Threat Actors
Cybersecurity statistics about threat actors
Showing 1-20 of 44 results
More than half of SafePay's ransomware activity in Europe targeted German organisations.
The Qilin ransomware group was linked to ransomware incidents in 26 of the 31 countries analysed.
Qilin was responsible for 59 finance-sector incidents in the past year.
Least-skilled threat actors used about 16 distinct techniques on average, while the most skilled used about 20.
The number of distinct threat groups targeting finance increased from 37 in 2023 to 45 in 2024 and to 48 in 2025.
The share of actors classified as medium risk or higher increased from 33% in the first six-month period to 56% in the second six-month period, a roughly 1.7-fold increase.
79 ransomware groups claimed victims during Q1 2026.
In 2025, cybercriminal groups led threat activity in North America with 52%.
The Gentlemen ransomware group increased from 35 victims in Q4 2025 to 182 victims in Q1 2026.
Activity from the Qilin ransomware group declined by 25% and activity from the Akira ransomware group declined by 22%.
In 2025, the Qilin group was responsible for 12.8% of ransomware attacks.
129 ransomware groups were active during 2025.
Threat actors deployed more than 147,000 malicious domains, nearly 58,000 malware files, and actively exploited 549 vulnerabilities in 2025.
Median dwell time for cyber espionage incidents and North Korean IT worker incidents was 122 days.
AI-related illicit discussions increased by 1,500% between November and December 2025.
AI-enabled adversaries increased their operations by 89% year-over-year.
95% of Chief Information Security Officers (CISOs) cite the growing sophistication of threat actor capabilities as their greatest risk.
Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.
71% of incidents in the Automotive and Smart Mobility ecosystem are attributed to black hat actors, up from 65% in 2024.
The hacktivist group NoName057 (16) claimed 4,693 attacks, the highest number claimed by a single hacktivist entity.