Group-IB Unmasks the Top 10 Cyber Threat Actors Shaping the Future of Cybercrime

Threat intelligence expert reveals how decentralized collectives, phishing‑as‑a‑service platforms and state-backed groups are transforming modern cybercrime

Group-IB, a leading creator of predictive cybersecurity technologies to investigate, prevent, and fight digital crime, today unveils its Top 10 Masked Actors for 2026 – a definitive ranking of the most prolific cybercriminal groups operating globally.

The list is drawn from Group-IB’s High-Tech Crime Trend Report 2026, which identifies 2026 as the year the supply chain became cybercrime’s most exploited attack surface. Across more than 1,550 frontline investigations and extensive monitoring of the criminal underground, Group-IB analysts observed a structural transformation in how attacks are orchestrated: threat actors are no longer targeting victims directly, but embedding themselves into the trusted infrastructure and third-party ecosystems that organizations depend on — amplifying their reach, compressing detection windows, and maximizing disruption across entire industries simultaneously.

The 2026 Top 10 Masked Actors ranking is determined through a rigorous, adversary-centric methodology, scoring each group across six dimensions: financial impact, victims, volume of threats during the operational lifespan, novelty of technical evolution, growth of affiliates, and notoriety. The result is an intelligence-led framework that goes beyond listing who the top threat actors are — it explains why they matter, and how their tactics are reshaping the future of cybercrime.

The 2026 Top 10 Masked Actors:

1. Scattered Spider
Linked to some of the most high-profile attacks of the past year, Scattered Spider has risen to global notoriety through a combination of social engineering mastery and unprecedented operational scale. This decentralized cybercriminal community demonstrated the power of the supply chain attack vector in a single 2025 operation that compromised 130+ organizations across the technology sector – showing how loosely affiliated actors can cascade through a downstream supply chain and rival the impact of traditional organized crime.

2. Lazarus
A highly sophisticated, state-linked threat actor blending cyber espionage with large-scale financial crime. Lazarus earns its place primarily for its financial impact: it is responsible for over $6.5 billion in cryptocurrency theft within its lifespan, and over $2.02 billion in 2025 alone – making it one of the most financially destructive threat actors documented.

3. MuddyWater
A state-aligned cyber espionage group targeting government, financial services, and logistics sectors, notable for its broad geographic reach across 113 countries. Its defining characteristic is operational tempo: between October 2025 and March 2026, MuddyWater deployed three new malware variants, illustrating the velocity of adversary development cycles that defenders must now anticipate.

4. Tycoon 2FA
The dominant force in Phishing-as-a-Service (PhaaS), Tycoon 2FA holds an 89% market share of the adversary-in-the-middle PhaaS segment. Its SaaS subscription model has commoditized enterprise credential theft at scale – enabling thousands of attacks across cloud environments globally and lowering the barrier for less technically sophisticated actors to execute high-impact campaigns.

5. GoldFactory
First identified by Group-IB in 2024, GoldFactory is a technically advanced threat cluster that has demonstrated a unique capability: stealing biometric data to bypass facial recognition authentication in mobile banking fraud. Operating at 15 infections per day across active campaigns, the group has begun to expand beyond its original APAC focus, with new Spanish-language code artefacts signalling deliberate geographic expansion.

6. TX-NFC
A commercialised ecosystem that emulates contactless payment systems on fraudsters’ devices, offered via subscriptions ranging from $45 a day to $1,050 per three months. As contactless payments continue to expand globally, TX-NFC’s available attack surface grows with them. The group is expanding into English- and Russian-speaking cybercrime ecosystems.

7. Shadow Silk
A financially motivated group specialising in obfuscation and long-duration evasion, Shadow Silk has been observed operating undetected within critical infrastructure and government entities across multiple regions — remaining concealed for over 12 months in one documented instance. Its ability to persist inside high-value environments without triggering detection places it among the most operationally mature actors on this year’s list.

8. Bloody Wolf
A persistent threat group prioritising long-term access and surveillance over immediate financial gain. Operating primarily in Central Asia with a focus on government organisations, Bloody Wolf employs geo-fenced delivery infrastructure to maintain a targeted, low-profile foothold — a tradecraft increasingly associated with actors seeking strategic, intelligence-gathering objectives.

9. Teste PHP
In under a year, Teste PHP has built a financial crime operation spanning five Spanish-speaking countries, using malicious browser extensions that silently harvest credentials in real time. Its rapid geographic expansion and aggressive victim acquisition rate illustrate the relentless pace at which new cybercriminal operations can scale in the current ecosystem.

10. DarkBlinders
An emerging threat cluster targeting aviation and telecommunications sectors in the Middle East, DarkBlinders holds the highest TTP evolution score on this year’s list — a metric derived from the frequency and breadth of changes to its tactics, techniques and procedures over a 12-month period. Unlike actors operating from a static playbook, DarkBlinders continuously monitors its own exposure and adapts its methods to invalidate existing detection signatures, making it one of the most operationally agile adversaries currently tracked by Group-IB.

“The supply chain has become cybercrime’s most powerful multiplier. What our investigators documented across more than 1,550 cases last year tells us that attacks are no longer targeting victims in isolation – they are embedding themselves into trusted infrastructure and third-party ecosystems to cascade across entire industries at once. A single point of compromise reached over 130 organizations in one operation we tracked. At the same time, the commercialization of attack infrastructure – phishing platforms with 89% market share, NFC fraud sold on subscription – is closing the capability gap between sophisticated and unsophisticated threat actors fast. For defenders, the response has to be adversary-centric: understanding how these specific adversaries evolve, not just what they did last quarter, but predicting through AI-driven intelligence what they will do next.” – Dmitry Volkov, Chief Executive Officer, Group-IB.