• Skip to main content
  • Skip to secondary menu
  • Skip to footer

Cybersecurity Market

Cybersecurity Technologies & Markets

  • Cybersecurity Events 2026-2027
  • Sponsored Post
  • Market Reports
  • About
    • GDPR
  • Contact

Foreign Criminal Cyberattacks Against the United States: Ransomware, Botnets, and Financial Fraud

May 19, 2026 By admin

The Congressional Research Service’s inventory of foreign criminal cyberattacks against the United States runs from 2003 through 2025 and documents operations by individuals and groups from Russia, Ukraine, Romania, Iran, Nigeria, Latvia, China, North Korea, and elsewhere. These actors are distinguished from nation-state operators by one criterion: the U.S. government has determined they were acting for personal financial gain rather than to benefit a state. In practice, the line is sometimes thinner than that framing implies — several criminal groups rented infrastructure to nation-state actors or were eventually shown to have state relationships — but the legal category determines the charging instrument and, consequently, what can be publicly attributed.

Ransomware Dominates the Recent Record

The most prevalent attack category in the criminal record is ransomware. REvil’s attack on Kaseya in 2021, executed by Ukrainian and Russian actors, exploited a supply-chain vulnerability in IT management software to push ransomware to thousands of downstream businesses simultaneously — a force multiplier that turned a single compromise into a mass casualty event for managed service providers. The Phobos ransomware gang, operating from Russia with multiple affiliates, victimized more than 1,000 organizations and extracted over $16 million before affiliates were arrested in a coordinated international disruption in February 2025. SamSam ransomware, operated by Iranian nationals from 2015 through 2018, targeted state and city government agencies and hospitals, causing over $30 million in losses. The Robbinhood ransomware scheme, also run by an Iranian national from 2019 through 2025, victimized city governments, hospitals, and other entities over a six-year operational window before a guilty plea was entered in May 2025.

Scattered Spider, a criminal group with a UK national charged in September 2025 for supporting its operations, ran ransomware campaigns targeting critical infrastructure from 2022 through 2025. Lockergoga, MegaCortex, and NeFilim — three distinct ransomware strains administered by a single Ukrainian actor — attacked hundreds of victims globally across 2018 through 2021.

Botnets and Infrastructure for Hire

Botnet operations appear across the full span of the record. The Qakbot botnet, operated by a Russian national from 2008 through 2025, sold access to its infected machine network to other criminal groups — functioning as infrastructure-as-a-service for ransomware and fraud operations. The leader was indicted in May 2025. Bugat, operated by Moldovan actors from 2011 through 2021, targeted school districts, banks, and energy companies for illicit wire transfers. The Kelihos botnet, operated from Russia from 2010 through 2017, combined PII theft, spam distribution, and pump-and-dump stock manipulation. Romania has been a persistent source of botnet operations: one group ran a botnet from 2007 through 2016 that infected over 60,000 computers and was used for cryptocurrency mining, spam, and credential theft; another targeted the Metropolitan Police Department’s surveillance cameras in 2017 and used compromised devices as ransomware distribution nodes.

Financial and Identity Fraud

The InFraud Organization, a transnational group centered in Russia operating from 2010 through 2017, stole credit cards, PII, and identities from financial institutions, merchants, and individuals, ultimately generating over $568 million in losses. GozNym malware, operated by a network spanning Russia, Georgia, Ukraine, Moldova, and Bulgaria from 2015 through 2016, stole banking credentials from law firms, churches, medical equipment companies, casinos, and retailers. The Fin7 group, based in Ukraine, targeted point-of-sale systems at retailers from 2015 through 2018 to harvest credit card data at scale. Business email compromise, as executed by the Hushpuppi network operating out of Nigeria in 2019, combined social engineering with money laundering to extract funds from large institutions including a Qatari school founder. SEC EDGAR was compromised by Ukrainian actors in 2016 to access nonpublic filing information and execute informed trades — a scheme that applied standard criminal hacking tools directly to securities fraud.

The criminal cyberattack record is ultimately a map of opportunity. Where nation-states select targets based on strategic value, criminals follow financial return, which means every sector with accessible data, operational dependencies, or insurance coverage for ransom payments is a viable target. The expansion of ransomware from IT systems into operational technology — hospitals taken offline, water systems probed, government services disrupted — marks the point at which criminal financial motivation began producing effects indistinguishable from state-sponsored disruption.

Filed Under: News

Footer

Recent Posts

  • JadePuffer: Researchers Document the First Fully Autonomous AI Ransomware Attack
  • Aikido Acquires Root for a Reported $70 Million to Patch Open Source Without Forcing Upgrades
  • The three-week freeze on Anthropic’s most capable models is over
  • Miasma Supply Chain Worm Jumps to Go and Now Executes Inside AI Coding Assistants
  • Two-Factor Authentication Bypass: Attackers Brute-Force 2FA Systems, Gaining Access to Enterprise Accounts
  • France’s Tchap Government Messaging Breach Signals Weak Oversight of Encrypted State Communications
  • OpenSSL CVE-2026-45447: Heap Use-After-Free in PKCS#7 Verification Enables S/MIME RCE, Discovered With AI
  • Microsoft Patch Tuesday June 2026: Record 200+ Vulnerabilities in Single Release, Three Pre-Disclosure Zero-Days
  • Check Point VPN Zero-Day (CVE-2026-50751) Actively Exploited by Qilin Ransomware, CISA Orders Emergency Patch
  • Ondas (ONDS) Buys Cyberhawk for $125 Million, Pulling Critical Infrastructure Inspection Data Into the Defense and Security Perimeter

Media Partners

  • Defense Market
  • Technologies.org
  • Technology Conferences
Arkenstone Defense Emerges From Stealth With $35 Million to Fix Pentagon’s Commercial Onboarding Problem
Farnborough International Airshow from 20 to 24 July 2026 at the Farnborough International Exhibition & Conference Centre in Hampshire, UK
NATO to Begin Formal Negotiations with Saab for Up to Ten GlobalEye AEW&C Aircraft
SES Space & Defense Secures Five-Year Space Force Satellite Services Contract
Lockheed Martin and Rheinmetall Sign MOU for European ATACMS Co-Production
Advancing Rapid Defense Innovation Symposium (ARDIS) 2026, September 15-16, 2026, Ridgecrest, CA
Ondas (ONDS) Acquires Cyberhawk for $125 Million, Extending Its Defense Autonomy Platform Into Critical Infrastructure
Teledyne FLIR Defense Selected by U.S. Army for LASSO Loitering Munition Program
Heaviside Industries Raises $28M to Push Autonomous Warfare Into Its Next Phase
Israel Approves F-35 and F-15IA Squadron Purchases Worth Tens of Billions
Why a Six-Axis Robot Arm Is Staring at a Green-Headed Tanager
Industrial Robotics Meets the AI Boom: What Cobots at Trade Shows Are Really Selling
Microsoft Trims 5,500 Jobs to Defend a $190 Billion Capital Program
South Korea Commits $590 Billion to Double Its Memory Chip Capacity
HyperLight Closes $80M to Move TFLN From Lab to Foundry
Odyssey Raises $310M to Build World Models on AWS Trainium
Apple After WWDC 2026: 35% of iPhone Volume Can’t Run Siri AI Yet
The Semiconductor Rotation Myth: There Is No Rotation Out of Semi Stocks, Only Profit-Taking
The AI Selloff Repriced Valuation, Not Demand
Apple’s Next-Generation Apple Intelligence Is Built on Google’s Gemini Models
RAISE Summit, July 8-9 2026, Paris
CJS Securities 26th Annual New Ideas Summer Conference, July 9, 2026, White Plains, NY
SEMICON West 2026, October 13–15, San Francisco
Deutsche Bank Technology Conference 2026, August, Dana Point
ECOC 2026, September 20–24, Málaga
Citi Global Technology Conference 2026, September, New York
Goldman Sachs Communacopia + Technology Conference 2026, September, San Francisco
InfoComm 2026, June 13–19, Las Vegas
EBMI 2026, June 17–18, Frankfurt
FPGA Conference Europe, June 30 – July 2, 2026, Munich

Media Partners

  • Market Analysis
  • Market Research Media
  • Analysis.org
Why EU Tech Is Falling Behind the US: A Structural Diagnosis, Not a Cultural One
The HyperLight Threat to Coherent and Lumentum Ends Where Indium Phosphide Begins
SpaceX IPO (SPCX): A $1.75 Trillion Valuation Built on Selling 4% of the Company to People Who Watch Rocket Launches
What a Trillion-Dollar Cloudflare Actually Requires
The Repricing and the Drain: How SpaceX, OpenAI, and Anthropic Rewire the Index
Quantum Computing Equities: Market Segment Memo
Quantum Computing Stocks Face Violent Selloff the Moment Markets Reopen Tuesday
The $2.6 Trillion Signal: What Gartner’s AI Spending Forecast Actually Tells You
The Productivity Is Already Here. The Bubble Narrative Is Not.
The Collingridge Dilemma
Getty Images Kills the $3.7 Billion Shutterstock Merger Rather Than Sell the Editorial Business the UK Demanded
Fox’s $22B Roku Deal: 4.6x Sales, Paid in 1.5x Stock
Tuesday Open: AI Earnings Engine Holds the Line as Iran Overhang Fades to Noise
China’s U.S. Treasury Holdings: The Great Repositioning (2021–2025)
Infographic: Why the 2025 CIPA Data Proves the APS-C Renaissance is Real
How WiFi Changed Media
Canva Acquires Simtheory and Ortto to Build End-to-End Work Platform
Netflix Price Hikes, The Economics of Dominance in a Saturated Streaming Market
America’s Brands Keep Winning Even as America Itself Slips
Kioxia’s Storage Gambit: Flash Steps Into the AI Memory Hierarchy
META Compute, Samsung, SK Hynix: Where AI Infrastructure Investors Think the Margin Actually Sits
AMD Acquired MEXT to Make Flash Behave Like DRAM. It Eases the Memory Crunch Without Threatening Micron or SanDisk.
The Memory Shortage Is an Existential Event for Small Electronics Makers, Not Just a Margin Hit
The Manic Phase Is Real. The Crash Date Is Not.
Oracle’s $95 Billion Capex Guide Meets a 6.5% PPI: Today’s Session Is the Test for Nvidia, AMD, and the AI Chip Trade
PPI May 2026: Producer Prices Surge 1.1% as Iran War Energy Shock Hits the Pipeline, Goods Inflation Sets a Record
June 22 Is the Date That Changes Everything for MRVL Shareholders
SpaceX (SPCX) IPO: Why Facebook’s 2012 Debut Is the Warning Label on the Largest IPO in History
SK Hynix Eyes August US Listing: A $14 Billion ADR Raise Lands in the Middle of the AI Liquidity Pipeline
Supermicro’s $7B Equity Raise: A $39B Order Book the Balance Sheet Can’t Carry

Copyright © 2026 CybersecurityMarket.com

Media Partners: Technologies · Market Analysis · Market Research · Photography · API Coding · App Coding · Blockchaining · Referently