The Retirement Home for Ransomware Groups Fills Up as Scattered Spider, ShinyHunters, Lapsus$ and Others Call it Quits

A sudden and unexpected rash of formal retirements of ransomware groups has surprised security researchers, with 15 in total, including some of the biggest and most active players, apparently calling it a career.

Since these are ransomware groups after all, the information may well be FUD to cover strategic retreats and rebrands after an extended period of high-level exposure. But at least for the moment some of the world’s most significant threats such as Scattered Spider, ShinyHunters, and Lapsus$ appear to be out of the game.

Ransomware groups claim it’s time to enjoy “golden parachute” retirement

A collection of these ransomware groups took to leading underground hacking forum BreachForums to announce their retirements, with the biggest of them boasting that they had done everything they wanted to do in the world of “information security” and would now enjoy the millions of dollars they have accrued.

The move comes just weeks after reports that ShinyHunters and Scattered Spider had joined forces for a massive breach campaign spanning most of 2025 to date, and that the new tandem had also been meeting with Lapsus$ on a Telegram channel to potentially coordinate attacks between the three groups. The groups also teased a forthcoming new ransomware-as-a-service platform called “ShinySpider” before pulling the plug on the channel and going quiet. The groups claim that some forthcoming ransomware attacks that have not been reported on yet may be attributed to them, but they are now no longer active.

ShinyHunters and Scattered Spider have seen a great deal of success with their data breaches over the course of this year, but have also drawn heavy law enforcement attention and weathered arrests of group members and disruptive operations as a result of their boldness. It is far from uncommon for leading criminal hacking groups to scatter when law enforcement pressure gets to this level, very often surfacing months later under new names or having had members disperse to other existing groups.

Unclear what prompted sudden “retirement” of so many ransomware groups

While it is not unusual for ransomware groups to fake a retirement and regroup somewhere else, it is odd that so many groups would opt to announce their farewells at the same time and in the same place. The announcements do at least appear to be authentic, having been posted by known official BreachForums accounts operated by the groups and then moving from there to Telegram accounts they are known to control.

The smaller ransomware groups that made similar announcements include Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Yukari, and Clown. One of the bigger names included in this list is IntelBroker, which is thought to be an individual that operates BreachForums in addition to engaging in his own cyber attacks. It was unclear if this supposed retirement would have any impact on BreachForums going forward. What might tie the seemingly odd assortment of smaller groups together is links to Scattered Spider, which has been reported as adopting a more fluid organizational structure that allows hackers from other groups to come and go for particular attacks. Security researchers also note that most of these groups only began to interact with each other and Scattered Spider in August, just weeks before the retirement announcement.

Further bolstering the theory of a false retirement is the fact that the eight raids and arrests of ShinyHunters and Scattered Spider members have only produced low- to mid-level participants, such as money mules and footmen in SIM-swapping schemes. No senior leadership of either group is thought to have been brought in as of yet.

Nevertheless, some security researchers believe the ransomware groups are pulling this stunt out of fear and panic over law enforcement attention. Scattered Spider became the most notorious hacking group of the current year with its social engineering campaign that began in May, first targeting major retailers in the UK and then spreading on to a Fortune 500 insurance firm and Australian airline Qantas among other targets. ShinyHunters was thought to be engaging in its own parallel campaign targeting local Salesforce installations, but in recent weeks mounting evidence has come out indicating the two groups have been working together for some time. Scattered Spider just saw two more members, both UK-based teenagers, arrested over alleged participation in a 2024 hack of Transport for London (TfL).

But regardless of the present level of fear, the hackers will almost certainly form or incorporate into new ransomware groups and come back; that’s what history says will happen, at least. The claim of “golden parachutes” and millions of dollars may well be a smokescreen to make people think the retirement is legitimate, with the intention to simply come back under an entirely new brand name in some weeks or months.

Nivedita Murthy, Senior Staff Consultant at Black Duck, cautions that organizations should thus expect the tools and tactics employed by these organizations to continue to be used: “Organizations should take these announcements with a pinch of salt. It could be possible that some of these groups may have decided to step back and enjoy their payday, it does not stop copycat groups from rising up and taking their place. While there has been increased awareness and prioritization about security in organizations, it has not reached the level to deter attackers. There has also been a significant increase in regulation on security of products and data, they all require the organizations to comply. There are still limited laws by which attackers are prosecuted and investigated. Organizations should continue to make application security an executive mandate and ensure uncompromised trust in software for the increasingly regulated, AI-powered world.”

James Maude, Field CTO at BeyondTrust, adds: “Cybercrime groups have a bit of a history when it comes to retiring that is often no more than the equivalent of lying low while the heat is on. Back in 2019 the GandCrab crew announced they were retiring after earning more than $2bn, they had cashed out and quit the business. A few months later REvil ransomware appeared bearing all the hallmarks of the GandCrab crew leading many to the conclusion that they had actually rebranded rather than retired. With these groups in particular they are not organized in the same way as previous threat actors and are a far more loosely connected group of individuals that would be far more likely to disband and reform in new groups than actually retire … Law enforcement and the industry have put a name on the groups and linked their Tactics, Techniques and Procedures (TTPs) across multiple incidents and industries meaning they have become a major target that institutions can co-ordinate efforts around hunting. By announcing a retirement they are likely attempting to throw some of that focus off and establish new groups in an attempt to confuse and distract from ongoing investigations. It also provides some plausible deniability and distance from previous major incidents in the event they are caught.”

Dave Tyson, Partner – Intelligence Operations at iCOUNTER, coins the phrase “brand shedding” to describe what is likely to happen here: “It’s never retirement, it’s simply part of the normal lifecycle of criminality. Groups come together for specific purposes, form into units to execute their plans, and exit the definable identity to lower the focus on that collective or unit. Eventually, we will see them re-appear sometime later in different units. While it’s fair to say there is always law enforcement pressure for them to be concerned about, it is more likely what I call ‘Brand Shedding’.”