The skills that fuel a cybercriminal’s success—systematic planning, relentless curiosity and precise execution—darkly mirror those driving breakthroughs in research and development. Yet in the wrong hands, that similar cunning can become a blueprint for infiltration rather than discovery. Just ask Hector Monsegur, the onetime LulzSec hacker who later became an FBI ally and was released early from prison. “I wasn’t a rocket scientist. What made me successful as an adversary was that I had a structure in place,” said Monsegur, who was once known by his online handle “Sabu,” at Zero Trust World 2025, held February 19–21 in Orlando, Florida. “I knew exactly what to break into, how to break into it, what to do post-exploitation, and how to deal with potential logging and detection.” Monsegur is now the d

Hector Monsegur, as shown in his social media profiles
Yet Monsegur’s path highlights a larger truth: no sector is off-limits when it comes to cyber threats. In fact, research and development environments—from universities to Fortune 500 companies—often find themselves directly in the crosshairs. In the first quarter of 2023, education and research organizations experienced an average of 2,507 cyberattacks per organization per week. One example is the February 2024 ransomware attack on the Berlin University of Applied Sciences and Technology by the Akira hacker group. The attack led to a shutdown of all servers and internet connections to contain the breach, according to a Nature article surmising that cyberattacks were targeting research institutions “with devastating effects.”
When a cyberhunter is hunted
This firsthand knowledge comes from two men who once stood on opposite sides of the law: Chris Tarbell, the NAXO cofounder and a former FBI Special Agent who led major cybercrime takedowns, and Monsegur, the onetime LulzSec leader who later became an FBI informant and has helped prevent hundreds of cyberattacks (read more about his hijinks in the sidebar below), including those targeting NASA and the U.S. military. Both are now dedicated to defending against the very threats they once pursued. “I investigated cybercrime for years,” Tarbell said, “but I didn’t know what it was like to be a victim until the Office of Personnel Management got hacked.” The OPM breach, which some researchers have attributed to the Government of China’s Ministry of State Security, compromised approximately 22.1 million records.
They took my blood type, how fast I can run a mile and a half, my kids’ grades—everything

Chris Tarbell
From ransomware gangs that mirror corporate efficiency to AI scammers exploiting cutting-edge tools, the threats continue to evolve.
[Note: Both Monsegur and Tarbell are co-hosts of the “Hacker and The Fed Podcast.”]
Ransomware gold rush
In the early days, hackers were motivated by equal parts curiosity and light-hearted mischief; now the financial motive is clear.
“Ransomware groups are so well-funded now, they’ve got HR departments and offer six-figure signing bonuses to skilled hackers,” Monsegur warned. “Every ransom payment makes them richer… it’s a vicious cycle.”
State-sponsored cyber actors pose significant threats owing to their substantial resources, sophisticated techniques and strategic objectives. They have highly trained talent, the latest tools and acumen that allows them to break into everything from critical infrastructure to defense networks.
A case study on the dark side of tech savvy
A court filing in the U.S. District Court for the Southern District of New York chronicles the exploits of Monsegur, alias “Sabu,” whose pioneering hacks serve as a case study in operational creativity turned destructive. As a key figure in Anonymous, Internet Feds and LulzSec, Monsegur’s ingenuity drove sprawling cyber conspiracies, landing him seven months in jail—though his extensive cooperation with the FBI, thwarting attacks on NASA and military systems, spared him a potential 124-year sentence. His blend of manual vulnerability probing, multi-vector attacks and financial fraud not only disrupted systems but laid groundwork for more sophisticated threats that followed.
Monsegur’s role as a “rooter” showcased a hands-on approach to vulnerability identification. In “Operation Yemen” and “Operation Zimbabwe,” he systematically probed government systems, manually tested weaknesses by accessing them without authorization and extracted data to confirm exploits. This weeks-long cycle—identify, test, deploy—ensured reliability, transforming shared vulnerabilities into potent weapons across Anonymous networks.
Ultimately, Monsegur’s operational creativity had a diverse set of targets—Sony Pictures, Fox, the U.S. Senate and PBS—using a mix of disruption, theft and disinformation. While “Operation Payback” focused solely on denial of service (DoS) attacks against Visa, MasterCard, and PayPal, his broader hybridity spanned operations: DoS takedowns, fake Tupac stories on PBS, and lateral movement via stolen HBGary credentials to Tribune Co. systems. Repurposing Yemeni servers and Zimbabwe’s email systems as attack platforms, he pioneered botnet tradecraft—compromised systems as disposable weapons—mirroring modern ransomware-as-a-service (RaaS) models where access brokers and attackers divide labor.
Financial crimes further underscored his attacks. In 2010, he hacked an auto parts vendor to fraudulently ship $3,450 in engines and built a carding empire, aggregating stolen credit cards from company breaches and dark web forums for personal use and resale. His cross-sector targeting—Sony’s 2011 $171 million breach, Senate intrusions, PBS disinformation—created what Tarbell calls “hacktivism’s inflection point”: high-visibility ops that drew cult followings and unwinnable legal battles.
His Arab Spring hacks, like defacing Tunisia’s PM website, disrupted civil infrastructure.
The filing details conspiracies under Title 18 U.S.C. § 1030(b) (Counts 1-3, Pages 5-17), with losses exceeding the $5,000 statutory minimum (§ 1030(c)(4)(B)(i), Page 6)—though real damages soared higher. Arrested on June 7, 2011, Monsegur served seven months pre-trial, pleaded guilty in August 2011, and cooperated for nearly three years, stopping hundreds of attacks.
While state actors wield their attacks with precision, a brasher, greed-driven force is gaining momentum—ransomware. “These ransomware groups aren’t state actors—they’re a different beast. State actors are going after your R&D, stealing your information. And some of them, like North Korea, are still going after the money,” Tarbell said. “But now it’s these ransomware crews driving the threat. They’re rich, and we’re making them richer. As Hector says, every payment fuels them more, and it’s getting worse.”
Targets are everywhere
The success and greed of ransomware crews has also led cybercriminals to become more brazen and undiscriminating in whom they target. For research institutions, the stakes are high: a single breach, like at Berlin University, can halt projects, leak intellectual property, or cost millions.
“Hector and I talk about this all the time,” Tarbell said. “When Hector was hacking, they had a code of ethics.” “To a degree,” responded Monsegur. But cybercriminals in the ’90s and 2000s would never hit a hospital, Tarbell said. “There was a line that even the hackers back then didn’t cross.” Now, ransomware actors routinely target healthcare systems. In 2024 alone, Change Healthcare’s ransomware attack disrupted insurance claims nationwide, while Ascension’s breach locked staff out of critical systems; earlier, the 2017 WannaCry attack crippled the UK’s NHS, canceling procedures and risking lives.
But hospitals are only one potential target. With few ethical lines left uncrossed—and near-limitless resources—modern ransomware crews have evolved into well-funded enterprises that thrive on bigger paydays, and will target more or less anyone they want who is likely to cough up a big ransom. “They’re getting paid. That payout drives them to squeeze the most vulnerable targets, like hospitals, without hesitation.” The financial muscle behind these groups has transformed them into something more menacing. “People don’t realize how much money these ransomware crews have,” Tarbell added. “They’ve got HR departments, signing bonuses—six-figure offers to lure skilled hackers. It’s a full-blown industry now.” And their wealth is rewriting the rules of the cybersecurity game.
More menacing than unassisted human attacks is the rise of sophisticated AI-powered attacks, which give low-skill would-be attackers the ability to wreak havoc while upping the game of sophisticated attackers who can potentially automate aspects of their craft. “AI is big now in the scamming world,” Tarbell warned. “They can make an AI voice of you calling your mom, in your own voice. It’s only going to get bigger.” Voice-cloning tools can impersonate loved ones, while rentable GPU clusters make cracking even robust passwords trivial—and this is only the beginning.
As the financial power of ransomware groups grows, so does their ability to harness these emerging tools. Tarbell notes that well-funded crews are already upping the complexity of their attacks: “With that money, these ransomware guys are hiring people to be the voice—or they’re using AI to be the voice,” he said.
Emerging threats
But the threat is poised to evolve further. Monsegur foresees adversaries shifting toward even more advanced AI applications. “Right now, adversaries are mostly leveraging generative AI,” he explained. But “they’re moving into agent-based systems, or autonomous systems, and you’re probably going to see a lot more there.” While resource limitations currently confine many criminals to exploiting known vulnerabilities, Monsegur warns that this is only a stepping stone. With enough funding, cybercriminals could soon wield fully autonomous AI systems capable of uncovering and exploiting new weaknesses—zero-day vulnerabilities that today’s defenses are ill-prepared to handle.
The overall threat landscape is shifting. Ransomware gangs, flush with cash and operating like corporations, now join state-sponsored actors in exploiting the same methodical skills that drive advanced researchers. As Monsegur, a former hacker turned defender, cautions, the challenges on the horizon will only intensify: “Eventually, with enough money, [adversaries] will start moving into agent-based systems, autonomous systems, predictive systems… We’re not there yet, but it’s coming.”