
The cybercrime collective Scattered Spider, along with a number of supposedly allied groups including ShinyHunters and Scattered LAPSUS$ Hunters, claimed in a letter posted to BreachForums that the groups were going dark. The post also claimed that the groups’ Telegram channels and accounts were banned, and that any new Telegram accounts claiming to be them were impostors. Despite this claim, researchers discovered indications that some of these groups are still operating and may be shifting to a new campaign against financial and technology services organizations. The legitimacy of the now-shut-down Telegram channels was itself questionable when this alleged collective created them in July of this year.
What’s Notable and Unique
- The Scattered Spider collective repeatedly gained media visibility in 2025 for its attacks against well-known retail organizations in the UK and US, US-based insurance carriers, and airlines such as WestJet and Hawaiian Airlines. Several of its members have been arrested since 2024, most recently on September 18th, when two teenagers were arrested for their involvement in the cyberattack on Transport for London.
- In the BreachForums post, the groups claim that they are no longer active, and that any new reports mentioning them are from companies that have not yet reported a previous breach.
- A research report published in mid-September found newly registered domains with similarities to spoofed domains from Scattered Spider phishing campaigns observed earlier in the year, with an increase in domain registrations targeting organizations in the finance sector.
Analyst Comments
Despite the claims of the BreachForums post, Arete assesses that it is unlikely that the members of these groups are actually ceasing cybercriminal activities. The Scattered Spider collective has operated within multiple Ransomware-as-a-Service groups, including brands like ALPHV and RansomHub, which have shut down, and existing groups like DragonForce and Qilin. It seems more likely that the groups are trying to distance themselves from law enforcement scrutiny. The recent observations from security researchers further support this theory, indicating that these threat actors continue to plan for future attacks despite their retirement claims.