Article · Wikipedia archive · Last revised May 31, 2026

Threat actor

In cybersecurity, a threat actor, bad actor or malicious actor is a person or a group of people that takes part in malicious acts in the cyber realm, including computers, devices, systems, or networks. Threat actors engage in cyber-related offenses to exploit open vulnerabilities and disrupt operations. Threat actors have different educational backgrounds, skills, and resources. The frequency and classification of cyber attacks change rapidly. The background of threat actors helps dictate who they target, how they attack, and what information they seek. Researchers have proposed taxonomies of threat actors that include cyber criminals, nation-state actors, ideologues, thrill seekers/trolls, insiders, and competitors. These threat actors all have distinct motivations, techniques, targets, and uses of stolen data.

In cybersecurity and risk assessment, a threat actor (or threat agent, attacker, or adversary1) is a person, group, organisation, state, or other entity with the ability to cause, carry, transmit, support, or exploit a threat.12

Threat actors are commonly analysed according to their motivations, resources, technical capability, access to systems, relationship to a target, and degree of connection to state authority. They may exploit vulnerabilities, conduct social engineering, steal or monetise data, disrupt operations, or support other actors who carry out such activity.34 Because the term covers a wide range of actors, researchers and security organisations use taxonomies that distinguish between groups such as cybercriminals, state-linked actors, ideologically motivated actors, thrill seekers or trolls, insiders, and competitors.5

Threat actor classifications are used in risk management, cyber threat intelligence, and incident response to connect observed behaviour with possible objectives and likely future activity. The categories are not always mutually exclusive: the same actor may combine criminal, ideological, commercial, or state-linked motivations, and different organisations may use different names for similar actors.

Risk assessment and security management

In risk assessment, threat actor analysis is used to identify who or what may create, carry, transmit, support, or exploit a threat, and how that actor relates to the system being assessed. Rausand and Haugen classify threat actors by their relationship to the system, distinguishing between internal and external actors, and by intent, distinguishing between intentional and unintentional actors.1 Threat actor classification may also support incident investigation. Rogers argued that actor categories could be inferred from observable case points, such as tools used, messages left, data targeted, forensic knowledge, and the degree of damage, allowing investigators to assess likely motivation and skill level.6

Later work similarly linked actor classification to operational analysis. Chng, Lu, Kumar and Yau proposed a framework connecting hacker types, motivations and typical strategies, arguing that observed behaviour before or during an attack can help analysts infer the likely type of actor involved.5

At the strategic level, actor analysis may consider an actor's resources, capabilities, degree of state involvement, motivations and objectives.7

Landscape

The United Nations Institute for Disarmament Research has described the contemporary cyberthreat landscape as involving an increasingly diverse and interconnected set of actors, including state-led operations, cybercriminal syndicates, ideological hacktivists, commercial cyber mercenaries, private companies and civilian volunteers. Its 2026 report argued that these actors vary in resources, technical sophistication and relationships with states, making traditional distinctions between state, civilian combatant roles, and legitimate and illegitimate conduct harder to apply.7

Academic taxonomies

Early taxonomies classified hackers by activity, skill, motivation, or criminal profile. Landreth proposed six categories based on activity: novice, student, tourist, crasher, and thief.8 Hollinger classified computer misuse into pirates, browsers, and crackers, describing a progression from less-skilled activity to more technically serious offences.8 Chantler used attributes including activity, skill, knowledge, motivation, and duration of involvement to distinguish between an elite group, neophytes, and "losers and lamers".8 Parker proposed seven profiles of cybercriminals: pranksters, hacksters, malicious hackers, personal problem solvers, career criminals, extreme advocates, and malcontents, addicts, and irrational or incompetent people.8

Marc Rogers, an influential figure in the taxonomy of threat actors, at TechCrunch Disrupt in 2018.

In 2000, Marc Rogers proposed a taxonomy of hackers with seven, non-mutually-exclusive categories: newbie/tool kit users, cyber-punks, internals, coders, old guard hackers, professional criminals, and cyber-terrorists.8

Rausand and Haugen distinguish between internal and external threat actors, and between intentional and unintentional threat actors. Internal actors have some relationship with, access to, or position inside the system or organisation, while external actors operate from outside it. Intentional actors seek to create, exploit, or support a threat event, whereas unintentional actors may cause or enable a threat event through error, negligence, accident, or lack of awareness.1

Rogers later revised his hacker taxonomy into Novices, Cyber-punks, Internals, Petty Thieves, Virus Writers, Old Guard hackers, Professional Criminals, Information Warriors, and, more tentatively, Political Activists. In the model, motivation is grouped into four broad domains: curiosity, notoriety, revenge, and financial gain.9

A 2022 review by Chng, Lu, Kumar and Yau examined 11 hacker typologies published over three decades and proposed a unified framework linking hacker types, motivations, and strategies. The framework identified 13 hacker types and seven motivations, and argued that observed strategies during an attack can help analysts infer the likely type of actor involved.10


Government taxonomies

Taxonomies of threat actors by governments are much more likely to include state-level threat actors.

In the United States the National Institute of Standards and Technology (NIST) uses the term threat source in its risk-assessment guidance: organisations are directed to identify and characterise threat sources of concern, including capability, intent and targeting for adversarial threat sources, and the range of effects for non-adversarial threat sources.11 NIST treats threat-source identification as part of the risk-assessment process, alongside identifying threat events, vulnerabilities, likelihood and impact.11
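A check of a threat-source register against the characterisation described above, as an added example that is not NIST's or the article's own code. The field names, the five-level scale and the sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Five-level qualitative scale (an assumption of this example).
SCALE = ("very low", "low", "moderate", "high", "very high")
ALL_FIELDS = ("capability", "intent", "targeting", "range_of_effects")


@dataclass
class ThreatSource:
    name: str
    adversarial: bool
    capability: Optional[str] = None        # adversarial sources only
    intent: Optional[str] = None            # adversarial sources only
    targeting: Optional[str] = None         # adversarial sources only
    range_of_effects: Optional[str] = None  # non-adversarial sources only


def required_fields(src):
    """Characteristics the guidance asks for, by kind of threat source."""
    if src.adversarial:
        return ("capability", "intent", "targeting")
    return ("range_of_effects",)


def review(register):
    """Map each badly characterised source to a list of its problems."""
    report = {}
    for src in register:
        needed = required_fields(src)
        # A required characteristic that is absent or off-scale is a gap.
        problems = [f"missing {f}" for f in needed
                    if getattr(src, f) not in SCALE]
        # A characteristic filled in for the wrong kind of source is an error.
        problems += [f"not applicable: {f}" for f in ALL_FIELDS
                     if f not in needed and getattr(src, f) is not None]
        if problems:
            report[src.name] = problems
    return report


# Constructed sample register.
REGISTER = [
    ThreatSource("organised ransomware crew", True, "high", "high", "moderate"),
    ThreatSource("disgruntled administrator", True,
                 capability="moderate", intent="high"),
    ThreatSource("operator misconfiguration", False, range_of_effects="moderate"),
    ThreatSource("data-centre power failure", False, capability="low"),
]
```

Calling `review(REGISTER)` returns only the entries that need rework before they feed the later steps of the assessment (threat events, vulnerabilities, likelihood and impact).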

In the EU, the European Union Agency for Cybersecurity publishes the annual ENISA Threat Landscape, which analyses cyber incidents and adversary behaviour affecting the European Union. The 2025 report analysed selected incidents from the previous year and grouped activity around cybercrime, state-aligned activity, foreign information manipulation and interference, and hacktivism.12

In ENISA's 2025 analysis, hacktivist activity dominated reporting, representing almost 80% of recorded incidents and consisting mainly of low-level distributed denial-of-service operations.12 ENISA also reported increasing convergence between hacktivism, cybercrime and state-nexus activity, including state-aligned use of hacktivist personas, hacktivist adoption of ransomware, and false-flag or impersonation activity.12

At the UN level, a 2026 report by the United Nations Institute for Disarmament Research described the cyberthreat landscape as involving state-led operations, cybercriminal syndicates, ideological hacktivists, commercial cyber mercenaries, and civilian volunteers, with actors varying in resources, technical sophistication, and links to states.13

Canada defines threat actors as states, groups, or individuals who aim to cause harm by exploiting a vulnerability with malicious intent. A threat actor must be trying to gain access to information systems to access or alter data, devices, systems, or networks.14

The Japanese government's National Centre of Incident Readiness and Strategy (NISC) was established in 2015 to create a "free, fair and secure cyberspace" in Japan.15 The NISC created a cybersecurity strategy in 2018 that identifies nation-states and cybercrime as some of the key threats.16 It also indicates that terrorist use of cyberspace needs to be monitored and understood.16

The Security Council of the Russian Federation published the cyber security strategy doctrine in 2016.17 This strategy highlights the following threat actors as a risk to cyber security measures: nation-state actors, cyber criminals, and terrorists.1817

A fictional example of a phishing email, one common initial access method used by different types of threat actor.

Techniques

Threat actors use techniques such as social engineering and phishing, alongside technical exploits such as cross-site scripting, SQL injection, and denial-of-service attacks.19

Limitations

In practice, actor categories may overlap (Edward Snowden, for example), and the same activity may combine features associated with hacktivism, cybercrime and state-linked operations. ENISA reported that the lines between hacktivism, cybercrime and state-nexus activity had continued to blur, with shared toolsets, overlapping methods, fake personas, hacktivist adoption of ransomware, and cybercriminal or state-linked actors masquerading as other groups.12

Edward Snowden has been discussed both as a whistleblower and as an insider-threat case.

Threat actor analysis also has limits as a risk-management method. NIST notes that risk assessments depend on their purpose, scope, assumptions, constraints, information sources, risk model and analytic approach, and that assessments are tied to particular time frames and organisational contexts.11 NIST also warns that simple threat-vulnerability pairing may be undesirable or problematic where there are many threats and vulnerabilities, and recommends using risk scenarios to address some of those limitations.11

References

  1. Rausand, Marvin; Haugen, Stein (2020). Risk Assessment: Theory, Methods, and Applications (2nd ed.). John Wiley & Sons. p. 611. ISBN 978-1-119-37723-8.
  2. "Cybersecurity Spotlight - Cyber Threat Actors". CIS. Retrieved 2021-11-13.
  3. Pawlicka, Aleksandra; Choraś, Michał; Pawlicki, Marek (2021-10-01). "The stray sheep of cyberspace a.k.a. the actors who claim they break the law for the greater good". Personal and Ubiquitous Computing. 25 (5): 843–852. doi:10.1007/s00779-021-01568-7. ISSN 1617-4917. S2CID 236585163.
  4. Ablon, Lillian. "Data Thieves - The Motivations of Cyber Threat Actors and Their Use and Monetization of Stolen Data" (PDF). www.rand.org.
  5. Chng, Samuel; Lu, Han Yu; Kumar, Ayush; Yau, David (2022-03-01). "Hacker types, motivations and strategies: A comprehensive framework". Computers in Human Behavior Reports. 5 100167. doi:10.1016/j.chbr.2022.100167. ISSN 2451-9588.
  6. Rogers, Marcus K. (2006). "A two-dimensional circumplex approach to the development of a hacker taxonomy". Digital Investigation. 3 (2): 97–102. doi:10.1016/j.diin.2006.03.001.
  7. UNIDIR Security and Technology Programme (2026). Securing Cyberspace for Peace: Insights into Cyberthreats and International Security in 2025 (PDF) (Report). Geneva: United Nations Institute for Disarmament Research.
  8. Rogers, Marc (2000). "A new hacker taxonomy". University of Manitoba: 8.
  9. Rogers, Marcus K. (2006). "A two-dimensional circumplex approach to the development of a hacker taxonomy". Digital Investigation. 3 (2): 97–102. doi:10.1016/j.diin.2006.03.001.
  10. Chng, Samuel; Lu, Han Yu; Kumar, Ayush; Yau, David (2022). "Hacker types, motivations and strategies: A comprehensive framework". Computers in Human Behavior Reports. 5 100167. doi:10.1016/j.chbr.2022.100167.
  11. Joint Task Force Transformation Initiative (September 2012). Guide for Conducting Risk Assessments (Report). National Institute of Standards and Technology. doi:10.6028/NIST.SP.800-30r1. NIST Special Publication 800-30 Revision 1.
  12. "ENISA Threat Landscape 2025 | ENISA". www.enisa.europa.eu. 2025-11-06. Retrieved 2026-05-26.
  13. UNIDIR Security and Technology Programme (2026). Securing Cyberspace for Peace: Insights into Cyberthreats and International Security in 2025 (PDF) (Report). Geneva: United Nations Institute for Disarmament Research.
  14. Security, Canadian Centre for Cyber (2018-08-15). "Canadian Centre for Cyber Security". Canadian Centre for Cyber Security. Retrieved 2021-12-07.
  15. "National Centre of Incident Readiness & Strategy for Cybersecurity (NISC) Japan". www.cybersecurityintelligence.com. Retrieved 2021-12-07.
  16. "National center of Incident readiness and Strategy for Cybersecurity | NISC". www.nisc.go.jp. Retrieved 2021-12-07.
  17. "Совет Безопасности Российской Федерации". www.scrf.gov.ru. Retrieved 2021-12-07.
  18. Sailio, Mirko; Latvala, Outi-Marja; Szanto, Alexander (2020). "Cyber Threat Actors for the Factory of the Future". Applied Sciences. 10 (12): 4334. doi:10.3390/app10124334.
  19. Bahrami, Pooneh Nikkhah; Dehghantanha, Ali; Dargahi, Tooska; Parizi, Reza M.; Javadi, Hamid H. S. (2019). "Cyber Kill Chain-Based Taxonomy of Advanced Persistent Threat Actors: Analogy of Tactics, Techniques, and Procedures". Journal of Information Processing Systems. 15 (4).