The Importance of Monitoring Threat Actors in an Era of Blurring Boundaries

In today’s rapidly evolving digital landscape, threat actors—ranging from lone hackers and organized cybercriminal groups to ideological hacktivists and state-sponsored operatives—pose a growing challenge to global cybersecurity. As the tools and tactics available to these actors become more advanced, the traditional distinctions between them are beginning to fade. Criminal groups now collaborate with nation-state entities, hacktivist campaigns are increasingly politicized, and financial motives often overlap with espionage or sabotage. This convergence is creating a far more complex and unpredictable threat environment.
In this blog, we’ll examine how threat actors are adapting to emerging technologies, how the lines between different threat categories are becoming increasingly blurred, and what this means for organizations looking to defend themselves in an age of converging and rapidly evolving cyber threats.
What Are Threat Actors?
Threat actors are individuals, groups or entities that pose a threat to cybersecurity by carrying out cyberattacks. They are usually categorized based on their skill set and resources.
Main Types of Traditional Threat Actors and Their Motivations
Here are some of the most common types of threat actors and their typical motivations:
Cybercriminals
This is a broad term used to describe individuals or groups that conduct illegal activities online. Cybercriminals are generally motivated by financial gain. Cybercrime includes a variety of threats, ranging from well-organized ransomware-as-a-service (RaaS) syndicates to lone actors. Their malicious activities include stealing data, scamming victims into transferring money, stealing login credentials and much more.
Nation-State Actors
Also known as advanced persistent threat (APT) actors, these groups operate on behalf of a country’s government or intelligence agency. They are highly sophisticated and well-resourced, allowing them to develop advanced tools and techniques. APTs are usually motivated by national interests with aims ranging from espionage, sabotage and disruption to political destabilization, although occasionally they will also conduct activities for economic gain. They mainly target governmental institutions, critical infrastructure and large corporations.
Hacktivists
Hacktivists are individuals or groups (also known as collectives) with political or social motives. The goal of most hacktivist groups is to draw attention to their agenda, and they do not typically cause substantial damage to critical infrastructure. While they are generally not financially motivated, some seek financial gain to help finance their activities. Their tactics often include DDoS attacks, website defacements and data breaches, usually targeting government organizations and corporations.
Insiders
An insider can be an employee, third-party contractor or partner. Insider threats occur when individuals with authorized access to sensitive information, systems or physical assets misuse that access to harm the organization, whether intentionally or unintentionally. While unintentional threats usually stem from negligence, malicious insiders may be motivated by financial gain, revenge or ideology.
Top Threat Actors
As shown in the diagram below from Cognyte’s 2025 Threat Landscape Report, the most active threat actors over the past year were cybercriminals (49%), followed by nation-state actors (36%) and hacktivists (4%):
The top threat actors have remained consistent with trends in 2023, with nation-state actors increasing slightly from 33% to 36%. This is likely due to the ongoing regional and global conflicts and the involvement of cyberattacks as a tactic to support the different sides of the conflicts.
Common Platforms Used by Threat Actors
Threat actors operate on various platforms depending on their objectives. Much of their activity is associated with the dark web, which provides anonymity and encryption, making it a haven for cybercriminal activity. Additionally, messaging platforms, which are part of the deep web, have become common hubs for fraudulent activity.
One platform of particular interest is Telegram. Telegram has gained popularity among cybercriminals due to its combination of unique features, including end-to-end encryption, anonymity, ease of use, open API and bot functionalities. Threat actors use specific forums, communities, and channels on Telegram dedicated to cybercrime subcategories such as malware, initial access and more.
Although some threat actors have claimed they would diversify their operations beyond Telegram following reports that the platform may share information with law enforcement, so far there has not been a significant shift away from Telegram. Despite a recent and ongoing purge of hacktivist accounts by Telegram, the LUMINAR team has observed that some groups appear to migrate to new channels, suggesting continued usage of Telegram for their illicit activities.
The Growing Threat of GenAI-Driven Attacks
The rise of Generative AI (GenAI) technologies—especially Large Language Models (LLMs) now available for public use—is transforming the cybersecurity landscape. Threat actors are leveraging these tools to scale their operations, enhance deception techniques and automate attacks with unprecedented speed and precision. From writing malware to generating deepfake content and launching sophisticated phishing campaigns, GenAI is accelerating the evolution of cyber threats.
A recent warning from Microsoft underscores the urgency of this shift, highlighting how nation-state actors from Russia, North Korea, Iran, and China are increasingly experimenting with LLMs to support their cyber operations. This marks a turning point in the threat landscape, as adversaries gain access to AI-driven capabilities that can significantly accelerate and enhance their illicit activities.
Blurring Traditional Boundaries
As the cyber landscape becomes more interconnected, the lines between traditional categories of threat actors are becoming increasingly blurred. Throughout the past year, there were several trends that will likely continue to intensify:
- There were multiple instances of complex, dual-motivated threat actors whose motivations deviated from traditional classifications. For example, several groups with hacktivist traits were also financially motivated, employing cybercrime tools, such as ransomware.
- Nation-state actors are strengthening ties with cybercriminals and hacktivists, outsourcing cyberespionage operations and using these affiliations to mask their activities. For example, Russia-affiliated state actors have been observed utilizing infostealers used by cybercriminals to collect intelligence on the Ukrainian military. Similarly, nation-state groups linked to Iran have collaborated with and acted as initial access brokers for affiliates of known ransomware gangs.
- The relationship between nation-state attackers and hacktivist groups has deepened. For instance, researchers recently identified a former Chinese hacktivist working as a contractor for China’s Ministry of State Security (MSS).
- Insider threats may escalate as sophisticated threat actors increasingly attempt to infiltrate corporations or manipulate employees. For example, the FBI recently observed North Korean IT workers leveraging unlawful access to U.S. company networks to exfiltrate proprietary and sensitive data, facilitate cybercriminal activities and generate revenue.
These developments highlight the importance of meticulous and continuous monitoring of threat actors, who often operate across multiple platforms. The complexity of mixed and dual motivations for attacks challenges traditional threat actor classifications, requiring advanced analysis and expertise to anticipate and mitigate threats.
Monitoring Threat Actors
All organizations, big and small, across all industries, are potential targets for cyberattacks. A full and deep understanding of relevant threat actors is crucial to mitigating cyber threats, including vulnerability exploitation, data breaches, credential theft and other malicious activities. Ongoing monitoring of threat actors’ tactics, techniques and procedures (TTPs) is essential for proactive defense.
LUMINAR is Cognyte’s AI-powered, external threat intelligence solution that consolidates all essential threat intelligence capabilities into one unified solution. LUMINAR’s Threat Actor Analysis Module enables swift and comprehensive monitoring of threat actors’ activities across multiple platforms. Continuous monitoring allows organizations to be aware of threats in real time, increasing the chances of early threat detection and enabling swift and effective mitigation.
Conclusion
The landscape of cyber threats is evolving at an unprecedented pace, with traditional boundaries between threat actor groups becoming increasingly blurred. To keep up, organizations must employ continuous monitoring and intelligence-driven cybersecurity strategies. Understanding the motivations and tactics of threat actors, as well as the platforms they use, is essential to strengthening cyber defenses and mitigating risks before they escalate. Staying ahead requires vigilance, adaptability and proactive external threat intelligence to counter the ever-growing sophistication of cyber adversaries.