The bad actors behind the recently formed Scattered Lapsus$ Hunters threat group – an apparent combination of the high-profile Scattered Spider, Lapsus$, and ShinyHunters operations responsible for myriad ransomware and other attacks – say they are closing down, despite being behind the data breach earlier this month of Jaguar Land Rover.
In somewhat rambling messages on the group’s Telegram channel and on the notorious BreachForums site, the hackers suggested they and other threat actors were walking away to spend the millions of dollars they’ve racked up with their cybercriminal sprees.
However, security experts say the more likely reason for the goodbye notes is pressure from law enforcement and cybersecurity vendors and that the members are much more likely to re-emerge with new threat groups.
“It’s never retirement, it’s simply part of the normal lifecycle of criminality,” Dave Tyson, partner in intelligence operations at iCOUNTER, told Security Boulevard, calling such steps “brand shedding.” “Groups come together for specific purposes, form into units to execute their plans, and exit the definable identity to lower the focus on that collective or unit. Eventually, we will see them re-appear sometime later in different units.”
Cian Heasley, principal consultant and threat intelligence lead at Acumen Cyber, wrote on LinkedIn that the message is more about the operators trying to escape the law enforcement spotlight.
“Oh Scattered Lapsus$ are 𝘴𝘤𝘢𝘳𝘦𝘥 scared,” Heasley wrote. “Big rambling statement, the basic gist of it is that this was all an elaborate ruse to distract you all while we run off with our millions, don’t worry you won’t see us again even if it looks like you did.”
He added that the Scattered Lapsus$ Hunters “is divided between the fame seekers and the kids who would like to not spend their twenties in prison, that much has been obvious. I can confidently predict though that they are addicted to the money, the adrenaline rush of hacking and the attention so they won’t be vanishing into the night.”
The note posted on BreachForums skipped between multiple themes, from explaining the group’s decision to taunting law enforcement, threat researchers, and victims to an ode to those members who have been arrested, such as 20-year-old Noah Michael Urban – aka “King Bob,” “Sosa,” “Elijah,” and “Gustavo Fring,” and a member of Scattered Spider – who was sentenced last month to 10 years in prison after pleading guilty to wire fraud and conspiracy charges.
To members of Scattered Spider and ShinyHunters that have been arrested in recent years, group operators wrote that they “want to expand our regrets to their relatives, and apologise for their sacrifice. Any State needs its scapegoat. Those carefully selected targets are the last collateral victims of our war on power, and the use of our skills to humiliate those who have humiliated, predate those who have predated.”
Group members said they’d spent the previous 72 hours speaking with family members and confirming their “contingency plans and intents” that were being developed “whilst we were diverting you, the FBI, Mandiant, and a few others by paralyzing Jaguar factories, (superficially) hacking Google 4 times, blowing up Salesforce and CrowdStrike defences.”
“You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active,” they wrote.
That said, they also wrote that other victims still will be receiving ransom demands for attacks that were launched before the retirement plans went into effect.
Bugcrowd founder Casey Ellis told Security Boulevard that organizations shouldn’t relax simply because those behind Scattered Lapsus$ Hunters said they are retiring. They likely are exiting this group because of law enforcement efforts and rising competition from other cybercriminals.
“It’s safest to consider this announcement as more of a PR stunt than a genuine farewell,” Ellis said. “Historically, cybercriminals rarely retire in the traditional sense. Instead, they rebrand, regroup, or pivot to new tactics and operations or they get caught. The statement about ‘silence being their strength’ could signal a shift in strategy, perhaps moving toward quieter, more targeted attacks or selling their expertise to other groups. It’s possible that some members will transition into other forms of cybercrime, like hacking-for-hire or fraud.”
James Maude, field CTO for BeyondTrust, noted that Scattered Spider, Lapsus$, and ShinyHunters are not organized in the same way as previous actors, adding that they are a more loosely connected group of individuals who are more likely to disband and re-form as new groups than to retire.
“The one objective these groups have clearly met is highlighting the underlying weakness of identity security and how, by simply targeting the right identity with the right level of privilege, they can compromise some of the biggest companies globally,” Maude told Security Boulevard. “Anyone believing their retirement claims shouldn’t get complacent about the need to better secure identities and paths to privilege, as there is a small army of threat actors ready and waiting to exploit those.”