Category
Cybercrime continues to rise in scale, complexity and impact, affecting individuals, businesses and governments alike. While much attention is given to how attacks happen, it’s just as important to ask why they occur in the first place. Understanding what motivates attackers is a crucial part of building an effective defence.
So, why do hackers hack?
Some are driven by financial gain, while others act on behalf of a nation-state or in support of a political cause. There are those motivated by revenge or personal challenge, and others who simply exploit opportunities because they can.
In this post, we explore the key motivations behind cybercriminal activity, helping you better understand the intent behind the threat and its implications for your organisation’s security posture.
Financial Gain
For many cybercriminals, money is the primary motivator. The vast majority of cybercrime is financially driven, with threat actors seeking to extract value from individuals, businesses or governments through theft, fraud or extortion.
Ransomware is perhaps the most well-known example. Attackers encrypt a victim’s data and demand payment, usually in cryptocurrency, in exchange for the decryption key. The rise of Ransomware-as-a-Service (RaaS) has made these attacks more accessible, allowing less technically skilled criminals to launch sophisticated campaigns using tools developed by others.
One of the most notorious examples of financially motivated cybercrime is Evil Corp, a Russia-based cybercrime group responsible for developing and distributing the Dridex banking Trojan and BitPaymer ransomware. The group, led by Maksim Yakubets, has been linked to attacks that have caused hundreds of millions of pounds in damages globally. According to the U.S. Department of the Treasury, Yakubets was allegedly tasked by Russian intelligence to conduct espionage operations alongside his cybercriminal activities. He is known not just for the scale of his crimes, but also for flaunting his wealth—reportedly driving a Lamborghini with a personalised number plate that reads “THIEF”.
Phishing and business email compromise (BEC) are also common financially motivated attacks. These techniques are designed to trick victims into handing over login credentials, payment details or other sensitive information that can be monetised directly or resold on dark web marketplaces. The FBI has reported billions of dollars in losses from BEC schemes, which often involve attackers impersonating executives or suppliers to redirect large financial transactions.
What’s particularly concerning is how mature and professionalised the cybercriminal ecosystem has become. Online forums and marketplaces, often hosted on the dark web, serve as thriving hubs where criminals buy and sell tools, data and services. This includes malware, exploit kits, stolen credentials and even technical support for other attackers. Some actors specialise in initial access, others in data theft or extortion, and many operate purely as brokers or facilitators.
As a result, modern cyberattacks are rarely the work of a lone hacker. Instead, they often involve multiple actors working together across a decentralised and anonymous marketplace. For a relatively low cost, almost anyone can purchase the tools and expertise needed to carry out a breach.
With high rewards and limited risk in many jurisdictions, financially motivated cybercrime remains one of the most significant threats facing organisations today.
Ideological or Political Motivation (Hacktivism)
Not all cybercriminals are driven by profit. Some are motivated by political beliefs, social causes or ideologies. These individuals or groups, often referred to as hacktivists, use hacking as a form of protest, aiming to disrupt, expose or embarrass organisations and governments they oppose.
One of the most recognisable hacktivist collectives is Anonymous, a loosely organised group known for its cyber campaigns against governments, corporations and extremist groups. Their activities have ranged from distributed denial of service (DDoS) attacks on financial institutions, to leaking sensitive documents from law enforcement agencies and political bodies.
Hacktivism has also played a prominent role in modern conflicts. In the early days of the Russia–Ukraine war, groups on both sides of the conflict engaged in cyber operations. Ukrainian-aligned actors, including the so-called IT Army of Ukraine, targeted Russian government websites and media outlets with defacements and DDoS attacks. Meanwhile, pro-Russian hacktivist groups like Killnet have launched attacks against European infrastructure in retaliation for political support of Ukraine.
These operations are not always highly technical, but they can be disruptive and attention-grabbing. For example, in 2022, Killnet claimed responsibility for attacks on several websites belonging to airports, healthcare providers and public institutions across Europe, using basic but effective DDoS techniques.
Hacktivism can blur the line between political protest and criminal activity. While some view it as a legitimate form of dissent in the digital age, it often involves illegal access, data leaks or service disruption, and can escalate geopolitical tensions or cause collateral damage to innocent third parties.
For defenders, politically motivated attacks pose a unique challenge. They may not follow the typical patterns of financially driven crime, and their targets can shift quickly based on current events, perceived injustices or ideological trends.
State-Sponsored Espionage
Some of the most advanced and persistent cyber threats come not from criminals seeking profit, but from nation-states pursuing strategic objectives. These attacks are often aimed at gathering intelligence, disrupting rivals, or gaining long-term access to critical systems. Unlike financially motivated actors, state-sponsored groups tend to operate with significant resources, patience and stealth.
These threat actors—often referred to as Advanced Persistent Threats (APTs)—typically target government departments, defence contractors, critical national infrastructure, and major corporations. Their goal may be to steal sensitive data, conduct surveillance, interfere with democratic processes, or enable future sabotage.
A prominent example is APT29, also known as Cozy Bear, a group linked to Russia’s Foreign Intelligence Service (SVR). They have been implicated in numerous high-profile intrusions, including the 2020 SolarWinds supply chain attack, which compromised several US federal agencies and global private sector organisations. The operation was notable for its sophistication and subtlety, remaining undetected for months.
Similarly, APT10, associated with China’s Ministry of State Security, was involved in an extensive global cyber espionage campaign targeting managed service providers (MSPs). By compromising these third-party IT providers, APT10 was able to access a wide range of downstream client networks, including government and corporate systems in the UK, US and beyond.
Unlike typical cybercriminals, these groups are often protected by their host governments and operate with impunity. They may also work in parallel with criminal organisations, blurring the lines between state and non-state activity. For example, some ransomware attacks have been linked to actors with suspected ties to nation-states, suggesting a dual-purpose intent: generating revenue while causing strategic disruption.
The motivations behind state-sponsored cyber operations are diverse, ranging from political influence and military advantage to intellectual property theft and economic gain. These campaigns are rarely random; they are calculated, well-resourced and long-term in nature.
For organisations, this means traditional defences may not be enough. Combating espionage-level threats requires a heightened focus on detection, incident response and threat intelligence, particularly for those in sensitive sectors.
Corporate or Industrial Espionage
Businesses, particularly those with valuable intellectual property and trade secrets, are prime targets for corporate or industrial espionage. Cybercriminals and competing organisations alike seek to gain an unfair advantage by stealing sensitive data related to research and development (R&D), product designs, strategic plans or proprietary technologies.
This type of espionage often overlaps with state-sponsored cyber operations, where nation-states target foreign companies to bolster their own industries or military capabilities. A notable example is the Operation Aurora campaign, uncovered in 2010, where threat actors believed to be linked to China targeted Google and dozens of other major companies. The attackers aimed to steal intellectual property and gain access to corporate networks.
Similarly, in 2021, the US Department of Justice indicted members of a Chinese hacking group known as APT41 for conducting widespread cyber intrusions into video game companies and technology firms, stealing source code and proprietary information to benefit commercial interests.
R&D-heavy sectors such as biotechnology, aerospace, automotive and software development face particularly high risks. The theft of trade secrets not only undermines a company’s competitive edge but can also result in substantial financial losses and damage to reputation.
Unlike typical financially motivated attacks, corporate espionage campaigns are usually stealthy and meticulously planned. Attackers may maintain prolonged access to compromised networks, gathering intelligence over months or even years to extract maximum value.
Organisations must therefore prioritise safeguarding their intellectual property through robust cybersecurity measures, employee awareness, and stringent access controls. Collaboration with industry partners and government agencies can also help in detecting and mitigating these sophisticated threats.
Personal Challenge or Prestige
For some hackers, the motivation is less about money or politics and more about curiosity, thrill-seeking, or the desire for recognition within their communities. These individuals often see hacking as a puzzle to be solved or a challenge to be conquered, gaining personal satisfaction and prestige among peers.
This motivation is particularly common among younger or amateur hackers, sometimes referred to as “script kiddies”, who may lack advanced skills but are eager to prove themselves by exploiting vulnerabilities or defacing websites. The hacking community online—including forums, social media groups and dark web marketplaces—can foster this behaviour, offering a platform for sharing exploits, bragging rights and reputation-building.
A notable example is the hacktivist group LulzSec, which gained international attention in 2011 through a series of high-profile attacks targeting organisations like Sony, the CIA, and PBS. Their actions were largely driven by the desire to embarrass their victims and entertain themselves, rather than for financial gain or political objectives.
Similarly, the case of Jonathan James, a teenage hacker from the United States, illustrates this motivation. At just 15 years old, James infiltrated several government systems, including NASA, stealing source code and causing significant disruption. His actions seemed motivated by the challenge and thrill of hacking rather than monetary rewards.
While these hackers might not always intend serious harm, their actions can have unintended consequences: disrupting services, compromising data, or exposing vulnerabilities that other malicious actors might exploit.
Revenge or Personal Grievances
Not all cyber threats originate externally—sometimes the greatest risks come from insiders motivated by personal grudges or feelings of revenge. Disgruntled employees, former staff or contractors with authorised access can deliberately cause harm to an organisation by leaking sensitive information, sabotaging systems or stealing data.
One of the most infamous cases involved Edward Snowden, a former NSA contractor who leaked vast amounts of classified information, motivated by a personal belief that the public had the right to know about government surveillance programmes. Though his actions sparked worldwide debate on privacy, they also caused significant damage to intelligence operations.
In the corporate sphere, a UK-based case saw a former IT administrator take revenge after being dismissed by deleting critical files and disabling user accounts, resulting in days of downtime and financial loss.
Such incidents highlight the critical importance of internal controls, thorough monitoring and robust offboarding procedures. Regularly reviewing access rights, implementing the principle of least privilege, and monitoring unusual activity can help detect and prevent insider threats before they escalate.
Organisations must balance trust with vigilance, fostering a positive workplace culture while ensuring employees understand the consequences of malicious actions.
Opportunistic or Accidental Hacking
Not all cyberattacks are the result of carefully planned operations. Many stem from opportunistic or accidental hacking, where attackers use automated tools to scan large numbers of systems for common vulnerabilities. These attacks require minimal effort but can still cause significant damage, especially to organisations or individuals with poor basic cyber hygiene.
Automated bots and scripts regularly probe the internet for unpatched software, weak passwords, misconfigured devices, or open ports. Once a vulnerability is found, the attacker may exploit it to gain access, often without a specific target in mind. This “spray and pray” approach relies on volume rather than precision.
For example, the WannaCry ransomware outbreak in 2017 rapidly spread across the globe by exploiting a known Windows vulnerability. Many affected organisations had failed to apply critical patches, making them vulnerable to this widespread, indiscriminate attack.
These types of attacks highlight the importance of fundamental cybersecurity practices: regularly updating software, using strong, unique passwords, enabling multi-factor authentication, and maintaining good network hygiene. Even basic measures can significantly reduce the risk posed by opportunistic attackers.
While opportunistic hacking might lack the sophistication or motive of targeted attacks, its impact can be equally devastating if proper precautions are not taken.
Mixed Motivations
In reality, cybercriminal motivations are often complex and overlapping rather than clear-cut. Many attacks are driven by a combination of factors—financial, political, ideological, or personal—which can make attribution and defence especially challenging.
A common scenario involves financially motivated cybercriminal groups being hired or tolerated by state actors to carry out attacks that serve national interests. These groups operate with relative impunity in exchange for providing offensive cyber capabilities or disruptive services.
For example, the notorious ransomware group REvil (also known as Sodinokibi) has been linked to criminal operations that sometimes intersect with geopolitical objectives. While primarily motivated by profit through ransomware extortion, there are indications that some affiliates have conducted operations aligning with certain state interests or received indirect protection from their home governments.
Such hybrid motivations complicate the threat landscape, blurring the lines between organised crime and state-sponsored espionage or sabotage. For defenders, understanding these intertwined incentives is crucial for developing effective cyber defence strategies and threat intelligence.
Conclusion
Cybercriminals are motivated by a wide and varied range of factors—from financial gain and political agendas to personal grudges and the pursuit of prestige. Understanding these diverse motivations is essential for organisations seeking to build effective defences in an increasingly complex cyber threat landscape.
By recognising what drives threat actors, businesses and individuals can better anticipate potential attack vectors, prioritise security investments, and tailor their incident response strategies accordingly. A threat-informed defence approach goes beyond technical measures, incorporating intelligence, awareness and proactive risk management.
As cyber threats continue to evolve, adopting a comprehensive, informed security posture is no longer optional—it is vital. Organisations should take active steps to understand their adversaries, strengthen their defences, and cultivate a culture of vigilance to stay ahead in the ongoing battle against cybercrime.
Header Photo by Furkan Elveren on Unsplash
Recent Comments