Malware doesn’t come out of thin air, nor does it spontaneously birth itself from the bowels of the net. Every single strain that’s ever existed was made by someone, either lovingly hand-crafted from scratch or quickly edited from existing code in an effort to sneak past antivirus sensors.

But while there are (literally) countless cybercriminals on the web, only a few elites have earned the rights to call themselves the most dangerous hackers in the world. And today, we thought we’d compile a list of some of these individuals, groups, and organizations. The people who will always be trying to do you harm.

… that said, you’ll find this list lacking in one regard: the most successful cybercriminals are the ones who take great care to never to get caught, or even leave a clue as to their presence. That means that most lists like these are composed of men and organizations who were either careless or wanted the world to know they were there. Which is all well and good — no one’s going to deny that Gary McKinnon hacking into the NSA and costing the US $700,000 is problematic. But in the wider world of hacking, he and others like him are more of an annoyance than a mastermind, at least compared to the still unknown author of the SoBig.F Worm, which did $37.1 billion in damages around the globe.

That said, here are some of the most powerful and dangerous groups and hackers we know of who are still a threat today.


The Anonymous Guy Fawkes mask

Perhaps the best-known group on the list, Anonymous might not be the most terrifying or threatening hackers, but their mere existence has proven to be a troubling sign of what protest and rebellion will look like in our increasingly technology-reliant world.

Started in 2003 on famous internet garbage pit 4chan, this group got its name from the fact that anyone who posted on their forums without a proper username was credited as “Anonymous”. However, they weren’t a proper group back then: merely a collective of bored users who would come together to pull harmless pranks. For example, in 2006 they invaded Finnish social networking site Habbo Hotel and used identical looking avatars to block the digital pool. They would also occasionally broadcast prank phone calls over skype.

They didn’t really come together as a group with a clear goal until 2008 with Project Chanology, a “declaration of war” against the increasingly aggressive Scientology group, sending prank calls, DDoS attacks, and ink-wasting “black faxes” in an effort to annoy and impede the church. They continued their social crusade with Operation Payback in 2010, where they battled with copyright holders over the shutdown of Pirate Bay.

In 2011 they backed the Arab Spring uprisings and the Occupy Wall Street movements, and in 2012 they shut down Hunter Moore’s revenge porn site. In 2014 they shut down Ferguson City Hall’s internet following the shooting of Michael Brown, and uncovered the personal information of the police officer who shot and killed 12-year-old Tamir Rice. And in the years following, their activity has only grown, targeting everyone from North Korea to online child pornography sites.

The danger with Anonymous is that all participants, no matter how extreme their acts, are legitimate by definition

But the real danger of Anonymous isn’t really in their “canonical” agenda. Rather, it’s the fact that they take things too far, and that their moniker has been used by countless other individuals and groups to both discredit the social agenda of the “base” group and to mask their own activities.

In 2011, hackers took down the PlayStation Network and stole user data, leaving behind an “Anonymous” calling card to throw the authorities off their scent. In 2012, someone leaked vital yet outdated source codes for Norton Antivirus, and claimed to be working with Anonymous. Hackers pretending to be Anonymous have been pirating software, stealing money, and defrauding people for as long as they’ve been in the news. And even the “canonical” group has publicly released the names and addresses of innocent people countless times.

But because anyone can be Anonymous, by their very nature, we can’t really call these scammers and thieves “fake”.

Regardless of how you feel about their politics or agenda, governments around the world have been cracking down on members of Anonymous wherever they can be found. A few dozen have since gone to jail and received fines, but that does little to stop the collective from continuing with whatever cause they’ve decided they want to back. It seems unlikely we’ll ever really get rid of them, and perhaps that’s ultimately for the best.

Because as scary as Anonymous is, a world where they couldn’t exist would be even scarier.

Evgeniy Mikhailovich Bogachev

It’s very rare that a cybercriminal of this skill ever gets discovered, but then, malware of the magnitude and destruction of GAmeover ZeuS is rare as well. The botnet this fellow authored managed to infect millions of computers around the globe and infect them with ransomware, as well as steal all the data they had stored on their system. Not only did this make him an insane amount of money and do over $100 million in damages, it also earned him the attention of the Russian government, who appear to have tapped into his network in order to survey and possibly meddle with international affairs.

It took the FBI and other international crime organizations two years just to get this guy’s name, and now they’re offering three million dollars — the biggest bounty ever posted on a cybercriminal — to anyone who can help bring him to justice. Unfortunately, it seems as though Russian authorities have no intention of collecting: He now lives openly in Anapa, a run-down resort town on the Black Sea in southern Russia with a number of luxury cars and his own private yacht.

To be clear, the Russian government has never admitted to working with him, but their refusal to arrest him and his sudden excess free time and money certainly begs the question.

These days, he operates under usernames like slavik, lucky12345, pollingsoon, and others. As for what his next big move will be? It’s very likely we’ll never know.

The Equation Group & The Shadow Brokers

The Shadow Brokers make a living selling the cyberweapons of the NSA's Equation Group

Couldn’t talk about famous, dangerous hackers without talking about the state-sponsored ones.

The Equation Group is the informal name of the Tailored Access Operations (or TAO) unit of the US’s National Security Agency, or the NSA. And I know that’s a lot of proper nouns, but I promise it only gets more confusing from here.

First founded around 2001, the group was a closely-held state secret until it was “discovered” in 2015 when two types of spying malware — EquationDrug and GrayFish — were linked to the organization. It’s also known that they hoarded known vulnerabilities to ensure their hacks could go undetected, and it’s theorized they were behind Stuxnet, the worm that took down Iran’s nuclear program for a time.

Like most state actors, the Equation Group exists to promote their national agenda at home and abroad, with a majority of their ‘handiwork’ found in Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali. And perhaps that could have been the end of it: there’s nothing unusual about state hackers and they were doing a pretty good job of keeping a lid on their activities.

But then the Shadow Brokers happened.

The origin of the Shadow Brokers is something of a mystery. “Discovered” in 2016, it’s suggested that their sinister name is actually a superbly nerdy reference, inspired by an information broker with a similar name from the Mass Effect video game series. We’re not sure if that’s intentional or not, because just like their origin — with experts hypothesizing everything from an NSA insider to foreign spies — it’s all a mystery to us. If nothing else, this group lives up to their name in one regard: they leave us grasping at shadows.

But while their nature is shrouded in mystery, their activities have been all too real. In August of 2016, a twitter handle apparently owned by the group, @shadowbrokerss, announced a webpage and a GitHub repository that apparently contained instructions on how to participate in an auction where the winner would receive a number of tools used by — drumroll please — the Equation Group! At the time, this “auction” was highly suspect, but now we know exactly what they were offering: EternalBlue, EternalRomance, and other exploits that were essential to the creation of some of the most dangerous malware attacks of 2017, including the infamous Wannacry and NotPetya ransomware.

The Shadow Brokers feed off the Equation Group — selling off their secrets to the highest bidder

But their actions didn’t end there. In the coming months they went on to reveal a list of servers and tools used by the Equation Group, and offered a “data dump of the month” to anyone willing to pay the fees — illustrating their seemly unrestricted access to the NSA. And since we apparently have no leads as to who these people are, all we can do is speculate and try to prepare for their next attack.

Regardless of whether they’re state actors or government insiders, one trend is indisputable: The Shadow Brokers seem to target the Equation Group explicitly. And with the Shadow Brokers apparently having an inside track to their operations and a willingness to share their secrets to the highest bidder, you’ve got a recipe for disaster we’ve all had to sample over the past two years.

And we have no reason to suspect it’s going to end anytime soon.

Bureau 121

The North Korean hacking Bureau 121

North Korea’s digital ambitions have been growing thanks to a growing hacker army that works day and night to raise money for the regime and sow chaos against state enemies. While their hacking branch, called Bureau 121, has doubtless been responsible for countless cyberattacks and crimes, they have performed a few high-profile attacks that warrant special mention.

The first and perhaps most famous was the Wannacry ransomware attack. While the Shadow Brokers may have co-created it thanks to their access to NSA cyber-warfare tools, it was the North Koreans who crafted and deployed it, infecting around 300,000 devices and causing four billion dollars in damages.

North Korean hackers are just as much victims as the rest of the population

They were also responsible for a massive data leak at Sony Pictures in 2014, a retaliatory attack following the production of a Seth Rogen comedy about the humiliation and assassination of “dear leader” Kim Jong Un. In this attack, countless personal emails and details were leaked to the public, and Sony spent around fifteen million dollars repairing damage.

But before we start villainizing the hackers themselves, remember they’re every bit the victims of the regime as every other North Korean citizen. Stuffed in crowded, often overheated apartments with heavy security and limited freedom, the average North Korean hacker is expected to “earn”, then hand over, between $60,000 to $100,000 a year through any means necessary. Failing to hit that mark will lead to a predictably grim outcome.

If there was ever a time it was appropriate to say “don’t hate the players, hate the game”, it would be now.

Fancy Bear

Fancy Bear, a cute nickname for a dangerous hacking organization

Now that’s a charming name, isn’t it? If only the group itself more closely resembled the mental image their name conjured, then this list might not be quite so depressing. Unfortunately, that’s not the world we live in…

Fancy Bear (which also works under a bunch of other names) is a group that is  strongly associated with the Russian government and seems to support its cyberwarfare activities. While they don’t encompass everything Russia does online (what single group ever does, for a first-world nation?), they’re the most dangerous and have been responsible for some of the most high-profile hacks of the decade.

They got their start in 2008, hacking the Georgian government to throw it into chaos just before the Russian army invaded the country. And since then, they’ve been involved in countless controversies and conflicts in that region, doing everything from threatening anti-Kremlin journalists and protesters, hacking the German parliament for over six months in 2014, making death threats to the wives of US Army personnel, disabled 20% of Ukraine's artillery via a corrupted app, and famously leaked emails from the Democratic National Convention… which would hardly be the first or last time the group had been tied to elections, as their efforts to manipulate democracy has been discovered in German, French, and Ukrainian elections

Fancy Bear has made its name meddling in elections

Despite being one of the most disruptive hackers in the world, Fancy Bear almost never takes credit for their own work: more often than not they operate under the alias of Anonymous or ISIS. However, a little bit of digging into their methodology and tools typically betrays the true face of the attacker. Of course, Moscow has denied that Fancy Bear is affiliated with them in any way, which is why we cannot be absolutely certain all the above activities were authored by Russian authorities…

Regardless, Fancy Bear doesn’t seem to be going anywhere anytime soon, and with this being another election year, it’s no doubt they’ll wind up in the headlines sooner rather than later.

Alexsey Belan

At 29 years, this Latvian has certainly rustled his fair share of jimmies. Well before the hacks that put him in the public eye, he was famous in hacker circles working under the moniker M4G, who was a regular in hacker communities and even run a semi-popular blog on hacking, albeit one that didn't detail his more illicit activities. On top of hacking video game servers, a cloud computing supplier based in Israel, and websites devoted to ICQ communications, he started earning a pretty penny acting as a consultant for other hackers, and selling people’s private data online. By 2011 he was on law enforcement’s radar, and by 2012 he was officially wanted for his crimes.

Alexsey Belan stole data from over 700 million accounts from 2013 to 2016

The Yahoo hack of 2013 was easily the biggest data breach in history, with every one of Yahoo’s three billion accounts having their data stolen. However, he wasn’t responsible for that, as far as we know: rather, he was behind the 2014 hack, which saw over 500 million accounts leaked. It is tame by comparison… but, it was part of of a three-year hacking spree Alexsey Belan is said to have engaged in between 2013 to 2016, targeting e-Commerse websites in California and Nevada, including the aforementioned Yahoo. During this time, he hacked and stole data from a grand total of 700 million accounts: 500 million from Yahoo, and 200 million from other, miscellaneous sources. That’s a lot of private data.

When international law enforcement came a-knocking, though, he had already made a clean getaway. And while no one knows for sure where he might be hiding... current evidence suggests Russia. Because of course it’s Russia.

Unit 8200

Unit 8200, Israel's cyberintelligence branch

There’s never been a more inspiring — yet more terrifying — group than Unit 8200, the pseudo-clandestine cyberintellegence branch of the Israeli government. Unit 8200 is a model of efficiency and skill, with a proven track record in public service and counter-terrorism activity, and remarkably for the cybersecurity world, actually has more women members than men. They’re also responsible for some of the most terrifyingly efficient malware ever produced, and mass spying and exploitation of governments and civilians alike on an unprecedented scale anywhere in the world.

According to experts, Unit 8200 are the elite of the elite

While first founded in 1952 as the 2nd Intelligence Service Unit, it has since expanded into the largest Unit in the Israeli Defense Force. While many of their activities are clandestine (which is sort of the MO for organizations like this), a few of their exploits have slipped to the surface. They’ve foiled terrorist attacks around the globe, helped develop the Stuxnet virus, and produced a bit of malware called Duqu 2.0, spying malware that was so advanced Kaspersky called it several generations ahead of its time. They also engage in active battle against pro-Palestinian hacktivists, like during the 2013 #OpIsrael attacks.

Unit 8200 are the elite of the elite, and that can best be summarized with a quote by Peter Roberts, senior research fellow at Britain’s Royal United Services Institute: “Unit 8200 is probably the foremost technical intelligence agency in the world and stands on a par with the NSA in everything except scale. They are highly focused on what they look at — certainly more focused than the NSA — and they conduct their operations with a degree of tenacity and passion that you don’t experience elsewhere.”

PLA Unit 61398

PLA Unit 61398, China's hacking military unit

We’ve spent a lot of time looking at the many state-sponsored hackers around the globe, but it wouldn’t be a complete list without a visit to our friends in the far east, China.

Up until recently, China had categorically denied being involved in illicit online activities or even having a hacker group operate to their benefit. That all changed quite abruptly in 2015 where China just openly admitted it had a cyberdefense team, but refused to go into any detail about what they actually did. That deniability is perfectly normal, but we do have a fairly good idea of what kind of shenanigans they get up to.

Perhaps the biggest scandal associated with the group is Operation Shady RAT, which is quite possibly the largest state-sponsored online attack ever executed: during a span of five years, from 2006 to 2011, PLA Unit 61398 infiltrated and stole data from over 70 global companies, governments and non-profit organizations.

PLA Unit 61398 seems to be focused solely on stealing data from governments, corporations and non-profits

By and large, however, that’s the limit of what PLA Unit 61398 does: steal data from important international actors. For example, in 2014 they were blamed for a hack that saw countless sensitive documents stolen regarding Israel's missile defense system. And just recently, they’ve started hacking US companies again after a brief hiatus.

In the end, PLA Unit 61398, is large (it’s estimated they use well over a thousand servers), focused, and possibly just the tip of the iceberg. Or, more exactly, the elites of an massive online army of hackers that can be deployed at a moment’s notice.

That’s not a fun thought, is it?

Marcus Hutchins

Marcus Hutchins is a very important figure in the cybersecurity world today — arguably the most important — as the future for this villain-turned-hero might dramatically change the way hackers view the world, and their ability to change hats, in the years to follow.

In brief: Marcus Hutchins was a relatively reclusive cybersecurity expert working for a small-time security firm Kryptos Logic from out of his parent’s house. While on vacation, the infamous WannaCry ransomware was unleashed upon the world, and Marcus was pulled from his break to join the effort to try to put a stop to this cyber menace… and in the process of studying it, he discovered a hitherto unknown “kill switch” that completely defanged the once-terrifying malware. In one brilliant discovery, he stopped the highest-profile attack of 2017 and became a hero of the cybersecurity world, and was treated like a king at that year’s DEF CON, the world’s largest hacker conference.

But then, high on the praise and admiration of his peers, Marcus was arrested: indicted with six federal charges regarding his alleged role in the creation and spread of the Kronos virus, malware that would steal banking credentials from your browser if it managed to infect your device.

We don’t know if he’s innocent or guilty: he wouldn’t be the first black-hat turned white-hat who’s spent time in jail. But Marcus’s ongoing trial is still being carefully watched by cybersecurity experts and hackers around the globe because he’s being arrested under the Computer Fraud and Abuse Act, which has been a source of ire for white-hat hackers for a while now.

This is because it’s so poorly worded it could, and likely will be, used to arrest white-hat hackers who are simply doing routine exploit checks and tests…or for writing code that happens to wind up in malware, knowingly or otherwise. So if Marcus is found innocent of intentionally creating Kronos but still spends time in jail for unwitting contributions, it could set a terrible president for hackers in the future.

Marcus Hutchins has unwillingly found himself fighting a battle not just for his own freedom, but the future of white-hat hackers in the eyes of the law. All we can do is hope justice is done. 

AVG AntiVirus FREE FREE Download