Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.

The hacktivist group NoName057 (16) claimed 4,693 attacks, the highest number claimed by a single hacktivist entity.

71% of incidents in the Automotive and Smart Mobility ecosystem are attributed to black hat actors, up from 65% in 2024.

The Qilin ransomware group claimed 1,115 victims in 2025, making it the most active ransomware group across disclosed and undisclosed attacks.

The Play ransomware group accounted for 5% of disclosed ransomware attacks in 2025.

Fifty-two new ransomware groups emerged in 2025, a 9% increase compared to 2024.

A total of 130 different ransomware groups carried out attacks in 2025.

The Lazarus threat actor group has over 40 distinct designations across the industry.

The INC ransomware group claimed 66 victims in undisclosed activity in 2025.

The Akira ransomware group was linked to 776 total recorded attacks in 2025.

40% of threat actor updates in H1 2025 were attributed to state-sponsored groups.

9% of threat actor updates in H1 2025 were attributed to hacktivists.

51% of threat actor updates in H1 2025 were attributed to cybercriminals, such as ransomware groups.

The Handala ransomware group, a pro-Palestine group, targeted 17 Israeli organisations between 14th and 30th June 2025. These attacks coincided with the 12-day Iran-Israel war.

Play dropped to third place of most active threat groups in June 2025 with 29 attacks.

Qilin was the most active threat group in June 2025, responsible for 16% of all attacks, which amounted to 60 cases.

Qilin ranked as the third most active threat group in May 2025 with 42 attacks.

Akira was the second most active threat group in June 2025, with 31 attacks, rising from fourth place in May.

Qilin saw a significant rise in Q2 2025 with 151 attacks, up from 95 attacks in Q1.

SafePay dropped to fourth place of most active threat groups in June 2025 with 27 attacks.