Key Takeaways
- China leads with 210 threat groups (40.8%) – nearly double Russia’s 112 groups
- 77.2% of tracked groups originate from just 5 countries: China, Russia, Iran, Turkey, North Korea
- Cybercriminal groups generate 6x more incidents than state-sponsored groups, even though the two categories are roughly equal in number
The Story Behind the Numbers
When people ask “where do most cyber attacks come from,” a practical way to answer is to look at how many distinct threat actor groups are linked to each origin country. This focuses on organized clusters of activity that tend to reuse the same tools, infrastructure, and tactics over time.
Looking at threat actor groups by country of origin, China accounts for 210 groups (40.8%) – nearly twice Russia’s 112 (21.7%). Iran ranks third with 55 (10.7%), and after the top three there’s a steep drop to Turkey (11 groups, 2.1%) and North Korea (10 groups, 1.9%). Across the report’s full origin-country list, 77.2% of tracked threat actor groups are linked to these five countries. The United States isn’t in the top five for attacker origin, but it’s still one of the biggest targets, with roughly 2,348 cyber attacks hitting US networks daily.
Why This Data is Important
This geographic concentration reveals organized, well-resourced operations – not random attacks. These groups fall into two categories: state-sponsored actors and cybercriminals. While their numbers are roughly equal, cybercriminals generate six times more incidents.
State-sponsored groups focus on espionage, critical infrastructure, and telecommunications for geopolitical goals. Cybercriminal groups dominate attacks on healthcare, financial services, and manufacturing – motivated by money through ransomware and data theft. For everyday users, most threats are financially motivated attackers scanning for weak passwords and unpatched systems.
Understanding this matters when choosing protection. A VPN hides your IP address, makes your connection harder to profile, and secures public Wi-Fi traffic. Combined with strong passwords and updates, a VPN reduces your exposure to opportunistic attacks.
Looking Ahead: Future Outlook
Cyberattacks are becoming more globally distributed even as the top three countries maintain dominance. While China, Russia, and Iran remain the leading origins by tracked threat actor groups, attack infrastructure now spans IP addresses registered across 214 countries, which makes attribution harder – especially as proxy networks and rented hosting become more common. At the same time, the 84% surge in attacks using operational technology protocols points to growing pressure on critical infrastructure heading into 2026.
Source & Methodology
Data comes from Forescout’s 2025 Threat Roundup, which examined over 900 million cyberattacks between January and December 2025. Counts are the number of distinct groups linked to each origin country. Percentages are each country’s share of the total groups shown in the table, not a share of all cyberattacks worldwide.