The Congressional Research Service’s inventory of foreign criminal cyberattacks against the United States runs from 2003 through 2025 and documents operations by individuals and groups from Russia, Ukraine, Romania, Iran, Nigeria, Latvia, China, North Korea, and elsewhere. These actors are distinguished from nation-state operators by one criterion: the U.S. government has determined they were acting for personal financial gain rather than to benefit a state. In practice, the line is sometimes thinner than that framing implies — several criminal groups rented infrastructure to nation-state actors or were eventually shown to have state relationships — but the legal category determines the charging instrument and, consequently, what can be publicly attributed.
Ransomware Dominates the Recent Record
The most prevalent attack category in the criminal record is ransomware. REvil’s attack on Kaseya in 2021, executed by Ukrainian and Russian actors, exploited a supply-chain vulnerability in IT management software to push ransomware to thousands of downstream businesses simultaneously — a force multiplier that turned a single compromise into a mass casualty event for managed service providers. The Phobos ransomware gang, operating from Russia with multiple affiliates, victimized more than 1,000 organizations and extracted over $16 million before affiliates were arrested in a coordinated international disruption in February 2025. SamSam ransomware, operated by Iranian nationals from 2015 through 2018, targeted state and city government agencies and hospitals, causing over $30 million in losses. The Robbinhood ransomware scheme, also run by an Iranian national from 2019 through 2025, victimized city governments, hospitals, and other entities over a six-year operational window before a guilty plea was entered in May 2025.
Scattered Spider, a criminal group with a UK national charged in September 2025 for supporting its operations, ran ransomware campaigns targeting critical infrastructure from 2022 through 2025. Lockergoga, MegaCortex, and NeFilim — three distinct ransomware strains administered by a single Ukrainian actor — attacked hundreds of victims globally across 2018 through 2021.
Botnets and Infrastructure for Hire
Botnet operations appear across the full span of the record. The Qakbot botnet, operated by a Russian national from 2008 through 2025, sold access to its infected machine network to other criminal groups — functioning as infrastructure-as-a-service for ransomware and fraud operations. The leader was indicted in May 2025. Bugat, operated by Moldovan actors from 2011 through 2021, targeted school districts, banks, and energy companies for illicit wire transfers. The Kelihos botnet, operated from Russia from 2010 through 2017, combined PII theft, spam distribution, and pump-and-dump stock manipulation. Romania has been a persistent source of botnet operations: one group ran a botnet from 2007 through 2016 that infected over 60,000 computers and was used for cryptocurrency mining, spam, and credential theft; another targeted the Metropolitan Police Department’s surveillance cameras in 2017 and used compromised devices as ransomware distribution nodes.
Financial and Identity Fraud
The InFraud Organization, a transnational group centered in Russia operating from 2010 through 2017, stole credit cards, PII, and identities from financial institutions, merchants, and individuals, ultimately generating over $568 million in losses. GozNym malware, operated by a network spanning Russia, Georgia, Ukraine, Moldova, and Bulgaria from 2015 through 2016, stole banking credentials from law firms, churches, medical equipment companies, casinos, and retailers. The Fin7 group, based in Ukraine, targeted point-of-sale systems at retailers from 2015 through 2018 to harvest credit card data at scale. Business email compromise, as executed by the Hushpuppi network operating out of Nigeria in 2019, combined social engineering with money laundering to extract funds from large institutions including a Qatari school founder. SEC EDGAR was compromised by Ukrainian actors in 2016 to access nonpublic filing information and execute informed trades — a scheme that applied standard criminal hacking tools directly to securities fraud.
The criminal cyberattack record is ultimately a map of opportunity. Where nation-states select targets based on strategic value, criminals follow financial return, which means every sector with accessible data, operational dependencies, or insurance coverage for ransom payments is a viable target. The expansion of ransomware from IT systems into operational technology — hospitals taken offline, water systems probed, government services disrupted — marks the point at which criminal financial motivation began producing effects indistinguishable from state-sponsored disruption.