Scattered Spider Member Surrenders as Group Claims Retirement: A New Chapter or Strategic Deception?


Teenage hacker turns himself in to Las Vegas authorities while notorious cybercrime collective announces shutdown—but security experts remain deeply skeptical

October 1, 2025

In the latest development in law enforcement's ongoing battle against Scattered Spider, one of the world's most notorious cybercrime groups, a teenage member has surrendered to Las Vegas authorities—just weeks after the collective dramatically announced its retirement from cybercrime. This comes amid an unprecedented global crackdown that has seen multiple members arrested across three continents, following devastating attacks that have cost victims hundreds of millions of dollars.

The Surrender: Another Win for Law Enforcement

A teenage member of the notorious Scattered Spider cybercrime group surrendered to authorities at the Clark County Juvenile Detention Center in Las Vegas on September 17, marking the latest law enforcement victory against the band of youthful hackers. The juvenile was booked on multiple charges including three counts of obtaining and using another person's personally identifiable information to harm or impersonate them, one count of extortion, one count of conspiracy to commit extortion, and one count of unlawful acts regarding computers.

The charges relate to cyberattacks on multiple Las Vegas casino properties between August 2023 and October 2023—timing that aligns with the devastating ransomware attacks on Caesars Entertainment and MGM Resorts that resulted in over $100 million in combined losses. The Clark County District Attorney's Office is seeking to transfer the juvenile to the criminal division to face charges as an adult.

This surrender comes just days after two other suspected Scattered Spider members were arrested in the United Kingdom. Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, were arrested and charged in connection with the Transport for London cyberattack that caused £39 million in damages last year. Jubair was also indicted by the United States for his role in the hacking group's more than 120 attacks, which earned at least $115 million in ransom payments.

A Dubious Farewell: "We Have Decided to Go Dark"

The timing of these arrests is particularly notable because they coincide with an announcement that many security experts view with profound skepticism: the group's claimed shutdown.

Posted on the hacking marketplace BreachForums and the group's public Telegram channel, a farewell letter addressed to the "World" stated: "Our objectives having been fulfilled, it is now time to say goodbye. We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark."

The announcement appeared first on the group's Telegram channel and then on BreachForums.hn, describing the last 72 hours as a period spent with family and activating "contingency plans." The message listed corporations such as Air France, American Airlines, British Airways, and luxury group Kering as firms that had suffered breaches but had yet to receive ransom demands.

Last month, members of Scattered Spider, Lapsus$, and ShinyHunters appeared to join forces under a new banner, "Scattered Lapsus$ Hunters," on a public Telegram channel where members posted an exploit for two SAP NetWeaver Visual Composer vulnerabilities that were under attack in the wild.

The Skeptics Weigh In: "Running Scared, Not Retiring"

Security researchers are far from convinced that this announcement represents a genuine retirement from cybercrime.

Cian Heasley, principal consultant at Acumen Cyber, described the move as a transparent attempt to buy breathing space, noting that the reference to undisclosed breaches is significant as it indicates victims may still be unaware of compromises. "They say they hold the power, but the real message is that Scattered Lapsus$ Hunters is running scared," Heasley stated.

James Maude, field CTO for BeyondTrust, reinforced this skepticism: "Cybercrime groups have a bit of a history when it comes to retiring, that is often no more than the equivalent of lying low while the heat is on. Anyone believing their retirement claims shouldn't get complacent about the need to better secure identities and paths to privilege, as there is a small army of threat actors ready and waiting to exploit those."

Dave Tyson, partner in intelligence operations at iCOUNTER, called such steps "brand refreshment," adding that "It's never retirement, it's simply part of the normal lifecycle of criminality." He noted that the group "is divided between the fame seekers and the kids who would like not to spend their twenties in prison," but predicted they are "addicted to the money, the adrenaline rush of hacking, and the attention, so they won't vanish into the night."

Evidence of Continued Activity Despite Shutdown Claims

Perhaps most damning to the group's retirement narrative is evidence suggesting continued operations even after the shutdown announcement.

Obsidian researchers believe the claim that Scattered Spider had ceased operations was incorrect, stating "The bottom line: Scattered Spider has not stopped—they have evolved." Research firms have documented continued targeting of financial institutions and other sectors following the supposed shutdown.

Analysis shows that ShinyHunters and Scattered Spider have been targeting the same sectors during overlapping timeframes, with overlapping domain registration patterns and tactics that suggest ongoing collaboration or merger between these groups. An analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns revealed that domain registrations targeting financial companies increased by 12% since July 2025.

The Scattered Spider Threat: A Brief History

Understanding the significance of these developments requires context on just how destructive and prolific this group has been.

Scattered Spider first gained notoriety after high-profile breaches and ransomware attacks in 2023 on Las Vegas casino and hotel giants Caesars Entertainment and MGM Resorts. MGM reportedly refused to pay a ransom, resulting in an estimated $100 million in losses and roughly 10 days of system outages affecting reservations, slot machines, room keys, and websites. Caesars reportedly paid a $15 million extortion demand.

The group is known to consist primarily of English-speaking teenagers and twenty-somethings who carry out hacking campaigns using sophisticated social engineering tactics. Members of the group launched an assault in 2025 on multiple industries—pivoting to target major insurance companies, shutting down several airlines, and attacking high-profile retailers from March to July.

The Law Enforcement Response: Building Momentum

The pace of arrests has accelerated dramatically over the past year, demonstrating increased international coordination among law enforcement agencies. As detailed in our comprehensive coverage of the global crackdown, law enforcement has been systematically dismantling the group's operations across multiple countries.

In November 2024, the Department of Justice unsealed criminal charges against five members of the group, with four American defendants ranging from 20 to 25 years old, while the fifth member, Tyler Robert Buchanan, 22, was located in the United Kingdom. The maximum sentences for their crimes include 20 years in federal prison for conspiracy to commit wire fraud, up to five years for conspiracy, two years for aggravated identity theft, and 20 years for wire fraud.

Key arrests and convictions include:

Noah Urban ("King Bob"): In April 2025, the 20-year-old pled guilty to his cybercrime charges. He was sentenced to 10 years in prison and ordered to pay $13 million in restitution for a massive cryptocurrency theft scheme.

Remington Goy Ogletree: Arrested in December 2024 at age 19, he was accused of running a phishing operation from October 2023 to May 2024 after gaining credentials and unauthorized access to two telecommunications companies and one US-based national bank.

Tyler Buchanan: In June 2025, the alleged ringleader of the cybercrime group was arrested at Palma Airport in Palma de Mallorca as he was trying to board a flight to Italy. At the time of arrest, the 22-year-old possessed a laptop and a mobile phone and was in control of $27 million in bitcoin. He was accused of more than 45 cyberattacks against US companies.

UK Retailer Attack Suspects: Four people were arrested in the UK in connection with attacks on retailers including Marks & Spencer and Co-Op, including two 19-year-old men, a 17-year-old man, and a 20-year-old woman.

September 2025 Arrest Wave: The past month has seen an unprecedented acceleration in arrests:

  • September 17: Las Vegas juvenile surrenders (subject of this article)
  • September (mid-month): Thalha Jubair and Owen Flowers arrested in UK for TfL attack
  • Both UK arrests came just days after the group's retirement announcement, suggesting law enforcement had been closing in for months

This September surge represents what one cybersecurity analyst called "the beginning of the end" for the original Scattered Spider core members, though experts warn that The Com ecosystem will likely spawn new threat actors to fill the void.

The Threat That Remains

What makes this situation particularly concerning for enterprises is the cryptic nature of the group's farewell message, which appears to contain veiled threats about future revelations.

The group's farewell letter includes a chilling passage: "Will Kering, Air France, American Airlines, British Airlines, and among many other critical infrastructure face THE CONSEQUENCES OF THEIR PUBLIC OR SECRET data breaches? I'd wonder too if I was them, as they know some have yet to receive any demand for ransom—or anything else. Are their data currently being exploited, whilst US, UK, AU, and French authorities fill themselves with the illusions thinking they have gotten the situation under control?"

This suggests that even if the group truly is shutting down, there may be a significant backlog of compromised data that has yet to be monetized or disclosed—a digital time bomb waiting to detonate.

What Organizations Must Do Now

Security experts are unanimous in their recommendations: don't let your guard down.

James Maude, field CTO for BeyondTrust, noted that "Cybercrime groups have a bit of a history when it comes to retiring, that is often no more than the equivalent of lying low while the heat is on. Anyone believing their retirement claims shouldn't get complacent about the need to better secure identities and paths to privilege, as there is a small army of threat actors ready and waiting to exploit those."

Key defensive measures organizations should prioritize include:

Identity and Access Management: Scattered Spider's primary attack vector has been social engineering targeting identity systems. Organizations must implement robust identity verification processes that can't be bypassed through helpdesk calls or vishing attacks.

Multi-Factor Authentication Hardening: Traditional SMS-based MFA has proven vulnerable to SIM-swapping attacks. Organizations should move to phishing-resistant authentication methods like hardware security keys or biometric authentication.

Employee Training: Regular security awareness training focused specifically on social engineering tactics, including vishing and impersonation attacks, is critical. Employees should know that attackers may have legitimate-seeming information about the organization.

Privileged Access Monitoring: Given the group's focus on gaining privileged credentials, organizations need enhanced monitoring and controls around administrative access, with assume-breach protocols in place.

Incident Response Planning: Organizations should have tested incident response plans that assume compromise of identity systems and can rapidly contain lateral movement.
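
One way to turn the identity, MFA and privileged-access points above into a detection, shown as an added example that is not part of the original article: it flags a helpdesk-initiated MFA reset followed by a new factor enrollment and an administrative login within a short window. The event schema, field names, sample log lines and the 4-hour window are all assumptions constructed for illustration, not the format of any particular identity provider.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines schema.
SAMPLE_LOG = """\
{"ts":"2025-09-01T09:00:00","user":"alice","event":"mfa_reset","actor":"helpdesk"}
{"ts":"2025-09-01T09:07:00","user":"alice","event":"factor_enrolled","factor":"sms"}
{"ts":"2025-09-01T09:20:00","user":"alice","event":"admin_login","src_ip":"203.0.113.7"}
{"ts":"2025-09-01T10:00:00","user":"bob","event":"mfa_reset","actor":"self"}
{"ts":"2025-09-01T10:05:00","user":"bob","event":"factor_enrolled","factor":"webauthn"}
{"ts":"2025-09-01T10:10:00","user":"bob","event":"admin_login","src_ip":"198.51.100.4"}
{"ts":"2025-09-01T11:00:00","user":"carol","event":"mfa_reset","actor":"helpdesk"}
{"ts":"2025-09-02T15:00:00","user":"carol","event":"admin_login","src_ip":"192.0.2.9"}
"""

WINDOW = timedelta(hours=4)        # assumed correlation window
WEAK_FACTORS = {"sms", "voice"}    # factors exposed to SIM swapping

def find_suspicious_chains(log_text, window=WINDOW):
    """Flag helpdesk MFA reset -> factor enrolled -> admin login within `window`."""
    state = {}    # user -> {"reset": datetime, "factor": str or None}
    alerts = []
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    for e in events:
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        if e["event"] == "mfa_reset":
            # Only resets performed by the helpdesk start a chain.
            if e.get("actor") == "helpdesk":
                state[user] = {"reset": ts, "factor": None}
            continue
        chain = state.get(user)
        if chain is None:
            continue
        if ts - chain["reset"] > window:
            del state[user]            # chain expired, stop tracking
        elif e["event"] == "factor_enrolled":
            chain["factor"] = e["factor"]
        elif e["event"] == "admin_login" and chain["factor"]:
            del state[user]
            alerts.append({
                "user": user,
                "factor": chain["factor"],
                "severity": "high" if chain["factor"] in WEAK_FACTORS else "medium",
                "minutes_since_reset": int((ts - chain["reset"]).total_seconds() // 60),
                "src_ip": e.get("src_ip"),
            })
    return alerts
```

In the constructed sample only the first account is flagged: the second account's reset was self-service, and the third account's administrative login falls outside the window with no new factor enrolled.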

The Bigger Picture: The Com Ecosystem

To understand Scattered Lapsus$ Hunters, you need to understand The Com—short for The Community. It is not a single hacking group but a cybercriminal ecosystem with thousands of members worldwide, where factions constantly emerge, merge, and rebrand.

The Com's roots trace back to the late 2010s, when teenagers hijacked Instagram accounts to sell valuable short handles, which quickly evolved into SIM swapping where telecom employees were bribed or tricked into redirecting phone numbers.

This ecosystem nature of the threat is what makes the "retirement" announcement so dubious. Even if specific individuals step away, the techniques, tools, and motivations that drove Scattered Spider's success remain accessible to countless others within The Com ecosystem.

Conclusion: Vigilance Over Celebration

While law enforcement's recent successes—including the teenage member's surrender and the arrests of Jubair and Flowers—represent important victories, the security community remains justifiably skeptical about the group's claimed retirement.

The pattern is familiar: when law enforcement pressure intensifies, cybercrime groups often announce shutdowns, rebrand, or temporarily go quiet, only to resurface later with new names and slightly modified tactics. The financial incentives are simply too strong, and the pool of talented young hackers too large, for these operations to truly disappear.

As Heasley noted: "While Scattered Lapsus$ Hunters is seemingly over for now, this won't be the last time we hear about them. They say they are going to use this time to 'enjoy their golden parachutes' of ransom payments while they still can, but the lure of the money and excitement that comes with cybercrime will inevitably draw them back in eventually."

For organizations, the message is clear: treat this as a lull rather than an ending. Use this time to shore up identity security, enhance social engineering defenses, and prepare for the next evolution of this threat. Whether it comes from former Scattered Spider members operating under a new banner or from entirely new actors leveraging the same playbook, the threat will return.

The surrender of a teenage member to Las Vegas authorities is a positive development, demonstrating that actions have consequences even for juvenile offenders. But it's one arrest among thousands of potential threat actors in The Com ecosystem.

The war against social engineering-focused cybercrime is far from over—it may have just entered a new phase.


Related Coverage:

Organizations concerned about Scattered Spider-style attacks should review the FBI and CISA's advisory on the group and implement the recommended defensive measures. Despite the group's claimed retirement, the tactics they pioneered continue to threaten enterprises worldwide.
