In an unexpected public statement, members of Scattered Spider, Lapsus$, ShinyHunters, and others operating under the broader Com ecosystem have declared they are “going dark.” Their final communique emphasizes that their objectives have been fulfilled, and that some members will fade into anonymity, while others “will keep on studying and improving systems you use in your daily lifes. In silence.”
While the announcement carries all the hallmarks of a theatrical exit, defenders should not feel relieved. This is more likely a pivot point than a conclusion. The group's ability to weaponize identity, exploit SaaS platforms, and extort through public spectacle has fundamentally reshaped cybercrime.
For SOC teams, this is not the end of the story, but a reminder to stay focused on detecting subtle signals of compromise before data theft becomes leverage.
Inside The Com: An Ecosystem of Crews
To understand Scattered Lapsus$ Hunters, you need to understand The Com. Short for The Community, it is not a single hacking group but a cybercriminal ecosystem with thousands of members worldwide. Factions constantly emerge, merge, and rebrand. Scattered Spider, Lapsus$, and ShinyHunters are simply the most visible names, and many more remain undiscovered.
Origins and Evolution
The Com’s roots trace back to the late 2010s, when teenagers hijacked Instagram accounts to sell valuable short handles. This quickly evolved into SIM swapping, where telecom employees were bribed or tricked into redirecting phone numbers. That gave attackers control of SMS-based multi-factor authentication, opening the door to email, cloud services, and cryptocurrency wallets. One victim lost more than 20 million dollars in crypto to Com-linked actors.
Law enforcement made early arrests in 2018, and by 2019 several members had been sentenced for stealing millions. Yet the network proved resilient. Subgroups splintered and adapted, moving beyond SIM swaps into SMS phishing, SaaS exploitation, extortion, and even swatting.
What makes The Com dangerous is its scale, adaptability, and youth. Membership is fluid, tactics range from crude harassment to sophisticated intrusions, and many members are digital natives who see breaching networks as just another online activity. It is a living ecosystem that regenerates constantly, ensuring that even when one crew falls, others quickly rise.
Core Factions
While The Com is sprawling and decentralized, three factions rose above the noise and shaped the playbook that defenders now recognize:
- Scattered Spider focused on social engineering at scale. They mastered vishing calls, IT helpdesk impersonation, and SIM swaps to hijack credentials. Their targets were single sign-on providers, telecom carriers, and large enterprises where one compromised identity could unlock an entire environment.
- ShinyHunters specialized in bulk data theft and monetization. They broke into SaaS platforms and developer environments, stole databases, and funneled them through forums like RaidForums and BreachForums. Their reputation as reliable sellers of access and data made them central to the underground economy.
- LAPSUS$ thrived on spectacle. Instead of ransomware encryption, they relied on insider recruitment, access theft, and public leaks to maximize pressure. They treated extortion like theater, turning Telegram channels into live broadcasts of their breaches.
Together, these factions built a complementary model. Scattered Spider pried open the door through social engineering, ShinyHunters turned access into profit, and LAPSUS$ weaponized publicity to coerce payment.
The farewell message confirmed that these crews weren’t separate brands competing for attention, but interdependent pieces of the same ecosystem.
Who Else Was Named in the Farewell?
“We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark.”
The farewell message did more than announce a retreat. It listed a roster of handles that, when examined together, reveal the breadth of The Com.
- Prosox and Kurosh (also known as Kuroi’SH or Kuroi-SH) gained worldwide notoriety in April 2018 for the Vevo YouTube hack. They breached Vevo’s accounts and defaced multiple music videos, most famously deleting Despacito (then the most viewed video on YouTube) and posting “Free Palestine” messages. Two 18-year-olds, believed to be Prosox and Kuroi’SH, were later arrested in Paris. Prosox described the hack as “just for fun,” an early example of the audacity and clout-chasing that would later define LAPSUS$.
- Pertinax surfaced in the same French defacement scene. In 2018, a hacker calling himself “Galack” defaced a site and left a shout-out list including Prosox, Neimad, Head, Pertinax, and others. This graffiti confirmed Pertinax’s place in that community, which later fed into the broader Com ecosystem.
- IntelBroker has often been portrayed as a pivotal figure in this network, linking ShinyHunters with the BreachForums underworld. Law enforcement identified him as British hacker Kai Logan West, a 23-year-old British hacker, and tied him to the sale of stolen corporate and government data. However, BreachForums administrators later denied that IntelBroker was ever the actual owner or held administrative privileges. According to their July 2025 statement, the “owner” title was intentionally assigned to him as a diversion tactic, while the forum’s infrastructure and leadership remained elsewhere.
- Yukari gained infamy on BreachForums as a prolific seller of stolen databases, often tied to tech companies and at times gaming or anime-related breaches. Their prominence was underscored in August 2023, when ShinyHunters themselves posted an unprecedented $500,000 bounty in Monero for information leading to Yukari’s identification. The bounty, accompanied by a dedicated Telegram channel for collecting leads, highlighted how influential Yukari had become even within criminal circles.
- Yurosh was directly responsible for the October 2024 Free Mobile breach in France. Along with an associate, he accessed 19.2 million customer records, including bank details. The data was briefly put up for auction on BreachForums but, according to Yurosh, never sold. Instead, he framed the breach as a protest against poor security and government surveillance, even sharing the Free CEO’s personal data with a journalist as proof.
- WyTroZz earned notoriety for SQL injection attacks. In April 2018, he dumped the credentials of roughly 1,700 Skype users, including plaintext passwords, posting the data to Ghostbin and Pastebin. This early activity demonstrated his skill in exploiting web apps and stealing sensitive data.
- TOXIQUEROOT (or TOXIQUERoot) has been active since at least 2018, when a rival hacker known as Cerberus published a dox claiming to expose his identity and activities. That leak included screenshots of compromised accounts from major French firms, showing he had already gained notoriety in local circles. Beyond forum chatter, TOXIQUEROOT also carried out defacements in the same style as Prosox and Kurosh, including the takeover of a YouTube channel where his voice can be heard in the posted video. While less publicized than the Vevo hack, this shows he was part of the same French scene that treated defacement as both protest and performance.
The Com is not one gang but a supply chain where access, data, and publicity are divided across roles.
Old-school defacers appear alongside younger operators, each playing a part. By publishing a long list of names, the group is not just announcing a farewell, it is muddying attribution.
Just as IntelBroker was portrayed as a figurehead to draw law enforcement attention, this roster may serve as another diversion, spreading focus across multiple handles while the core machinery continues.
What it really shows is that The Com thrives on division of labor rather than a single banner, and that its defining innovation remains extortion without ransomware, where access, data, and perception are the weapons.
Beyond Ransomware: Extortion as the New Model
Ransomware crews like LockBit and Global now operate as RaaS platforms, generating custom payloads on demand. Their model still relies on encryption, malware deployment, and extended dwell time, all of which create noise defenders can sometimes detect.
For Scattered Lapsus$ Hunters and other Com factions, the approach is different. They focus on access, theft, and exposure. Screenshots from Jaguar Land Rover’s systems or Salesforce vendor data exfiltrated through OAuth tokens are not precursors to encryption, they are the leverage itself.
Extortion is no longer about restoring access but about maximizing pressure throughthe threat of public humiliation, customer backlash, and regulatory scrutiny.
This model thrives in environments where identity and SaaS platforms are trusted by default. Attackers blend into normal traffic, abuse legitimate integrations, and impersonate IT staff in real time. Some use phishing domains that convincingly mimic Okta or other SSO providers, even capturing MFA codes on spoofed “factor” pages. Others call employees directly, persuading them to hand over session tokens. By the time the intrusion becomes visible, it is often through a leak on Telegram rather than an internal alert.
The Salesloft Drift OAuth breach showed how quiet these compromises can be. Attackers siphoned Salesforce data, including credentials and API keys, without triggering malware defenses. The data itself was the bargaining chip. Subtle signals such as unusual identity use, unexpected SaaS integrations, or irregular MFA prompts are now the true indicators of compromise.
The Security Gap in the Age of SaaS and AI
The Com exposes a critical security gap. Traditional tools were built to catch malware and ransomware encryption, but extortion-first groups operate in ways those defenses rarely see. They exploit identity and SaaS platforms that enterprises inherently trust, turning blind spots into entry points.
This gap is visible in several ways:
- Malware-centric defenses miss OAuth abuse. When attackers siphon Salesforce or Google Workspace data using stolen tokens, no malware ever runs. Endpoint security has nothing to detect.
- Network monitoring misses SaaS traffic. Data moves between cloud applications over encrypted channels that perimeter tools cannot parse, leaving exfiltration hidden in legitimate flows.
- MFA logs alone miss social engineering. When employees are convinced on a live call to share a session token, authentication tools show only a “valid login,” not a compromise.
The ransomware era was defined by encryption and noisy operations.
The extortion era thrives on stealth, identity abuse, and SaaS exploitation.
Closing this gap requires visibility into behaviors, not just signatures. The Vectra AI Platform delivers that visibility by detecting subtle signals of misuse across cloud, SaaS, network, and identity systems, giving your team the chance to stop extortion before stolen data becomes leverage.
See how it works in practice by exploring our self-guided demo.