12 entries in this category.
A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
A pro-Israel hacktivist group (Persian: Gonjeshke Darande, 'Predatory Sparrow') active since ~2021 that has run destructive cyberattacks on Iranian targets. In June 2025 it claimed the Nobitex crypto-exchange breach and the Bank Sepah attack, burning ~$90M to make a political statement.
A North Korea-linked unit of the Reconnaissance General Bureau (RGB), under the Lazarus umbrella, that blends cyber-espionage with revenue generation. The U.S. sanctioned it in 2019 and, in 2024, indicted member Rim Jong Hyok for deploying Maui ransomware against U.S. hospitals and laundering the proceeds to fund further espionage.
A financially motivated cybercrime group (tracked as UNC3944, 0ktapus, Octo Tempest) known for SMS phishing and SIM-swapping. U.S. prosecutors say members stole millions in cryptocurrency from individuals; several have been arrested and pleaded guilty.
A wallet-drainer-as-a-service crew that, per ZachXBT and Scam Sniffer, stole more than $75–85M from roughly 20,000 victims, often via hijacked X/Discord accounts pushing phishing links, before announcing its 'retirement' in 2024.
A 'drainer-as-a-service' operation that rented phishing/wallet-draining software to affiliates for a ~20% cut. Group-IB and Scam Sniffer say it stole roughly $80M+ from ~137,000 victims (Nov 2022–Nov 2023) by spoofing 100+ Web3 brands; it later resumed activity.
A North Korea-linked campaign that poses as recruiters/contractors to trick developers and crypto workers into running malware (e.g. BeaverTail, InvisibleFerret, INLETDRIFT). Tracked as UNC4736 / AppleJeus / Citrine Sleet; linked to the Radiant Capital theft.
A Cambodia-based conglomerate that U.S. prosecutors call one of Asia's largest transnational criminal organizations. Per an October 2025 DOJ indictment, founder Chen Zhi ran forced-labor compounds running 'pig-butchering' crypto investment scams; the DOJ seized ~127,271 BTC (~$15B) — its largest-ever forfeiture.
A North Korea-linked, financially focused sub-group of the Lazarus umbrella that targets banks and crypto firms. Blamed for the 2016 Bangladesh Bank SWIFT heist and, more recently, macOS malware campaigns against crypto businesses (RustBucket, KandyKorn, 'Hidden Risk'). Sanctioned by the U.S. in 2019.
A North Korea-linked threat cluster (part of the Lazarus umbrella) that the FBI blames for several of the largest exchange thefts, including Bybit ($1.5B), DMM Bitcoin ($305M), and the Ronin/Axie bridge. It favors social engineering of employees and supply-chain compromises.
The most widely used name for North Korea's state-sponsored hacking apparatus, run under its Reconnaissance General Bureau. Blamed for the Sony hack, the Bangladesh Bank SWIFT heist, WannaCry, and — since ~2017 — many of the largest crypto thefts ever. Chainalysis puts DPRK's cumulative crypto haul near $6.75B, used to fund the regime's weapons programs.