Big Tech
Jun 22, 2026
A new ranking of the world's most active cybercriminal groups shows the underground economy increasingly mirrors the SaaS business model it preys on, with subscription pricing, market share, and franchised affiliates replacing the lone-hacker stereotype.
by Kasun Illankoon, Editor in Chief at Tech Revolt
If you wanted to understand how organized crime works in 2026, you would not start with a heist movie. You would start with a pricing page.
That is the implicit argument inside a new report from Group-IB, the Singapore-headquartered cybersecurity firm that has spent more than two decades tracking the people who build malware, run phishing operations, and drain bank accounts for a living. Each year, the company publishes a ranking of the ten most consequential cybercriminal groups operating worldwide, drawn from its High-Tech Crime Trend Report and more than 1,550 frontline investigations conducted over the previous year. The 2026 edition, released this week, does something the genre rarely does well: it explains not just who the most active threat actors are, but why the structure of cybercrime itself has changed.
The headline finding is not a single catastrophic breach or a record-setting ransom payment, though both appear in the data. It is a quieter, more structural observation: cybercriminal groups are no longer just attacking companies directly. They are climbing into the supply chains and shared infrastructure that companies depend on, then using that single point of entry to reach dozens or hundreds of organizations at once.
Group-IB's report describes 2026 as the year the supply chain became cybercrime's most exploited attack surface, and the numbers back up that framing. The clearest example sits at the top of the list. Scattered Spider, a loosely organized, decentralized hacking community rather than a formal syndicate, compromised more than 130 organizations across the technology sector in a single 2025 operation by exploiting one shared vulnerability point rather than attacking each victim in isolation.
That detail matters more than it might first appear. For most of the history of cybercrime, scale required either a large criminal organization or a worm that spread itself automatically. Scattered Spider's operation suggests a third path: a relatively small, informal group can now achieve the blast radius of a nation-state campaign simply by finding the right shared dependency and pulling on it once.
“The supply chain has become cybercrime’s most powerful multiplier,” said Dmitry Volkov, Chief Executive Officer of Group-IB. “What our investigators documented across more than 1,550 cases last year tells us that attacks are no longer targeting victims in isolation - they are embedding themselves into trusted infrastructure and third-party ecosystems to cascade across entire industries at once. A single point of compromise reached over 130 organizations in one operation we tracked.”
The second thread running through the report is even more telling, and it is the one that turns this from a list of scary names into a genuine business story. Several of the groups Group-IB tracked are not selling stolen data or extorting victims directly. They are selling access to the tools that make crime possible, priced and packaged the way a software company would price a product.
Consider Tycoon 2FA, which now controls 89 percent of the market for phishing-as-a-service platforms designed to defeat two-factor authentication. It operates on a subscription model, effectively franchising credential theft to customers who do not need deep technical skills of their own. Or consider TX-NFC, a tool that emulates contactless payment systems on a fraudster's device and is rented out for anywhere from 45 dollars a day to 1,050 dollars for three months, terms that would not look out of place on a software vendor's website.
This is the capability gap closing in real time. A criminal who could never have built a credential-phishing platform from scratch can now rent one with the same ease as signing up for a project management tool, and the people who built the platform profit regardless of who uses it or how well. It is the franchise model, applied to fraud.
Not every group on the list is optimizing for speed. Shadow Silk, a financially motivated group that specializes in long-duration evasion, was observed operating undetected inside critical infrastructure and government networks for more than a year in one documented case. Bloody Wolf, focused on Central Asian government targets, uses geo-fenced delivery infrastructure specifically to keep its footprint small and its profile low, prioritizing sustained access over any single payday.
These groups represent the opposite instinct from the smash-and-grab stereotype of cybercrime. Their advantage is not technical sophistication so much as discipline: the willingness to sit quietly inside a network for months, gathering intelligence or waiting for the right moment, rather than cashing out immediately and risking detection.
At the other end of that spectrum sits DarkBlinders, an emerging cluster targeting aviation and telecommunications companies in the Middle East. Group-IB gave it the highest tactics-evolution score of any group on this year's list, a measure of how often and how broadly an actor changes its methods over a twelve-month window. Unlike a group working from a static playbook, DarkBlinders appears to continuously monitor its own exposure and adjust its techniques to outrun existing detection signatures, a level of operational self-awareness more commonly associated with state-linked operations than emerging regional groups.
Elsewhere on the list, Lazarus, the state-linked group long associated with cryptocurrency theft, is credited with more than 6.5 billion dollars stolen over its operating history and over 2.02 billion dollars in 2025 alone, a reminder that the oldest playbook in cybercrime, financially motivated state-linked hacking, has not gone anywhere even as newer commercial models emerge alongside it. MuddyWater, a state-aligned espionage group with reach into 113 countries, shipped three distinct new malware variants in a single six-month window, illustrating just how quickly adversary development cycles now move.
Group-IB built this year's ranking around six dimensions: financial impact, number of victims, volume of threat activity over each group's operational lifespan, the novelty of its technical evolution, the growth of its network of affiliates, and its overall notoriety. That methodology is itself a small piece of editorial argument. Rather than simply counting breaches, it tries to model how each adversary behaves as an evolving organization, which is closer to how intelligence agencies study state actors than how most companies traditionally think about hackers.
“For defenders, the response has to be adversary-centric,” Volkov said, “understanding how these specific adversaries evolve, not just what they did last quarter, but predicting through AI-driven intelligence what they will do next.”
That shift in framing carries a genuinely useful implication for security teams and the executives who fund them. If cybercrime increasingly behaves like a competitive industry, complete with market share, subscription pricing, and franchised affiliates, then defending against it benefits from the same kind of competitive intelligence a business would use to track a rival, rather than a purely technical checklist of patches and firewalls.
It also suggests where the leverage points actually are. Commercialized tools like Tycoon 2FA and TX-NFC scale because they lower the skill floor for entry, which means disrupting the platform itself, the way law enforcement has occasionally dismantled phishing-as-a-service operations, removes far more downstream harm than chasing each individual customer of that platform ever could.
None of this makes the underlying threat smaller. But it does make it more legible, and legibility is the precondition for an effective defense. A ranking like this one is ultimately a map, not a body count, and the organizations reading it closely this year are likely to spend less time asking who attacked them and more time asking which shared dependency let the attacker in.