Nearly 15 ransomware and cybercrime groups, led by the notorious Scattered Spider collective, announced their retirement in a dramatic farewell letter that cybersecurity experts believe may be an elaborate deception.
The unusual manifesto, posted to BreachForums and addressed to “Dear World,” claimed the groups were “going dark” following international arrests — but the timing, content, and motivations behind the announcement raised serious questions about its authenticity.
The letter emerged after a series of devastating cyberattacks, including the recent assault on Jaguar Land Rover that forced global manufacturing shutdowns for over a week and caused estimated losses in the hundreds of millions.
At first glance, the letter appeared legitimate. But cybersecurity experts aren’t convinced by these surface-level signs of authenticity.
Brijesh Singh, cybersecurity expert and additional director general of police with the Government of Maharashtra, India, acknowledged the letter’s apparent authenticity while expressing deep skepticism about its true purpose.
“The letter came from verified BreachForums accounts and was quickly copied onto the gang’s Telegram channels, so it appeared authentic,” he said.
However, Singh pointed to several red flags that suggested something more calculated was at play: “Nevertheless, its elaborate tone, the lack of any obvious money‑moving activity in the two days after it was posted, and the history of other ransomware groups staging fake retirements all pointed to a marketing stunt rather than a real end to criminal activity.”
An unlikely alliance raises immediate red flags
The letter purported to speak for an unprecedented collection of cybercrime groups, claiming a coordinated retirement across multiple organizations.
“We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark,” the group wrote in the public letter.
This claimed alliance immediately struck experts as suspicious.
Sunil Varkey, advisor at Beagle Security, highlighted the fundamental problems with this narrative.
“The so-called collective was only publicly formed in August 2025 via Telegram, making a swift ‘retirement’ just a month later highly suspicious,” he explained. The timeline alone raised questions, but Varkey pointed to an even more basic issue: “None of them had any known commonalities, affiliations, or activities together in the past.”
Rather than describing a spontaneous decision, the letter revealed deliberate coordination and planning that contradicted the narrative of a pressured retreat.
“We apologise for our silence and the ambiguities of our message,” the letter stated, referring to a 72-hour communication blackout that preceded the announcement. “These 72 hours spent in silence have been important for us to speak with our families, our relatives, and to confirm the efficiency of our contingency plans and our intents.”
Law enforcement pressure: real but limited impact
The letter explicitly acknowledged the mounting international pressure that supposedly drove their decision.
“We want to share a thought for the eight people that have been raided or arrested in relations to these campaigns, Scattered Spider and/or ShinyHunters groups since beginning on April 2024 and thereafter 2025, and especially to the four who are now in custody in France,” the letter read.
While these arrests represented genuine law enforcement successes, Singh provided crucial context about their actual impact on the groups’ operations. “Since April 2024 the FBI, the UK’s NCA, France’s DGSI and Spain’s Policía Nacional arrested eight people linked to the syndicate,” Singh confirmed.
However, the arrests hadn’t achieved their intended deterrent effect: “These arrests involved mostly low‑ or mid‑tier members such as cash‑out mules, SIM‑swappers, and chat administrators; the core developers, money‑launderers and senior leaders remained at large. Thus law enforcement damaged the gang’s public image but did not stop its operations,” Singh said.
Empty promises and concerning admissions
Perhaps the strongest evidence against the letter’s authenticity lay in what it failed to offer. While apologizing to victims, the groups explicitly refused to provide any meaningful assistance or remediation.
“We will not try to help anyone anymore, directly or indirectly, to establish their innocence,” the letter said bluntly. This refusal to help with ongoing investigations or provide assistance to previous victims contradicts any genuine attempt at reform or accountability.
Varkey identified these elements as particularly damaging to the letter’s credibility. “The intent was questionable since there was only a verbal apology statement to the victims, but no practical relief, explicit refusal to assist with past cases, no commitments on stolen data or ransomware, and no infrastructure or C2C takedown,” he explained.
Far from expressing remorse, the letter bragged about recent high-profile attacks. “Whilst we were diverting you, the FBI, Mandiant, and a few others by paralyzing Jaguar factories, (superficially) hacking Google 4 times, blowing up Salesforce and CrowdStrike defences, the final parts of our contingency plans were being activated,” the groups wrote.
Expert consensus: tactical deception
Both experts concluded that the announcement represented strategic misdirection rather than genuine retirement. “It seemed more like a smokescreen tactic — a deceptive move to evade law enforcement pressure, resolve internal issues, or facilitate rebranding rather than a genuine dissolution,” Varkey said.
Singh focused on the broader implications of what appeared to be a coordinated disinformation campaign. “If the groups truly retired, the biggest threat was the spread of their advanced tactics,” he warned. “OAuth‑token abuse, AI voice‑cloning vishing, and leaked hypervisor ransomware code were now cheap and widely available. New, quieter groups were likely to arise, some already poaching former staff or reusing the same wallet mixers.”
Organizations shouldn’t lower their guard
Given the expert consensus about the announcement’s deceptive nature, Singh recommended that organizations maintain maximum vigilance and assume continued threat activity. “Defenders should act as if their compromised accounts were still active: reset passwords, enforce FIDO2, and revoke legacy tokens,” he advised. “Help desks must train on deep‑fake audio and challenge any urgent, unverified calls. ESXi hypervisors should be isolated, put into lockdown mode, and have SSH restricted to break‑glass procedures.”
Singh’s final assessment encapsulated the challenge facing cybersecurity professionals: “Overall, the ‘retirement’ was best seen as a brand sunset; the tactics, people, and laundering infrastructure still existed, so assuming security was dangerous.”