Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Cybercrime gangs as cooperatives: what this means for defenders


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Trustwave reports that ShinyHunters, Lapsus$, and Scattered Spider are resurfacing as a loosely organised “Scattered LAPSUS$ Hunters” brand, with core operators using Telegram, Tor, and service-style extortion to market access, reputation, and ransomware capability. The shift matters because criminal cooperation now scales expertise faster than traditional group names can be tracked, and the attack surface is broadening through rented skills and reused trust.

NHIMG editorial — based on content published by Swarmnetics: ShinyHunters, Lapsus$, Scattered Spider cybercrime gangs are back as a tag team. Or are they?

Questions worth separating out

Q: How should defenders respond when cybercrime groups rebrand but keep the same infrastructure?

A: Treat the name change as a surface-level event and focus on continuity in infrastructure, credentials, and behaviours.

Q: Why do criminal cooperatives increase the risk from stolen credentials?

A: Because rented expertise lets attackers operationalise stolen access faster and with less skill than a single solo operator would need.

Q: What do security teams get wrong about tracking cybercrime gangs?

A: They often track the public brand instead of the operational ecosystem behind it.

Practitioner guidance

  • Map criminal brand reuse to infrastructure reuse Build detection logic around repeated domains, Tor endpoints, payment paths, and messaging handles rather than relying on group names.
  • Harden identity artefacts that syndicates can monetise Prioritise short-lived sessions, rapid token revocation, and tighter service account scopes for systems most exposed to extortion actors.
  • Reduce the value of a single foothold Segment high-risk access paths, require step-up verification for privileged actions, and remove standing administrative paths wherever possible.

What's in the full article

Swarmnetics' full analysis covers the operational detail this post intentionally leaves for the source:

  • The specific Trustwave observations behind the SLH assessment, including why the group is thought to be smaller than its branding suggests.
  • The Telegram and Tor infrastructure patterns used to maintain continuity after repeated channel bans and reappearances.
  • The underground service model behind extortion-as-a-service and how it changes the criminal market structure.
  • The article's discussion of how AI tooling may interact with criminal cooperation and campaign scale.

👉 Read Swarmnetics' analysis of the Scattered LAPSUS$ Hunters syndicate →

Cybercrime gangs as cooperatives: what this means for defenders?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

The brand is becoming less important than the criminal operating model. When groups claim retirement and return under a shared banner, practitioners should assume the real continuity is capability, infrastructure, and trust, not the public name. That makes brand-based threat tracking unreliable for defence planning. The right lens is repeatable access, monetisation paths, and shared tradecraft, which maps more closely to attack surface governance than to public group taxonomy.

A question worth separating out:

Q: How can IAM and PAM teams reduce the impact of syndicate-style attacks?

A: Shrink the usefulness of any stolen identity artefact by limiting standing privilege, shortening session lifetimes, and removing stale accounts quickly. When attackers can no longer turn one credential into broad access, the economics of cooperative criminal campaigns get worse.

👉 Read our full editorial: Cybercrime gangs are shifting toward syndicates and rented expertise



   
ReplyQuote
Share: