
Growing Link Between Cybercriminals And State Hackers Raises Security Concerns
The line between cybercriminal groups and state-sponsored hackers is becoming increasingly blurred, as espionage-focused actors collaborate with financially motivated cybercriminals, security researchers reported this week.
In a Rush? Here are the Quick Facts!
- Most cyberattacks today are financially motivated, with criminals using ransomware and scams.
- Hospitals are increasingly targeted, with data leaks doubling in the past three years.
- Russia, Iran, China, and North Korea use cybercrime to support espionage and financial goals.
The trend is particularly evident in the growing use of cybercrime tactics by state-backed hackers to conceal espionage activities and fund operations.
Google-owned cybersecurity firm Mandiant highlighted this development on Tuesday, noting that financially motivated cybercrime now dominates online threats, accounting for most of the malicious activity detected by security teams.
In 2024, Mandiant responded to nearly four times more financially motivated cyber intrusions than those linked to nation-states. However, researchers warn that while cybercrime often receives less attention from national security experts, its impact can be just as severe as espionage-related attacks.
“A hospital disrupted by a state-backed group using a wiper and a hospital disrupted by a financially motivated group using ransomware have the same impact on patient care,” Mandiant researchers wrote.
This concern is especially relevant as cybercriminals increasingly target healthcare institutions, with data leak incidents in the sector doubling over the past three years.
Beyond direct threats, cybercriminal groups are also enabling state-backed hacking efforts. Nation-states are increasingly purchasing cyber capabilities from these groups or co-opting them for espionage and disruptive operations.
Russia, for instance, has relied on cybercriminal expertise in its cyber warfare against Ukraine. The Russian military intelligence unit APT44, also known as Sandworm, has reportedly used malware from cybercrime networks to conduct cyberattacks.
Similarly, RomCom, a group historically focused on financial cybercrime, has been involved in espionage operations against the Ukrainian government since 2022, as reported by the researchers.
This pattern extends beyond Russia. Iranian hacking groups deploy ransomware for financial gain while simultaneously conducting espionage. Chinese espionage groups often engage in cybercrime to supplement their income.
The researchers argue that North Korea, however, presents the most striking case, as its state-sponsored hacking groups are directly tasked with generating revenue for the regime. North Korean hackers have aggressively targeted cryptocurrency exchanges and individual wallets, securing millions in illicit funds.
Despite these overlaps, experts caution that countering cybercrime requires distinct strategies from tackling state-sponsored hacking. Cybercriminals operate across borders and frequently regroup after law enforcement takedowns, making international cooperation critical.
Mandiant emphasized that alongside law enforcement efforts, systemic solutions such as bolstering cybersecurity education and resilience are necessary to curb the growing cybercrime ecosystem.
As cybercrime and espionage continue to converge, experts warn that the threat landscape will become even more complex, demanding stronger global coordination to combat both financially and politically driven cyber threats.