“Threat actor” is super vague but more specific than the words you proposed.

https://en.m.wikipedia.org/wiki/Threat_actor

I agree the jargon isn’t great, I’ve seen “attacker” and “malicious user” used in pentest reports and neither of those seems quite right either.

Also, they aren’t technically criminals if the attackers are state-sponsored and conducting an act of war. “Threat-actor” seems exactly like the type of legalese a government relies on when crafting the story around its own retaliation or justification for future aggression. I think it’s just entered the lexicon when talking about these types of incidents.

I agree, there are no criminals at the nation-state level, only other actors.

In addition to other comments : I guess "threat actors" includes non-human autonomous hacking systems ("AI"), and humans (or organizations) who are neither good or bad intended, but whose actions happen to have negative consequences.

Because increasingly state actors are involved and it's not simple crime.

I don't think that's the reason; if someone who happens to be employed by a government commits a crime in their jurisdiction, they're still a perpetrator and a criminal.

"Threat actor" is actually more specific; it refers to someone behaving in a threatening manner without regard to their legal status or jurisdiction.