
Five of the Most Prolific Hacking Groups Ever Tracked Publicly

A practical look at five groups that keep showing up in major public investigations because of their longevity, scale, and impact.

Posted Mar 8, 2026
Author Bryce Whitney
Tags: threat-intelligence, apt, ransomware, hacking-groups

Any list of the “most prolific” hacking groups needs a disclaimer up front, because prolific is not a scientific label. It depends on what you count. Volume of operations matters. Longevity matters. Public attribution matters. So does measurable impact. For this post, I am not treating prolific as “most technically advanced” or “most feared on social media.” I am using a simpler test: which groups keep appearing in major public investigations, across years, with enough documented activity that governments, incident responders, and law enforcement keep returning to them.

Using that standard, five names stand out repeatedly: Sandworm, APT28, APT29, Lazarus Group, and LockBit. They are not identical. Some are state-backed espionage groups. Some are destructive operators. One is a ransomware enterprise. But all five have shown unusual staying power and impact.

Illustration showing the five groups covered in this post

Sandworm is on almost every serious list because it combines disruption, persistence, and strategic effect. CISA’s 2022 Cyclops Blink advisory ties Sandworm to a line of major operations that already included the BlackEnergy disruption of Ukrainian electricity in 2015. That matters because the group did not just steal data or quietly maintain access. It repeatedly showed a willingness to target critical systems and create real-world consequences. The same advisory and other public reporting also associate the group with Industroyer, NotPetya, the attacks on the 2018 Winter Olympics and Paralympics, and follow-on campaigns against infrastructure. If you are looking for a group whose history shaped how defenders think about cyber operations crossing into national infrastructure and geopolitical conflict, Sandworm belongs near the top.

APT28, attributed in public reporting to Russia’s GRU and widely known as Fancy Bear, stays on the shortlist because of range and frequency. CISA’s April 18, 2023 advisory says that in 2021 APT28 exploited a known, previously patched vulnerability in Cisco routers and used that access against routers worldwide, including U.S. government institutions, European targets, and approximately 250 Ukrainian victims. That one data point captures why the group matters: a years-old, patchable flaw in network infrastructure was enough to give a state actor a foothold at scale. APT28 is not a one-off campaign label. It is a long-running operator that keeps adapting techniques to real infrastructure and politically sensitive targets, and public reporting on elections, military targets, and diplomatic entities across multiple years only reinforces that pattern.

APT29 deserves separate treatment because it represents a different style of longevity. Where APT28 is commonly discussed in terms of broad, aggressive targeting, APT29 has become a byword for patient espionage. CISA’s February 26, 2024 advisory on SVR actors says the group commonly known as APT29, Cozy Bear, or Midnight Blizzard continues adapting its tactics for initial access to cloud environments. CISA’s SolarWinds remediation material also describes the SolarWinds compromise as an APT29 operation and notes that roughly 18,000 Orion customers received the malicious update, even though a much smaller number suffered follow-on compromise. That is one of the clearest examples of why “prolific” does not only mean noisy. A group can be prolific because it repeatedly shows up in strategic, high-value intrusions with enormous downstream reach.

Lazarus Group belongs here because it has repeatedly crossed sectors and funding models while staying visible in major public cases. CISA’s TraderTraitor advisory says a North Korean state-sponsored group tracked as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima has targeted blockchain companies since at least 2020. The FBI later confirmed that Lazarus was responsible for the theft of $100 million from Harmony’s Horizon bridge. That is one reason Lazarus is hard to ignore. It is not confined to one lane. Public cases link it to financially motivated cryptocurrency theft, broader state objectives, malware campaigns, and high-profile intrusions over many years. Even when specific sub-clusters shift names, the operational footprint keeps resurfacing.

Then there is LockBit, the outlier on this list because it is a financially motivated ransomware-as-a-service operation rather than a state intelligence group. It still qualifies because of sheer scale. The U.S. Department of Justice said in February 2024 that LockBit had targeted over 2,000 victims, received more than $120 million in ransom payments, and made ransom demands totaling hundreds of millions of dollars. In a later announcement, the DOJ described LockBit as the most prolific ransomware variant and group in the world. That is hard to argue with. If your definition of prolific includes a large and growing victim count, global affiliate activity, and measurable criminal revenue, LockBit is unavoidable.

Illustration showing the criteria used to call a group prolific

There are other names that could reasonably appear in a list like this. FIN7 had enormous criminal reach. Conti had outsized ransomware impact before fragmenting. Salt Typhoon has become central to current telecom and infrastructure reporting. But the five above are the groups I keep coming back to when I look for public evidence of sustained operational significance across years and jurisdictions.

One caution is worth keeping in mind. Public attribution is uneven. Governments reveal what they can prove and what they want to say. Private incident response firms see different slices of the picture. So this list should not be read as a final historical ranking. It is better understood as a practical shortlist of groups whose documented campaigns changed how defenders, policymakers, and investigators think about cyber operations.

Summary

If you define prolific in terms of repeated public attribution, operational longevity, and measurable impact, Sandworm, APT28, APT29, Lazarus Group, and LockBit all make a strong case. Sandworm showed how destructive cyber campaigns can hit infrastructure. APT28 and APT29 remained central to repeated state-linked espionage operations. Lazarus repeatedly connected state interests with major financial theft. LockBit industrialized ransomware at massive scale. Different motives, different playbooks, same result: they each left a long and very visible trail.
