This post may contain affiliate links, please read our affiliate disclosure to learn more.
Threat Actor

6 Types of Cyber Threat Actors

 By Charles Joseph | Cybersecurity Researcher
 Published on February 19th, 2023
This post was updated on November 25th, 2023

Cyberattacks come in all shapes and sizes — and so do the hackers who commit them.

These so-called cyber threat actors can be divided into numerous subtypes, each with its own distinct motivations, targets, tactics, and end goals.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

Here’s a look at the 6 most common types of cyber threat actors and the characteristics that set each apart from the rest.

Cyber Threat Actors at a Glance

  • Many cyber threat actors are ideologically motivated: hacktivists try to correct societal wrongs, cyberterrorists weaponize fear and cause destruction, and state-sponsored threat actors attempt to further a nation’s political goals.
  • Others have more personal motivations: cybercriminals and cybercrime groups seek money and valuable data to be used for financial gain, while hobbyists and script kiddies use hacking for clout, entertainment, and trolling.
  • Insider threat actors are wildcards: capable of acting out of resentment, greed, or fear; they use their existing privileges and knowledge to infiltrate systems without raising suspicions.
  • Regardless of a specific type, all threat actors use computers and the internet to cause harm to others through theft, digital vandalism, destruction, and other malicious tactics.

6 Common Types of Cyber Threat Actors

A private person

Hobbyists/Script Kiddies

These days, it’s easier than ever to get into hacking — and if you need proof, look no further than the proliferation of script kiddies, trolls, and other hobbyist hackers.

But don’t let their lack of experience lull you into complacency. Script kiddies can still cause a ton of harm: all they need to do is find publicly-available scripts or malware, run them, then sit back and watch the chaos.

Not all script kiddie attacks cause damage. Many of them fail to accomplish anything except causing the victim mild annoyance — or amusement at seeing such unskilled attack attempts pop up in their server logs.

However, don’t discount them entirely: they’re capable of carrying out DDoS attacks, defacing websites, planting malware, and conducting basic exploits like SQL injections.

And because they’re amateurs, script kiddies aren’t usually motivated by money or data. What they’re after is a boosted reputation in the hobbyist hacker community, expanded knowledge and experience from their “research,” and the trollish pleasure of making someone’s day a little harder.


On the other end of the threat actor spectrum lie the cyberterrorists, whose goal is to spread their ideology through fear, destruction, and violence.

Cyberterrorists typically target large organizations, militaries, governments, political figures, activists, infrastructure agencies, and other high-profile victims that oppose or impede their causes. But they can also target civilian communities, instilling fear in the broader populace and disrupting day-to-day life.

As with real-world terrorist attacks, cyberterrorist attacks tend to be brutal: motivated by such compelling factors as politics, economics, and religion, they’re designed to cause as much harm as possible. Such harm ranges from somewhat passive — like the theft of mission-critical military data — to actively destructive — like the corruption of government computer systems.

And cyberterrorist attacks hold several advantages over their physical counterparts. They’re generally much cheaper to carry out and less risky for attackers, who can conduct them anonymously from a remote location.

State-Sponsored Threat Actors

State-Sponsored threat actors

State-sponsored threat actors are funded by governments with the goal of taking espionage into the virtual realm. Rather than sending spies to go undercover in enemy countries, intelligence agencies can now round up their best hackers to conduct digital reconnaissance — and, in some cases, carry out attacks that rival those of cyberterrorists.

Stealth is the name of the game for these threat actors, who have access to their country’s most advanced tech and, often, permission to operate outside the normal confines of the law. Because of this, they’re generally incredibly difficult to detect and track and may persist inside a target system for years without being caught.

Though enemy governments are common targets for state-sponsored threat actors, they’re not the only ones. These threat actors also go after foreign businesses like banks and energy companies, anti-government activists, and even domestic organizations suspected of aiding opposing nations.

And while few countries admit to sponsoring threat actors, there’s evidence that the majority of the world’s most powerful nations do just that. The United States and Israel conducted the Stuxnet cyberattack against Iran’s nuclear facilities in 2010, while China’s PLA Unit 61398 has attacked targets ranging from Lockheed Martin to the International Olympic Committee to the UN.


Like cyberterrorists and state-sponsored threat actors, hacktivists are ideologically-motivated hackers.

Unlike those other threat actors, though, hacktivists aren’t associated with governments or terrorist organizations. Rather, they’re individuals or small groups concerned with spreading a social or political message, usually with the purported goal of enacting positive change in the world.

Hacktivism is often motivated by freedom of speech and information, exposing government or corporate wrongdoings, and correcting perceived injustices. As such, hacktivists may seek to steal data that furthers their cause, bring down websites or systems belonging to “evil” entities, or simply cause a scene to bring awareness to their mission.

Depending on their cause, hacktivists are generally less maligned than the other threat actors listed here — and their willingness to break the law to do what’s right can even seem admirable.

But the illegality of their actions, along with the high potential for collateral damage, earns them the classification of “threat actor.”

Cybercriminals/Organized Cybercrime

Cybercriminal threat actors aren’t motivated by ideology, patriotism, or curiosity. Like real-world robbers, gangs, mafias, and other criminals, their top priority is themselves — and in practice, that usually means they’re after money.

Whether they’re acting on their own or as part of an organized cybercrime ring, these threat actors go after targets that are flush with cash: wealthy public figures, successful businesses, financial institutions, treasury departments, and crypto services.

But not all cybercriminals go straight for the money.

Data is a valuable commodity on the black market, especially private or secret data like company secrets, personally identifiable information, financial records, intellectual property, or user credentials. Thus, many cybercriminals will, despite having no personal interest in such data, steal it in order to sell it to other cybercriminals.

These threat actors often rely on social engineering as well as technical prowess, smooth-talking their way into computer systems before deploying their hacking skills to get the goods. They also make heavy use of ransomware and other extortion techniques to extract even more funds from their victims.

Insider Threats

The mysterious, faceless hacker sitting in a dark room on the other side of the world is easy to fear.

But all too often, the most dangerous threat actors can be found uncomfortably close to home. 18% of all data breaches originate from inside the victim organization: employees, ex-employees, contractors, consultants, board members, and others with existing access to internal systems.

Some insider threat actors plot and execute their own attacks as a way to take out frustrations against their superiors, gain more control in their positions or co-opt company resources for themselves. Others are solicited by outside threat actors looking for privileged access to an organization’s data, either in exchange for money or under the threat of blackmail.

Either way, insider cyberattacks are among the most difficult to detect. Because insiders are already trusted by the system, their actions are less likely to set off cybersecurity alarms, and their preexisting knowledge of operations and policies allows them to act more efficiently than outsiders.

Threat Actors (Video)

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top