Beware, evil attack: the three most dangerous hacker groups are named

At the beginning of 2025, three large hacker groups became active in the Russian Federation at once. By experts' rough estimates, the damage from their activity runs to hundreds of millions of rubles. The most dangerous of them, Head Mare, had previously hacked SDEK and Peterburgaz, and recently it broke through the defences of a large heavy-industry enterprise and used an extortion scheme. Izvestia looks at the hackers and the sectors they chose to attack.
The three most dangerous hacker groups
Experts from Informzashchita told Izvestia about the most dangerous hacker groups that launched attacks on Russian companies in 2025. In first place is the international group Head Mare, which first appeared in 2023 and targets organizations in Russia and Belarus. In January of this year it accounted for about 15% of all ransomware attacks.
LokiLocker is in second place; it also appeared in 2023, and in January 2025 it was responsible for about 10% of attacks. The exact origin of the group is unknown; presumably it includes hackers from Iran and Eastern European countries: Poland, the Czech Republic and Ukraine.
Babuk2, in third position, accounted for 8% of attacks on Russian companies. The original Babuk group operated in 2020-2021; the group active in 2025 is believed to be imitators. It includes Russian-speaking and English-speaking hackers and was probably originally formed in the Russian Federation, the press service of Informzashchita clarified.
The company told Izvestia about a recent Head Mare attack on a heavy-industry enterprise. The attack was carried out through vulnerabilities in routers used in the organization's information infrastructure. The malware had presumably been present for about three months. As a result, the hackers were able to encrypt part of the databases, including information about planned shipments and their volumes. Serious consequences were avoided thanks to the timely involvement of information security specialists and the availability of backups. The ransom demanded by the attackers was about 900 thousand rubles.
"In January 2025, 25% of ransomware attacks targeted the industrial sector, which will remain the most attacked industry throughout the year. The reasons for the attention to industry, in addition to the availability of valuable information, are the use of outdated equipment (60% of enterprises) and insufficient work by information security specialists (45% of companies). Services (20%) and healthcare (10%) were also among the most attacked industries," according to a study by Informzashchita experts (available to Izvestia).
Experts observe a tendency for ransomware groups and individual hacktivists to join forces to carry out attacks. In January, the number of cyber attacks rose by 80% compared with the same period of 2024, driven by the proliferation of so-called RaaS (ransomware as a service) platforms, which let attackers obtain malware easily. Ransomware as a service is one of the most popular offerings provided by criminal developers, cybersecurity experts said.
How much damage did the hackers cause?
Head Mare attacks everything it can reach in Russia, so calculating the damage is extremely difficult, Phishman CEO and information security expert Alexey Gorelkin told Izvestia. By his estimate, taking downtime into account, the SDEK incident alone in May 2024 caused damage of up to 1 billion rubles. In the expert's view, Head Mare is the most dangerous of the top three, but he advises not to forget the North Korean group Lazarus, which has remained extremely effective for a decade and a half and thanks to which, probably, the DPRK is among the largest bitcoin holders in the world.
— Head Mare attacks many targets: the Kalashnikov concern, Russian Railways, and Belarusian information security integrators. At the same time, many such groups are pro-government, which means that they "sit" on the payroll of our enemies and attack not the most vulnerable, but those whose hacking will bring maximum economic and informational damage to Russia, the expert added.
Igor Bederov, Head of the Information and Analytical Research Department at T. Hunter, agrees with this.
— Shutting down a factory can cost millions of rubles per hour, which makes industrial companies more willing to pay the ransom. At the same time, the introduction of automation outpaces the updating of security systems. For example, outdated information security systems in factories are becoming an easy target for cybercriminals. Well, some of the attacks were probably sponsored by states for which industrial facilities are among the most significant targets, he said.
According to Igor Bederov, in the Peterburgaz hack at the end of 2024, the hackers introduced malicious code into the pressure management system, which caused an emergency shutdown of part of the network. The consequences could have been catastrophic, but a manual restart worked. The organization has not officially confirmed the incident.
Since April 2023, according to experts, LokiLocker has attacked at least 62 companies worldwide, 21 of them in Russia, Igor Bederov said. Small and medium-sized businesses in the construction, tourism and retail sectors suffered most from the group's actions. The backbone of LokiLocker is believed to consist of people from Eastern European countries, including Poland and Ukraine, he added.
The expert noted that there is no direct evidence of a formal alliance or coordinated action between the Babuk2, Head Mare and LokiLocker groups at the beginning of 2025. However, indirect signs and analytical data suggest possible overlaps in methods, infrastructure or sponsors.
"The growth of cyber attacks in 2025 proved that information security is a strategic priority that affects the survival and competitiveness of businesses," said Demid Golikov, Director of ARB Pro consulting company.
According to Akhmetzhan Makhmutov, an information security expert and Deputy Minister of Digital Development of the Vologda Region, by 2026 we should expect groups to merge into alliances, which in turn will increase the scale of threats. At the same time, hacker groups are already making massive use of AI to analyze vulnerabilities. For example, Head Mare used neural networks to find weaknesses in the SDEC code in a matter of minutes, he added.
To protect themselves, the expert recommends that organizations implement quantum-resistant encryption, regularly test systems for hardware implants, and create backup data stores to spread risk.
Translated by Yandex Translate