Scattered Lapsus$ Hunters Announce They Are Going Dark but the Threat Remains

September 17, 2025
Lucie Cardiet
Cyberthreat Research Manager

In an unexpected public statement, members of Scattered Spider, Lapsus$, ShinyHunters, and others operating under the broader Com ecosystem have declared they are “going dark.” Their final communique emphasizes that their objectives have been fulfilled, and that some members will fade into anonymity, while others “will keep on studying and improving systems you use in your daily lifes. In silence.”  

While the announcement carries all the hallmarks of a theatrical exit, defenders should not feel relieved. This is more likely a pivot point than a conclusion. The group's ability to weaponize identity, exploit SaaS platforms, and extort through public spectacle has fundamentally reshaped cybercrime.

For SOC teams, this is not the end of the story, but a reminder to stay focused on detecting subtle signals of compromise before data theft becomes leverage.

Screenshot of the farewell post from Scattered Lapsus$ Hunters. Source: X

Inside The Com: An Ecosystem of Crews

To understand Scattered Lapsus$ Hunters, you need to understand The Com. Short for The Community, it is not a single hacking group but a cybercriminal ecosystem with thousands of members worldwide. Factions constantly emerge, merge, and rebrand. Scattered Spider, Lapsus$, and ShinyHunters are simply the most visible names, and many more remain undiscovered.

Origins and Evolution

The Com’s roots trace back to the late 2010s, when teenagers hijacked Instagram accounts to sell valuable short handles. This quickly evolved into SIM swapping, where telecom employees were bribed or tricked into redirecting phone numbers. That gave attackers control of SMS-based multi-factor authentication, opening the door to email, cloud services, and cryptocurrency wallets. One victim lost more than 20 million dollars in crypto to Com-linked actors.

Law enforcement made early arrests in 2018, and by 2019 several members had been sentenced for stealing millions. Yet the network proved resilient. Subgroups splintered and adapted, moving beyond SIM swaps into SMS phishing, SaaS exploitation, extortion, and even swatting.

What makes The Com dangerous is its scale, adaptability, and youth. Membership is fluid, tactics range from crude harassment to sophisticated intrusions, and many members are digital natives who see breaching networks as just another online activity. It is a living ecosystem that regenerates constantly, ensuring that even when one crew falls, others quickly rise.

Core Factions

While The Com is sprawling and decentralized, three factions rose above the noise and shaped the playbook that defenders now recognize:

  • Scattered Spider focused on social engineering at scale. They mastered vishing calls, IT helpdesk impersonation, and SIM swaps to hijack credentials. Their targets were single sign-on providers, telecom carriers, and large enterprises where one compromised identity could unlock an entire environment.
  • ShinyHunters specialized in bulk data theft and monetization. They broke into SaaS platforms and developer environments, stole databases, and funneled them through forums like RaidForums and BreachForums. Their reputation as reliable sellers of access and data made them central to the underground economy.
  • LAPSUS$ thrived on spectacle. Instead of ransomware encryption, they relied on insider recruitment, access theft, and public leaks to maximize pressure. They treated extortion like theater, turning Telegram channels into live broadcasts of their breaches.

Together, these factions built a complementary model. Scattered Spider pried open the door through social engineering, ShinyHunters turned access into profit, and LAPSUS$ weaponized publicity to coerce payment.

The farewell message confirmed that these crews weren’t separate brands competing for attention, but interdependent pieces of the same ecosystem.

Who Else Was Named in the Farewell?

“We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark.”

The farewell message did more than announce a retreat. It listed a roster of handles that, when examined together, reveal the breadth of The Com.

  • Forum brokers and administrators like IntelBroker and Yukari ran the marketplaces where stolen data was traded, bridging the gap between access and monetization.
  • Veteran defacers such as Prosox, Kurosh, TOXIQUEROOT, Pertinax, and WyTroZz trace their roots back to web defacement culture of the 2010s, showing how early notoriety evolved into extortion-driven crime.
  • Operational specialists including Trihash, Yurosh, yaxsh, N3z0x, Nitroz, and Clown rarely fronted claims, but their presence signals the infrastructure roles — phishing kits, access brokers, and negotiators — needed to keep the machine running.

The Com is not one gang but a supply chain. Access, data, and publicity are divided across roles, and old-school hackers sit comfortably alongside younger operators.

Publishing the names was itself a tactic, muddying attribution and ensuring successors inherit reputation without maintaining a fixed brand.

This mosaic of groups, veterans, and specialists shows that The Com thrives on division of labor rather than a single banner. And it sets the stage for their defining innovation: moving extortion beyond ransomware, where access, data, and perception became the real weapons.

Beyond Ransomware: Extortion as the New Model

Ransomware crews like LockBit and Global now operate as RaaS platforms, generating custom payloads on demand. Their model still relies on encryption, malware deployment, and extended dwell time, all of which create noise defenders can sometimes detect.

For Scattered Lapsus$ Hunters and other Com factions, the approach is different. They focus on access, theft, and exposure. Screenshots from Jaguar Land Rover’s systems or Salesforce vendor data exfiltrated through OAuth tokens are not precursors to encryption; they are the leverage itself.

Extortion is no longer about restoring access but about maximizing pressure through the threat of public humiliation, customer backlash, and regulatory scrutiny.

This model thrives in environments where identity and SaaS platforms are trusted by default. Attackers blend into normal traffic, abuse legitimate integrations, and impersonate IT staff in real time. Some use phishing domains that convincingly mimic Okta or other SSO providers, even capturing MFA codes on spoofed “factor” pages. Others call employees directly, persuading them to hand over session tokens. By the time the intrusion becomes visible, it is often through a leak on Telegram rather than an internal alert.

The Salesloft Drift OAuth breach showed how quiet these compromises can be. Attackers siphoned Salesforce data, including credentials and API keys, without triggering malware defenses. The data itself was the bargaining chip. Subtle signals such as unusual identity use, unexpected SaaS integrations, or irregular MFA prompts are now the true indicators of compromise.

The Security Gap in the Age of SaaS and AI

The Com exposes a critical security gap. Traditional tools were built to catch malware and ransomware encryption, but extortion-first groups operate in ways those defenses rarely see. They exploit identity and SaaS platforms that enterprises inherently trust, turning blind spots into entry points.

This gap is visible in several ways:

  • Malware-centric defenses miss OAuth abuse. When attackers siphon Salesforce or Google Workspace data using stolen tokens, no malware ever runs. Endpoint security has nothing to detect.
  • Network monitoring misses SaaS traffic. Data moves between cloud applications over encrypted channels that perimeter tools cannot parse, leaving exfiltration hidden in legitimate flows.
  • MFA logs alone miss social engineering. When employees are convinced on a live call to share a session token, authentication tools show only a “valid login,” not a compromise.
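The three gaps above, and the "subtle signals" named earlier (unusual identity use, unexpected SaaS integrations, irregular MFA prompts), can each be turned into a behavioral rule that runs on SaaS and identity audit events rather than on malware signatures. The following is an added illustration written for this page; it is not Vectra's detection logic and not code from any of the groups or products mentioned. The event schema, the sample events, and the thresholds (10,000 rows within 24 hours of an OAuth consent, three MFA prompts within five minutes ending in an approval) are all assumptions chosen for the example.

```python
"""Behavioral detections over constructed SaaS/identity audit events (illustrative only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on SaaS audit logs. App names,
# users, IPs and sessions are invented for this example, not real data.
EVENTS = [
    {"ts": "2025-09-01T09:00:00", "type": "login", "user": "alice",
     "ip": "203.0.113.10", "session": "s-alice-1", "mfa": True},
    # A new OAuth integration is consented to with broad scopes ...
    {"ts": "2025-09-01T09:05:00", "type": "oauth_consent", "user": "alice",
     "app": "drift-connector", "scopes": ["api", "refresh_token"]},
    # ... and immediately starts pulling large volumes of CRM objects.
    {"ts": "2025-09-01T09:20:00", "type": "api_query", "user": "alice",
     "app": "drift-connector", "object": "Contact", "rows": 50_000},
    {"ts": "2025-09-01T09:25:00", "type": "api_query", "user": "alice",
     "app": "drift-connector", "object": "Account", "rows": 120_000},
    # Benign, long-established integration with modest volume.
    {"ts": "2025-09-01T10:00:00", "type": "api_query", "user": "bob",
     "app": "reporting-tool", "object": "Opportunity", "rows": 200},
    # Repeated MFA prompts late at night, finally approved (push fatigue pattern).
    {"ts": "2025-09-02T22:01:00", "type": "mfa_prompt", "user": "carol", "result": "denied"},
    {"ts": "2025-09-02T22:02:00", "type": "mfa_prompt", "user": "carol", "result": "denied"},
    {"ts": "2025-09-02T22:03:00", "type": "mfa_prompt", "user": "carol", "result": "approved"},
    {"ts": "2025-09-02T22:04:00", "type": "login", "user": "carol",
     "ip": "198.51.100.77", "session": "s-carol-1", "mfa": True},
    # The resulting session token is later used from a different address.
    {"ts": "2025-09-02T22:30:00", "type": "session_use", "user": "carol",
     "ip": "192.0.2.200", "session": "s-carol-1"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_new_integration_bulk_export(events, row_threshold=10_000, window=timedelta(hours=24)):
    """Flag an OAuth app that exports many rows shortly after it was consented to.

    No malware runs in this scenario; the only signal is a new integration
    followed by high-volume API reads under the consenting user's identity.
    """
    alerts = []
    for consent in (e for e in events if e["type"] == "oauth_consent"):
        start, end = _ts(consent), _ts(consent) + window
        rows = sum(e["rows"] for e in events
                   if e["type"] == "api_query" and e["app"] == consent["app"]
                   and start <= _ts(e) <= end)
        if rows >= row_threshold:
            alerts.append({"rule": "new_oauth_app_bulk_export", "user": consent["user"],
                           "app": consent["app"], "scopes": consent["scopes"], "rows": rows})
    return alerts


def detect_mfa_fatigue(events, min_prompts=3, window=timedelta(minutes=5)):
    """Flag a burst of MFA prompts for one user that ends in an approval.

    An authentication log shows only a 'valid login' at the end; the burst
    of prompts preceding it is the irregularity worth surfacing.
    """
    alerts = []
    prompts_by_user = defaultdict(list)
    for e in events:
        if e["type"] == "mfa_prompt":
            prompts_by_user[e["user"]].append(e)
    for user, prompts in prompts_by_user.items():
        prompts.sort(key=_ts)
        for i, prompt in enumerate(prompts):
            if prompt["result"] != "approved":
                continue
            recent = [q for q in prompts[: i + 1] if _ts(prompt) - _ts(q) <= window]
            if len(recent) >= min_prompts:
                alerts.append({"rule": "mfa_fatigue_then_approval", "user": user,
                               "prompts": len(recent), "approved_at": prompt["ts"]})
                break
    return alerts


def detect_session_ip_drift(events):
    """Flag a session token used from an IP other than the one that authenticated it.

    This is the trace left when a user is talked into handing over a session
    token: the login is legitimate, the later use is not.
    """
    login_ip = {e["session"]: e["ip"] for e in events if e["type"] == "login"}
    alerts = []
    for e in events:
        if e["type"] == "session_use":
            origin = login_ip.get(e["session"])
            if origin is not None and origin != e["ip"]:
                alerts.append({"rule": "session_token_ip_drift", "user": e["user"],
                               "session": e["session"], "login_ip": origin, "seen_ip": e["ip"]})
    return alerts


def run_all(events):
    """Run every rule and return the combined list of alerts."""
    return (detect_new_integration_bulk_export(events)
            + detect_mfa_fatigue(events)
            + detect_session_ip_drift(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

Run against the constructed events, the three rules fire once each: the new `drift-connector` app exporting 170,000 rows within its first hour, carol's three prompts in three minutes ending in an approval, and her session token reappearing from a second address. The long-standing `reporting-tool` query is not flagged because it has no recent consent event, which is the point of tying volume to the integration's age rather than alerting on volume alone. Real deployments would source the events from the SaaS provider's audit API and the identity provider's sign-in logs, and tune the thresholds to the tenant's baseline.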

The ransomware era was defined by encryption and noisy operations.

The extortion era thrives on stealth, identity abuse, and SaaS exploitation.

Closing this gap requires visibility into behaviors, not just signatures. The Vectra AI Platform delivers that visibility by detecting subtle signals of misuse across cloud, SaaS, network, and identity systems, giving your team the chance to stop extortion before stolen data becomes leverage.

See how it works in practice by exploring our self-guided demo.
