Skip to content

Motivation taxonomy

Use a small number of consistent motivation labels across group pages and, when clearly relevant, people pages:

  • Access monetization — compromise is turned into resale, extortion, or direct use for further compromise
  • Credential theft — primary goal is to obtain secrets and tokens
  • Blast-radius expansion — the group’s goal is to turn one foothold into many victims
  • Espionage — long-term, targeted access for intelligence collection
  • Disruption / sabotage — intent is to break operations or damage trust

Guidance

  • If multiple motivations are visible, prefer the primary operational objective first.
  • If attribution is weak, say “likely” or “appears to be.”
  • Do not invent a human identity unless a public source clearly names one.