Hacktivists Turning to Ransomware or Just More Cover for State-Influenced Proxy Attacks?
An article recently highlighted what it sees as an emerging trend: ideologically motivated hacktivist groups increasingly turning to profit-driven cybercrime, particularly through ransomware operations.
The article points to groups like FunkSec, which began with political messaging around causes such as “Free Palestine” but has since deployed AI-enabled ransomware, dubbed FunkLocker, to extort victims across various sectors.
It also examines KillSec, a group that broke away from Anonymous, reportedly developed its own ransomware strains and even launched a Ransomware-as-a-Service (RaaS) platform, offering access to stolen data and offensive capabilities.
Finally, it notes that GhostSec, once focused on counter-terrorism efforts, has also moved into ransomware operations, partnering with cybercriminal actors and later launching its own RaaS before cycling back to politically driven activity.
The central claim in the article is that these cases represent more than isolated incidents; they signal a broader shift in the threat landscape. According to the article, hacktivist groups are increasingly blending political ideology with financial incentives, leveraging low-cost ransomware kits and shared infrastructure to carry out attacks.
But is it really the case that attackers are abandoning their ideological motivations in favor of personal profit?
Takeaway: The real story here isn’t about ideology giving way to profit; it’s about how the ambiguity in attribution obscures the fact that many so-called hacktivist and ransomware attacks also serve to further the geopolitical aspirations of adversarial nations.
In the past, adversarial nations often relied on hacktivism as a cover for their attacks, but that ruse required some work in the form of ideological rationalizations for attacks. Financial motivations take a lot less effort to explain and offer an even better level of cover for state-influenced operations.
Sure, the attackers are collecting big payouts from ransomware attacks, but many of these crews are also aligned either formally or informally with adversarial nations. The ransomware playbook gives those states the perfect cover: it’s loud, it’s messy, and it lets them cash in while hitting geopolitical targets. That’s not a coincidence.
Nation-states have long used “hacktivism” as the smokescreen; now they lean on the “it’s just criminals doing criminal things” excuse to maintain plausible deniability. But if you look under the hood, what you find is familiar tooling, overlapping infrastructure, and TTPs that line up a little too closely with known APT operations.
You’re not imagining it—those blurred lines aren’t between activism and ransomware; they’re between APTs and ransomware. So, let’s not pretend this is just about ideological actors who are all of a sudden forsaking their ideological motivations to chase down ransom dollars.
This isn’t cybercrime or hacktivism; it’s geopolitics in a hoodie, and until we start treating these attacks as nation-state aggression via proxy, we’re fighting this battle with the wrong playbook.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.