictably grim outcome.
If there was ever a time it was appropriate to say “don’t hate the players, hate the game”, it would be now.
Fancy Bear: Putting the Paws on Democracy
Now that’s a charming name, isn’t it? If only the group itself more closely resembled the mental image their name conjured, then this list might not be quite so depressing. Unfortunately, that’s not the world we live in…
Fancy Bear (which also works under a bunch of other names) is a group that we’re 90% sure is cooperating with the Russians and supporting their cyberwarfare activities. While they don’t encompass everything Russia does online (what single group ever does, for a world power?), they’re the most dangerous and have been responsible for some of the most high-profile hacks of the decade.
They got their start in 2008, hacking the Georgian government to throw it into chaos just before the Russian army invaded the country. And since then, they’ve been involved in countless controversies and conflicts in that region, doing everything from threatening anti-Kremlin journalists and protesters, hacking the German Parliament for over six months in 2014, making death threats to the wives of US Army personnel, disabling 20% of Ukraine’s artillery via a corrupted app, and famously leaking emails from the Democratic National Convention… which would hardly be the first or last time the group had been tied to elections, as their efforts to manipulate democracy have been discovered in German, French, and Ukrainian elections.
Fancy Bear has made its name meddling in elections
Despite being one of the most disruptive hackers in the world, Fancy Bear almost never takes credit for their own work: more often than not they operate under the alias of Anonymous or ISIS. However, a little bit of digging into their methodology and tools typically betrays the true face of the attacker. Of course, Moscow has denied that Fancy Bear is affiliated with them in any way, which is why we cannot be absolutely certain all the above activities were authored by Russian authorities… but we’re pretty damn confident.
Regardless, Fancy Bear doesn’t seem to be going anywhere anytime soon, and with so many elections coming up, it’s no doubt they’ll wind up in the headlines sooner rather than later.
Alexsey Belan: Ya-who?
At 29 years old, this Latvian has certainly rustled his fair share of jimmies. Well before the hacks that put him in the public eye, he was famous in hacker circles under the moniker M4G, was a regular in hacker communities, and even ran a semi-popular blog on hacking, albeit one that didn’t detail his more illicit activities. On top of hacking video game servers, a cloud computing supplier based in Israel, and websites devoted to ICQ communications, he started earning a pretty penny acting as a consultant for other hackers and selling people’s private data online. By 2011 he was on law enforcement’s radar, and by 2012 he was officially wanted for his crimes.
Alexsey Belan stole data from over 700 million accounts from 2013 to 2016
The Yahoo hack of 2013 was easily the biggest data breach in history, with every one of Yahoo’s three billion accounts having their data stolen. However, he wasn’t responsible for that, as far as we know: rather, he was behind the 2014 hack, which saw over 500 million accounts leaked. It is tame by comparison… but it was part of a three-year hacking spree Alexsey Belan is said to have engaged in between 2013 and 2016, targeting e-commerce websites in California and Nevada, including the aforementioned Yahoo. During this time, he hacked and stole data from a grand total of 700 million accounts: 500 million from Yahoo, and 200 million from other, miscellaneous sources. That’s a lot of private data.
When international law enforcement came a-knocking, though, he had already made a clean getaway. And while no one knows for sure where he might be hiding... current evidence suggests Russia. Because of course it’s Russia.
Unit 8200: Kosher Cracking
There’s never been a more inspiring — yet more terrifying — group than Unit 8200, the pseudo-clandestine cyberintelligence branch of the Israeli government. Unit 8200 is a model of efficiency and skill, with a proven track record in public service and counter-terrorism activity, and, remarkably for the cybersecurity world, has more women than men among its members. They’re also responsible for some of the most terrifyingly efficient malware ever produced, and for mass spying on and even exploitation of governments and civilians alike, on a scale unprecedented anywhere in the civilized world.
According to experts, Unit 8200 are the elite of the elite
While first founded in 1952 as the 2nd Intelligence Service Unit, it has since expanded into the largest unit in the Israeli Defense Force. While many of their activities are clandestine (which is sort of the MO for organizations like this), a few of their exploits have slipped to the surface. They’ve foiled terrorist attacks around the globe, helped develop the Stuxnet virus, and produced a bit of malware called Duqu 2.0, spying malware so advanced that Kaspersky called it several generations ahead of its time. They also engage in active battle against pro-Palestinian hacktivists, as during the 2013 #OpIsrael attacks.
Unit 8200 are the elite of the elite, and that can best be summarized with a quote by Peter Roberts, senior research fellow at Britain’s Royal United Services Institute: “Unit 8200 is probably the foremost technical intelligence agency in the world and stands on a par with the NSA in everything except scale. They are highly focused on what they look at — certainly more focused than the NSA — and they conduct their operations with a degree of tenacity and passion that you don’t experience elsewhere.”
PLA Unit 61398: Cyber-Commies
We’ve spent a lot of time looking at the many state-sponsored hackers around the globe, but it wouldn’t be a complete list without a visit to our friends in China.
Up until recently, China had categorically denied being involved in illicit online activities or even having a hacker group operate to their benefit. That all changed quite abruptly in 2015, when China openly admitted it had a cyberdefense team but refused to go into any detail about what it actually did. That deniability is perfectly normal, but we do have a fairly good idea of what kind of shenanigans they get up to.
Perhaps the biggest scandal associated with the group is Operation Shady RAT, which is quite possibly the largest state-sponsored online attack ever executed: during a span of five years, from 2006 to 2011, PLA Unit 61398 infiltrated and stole data from over 70 global companies, governments and non-profit organizations.
PLA Unit 61398 seems to be focused solely on stealing data from governments, corporations and non-profits
By and large, however, that’s the limit of what PLA Unit 61398 does: steal data from important international actors. For example, in 2014 they were blamed for a hack that saw countless sensitive documents stolen regarding Israel's missile defense system. They’ve started hacking US companies again after a brief hiatus, and they were recently linked to Huawei, which is a brand that’s been showing up more and more recently in the news.
In the end, PLA Unit 61398 is large (it’s estimated they use well over a thousand servers), focused, and possibly just the tip of the iceberg. Or, more exactly, the elites of a massive online army of hackers that can be deployed at a moment’s notice.
That’s not a fun thought, is it?
Machete: Putting the “Hack” in “Hacker”
It’s rare for hacking groups not directly sponsored by a government power to last for long. Most groups, like LulzSec, form up and fall apart in a matter of months. A few, such as Lizard Squad, last a few years before ringleaders are arrested and their underlings scatter. And even the most famous hacking group in the world, Anonymous, only lasted about five years before it eventually crumbled from within due to its unsustainable claim that anyone and everyone could join.
So the fact that Machete, a South America-based hacking group, could last for a decade and counting is nothing short of miraculous.
Machete, like any good hacking group that managed to last so long, is absolutely shrouded in mystery. They were discovered in 2014 by Kaspersky, but they’ve been active for far longer, spreading malware, stealing information, and generally being the kingpins of cyber crime in Venezuela, although their victims can be found in Ecuador, Colombia, and Nicaragua as well.
They seem especially interested in targeting the Venezuelan military, using cleverly disguised phishing attacks to steal critical information such as files describing navigation routes and positioning using military grids. Even more cunningly, to ensure that these phishing emails are read, they craft them by hand using previously stolen information to make them look authentic. And when they steal new information, they can use it to craft yet more convincing phishing emails, creating a perpetual loop that’s allowed them to steal “gigabytes of information each week”, by some reports.
As of right now, the only thing authorities can definitively say about Machete is that they seem to speak Spanish, based on some clipboard and keystroke data. Beyond that, they remain elusive, unknowable, and for the time being, unstoppable.