
The Scattered Spider ransomware group and more than a dozen other hacker buddies have abruptly decided to close up shop. Apparently, the pressure from law enforcement agencies has become too hot to handle.
- Scattered Spider and allied groups announced they are “going dark,” citing law enforcement pressure after high-profile hacks on Jaguar Land Rover, Salesforce, and M&S.
- The gang issues rare apologies to victims, law enforcement, and the families of arrested members on Telegram.
- Despite declaring operations over, the group teases a new “ShinySp1d3r RaaS” venture, signaling a possible future comeback.
“Our objectives having been fulfilled, it is now time to say goodbye,” Scattered Spider wrote in a farewell letter addressed to the "World," penned by the ransomware gang’s apparent "leader and representative."
The announcement was posted on the gang’s recently created Telegram channel on Thursday, along with a link to the goodbye missive hosted on a webpage run by the notorious BreachForums. "End of an era, bye.... 💔," the group writes in its last Telegram post.
“We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark,” the letter states.
The now short-lived Telegram venture, created on August 30th, was thought to be a collaboration between three well-known threat actors: Scattered Spider, LAPSUS$, and Shiny Hunters.
The channel – “scattered LAPSUS$ hunters 4.0” – was started only one day before luxury automaker, Jaguar Land Rover, announced it had suffered a massive breach, forcing it to shut down operations, allegedly at the hands of the rebranded group.
"All seems farfetched"
The cybercriminal trio, which claims on Telegram to “only exist to destroy the FBI,” has been rampant with provocative posts since the JLR attack.
Many of the hundreds of posted messages have been filled with complete gibberish, foul language, or scribbled on, as portrayed in the group’s final post featuring what appears to be a hacked US government database.
The gang has been using the channel to taunt not only JLR, Salesforce, Marks & Spencer, and other alleged victims, but also the FBI, Google’s Mandiant, and the UK National Crime Agency (NCA), as well as threatening more attacks on other critical targets.
“As you know, the last weeks have been hectic. Whilst we were diverting you, the FBI, Mandiant, and a few others by paralyzing Jaguar factories, (superficially) hacking Google four times, blowing up Salesforce and CrowdStrike defences, the final parts of our contingency plans were being activated,” the group writes.
Cian Heasley, Principal Consultant and Threat Intelligence Lead at Acumen Cyber, says, “While the posts claim that they hold all the power, the real message is that Scattered Lapsus$ Hunters is running scared,” adding that, “This all seems far-fetched."
“It's a transparent move that suggests its members are buying some breathing time, panicking about the threat of prison, and arguing behind the scenes about how much trouble they are actually in and the need to be cautious,” Heasley says.
Heasley believes it's more likely members are having "internal disagreements, given the volatile and explosive nature of the group."
Disagreements such as “How to proceed under the threat of prison time, how high a profile they want to maintain in the media and the cybercrime underground, and whether to lie low until the dust settles,” Heasley explains.
Pressure from authorities triggers shutdown
Scattered Spider (UNC6040) made waves this spring by allegedly hitting British retail giants Marks & Spencer, Harrods, and Co-op, and has recently been connected, along with Shiny Hunters (UNC3944), to the recent Salesloft Drift/Salesforce hacking campaign, which hit more than 700 companies worldwide this summer.
Four members of the Shiny Hunters gang were arrested in June by French authorities, a fact Scattered Spider repeatedly brings up on Telegram, calling Shiny its "BFF foreber [sic]."
Intelbroker, a seasoned threat actor also arrested this June in the UK, was known for their continued presence on BreachForums, leaking stolen data over the years from major organizations such as Cisco, Apple, AT&T, and others.
In Thursday’s missive, the group claims it is “letting go” of trying to fight for its fellow hackers, many of whom have been arrested by authorities, including four suspects, average age 19, taken by UK police in connection with the M&S hacks in July.
“We will not try to help anyone anymore, directly or indirectly, to establish their innocence,” the group's spokesperson said.
In August, a 20-year-old hacker called King Bob, also mentioned on the channel, was sentenced to 10 years in prison by the US government and forced to pay $13 million in restitution for a spate of SIM swapping hacks allegedly connected with Scattered Spider.
Scattered Spider – a self-proclaimed bunch of English-speaking teen hackers, primarily located in the US – has been making headlines ever since its highly publicized cyberattacks on MGM Resorts International and Caesars Entertainment in Las Vegas back in September 2023.
The group is well known for targeting large organizations with phishing-inspired social engineering attacks, preying on its victims’ third-party information technology (IT) help desk vendors, as proven in its attacks on M&S and MGM.
The apology tour
Speaking for both Scattered Spider and ShinyHunters, the letter apologizes to the families of the “eight people that have been raided or arrested in relations to these campaigns…beginning April 2024 and thereafter 2025… especially the four who are now in custody in France.”
In the farewell letter, Scattered Spider also apologized to its roughly 52K followers for taking a 72-hour timeout from the messaging platform prior to their decision to shutter operations.
“We apologise for our silence and the ambiguities of our message… These 72 hours spent in silence have been important for us to speak with our families, our relatives, and to confirm the efficiency of our contingency plans and our intents,” the group said.
On September 6th, the group claimed that the CIA had infiltrated their infrastructure, labeling it "the worst day ever."
The next day, the group wrote an apology post to the CIA, and then several more to the organizations it had targeted over the years, repenting for its "harmful behavior." In one post, Scattered Spider vowed to "stop all attacks against the private sector, government agencies, and countries critical infrastructure worldwide" and "disengage with all active and pending ransomware/extortion negotiations."
Those names on the apology tour include Tata Motors (Jaguar Land Rover), Alphabet, Inc., Google Threat Intelligence, CrowdStrike Holdings, Unit221b, as well as federal agencies, the FBI, Department of Defense (DoD), and the UK's NCA.
To note, a CrowdStrike spokesperson made clear to Cybernews that although singled out by the ransomware group, the company is not one of its victims.
Besides deciding “to progressively abandon some of our tools,” the group further warns that although their hacking days are officially over, many victims have not yet come forward.
“You may see our names in new data breach disclosure reports from the tens of other multi-billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active,” it said.
Still, on September 6th, the group also posted, "Good news is ShinySp1d3r RaaS is launching in exactly 2 weeks!! or maybe sooner," leading Cybernews to believe this saga is far from over.
Heasley agrees. The threat intel leader says it’s hard to imagine Scattered Spider et al. carrying out this level of due diligence to move into its next chapter. "While Scattered Lapsus$ Hunters is seemingly over for now, this won’t be the last time we hear about them," Heasley predicts.
“They say they are going to use this time to ‘enjoy their golden parachutes’ of ransom payments while they still can, but the lure of the money and excitement that comes with cybercrime will inevitably draw them back in eventually,” Heasley says.