72 Hours of Silence and a Manifesto. The Most Famous Hackers Retired, Leaving Only a Note
Hackers announced their retirement, leaving millions and puzzles for law enforcement.
Hackers announced their retirement, leaving millions and puzzles for law enforcement.
Fifteen of the most well-known cybercriminal groups, including Scattered Spider, ShinyHunters, and Lapsus$, have announced they are ceasing operations. Their collective statement appeared on BreachForums and became the most high-profile message from the underground in recent years. The authors emphasized that their goal was not so much extorting money as it was demonstrating the weakness of digital systems. Now, however, they have stated they are choosing "silence" over public attacks.
The document, published on behalf of numerous famous hacker aliases, claims the decision was made after three days of silence, which the participants dedicated to their families and reviewing their own contingency plans in case of persecution. They stated that they had "long waited" for the past 72 hours to finally confirm their exit strategy and internal cohesion.
The text lists high-profile incidents from recent months. Among them are the shutdown of Jaguar factories, attacks on Google that allegedly affected Workspace, Gmail, and Person Finder services, and strikes on the infrastructure of Salesforce and CrowdStrike. The authors emphasized that they deliberately halted the development of some hacks, leaving corporations in uncertainty, and gradually abandoned their own tools, including the Tutanota email service.
The statement also contains direct warnings. It mentions Kering, Air France, American Airlines, British Airways, and other major companies that, according to the group, have not yet received ransom demands, even though their data may have already been compromised. The message underscores that the governments of the US, UK, France, and Australia are under illusions about controlling the situation, while the malicious actors continue to watch their actions.
A special emphasis is placed on arrests. The hackers expressed sympathy for eight detainees, four of whom are in French prisons, calling them "scapegoats." According to them, these people became victims of investigations, but there is no serious evidence against them. The authors stated they intentionally left false trails to lead investigations in the wrong direction and reduce risks for the actual participants, using social engineering methods.
The conflict with law enforcement and intelligence agencies is separately mentioned. The text states that the participants learned methods of distraction from the "best," directly referencing CIA experience and "lessons from Langley." They note that in the long term, planning and influence are more important than technical ability.
The final part of the statement sounds like a farewell. The hacker groups claim their tasks are completed and it is time to disappear. Some plan to "enjoy golden parachutes" and accumulated millions, others intend to focus on studying and developing technologies, and others will simply fade into the shadows. At the same time, the authors did not rule out that their names would continue to surface in future publications about hacks of corporations and government structures, but stressed that this would not mean a continuation of active operations.
Despite the pathos of the farewell manifesto, analysts are skeptical about what is happening. Black Duck reminded that such statements should be taken with caution: they often only mean a temporary retreat. BeyondTrust added that the story of GandCrab, which "retired" in 2019 and returned in the guise of REvil, showed that loud announcements in the criminal world are rarely final. Bugcrowd emphasized that criminals either reorganize or create new structures, and iCOUNTER called such processes part of the normal cycle of the underground.
Thus, the synchronous "exit" of fifteen groups at once became a notable event in the world of cybercrime, but it is unlikely to mean the real disappearance of the threat. Changing names and roles does not eliminate the phenomenon of ransomware itself; it merely masks it, leaving companies and government structures facing the same risks.
