In a nutshell: Cybercriminals increasingly exploit supply chains and shared infrastructure as attack vectors, with commercialized tools such as Tycoon 2FA (89 percent market share) enabling even less sophisticated actors.
Analysis of over 1,550 investigation cases by Group-IB reveals a structural shift in organized cybercrime: attackers increasingly target IT supply chains and shared infrastructure rather than striking target organizations directly. A single compromise point reached over 130 organizations in a sector simultaneously.
Group-IB has released its annual report on global threat actors, documenting a strategic shift: criminal groups increasingly exploit IT supply chains, shared infrastructure, and third-party ecosystems to amplify harm across entire sectors through a single access point, while significantly shrinking the window in which they can be detected.
This strategy is enabled by the growing commercialization of malware and attack infrastructure in the criminal underground. The Tycoon 2FA platform holds an 89 percent share of the automated phishing (Phishing-as-a-Service) market and undermines the effectiveness of multi-factor authentication by intercepting authentication tokens. The TX-NFC system allows criminals, for a daily subscription fee starting at 45 dollars, to simulate contactless payments at physical point-of-sale terminals using stolen card data.
Group-IB CEO Dmitry Volkov sees this as a turning point: “The supply chain has become the most powerful multiplier of cybercrime. A single compromise point in one operation we tracked reached over 130 organizations.” At the same time, the commercialization of attack infrastructure is rapidly closing the capability gap between highly sophisticated and technically less experienced threat actors.
The ranking names Lazarus as the leading state-sponsored group, with cryptocurrency thefts totaling over 6.5 billion dollars over its lifetime (2.02 billion dollars in 2025). Scattered Spider compromised over 130 technology companies through their supply chains. DarkBlinders demonstrates the highest adaptability, specifically targeting aviation and telecommunications in the Middle East. MuddyWater distributed three new malware variants across over 113 countries between October 2025 and March 2026. GoldFactory uses specialized malware to steal biometric data for facial recognition systems in mobile banking.
Source: www.it-daily.net · Published June 24, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.