ReliaQuest saw it coming. In August, its analysts warned that Scattered Spider, the English-speaking actors tied to ShinyHunters, would soon look toward the finance sector. The signal was in the domains. Fake names, ticket portals, login pages. All set to harvest trust.
Now the evidence is here. Domains tied to finance have multiplied. A U.S. bank has been breached.
The way in was quiet. An executive’s account, reset through Azure’s self-service password reset (SSPR) tool. Once inside, the attackers spread. They read IT and security files. They moved through Citrix and VPNs. They reached VMware ESXi, dumped credentials, and shifted virtual machines to hide their work. They reset a Veeam service account, gave themselves Global Administrator rights, and stretched further still. Signs show they tried to siphon data from Snowflake, AWS, and other stores.
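The chain above leaves a recognisable footprint in identity telemetry: a self-service password reset followed, within hours, by a privileged role grant made from the same account. The following detector is an added example for this article, not ReliaQuest's or any vendor's code. It walks Entra-style audit events and pairs each self-service reset with a later "Add member to role" event for a privileged role. The field names (activityDisplayName, initiatedBy, targetResources, Role.DisplayName) follow the Entra ID audit log export, but the events, account names and the four-hour window are constructed for illustration.

```python
"""Correlate self-service password resets with subsequent privileged role
grants.  Example code added to this article; not ReliaQuest's detection logic.
The events below are constructed, not real telemetry."""
from datetime import datetime, timedelta

# Constructed sample: an executive's account is reset via SSPR, then used to
# add a backup service account to Global Administrator within the hour.
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-09-10T08:02:11Z",
     "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
     "targetResources": [{"userPrincipalName": "cfo@corp.example", "modifiedProperties": []}]},
    {"activityDateTime": "2025-09-10T08:31:40Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "cfo@corp.example"}},
     "targetResources": [{"userPrincipalName": "svc-veeam@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Global Administrator"'}]}]},
    {"activityDateTime": "2025-09-10T09:15:00Z",
     "activityDisplayName": "Reset password (self-service)",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@corp.example"}},
     "targetResources": [{"userPrincipalName": "analyst@corp.example", "modifiedProperties": []}]},
    {"activityDateTime": "2025-09-11T09:15:00Z",  # a day later: outside the window
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "analyst@corp.example"}},
     "targetResources": [{"userPrincipalName": "analyst@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": '"Global Administrator"'}]}]},
]

# Roles worth alerting on (assumed list; extend to match your tenant's policy).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Application Administrator"}

def _ts(event):
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))

def _actor(event):
    return event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()

def _granted_role(event):
    """Return the role name if this event grants a privileged directory role, else None."""
    if event.get("activityDisplayName") != "Add member to role":
        return None
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                role = prop.get("newValue", "").strip('"')
                if role in PRIVILEGED_ROLES:
                    return role
    return None

def find_sspr_then_privilege(events, window=timedelta(hours=4)):
    """Flag accounts that receive a self-service reset and then grant a
    privileged role within `window`.  Returns (actor, role, target, minutes)."""
    last_reset = {}   # actor -> time of most recent self-service reset
    findings = []
    for ev in sorted(events, key=_ts):
        actor = _actor(ev)
        if ev.get("activityDisplayName") == "Reset password (self-service)":
            last_reset[actor] = _ts(ev)
            continue
        role = _granted_role(ev)
        if role and actor in last_reset:
            elapsed = _ts(ev) - last_reset[actor]
            if timedelta(0) <= elapsed <= window:
                target = ev["targetResources"][0].get("userPrincipalName", "?")
                findings.append((actor, role, target, int(elapsed.total_seconds() // 60)))
    return findings

if __name__ == "__main__":
    for f in find_sspr_then_privilege(SAMPLE_EVENTS):
        print("ALERT: %s granted %s to %s, %d min after a self-service reset" % f)
```

The window is deliberately generous; the legitimate case (an admin resets their own password and then does routine role work) exists, so treat a hit as a triage prompt that should pull the sign-in logs for the same account, not as a block on its own. Service accounts such as a backup account appearing as the target of a Global Administrator grant is the detail to weight most heavily.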
ShinyHunters Stirs
At the same time, ShinyHunters has stirred. After a year of silence, they returned with attacks through Salesforce. Big names fell in scope, Google among them. Domains built to mimic tickets and dashboards led victims to credential traps. Vishing calls posed as IT staff. Connected apps turned into keys for theft.
ReliaQuest sees overlap. Registration patterns that echo Scattered Spider’s habits. Okta-themed phishing pages in the mix. A forum alias, “Sp1d3rhunters,” tying one identity to another. Together these signs suggest not only parallel work but perhaps shared hands.
If it is collaboration, the timing is deliberate. Since July, domains targeting banks and insurers have risen 12%. Technology firms, long at the center of these campaigns, are still hit, but the lure of finance is strong. Data is valuable. Access is leverage.
Different in Style
The groups themselves differ in style. ShinyHunters made their name selling stolen data in forums and boasting in public. Scattered Spider honed the art of social engineering: clear English, convincing impersonations, support desks tricked into granting access. Both methods work. Blended, they work better.
Defenders cannot count on names. Groups change banners, split, reappear under new aliases. What endures are the tactics: phishing, vishing, credential harvesting, the patient use of impersonating domains. ReliaQuest urges focus on these. Watch the infrastructure. Cut access fast. Reset passwords. Kill sessions. Disable accounts.
The evidence is mounting. ShinyHunters adopt Scattered Spider’s playbook. Scattered Spider expands to finance. Both thrive within a wider collective, The Com, where sub-groups trade tricks and tools. Some call it collaboration. Others see shared infrastructure and imitation.
Either way, the effect is the same: sharper campaigns, broader reach.
“Going Dark”
However, this activity comes just after the group’s affiliates announced, via Telegram on 15 September, that: “We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark.”
The collective added: “As you know, the last weeks have been hectic. Whilst we were diverting you, the FBI, Mandiant, and a few others by paralyzing Jaguar factories, (superficially) hacking Google 4 times, blowing up Salesforce and CrowdStrike defences, the final parts of our contingency plans were being activated.”
They framed their silence as a strategic choice: “This is why we have decided that silence will now be our strength… Our objectives having been fulfilled, it is now time to say goodbye.”
At first glance, this conflicts with ReliaQuest’s findings. The Telegram message suggests the group is stepping back. Yet the evidence shows active targeting of financial institutions. The threat is far from gone.
Domain analysis supports the warning. Ticket-themed domains, Salesforce impersonation pages, and Okta-styled phishing sites are all active. Financial services and technology providers are likely next. The campaign is coordinated. The attackers share tools and tactics. They move quickly and adapt constantly.
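"Watch the infrastructure" (urged earlier in the piece) and the domain analysis described here come down to the same routine: triaging newly registered domains for help-desk and single-sign-on themes combined with a protected brand or a one-character look-alike of it. The script below is an added example written for this article, not ReliaQuest's tooling. The brand list, theme words, scoring weights and the candidate domains are all constructed; in practice the candidates would come from a certificate-transparency or new-domain feed and the brand list from your own organisation and its SSO and SaaS providers.

```python
"""Score candidate domains for brand impersonation.  Added example for this
article; the brand list, theme words, weights and domains are constructed."""
import re

PROTECTED_BRANDS = ["okta", "salesforce", "firstbank"]   # constructed; 'firstbank' is a placeholder
THEME_WORDS = ["ticket", "helpdesk", "servicedesk", "sso", "login", "vpn", "portal", "support"]

SAMPLE_DOMAINS = [                      # constructed new-registration feed
    "firstbank-sso.com",
    "okta-firstbank.net",
    "tickets-salesforce-support.com",
    "f1rstbank-helpdesk.com",
    "weather-update.org",
    "oktaa.com",
]

def levenshtein(a, b):
    """Plain edit distance; small enough that a pure-Python version is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_labels(domain):
    """'tickets-salesforce-support.com' -> ['tickets', 'salesforce', 'support'].
    Assumes a single-label public suffix; use a PSL library for real feeds."""
    labels = domain.lower().strip(".").split(".")
    host = ".".join(labels[:-1])
    return [t for t in re.split(r"[.\-_]", host) if t]

def score_domain(domain):
    """Return (score, reasons).  Exact brand +3, one-edit look-alike +4,
    brand embedded in a longer token +2, help-desk/SSO theme word +1."""
    score, reasons = 0, []
    for tok in registrable_labels(domain):
        for brand in PROTECTED_BRANDS:
            if tok == brand:
                score += 3; reasons.append(f"brand:{brand}")
            elif abs(len(tok) - len(brand)) <= 1 and levenshtein(tok, brand) == 1:
                score += 4; reasons.append(f"lookalike:{tok}~{brand}")
            elif brand in tok:
                score += 2; reasons.append(f"contains:{brand}")
        if any(tok.startswith(w) for w in THEME_WORDS):
            score += 1; reasons.append(f"theme:{tok}")
    return score, reasons

def triage(domains, threshold=4):
    """Domains at or above the threshold, highest score first."""
    hits = [(d, *score_domain(d)) for d in domains]
    hits = [h for h in hits if h[1] >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_DOMAINS):
        print(f"{score:2d}  {domain:32s} {' '.join(reasons)}")
```

The look-alike rule scores higher than an exact brand match on purpose: a registrant who spells the brand correctly may be a reseller or a fan site, but one who swaps a single character is rarely anything but an impersonator. Feed flagged domains into registrar takedown and into your mail and web proxy blocklists before the matching vishing call arrives.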
Take it With a Pinch of Salt
“Organizations should take these announcements with a pinch of salt,” said Nivedita Murthy, Senior Staff Consultant at Black Duck. “It could be possible that some of these groups may have decided to step back and enjoy their payday, but it does not stop copycat groups from rising up and taking their place.”
She says while there has been increased awareness about security, it has not reached a level to deter bad actors. “Organizations should continue to make application security an executive mandate and ensure uncompromised trust in software for the increasingly regulated, AI-powered world.”
Plausible Deniability
James Maude, Field CTO at BeyondTrust, added: “Cybercrime groups have a bit of a history when it comes to retiring that is often no more than lying low while the heat is on. Back in 2019, the GandCrab crew announced they were retiring after earning more than $2bn. A few months later, REvil appeared with the same hallmarks.”
He said these groups are loosely connected individuals who disband and reform in new groups rather than truly retire. “Anyone believing their retirement claims shouldn’t get complacent. The one objective they have clearly met is highlighting the weaknesses of identity security. By announcing a retirement, they may be attempting to throw some focus off and establish new groups, creating plausible deniability.”
More of a PR Stunt
“It’s safest to consider this announcement as more of a PR stunt than a genuine farewell,” said Casey Ellis, founder of Bugcrowd. “Historically, cybercriminals rarely retire in the traditional sense.”
He says the statement about ‘silence being their strength’ could signal a shift toward quieter, more targeted attacks or selling expertise to other groups. “This is an interesting signal, but not a reason to relax. We should expect them to evolve, leveraging their wealth, experience, and access.”
Ellis says it’s possible that certain members will transition into other forms of cybercrime, such as hacking-for-hire or fraud. “In terms of motivations, law enforcement pressure and international collaboration against these groups has increased markedly over the last twelve months. Competition is also a factor. As more groups emerge, the market becomes saturated, and the profitability of ransomware campaigns may diminish.”
Part of a Lifecycle
Dave Tyson, Partner in Intelligence Operations at iCOUNTER, framed it as part of a lifecycle. “It’s never retirement, it’s simply part of the normal lifecycle of criminality. Groups come together for specific purposes, form into units to execute their plans, and exit the definable identity to lower the focus on that collective or unit. Eventually, we will see them re-appear sometime later in different units.”
He says although it’s fair to say there is always law enforcement pressure for them to be concerned about, it is more likely what he calls “Brand Shedding”.
Track Techniques, Not Names
The key lesson is track techniques, not names. Threat actors shift constantly. Infrastructure changes. Aliases vanish. Methods evolve. Detection is always a step behind. The Telegram message may signal a real exit. Or it may be just a pause, and another tactic. Either way, banks and tech firms cannot assume the danger has passed.
ReliaQuest’s findings show that activity continues. The human element remains exposed, and attackers know it and exploit it without pause.
The collective may be quiet, but it is far from gone. Vigilance must never rest. Their “farewell” could be nothing more than the next act in the ongoing saga of cybercrime.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.