Fifteen well-known ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, have announced that they are shutting down their operations.
The collective announcement was posted on Breachforums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion.
In their statement, the gangs said they would now shift to “silence,” with some members planning to retire on the money they had accumulated, while others would continue studying and improving the systems people rely on daily.
“Golden Parachutes” and Quiet Exits
The announcement struck a defiant tone, noting that members still in custody would not be forgotten. The groups vowed to work toward their release and hinted at retaliation against law enforcement.
They also insisted that fears of their disappearance were misplaced, stating: “If you worry about us, don’t … [we] will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving [the] systems you use in your daily lives. In silence.”
Despite the claims of retirement, analysts have raised doubts about whether this marks a permanent end.
“Organizations should take these announcements with a pinch of salt,” Nivedita Murthy, senior staff consultant at Black Duck, said.
“It could be possible that some of these groups may have decided to step back and enjoy their payday, [but] it does not stop copycat groups from rising up and taking their place.”
Read more on cybercriminal rebranding strategies: Researchers Confirm BlackLock as Eldorado Rebrand
A Significant Roster of Names
Among the 15 groups that declared their exit are some of the most prominent in recent years. The full list mentioned in the post includes Scattered Spider, ShinyHunters, Lapsus$ and more than a dozen other factions tied to high-profile breaches of corporations, governments and critical service providers.
“Cybercrime groups have a bit of a history when it comes to retiring that is often no more than the equivalent of lying low while the heat is on,” said James Maude, field CTO at BeyondTrust.
“Back in 2019, the GandCrab crew announced they were retiring after earning more than $2bn […] A few months later, REvil ransomware appeared bearing all the hallmarks of the GandCrab crew.”
Concern Over the Future
“It’s safest to consider this announcement as more of a PR stunt than a genuine farewell,” said Casey Ellis, founder at Bugcrowd.
“Historically, cybercriminals rarely retire in the traditional sense. Instead, they rebrand, regroup or pivot to new tactics and operations, or they get caught.”
Dave Tyson, partner of intelligence operations at iCOUNTER, echoed Ellis’s views.
“It’s never retirement, it’s simply part of the normal lifecycle of criminality,” he said.
“Groups come together for specific purposes, form into units to execute their plans and exit the definable identity to lower the focus on that collective or unit.”
Whether the announcement reflects a turning point in cybercrime or a reshaping of old threats into new forms remains to be seen.
For now, the sudden withdrawal of several notorious groups signals a shift in the underground ransomware landscape but offers little reassurance that the danger has truly passed.
