Aka, who’s actually out there, doing shady stuff…

Understanding the different types of threat actors is one of the most effective ways to make sense of how and why incidents actually happen, and why many of them are far less sophisticated than we tend to assume. In today’s article, we’ll look at some of the actors that make the internet unsavoury, their motivations, and how they go about doing what they do.
Cybercriminals: The Business of Digital Exploitation
Cybercriminals are the most common and economically motivated threat actors in the online ecosystem, operating with the primary goal of generating profit through scalable and repeatable methods. Rather than relying on highly technical exploits, they often focus on efficiency, targeting exposed credentials, weak security practices, and widely reused passwords to gain access to accounts and systems. Their operations frequently involve credential stuffing, phishing campaigns, and the resale of access through underground marketplaces, and many now function as structured enterprises with defined roles and revenue streams. What makes cybercriminals particularly effective is not necessarily their sophistication, but their ability to capitalize on predictable human behavior and widely available data.
Ransomware Operators: Monetizing Access and Disruption
Ransomware groups represent a specialized and highly impactful subset of cybercriminals, built around the model of gaining access to systems, encrypting or exfiltrating data, and demanding payment for its return or non-release. These actors increasingly operate within a Ransomware-as-a-Service (RaaS) ecosystem, where affiliates conduct intrusions using shared tools and infrastructure, lowering the barrier to entry and expanding the scale of attacks. While ransomware is often perceived as technically advanced, initial access is frequently achieved through relatively simple means such as stolen credentials, exposed remote services, or successful phishing attempts. The real sophistication lies in their ability to coordinate operations, apply pressure through data leaks, and exploit the urgency organizations feel when their operations are disrupted.
Hacktivists: Ideology Over Profit
Hacktivists are threat actors driven by political, social, or ideological motivations, using digital means to amplify their message or disrupt organizations they perceive as adversaries. Their activities commonly include website defacement, distributed denial-of-service (DDoS) attacks, and the public release of data intended to embarrass or pressure a target. Unlike financially motivated actors, hacktivists are less concerned with stealth or long-term persistence and more focused on visibility and impact. Their technical capabilities can vary widely, but their effectiveness often comes from timing, coordination, and the ability to leverage public attention rather than from deeply sophisticated techniques.
State-Sponsored Actors / APTs: Strategic and Persistent Threats
State-sponsored threat actors, often referred to as Advanced Persistent Threats (APTs), operate with the backing or alignment of nation-states and are typically tasked with objectives such as espionage, intellectual property theft, or strategic disruption. These groups are characterized by their resources, patience, and ability to maintain long-term access within targeted environments, often going undetected for extended periods. While they are capable of developing and deploying advanced tooling, their initial access methods frequently overlap with those used by less sophisticated actors, including phishing, credential harvesting, and exploitation of misconfigurations. What distinguishes them is not just technical capability, but their persistence, operational discipline, and alignment with broader geopolitical objectives.
Insiders: Risk from Within the Organization
Insider threats originate from individuals who already have legitimate access to systems and data, including employees, contractors, and business partners, making them uniquely positioned to cause harm either intentionally or inadvertently. Unlike external attackers, insiders do not need to bypass perimeter defenses, which allows their actions to blend more easily into normal activity and makes detection more challenging. These threats can take the form of deliberate data theft, misuse of access privileges, or simple negligence such as mishandling sensitive information or falling victim to phishing attacks. In many cases, what appears to be an external breach is actually rooted in compromised or misused internal access, highlighting the importance of monitoring behavior in addition to securing systems.
Script Kiddies and Low-Skill Actors: Access With Low Expertise
Script kiddies and other low-skill threat actors represent individuals who lack deep technical knowledge but leverage readily available tools, exploits, and tutorials to carry out attacks. While they are often dismissed as unsophisticated, they can still pose a meaningful risk, particularly to organizations with weak security controls or exposed assets. These actors rely heavily on automation and publicly available resources, scanning for vulnerabilities, testing default credentials, or launching basic attacks without needing to fully understand the underlying systems. Their impact is less about precision and more about volume, as they exploit the reality that many environments remain vulnerable to even the most basic techniques.
Violent Extremist Networks: Online Activity with Offline Consequences
Violent extremist networks operate in the digital space to support recruitment, propaganda distribution, financing, and coordination, representing a different category of online threat where the consequences often extend beyond cyberspace. These actors use a mix of mainstream platforms, encrypted messaging services, and alternative networks to disseminate content and connect with individuals, often leveraging anonymity and decentralized communication methods. While they may not always engage in traditional cyberattacks, their online presence creates significant risk by enabling radicalization, operational planning, and the amplification of harmful ideologies. From a threat perspective, their use of online infrastructure underscores how digital exposure can intersect with real-world harm.
Carders: Turning Stolen Data into Money
Carders specialize in the theft, sale, and use of compromised payment card data, and their methods are often far more routine than people expect. They typically obtain card details through breaches, phishing pages, malware (like infostealers), or by purchasing bulk data from other actors, then validate and monetize that data through small test transactions or fraudulent purchases. In practice, this often looks like automated scripts checking whether cards are still active, followed by resale on underground forums or direct use for goods and services. Their effectiveness comes from volume and reuse—if enough people store card details insecurely or reuse credentials tied to payment accounts, there is always fresh data entering their ecosystem.
Social Engineers: Manipulating People, Not Systems
Social engineers focus on manipulating individuals directly, using conversation, persuasion, and context to gain access, obtain sensitive information, or get individuals to take a particular action. This can happen over phone calls, email, messaging platforms, or even in person, often under the guise of IT support, a colleague, or a trusted vendor. Their approach is to create believable scenarios (e.g. something is broken, something needs urgent attention, or something requires verification) and guide the target into taking an action that benefits the attacker. Unlike phishing, which is often broad and automated, social engineering can be more targeted and adaptive, with the actor adjusting their approach based on the responses they receive. At its core, it works because it leverages normal human tendencies: trust, helpfulness, and a desire to resolve problems quickly.
Infostealer Operators: Harvest Now, Sort Later
Infostealer operators deploy malware designed to quietly collect large volumes of data from infected systems, including saved passwords, browser cookies, autofill data, and session tokens. These infections often happen through downloaded files, cracked software, malicious ads, or links shared through forums and messaging platforms. Once the data is collected, it’s packaged into logs and either sold or shared, where other actors can sift through it for valuable access. The key pattern here is scale—operators are not targeting a specific individual so much as gathering as much data as possible and letting others figure out what’s useful. This creates a constant stream of exposed credentials that can be reused across services.
So What Do We Really Mean by “Online Threat”?
When you step back, it becomes clear that an online threat is not defined solely by the presence of a malicious actor, but by the conditions that allow that actor to succeed. Across all categories—from cybercriminals to insiders—the common thread is not necessarily advanced technology, but accessible data, weak controls, and predictable behavior. The same pathways that enable sophisticated actors are often available to low-skill individuals, and in many cases, the difference between a near miss and a breach comes down to routine decisions made in day-to-day operations.
The Part We Don’t Like to Admit
It’s easy to frame online threats as something external—something done to us by attackers with specialized skills and intent. But in reality, many of the conditions that enable these actors are created internally, through habits like password reuse, oversharing, convenience-driven storage, and misconfigured systems. The uncomfortable truth is that while threat actors vary in motivation and capability, they are all leveraging the same underlying reality:
Systems are only as strong as the way we use them. And more often than not, the biggest threat isn’t just out there—it’s in our own habits.
