A new report published on June 30, 2025, by Proofpoint reveals significant overlaps between cybercrime and state-sponsored espionage, highlighting a growing convergence in tactics, targets, and even direct collaboration between traditional criminal groups and nation-state actors.
Key Findings and Trends
The report found that nation-state actors increasingly adopt methods traditionally used by cybercriminals, such as ransomware, not only to disrupt but also to generate revenue for state operations. For example, North Korea’s Lazarus Group has combined espionage with financial theft, including major ransomware incidents like WannaCry.
Proofpoint says there is plenty of evidence of direct cooperation between state-backed groups and organized cybercriminals. For instance, in 2024, North Korea’s Jumpy Pisces collaborated with the Play ransomware gang, and Iranian state-sponsored actors have used ransomware attacks on U.S. organizations to fund geopolitical goals.
Case Examples
It’s not just North Korea either. The Russian GRU-linked group Sandworm (APT44) has used malware from cybercrime communities for both espionage and disruptive operations, particularly in Ukraine. RedCurl, which traditionally focused on corporate espionage, has recently deployed custom ransomware, marking a shift from pure espionage to using ransomware for disruption or as a false-flag operation.
Financial Motivation and State Objectives
The report offers substantial proof that many state-sponsored groups, especially from North Korea and Iran, use cybercrime (e.g., cryptocurrency theft, ransomware) to directly fund state objectives while simultaneously conducting espionage. This convergence complicates attribution and defense, as the same tools and techniques are used for both financial gain and state-directed espionage. This overlap also means that tackling cybercrime requires international cooperation and systemic solutions, as actors removed in a single takedown are often quickly replaced by new ones.