ShinyHunters, Lapsus$, Scattered Spider Cybercrime Gangs are Back as a Tag Team. Or Are They?

In September ShinyHunters, Lapsus$, and Scattered Spider jointly announced their supposed retirement. Observers were naturally skeptical, given the long tradition of ransomware gangs “retiring” when the heat is on and coming back some months later under a new brand. But just a couple of months later the three leading cybercrime gangs have seemingly returned to action as a team calling itself “Scattered LAPSUS$ Hunters” (SLH).

The news comes via a report by security firm Trustwave, who assess that many old members of these groups likely actually have moved on. However, this is also not just a “zombie brand” propped up by pretenders. Some former operators with considerable skill seem to be leveraging the reputation of these groups into new specific service areas, such as a replacement for the underground market BreachForums and a new go-to extortion-as-a-service option, and teasing of a new strain of ransomware indicates they may become even more active in the near future.

New group leverages ties to “The Com” cybercrime gangs

The new SLH group acts as if it has 30 members, but the Trustwave researchers believe it is closer to five that are using sockpuppets to fill out the rest of the count. Some of those core members are known quantities and skilled, however, most notably a threat actor going by the handle “Yuka” that has previously been observed working with ShinyHunters.

The group is primarily doing business via a Telegram channel that first appeared in August, but has gone up and down at least 16 times now due to repeated bans. Nevertheless, the cybercrime gangs re-emerge with it under the SLH name and continue doing business. They use a Tor site to keep customers apprised of the latest channel location.

The cybercrime gangs are talking big on these new channels about all sorts of raids, but Trustwave thinks that a lot of this is empty boasting serving as marketing to quickly build reputation. At present, their main lines of work seem to be creating a successor to BreachForums that they control and marketing an extortion-as-a-service product.

Many of the major players from all three cybercrime gangs were thought to be pressured into at least some period of dormancy by increasing attention generated by their wide-ranging 2025 campaigns, and some arrest waves that took place during and after. There is not yet any evidence to show this has changed for most of their major players, who generally avoided arrest in favor of lower-level money movers, but the SLH is teasing a new ransomware strain that the three gangs had discussed just prior to their retirement announcement.

Criminal “cooperatives” seem to be the way of the future

The seeming merger brings together the three most active and successful cybercrime gangs of roughly 2023-2025. But they were already tied together via “The Com” superstructure, sort of a loose cyber criminal professional association in which players with particular niche skills can move between cybercrime gangs for one-off jobs and all manner of general mutual support can be provided.

This is likely the way of the future for cybercrime gangs. A similar recent example is the partnership between major ransomware providers and hacking outfits DragonForce, LockBit and Qilin; there is yet another connection here as DragonForce has been a preferred ransomware choice for Scattered Spider during its recent campaigns. If the major players from the “retired” gangs return, they will likely be moving right back into this same sphere under different names.

Cybercrime gangs often focus on one particular approach simply because they lack expertise for anything else. This new “syndicate” approach makes that expertise more accessible and fluid, and on a temporary freelance basis. A general increase in attack competence is not good news when paired with recent jumps forward in AI malware and tooling.