News

Positive Technologies warns: damage from hacktivist attacks reaches the level of nation-state groups

The line between ideologically driven hackers (hacktivists) and advanced persistent threat (APT) groups is blurring, as hacktivists increasingly carry out operations on behalf of governments and state-affiliated organizations. Analysts at Positive Technologies describe this as a major shift in the global cyberthreat landscape and predict that continued cooperation between politically motivated hackers and nation-state groups will give rise to "hacktivism as a service" on the global dark web.

Advanced persistent threat (APT) groups are highly skilled, organized hacker collectives that conduct targeted attacks and maintain a covert presence in victim networks over extended periods. In 2025, hacktivist groups began to fit this profile as their operations expanded beyond simple digital protest.

Positive Technologies has also observed a change in how hacktivists operate. Today, hacktivists frequently act as proxies, participating in cyberattacks alongside or under the direction of state-aligned groups. Working as hackers-for-hire brings them the resources to professionalize: they expand their toolsets and hone their skills while preserving an appearance of independence. The result is more technically sophisticated attacks against larger and more sensitive targets.

Europe remained the primary global target for hacktivism in 2025, with hacktivists accounting for 65% of all attackers in the region. Attention-seeking tactics such as DDoS attacks [1] and website defacements [2] are giving way to operations aimed at establishing a long-term covert presence in victim networks, sabotaging real infrastructure, and stealing critical data. State-aligned groups, for example, stole a record $2 billion in cryptocurrency in 2025, a 51% increase over the previous year, and in the process compromised large volumes of exchange customer information and personal data.

In 2025, attacks primarily targeted the sectors that make up the critical infrastructure of the victim states: government agencies (22%), industrial organizations (16%), defense contractors (10%), and financial institutions (10%). Campaigns by the Lazarus group illustrate the scale of this threat. The attackers sent employees of the targeted companies phishing emails carrying malware disguised as job offers, and went on to exfiltrate classified technical data on industrial processes, compromising the national and military security of several countries at once.

Phishing remained the primary method for gaining initial access to internal networks, used by up to 43% of the tracked threat groups, and artificial intelligence is rapidly expanding what this vector can do. The BlueNoroff group, for instance, used deepfakes during video calls to impersonate crypto project executives and persuade participants to download a malicious "update." A lure of this kind depends on the victim installing software on the strength of a video call alone, which is why any such request should be verified out of band before anything is installed.

[1] A distributed denial-of-service (DDoS) attack floods a target's servers or network links with traffic from many sources until legitimate users can no longer reach the service.

[2] Website defacement is the unauthorized alteration of a site's appearance, typically done to publicly demonstrate a successful cyberattack.

"In 2025, the highest concentration of active threat groups was recorded in the CIS region, with 99 classified as APT groups and 24 as hacktivists. In Europe, we tracked the activity of 105 groups. Almost two-thirds of these were hacktivists, making it the leading region globally for this type of threat actor. Meanwhile, 99 predominantly financially motivated groups were active across Latin and North America."

Artem Beleii, Senior Analyst at the International Analytics Group at Positive Technologies

Defending against APT groups and hacktivists requires a comprehensive approach that combines technology, processes, and trained people. Detection and response tooling such as EDR, XDR, SIEM, and NGFW is needed to spot and contain intrusions before they cause serious damage, and because phishing remains the primary initial access vector, regular employee training on cyberhygiene is essential. Training alone will not stop a deepfake-driven lure, however, so it should be paired with technical controls that limit what a single deceived user can install or run. Cyberthreat intelligence (CTI) supports proactive defense by continuously gathering and analyzing data on current attacker tactics and tools. Finally, organizations can test their readiness against threats of this sophistication by having specialized expert teams simulate real-world attacks.