The well-known group of cybercriminals called Scattered Lapsus$ Hunters released a surprising farewell statement on BreachForums.
This manifesto, a mix of confession and strategic deception, offers vital insights into the changing landscape of modern cybercrime and the increasing pressure from global law enforcement agencies.
The statement reveals sophisticated operational security practices that extend far beyond typical cybercriminal behavior.
The group claims their 72-hour silence was deliberately orchestrated to “speak with our families, our relatives, and to confirm the efficiency of our contingency plans and our intents”.
This calculated approach demonstrates a level of strategic planning typically associated with nation-state actors rather than financially motivated cybercriminals.
They describe these spectacular breaches as tactical misdirection designed to “divert the FBI, Mandiant, and a few others” while their actual contingency plans were being activated.
This reveals a sophisticated understanding of how law enforcement and incident response teams allocate resources, suggesting the group has studied defensive methodologies as carefully as attack vectors.
The group’s claim that they “willingly left them in wonder” after penetrating Google’s systems is particularly significant.
Scattered LAPSUS$ Hunters Statement
The restraint shown in Google’s Workspace, Person Finder, and Gmail legacy branches suggests that the group may have had more access than they revealed but chose not to use it fully. This decision goes against what is typical for ransomware groups, which usually try to cause as much damage and make as much money as possible.
Infrastructure Targeting And Unrealized Threats
Perhaps most concerning are the group’s implications regarding critical infrastructure vulnerabilities.
Their statement suggests data from companies including Kering, Air France, American Airlines, and British Airlines may be compromised, with some organizations unaware they face potential exploitation.
This aligns with documented attacks throughout 2025, where Air France and KLM confirmed breaches in August, and multiple aviation sector incidents were attributed to related groups.
The group’s question, “Are their data currently being exploited, whilst US, UK, AU, and French authorities fill themselves with the illusions thinking they have gotten the situation under control?” reveals deep cynicism about international law enforcement coordination.
This statement gains particular significance given the recent arrests and the group’s apparent ability to monitor investigative activities, including their claim of “observing them as they painfully try to upload their HD logos to the BF servers”.
The statement directly addresses the human cost of their operations, acknowledging eight arrests linked to Scattered Spider and ShinyHunters operations since April 2024, with four individuals currently in French custody.
These arrests include the June 2025 detention of four alleged ShinyHunters members in France, highlighting the effectiveness of international cooperation between French authorities, the FBI, and other agencies.
The group’s expression of regret “to the four who are now in custody in France” and their assertion that investigations will “progressively fall apart” suggest they believe the arrested individuals were sacrificial.
Their claim to have “manipulated evidence to mislead investigators” indicates sophisticated counterintelligence capabilities designed to protect core operators while allowing peripheral members to face legal consequences.
Collaborations
The emergence of Scattered Lapsus$ Hunters represents an unprecedented consolidation within cybercrime, combining the tactics of Scattered Spider, Lapsus$, and ShinyHunters.
This merger brought together complementary skill sets: Scattered Spider’s social engineering expertise, Lapsus$’s brazen publicity tactics, and ShinyHunters’ data theft capabilities.
Their operations throughout 2025 demonstrated remarkable technical sophistication, including OAuth token abuse in Salesforce environments, AI-enhanced voice cloning for vishing attacks, and custom tooling for accelerated data extraction.
The Google Threat Intelligence Group confirmed these actors deployed specialized tools for Salesforce data extraction while simultaneously targeting multiple organizations through social engineering campaigns.
The group’s announcement of retirement should be viewed skeptically, given historical precedent. Their statement that “LAPSUS$, Trihash, Yurosh, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others” are “going dark” reads more like a strategic reorganization than a genuine cessation of activities.
The timing coincides with unprecedented law enforcement pressure. The FBI and CISA’s July 2025 advisory warned of Scattered Spider’s “serious and ongoing threat”, while coordinated international operations throughout 2025 disrupted numerous cybercrime infrastructures.
The group’s decision to withdraw likely reflects recognition that their operational security has been compromised rather than genuine remorse.
Cybersecurity Landscape
The Scattered Lapsus$ statement provides several critical takeaways for cybersecurity professionals and law enforcement:
Operational Evolution: Modern cybercriminal groups increasingly operate with nation-state level sophistication, employing strategic deception, counterintelligence, and long-term planning.
Human-Centric Threats: Their success stemmed primarily from social engineering and identity-based attacks rather than technical exploits, highlighting the continued vulnerability of human factors in security.
International Coordination Effectiveness: The pressure evidenced in their farewell statement validates the impact of coordinated international law enforcement efforts, particularly the Franco-American cooperation that led to multiple arrests.
Infrastructure Vulnerabilities: Their targeting of third-party vendors and cloud services underscores the critical importance of supply chain security and OAuth token management.
The Scattered Lapsus$ farewell represents not the end of an era, but likely a transformation.
While these specific actors may have withdrawn, their techniques, tools, and tactical innovations will undoubtedly influence the next generation of cybercriminal operations.
Their statement serves as both a warning about the sophistication of modern threats and validation that sustained international pressure can force even the most brazen actors to reconsider their activities.
The post What Are The Takeaways From The Scattered LAPSUS $Hunters Statement? appeared first on Cyber Security News.