You might be familiar with the white hat vs black hat distinction: where white hat hackers aim to help improve security systems, black hat hackers try to exploit security vulnerabilities for personal gain.
But there are even more types of hackers, ranging from mobsters to script kiddies to anonymous collectives doing it ‘for the lulz’. In this article, we’ll define several types of hackers, distinguishing them also based on their chosen method of attack.
Types of Hackers
White Hat Hackers
White hat hackers are cybersecurity experts that focus on identifying vulnerabilities as a means of making systems more secure. Some hackers in this category are employees of large enterprises, government agencies, or similar entities, focusing solely on the internal organizational network, data, and assets. Their goal is to shore up the landscape for their employer alone.
Other white hat hackers work for third-party security firms, essentially contracting with organizations to perform the role of an internal white hat hacker team. Some are researchers or hobbyists, too, working independently but typically informing companies when they find weaknesses in systems.
Black Hat Hackers
Black hat hacker refers to cybercriminals who access systems without authorization for malicious purposes. Their goals can vary dramatically. Some aim to disrupt an organization’s operations, while others want to copy data, corrupt systems, or even steal money.
In most cases, the core motive is profit. However, some black hat hackers have other motivations, such as revenge or drawing attention to an issue. In many cases, the purpose behind the hack is usually to cause the organization harm in exchange for some form of personal gain.
Gray Hat Hackers
With gray hat hacking, the goal isn’t necessarily to do harm, but it isn’t usually to help either. Instead, hackers in this category view accessing systems or data as a challenge. They often get enjoyment from getting past security measures or exploiting vulnerabilities.
Once they’re done, gray hat hackers may take no action. Essentially, they’ve experienced the thrill, and that’s satisfying enough. Others may want to leave a mark, creating some kind of proof that they made it inside. However, they don’t remove anything or disrupt operations. Instead, they may simply write their name in an innocuous place or something similarly harmless.
Organized Crime Groups
One of the more common joint efforts in the world of hacking, organized crime hackers are groups that come together in an attempt to accomplish a particular goal. Typically, the main driving motivation is profit, though some may favor disrupting access to critical services.
With organized crime, the biggest challenge is that multiple hackers are working in conjunction with one another. The efforts are coordinated but may also be dispersed across countries, making it harder to shut down the activity fully.
An anonymous collective is a group of hackers that work together, coordinating cyberattacks against specific individual targets or types of targets. Often, their motivations aren’t profit. Instead, they may be supporting social or political causes, using their efforts to try and instill change.
One key defining characteristic is that even collective members may not know each other’s “real life” identities. Additionally, many anonymous collectives have members spread far and wide. As a result, shutting down a collective is often incredibly challenging, if not outright impossible.
The most wideley known collective of this nature is Anonymous, a decentralized group that has operated for nearly 20 years. More recently, the Lapsus$ group of hackers launched a series of attacks on high profile companies such as Microsoft.
A ‘script kiddie’ typically refers to a hacker that doesn’t have a lot of technical experience or know-how. Instead, they often purchase malware created by others, allowing them to initiate attacks even though they lack the ability to engineer one alone.
Broadly, script kiddies are considered amateur black hat hackers. However, there are nonetheless dangerous to organizations. In most cases, their goal is to cause some degree of harm, such as disrupting operations. Denial of Service (DoS) attacks are popular among this subset, though it isn’t the only angle they’ll use if other malware scripts are available.
State-sponsored – or nation-sponsored – hackers are supported (or even employed by) governments. Usually, their goal is to gather information on other countries or disrupt nations their government deems a threat. With the former, scooping up sensitive information is the general objective. That could include anything from data on national leaders to details about military operations.
In the latter case, shutting down critical systems is one of the more common types of disruptions. This can include communication channels, public services, supply chains, and more.
As the name suggests, hacktivists are activist hackers. With hacktivists, profit is essentially never the goal. Instead, they breach systems, shut down services, or collect data as a means of furthering political or social goals. Often, government agencies are the primary targets, though some turn their sights to corporations that they feel are stymying the desired social or political progress.
While hacktivists can work as part of a collective – anonymous or otherwise – they may also be solo hackers. In the end, the defining characteristic is the purpose behind their actions, not the number of participants or even the nature of the hacks.
With a whistleblower hacker, you’re dealing with an insider who is collecting information regarding an organization or individual that they aren’t authorized to gather. Usually, the goal of a whistleblower is to expose illegal or unethical activities by securing evidence that they can provide to another party.
After gathering the data, a whistleblower may take several paths. Some simply notify organizational higher-ups, while others alert law enforcement or connect with media outlets. In some cases, the nature of the information – particularly whether the whistleblower deems it a safety issue or of public interest – plays a role, though that isn’t universally the case.
Since mining for cryptocurrency is resource-intensive, some hackers look to increase their profits by spreading malware that causes a victim’s system to work for them. Usually, the malware operates somewhat quietly in the background, allowing the attacker to use the infected system to conduct more cryptocurrency mining.
Cryptojacking can be especially hard to detect. The goal isn’t to damage systems, prevent access, or steal data, so it won’t alter device operations beyond supporting their mining. As a result, many people don’t realize their system is infected until they experience a notable performance issue on their device.
Types of Attack Vectors
Social Engineering Attacks
Social engineering is an attack vector that involves manipulating individuals into providing the desired information. Precisely how it unfolds can vary. In some cases, hackers will pretend to be legitimate companies in hopes of getting people to download malware, provide banking details, reveal login credentials, or take similar actions. Others may claim to be family members, work colleagues, or other known persons, generally for the same purposes.
The sophistication of social engineering attacks can vary. Some hackers use little more than a spray-and-pray-style approach, sending out generic messages en masse, hoping to trick at least a few recipients. Others are far more developed, using research to learn about a person’s life before trying to position themselves as a legitimate contact.
A type of social engineering, phishing involves masquerading as a legitimate person or organization in hopes of acquiring sensitive data from an individual. Scam emails involving the impersonation of legitimate businesses fall in this category and are often the most common form individuals encounter. In those messages, the hackers attempt to steer people toward malicious attachments, links, or phone numbers, usually with the goal of securing login credentials, bank card data, or similar personal information.
There are also several subcategories within the broader phishing landscape. For instance, spear phishing is a targeted approach focused on a limited number of specific individuals that have access to a system or knowledge of certain information.
Malware is a broad category that includes essentially any kind of malicious software. The programs are all nefarious in nature, but they may result in different types of issues or damage.
For example, spyware monitors activity on an infected system, collecting information about various user actions – such as keystrokes – programs used, or information viewed. Worms work to replicate themselves, typically modifying or deleting files along the way or injecting more malicious software on devices.
However, most malware shares certain functional similarities, such as requiring the insertion of code into a target system and a triggering mechanism for the attack itself. In some cases, those events are one in the same, though that isn’t always the case.
Ransomware is a type of malware that, upon infection, encrypts the data or blocks access to various systems, preventing access by authorized users. Once the encryption process is complete, ransomware usually announces its presence, demanding payment in exchange for unencrypting data and restoring control of the system to the owner.
When it comes to ransom requests, most require payment in cryptocurrency. Generally, this is because of the anonymous nature of crypto and its ease of use across international lines. Additionally, reversing cryptocurrency transactions is difficult, if not impossible.
Denial of Service Attacks
A DoS attack is a hack that aims to make a network or system inaccessible to specific people. For instance, it may shut down a retailer’s website, preventing shoppers from making purchases or reviewing orders.
Typically, a DoS attack involves flooding a particular machine or network with requests, bogging it down to the point that traffic slows to a proverbial crawl. Once the system is hampered enough, legitimate users are unable to access it.
With a distributed denial of service (DDoS) attack, the flood of traffic isn’t coming from a single source. Instead, it’s coming from a range of sources, such as multiple machines within a botnet. That causes the attack to become harder to shut down, and it could make identifying the responsible individual more difficult.
Brute Force Attacks
A simple yet potentially effective technique, brute force hacks rely on trial-and-error to identify legitimate login credentials, passwords, encryption keys, and similar details. In most cases, hackers use a program that begins inputting various combinations of characters, merely hoping to snag a correct guess on occasion.
The effectiveness of brute force attacks can vary. Many systems have restrictions regarding multiple failed login attempts, hindering activities such as these.
Additionally, the stricter the password requirements and the complexity of the passwords themselves play a role, as that can determine how long it takes the program to identify a match. With simpler passwords, it may take as little as a few seconds. However, highly complex passwords could take years to crack.
SQL Injection Attacks
With SQL injection attacks, a hacker uses malicious code to manipulate a database. For SQL injection to work, a security vulnerability has to be present. That allows the attacker to take advantage of an exploit to interfere with application queries, creating opportunities to view, delete, or modify data within the database.
In some cases, an attacker can even give themselves full administrator rights. In that scenario, they can make any desired change to the underlying database relatively unhindered. While this attack is most common with websites that rely on SQL databases, it’s potentially launchable against any kind of SQL database.
A man-in-the-middle (MITM) attack involves a hacker positioning themselves in the center of digital communication between two parties, allowing them to functionally eavesdrop on what’s occurring.
For example, they may sit between a user and a legitimate application. Once that happens, the attacker can monitor all user inputs and application outputs, giving them a chance to capture sensitive information like login credentials.
In some cases, a MITM attacker will impersonate a legitimate participant instead of silently sitting off to the side. Ultimately, the end goal and result are typically the same.