The End of an Era: Scattered Lapsus$ Hunters Announces Retirement from Cybercrime

Breached Company

Breached Company

6 min read
The End of an Era: Scattered Lapsus$ Hunters Announces Retirement from Cybercrime

In an unexpected turn of events, the notorious cybercrime group Scattered Lapsus$ Hunters has announced their retirement through a cryptic farewell message on BreachForums, marking the end of one of the most audacious hacking campaigns in recent memory.

In the early hours of September 12, 2025, the cybercrime underground was stunned by an extraordinary announcement. Scattered Lapsus$ Hunters, the group behind some of the most brazen corporate breaches of the past two years, posted what appears to be their final message: a retirement notice that reads more like a manifesto than a goodbye.

The Message That Shocked the Underground

The farewell message, posted on BreachForums (the successor to the seized RaidForums), is remarkable not just for what it says, but for how it says it. Beginning with "Dear World," the group offers apologies for their "silence and ambiguities," claiming that the past 72 hours were spent confirming contingency plans and speaking with families and relatives.

The tone is simultaneously boastful and melancholic, defiant yet resigned. They reference their high-profile attacks—"paralyzing Jaguar factories, (superficially) hacking Google 4 times, blowing up Salesforce and CrowdStrike defences"—while suggesting these spectacular breaches were merely distractions from their real objectives.

Who Were Scattered Lapsus$ Hunters?

To understand the significance of this retirement, we need to understand who these actors were. The group appears to be connected to or evolved from the original Lapsus$ gang, which burst onto the scene in 2021-2022 with attacks on major corporations including Microsoft, Nvidia, Samsung, and Okta. They were known for their youth (several arrested members were teenagers), their brazenness (often announcing attacks on Telegram as they happened), and their unconventional methods.

The "Scattered Spider" element of their name likely references another group known for sophisticated social engineering attacks, particularly against casino operators like MGM and Caesars in 2023. The merger or evolution of these groups into "Scattered Lapsus$ Hunters" represented a maturation of tactics—combining the audacity of Lapsus$ with the sophistication of Scattered Spider.

Decoding the Farewell

The retirement message is layered with implications and revelations:

The Google Claims: They state they "willingly left them in wonder" after entering Google's systems, choosing not to pursue beyond a certain point. They specifically mention Google's Workspace, Person Finder, and Gmail "including legacy branches" as being "dominated." This restraint, if true, is unusual for a group known for maximum impact.

Infrastructure Targeting: The reference to airlines (Kering, Air France, American Airlines, British Airlines) and questioning whether they faced a "databreach" or received ransom demands suggests the group had access to critical infrastructure but chose not to fully exploit it.

The Surveillance Claim: Perhaps most intriguingly, they claim to have been "observing them as they painfully try to upload their HD logos to the BF servers," suggesting they had visibility into law enforcement or security firms' attempts to infiltrate or monitor BreachForums.

The Prisoner Reference: They mention "eight people that have been raided or arrested" since April 2024, with four currently in custody in France. This human element adds weight to their decision to retire—real people facing real consequences.

The Tutanota Reference

One particularly interesting detail is their mention of "progressively abandon[ing] some of our tools (Hello, Tutanota)." Tutanota is an encrypted email service often used by privacy-conscious individuals and, yes, cybercriminals. This abandonment suggests either the service was compromised or they believed it was under surveillance.

A Lesson in Power Dynamics

The group's philosophical musings are particularly striking: "Talent and skill is not everything. Planning and power rule the world." This isn't the typical bravado of cybercriminals. It suggests a group that has come to understand the limits of technical capability when faced with the full weight of international law enforcement and intelligence agencies.

Their claim that "Vanity is never a victory. Manipulation of opinion is nothing but vanity" reads almost like a meditation on the futility of their previous attention-seeking behavior. For a group that once lived for the spotlight, this represents a complete reversal.

The Technical Legacy

Beyond the drama, Scattered Lapsus$ Hunters leaves behind a significant technical legacy. They mention others will "keep on studying and improving systems you use in your daily lifes. In silence." This suggests that while this particular group is retiring, their methods, tools, and knowledge have already been disseminated throughout the cybercrime ecosystem.

The reference to "funambulist equilibrium"—a tightrope walker's balance—being "taught every day at Langley" is a not-so-subtle suggestion that their techniques have drawn the attention of intelligence agencies, possibly even being studied for defensive or offensive purposes.

The Final Roll Call

The message ends with a roll call of handles: "LAPSUS$, Trihash, Yurosh, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark." Some of these names are well-known in cybersecurity circles:

  • IntelBroker: Known for selling access to breached corporate networks
  • Scattered Spider: The sophisticated social engineering group mentioned earlier
  • Yukari: Associated with various data breaches and leaks

This collective retirement, if genuine, represents a significant reduction in active, high-profile cybercrime talent.

Verifying the Retirement

The cybersecurity community is treating this announcement with appropriate skepticism. Retirement announcements in the cybercrime world are not uncommon and don't always stick. Sometimes they're tactical moves to reduce heat from law enforcement. Sometimes they're genuine but temporary, with actors returning under new identities.

However, several factors lend credibility to this announcement:

  1. The Arrests: The mention of specific arrests and ongoing custody situations suggests real pressure
  2. The Tone: Unlike typical exit scams or fake retirements, there's a weariness to this message
  3. The Technical Details: The specific mentions of abandoned tools and tactics suggest genuine operational security concerns
  4. The Timing: Coming after a period of silence rather than immediately after a big score

Implications for Cybersecurity

If genuine, this retirement has several implications:

Talent Dispersal: The group's knowledge and tools won't disappear. They'll likely be sold, shared, or adopted by other groups, potentially leading to a proliferation of sophisticated attacks.

Law Enforcement Victory: This represents a significant win for international law enforcement cooperation, showing that even the most brazen groups can be pressured into retirement.

Evolution of Tactics: The group's emphasis on "silence" as their new strength might inspire other groups to adopt lower profiles, making detection and attribution harder.

Corporate Security: Organizations targeted by these groups can't relax. The vulnerabilities they exploited remain, and new groups will inevitably attempt to fill the vacuum.

The Philosophical Turn

Perhaps the most intriguing aspect of this retirement is its philosophical nature. The message reads less like a criminal's farewell and more like a hacker manifesto—complete with references to Dylan Thomas ("go gentle into that good night") and meditation on the nature of power and talent.

This philosophical turn might reflect the group's age and maturation. Many Lapsus$ members were teenagers when arrested. As they've grown older, faced real consequences, and watched friends get arrested, their perspective has clearly evolved from teenage rebellion to something more complex.

What Comes Next?

The cybercrime ecosystem, like nature, abhors a vacuum. The retirement of Scattered Lapsus$ Hunters will create opportunities for other groups to rise. We can expect:

  1. New Groups: Emerging actors will attempt to claim the notoriety vacuum
  2. Tactical Evolution: Future groups will likely learn from both the successes and failures of Scattered Lapsus$ Hunters
  3. Increased OpSec: The emphasis on "silence" might herald a new era of quieter, more careful cybercrime
  4. Continued Pressure: Law enforcement will likely use this momentum to pressure other high-profile groups

The Truth They Promised

The group promises "It is now time to offer you what you have been waiting for. The truth." Yet, notably, no major data dumps or revelations accompanied their retirement announcement. This could mean:

  • The "truth" is simply their retirement itself
  • Data or revelations may still be coming
  • They've chosen to keep their remaining cards close to the chest
  • The promise was merely rhetorical flourish

Conclusion: The End of an Era?

The retirement of Scattered Lapsus$ Hunters marks the end of a particular chapter in cybercrime history—one characterized by brazen attacks, teenage hackers taking on tech giants, and criminals who seemed to court attention as much as they sought profit.

Their farewell message, equal parts confession, philosophy, and warning, provides a rare glimpse into the mindset of elite cybercriminals facing the consequences of their actions. The weariness in their words—"We've decided to let go"—suggests that the glamorous image of cybercrime often doesn't match the reality of constant paranoia, arrested friends, and the inexorable pressure of international law enforcement.

Whether this retirement sticks or whether these actors return under new identities remains to be seen. What's certain is that their impact on the cybersecurity landscape has been profound, their techniques have been studied and adopted widely, and their spectacular rise and fall will be analyzed for years to come.

As they write in their farewell: "Thank you to everyone who has watched and stuck around. Goodbye."

The cybersecurity world watches and waits to see what fills the vacuum they leave behind.

The retirement of Scattered Lapsus$ Hunters reminds us that even in the digital age, cybercrime remains fundamentally human—with all the frailties, fears, and eventual fatigue that entails. Their goodbye is not just the end of a hacking group, but perhaps a sign of the mounting pressure that international law enforcement cooperation can bring to bear on even the most sophisticated cybercriminals.

Read more

When GitHub Became the Battlefield: How AI-Powered Malware and Workflow Hijacking Exposed Thousands of Developer Secrets

When GitHub Became the Battlefield: How AI-Powered Malware and Workflow Hijacking Exposed Thousands of Developer Secrets

Date: September 8, 2025 Combined Impact: 5,505+ Compromised Accounts Secrets Stolen: 5,674+ Credentials Attack Vectors: AI Tool Weaponization & GitHub Actions Exploitation Primary Targets: Developer Credentials, Cloud Infrastructure, Cryptocurrency Wallets Executive Summary In a devastating one-two punch against the software development ecosystem, two sophisticated supply chain attacks—s1ngularity

By Breached Company