On September 8, the “scattered LAPSUS$ hunters 4.0” Telegram channel posted:
FBI and French LE, great job for the third time arresting the wrong person in France once again. DOJ please stop wasting your budget by flying your agents to France every time to make the WRONG arrest, as it’s almost the end of the fiscal year, please save your money, and please do a better job at investigating us instead of arresting innocent individuals and stop falling for our (most obvious) each and all of our schemes and disinformation campaigns.
That person who law enforcement allegedly arrested has been MIA for 6 hours and more. We have always been aware since the beginning. You can make as many arrests as you want and we’ll still be active with the same amount of efficiency as we always were.
Neither law enforcement nor scattered/LAPSUS$ hunters named the individual who has been arrested and French law enforcement has yet to make any official announcement, consistent with French law. But the Telegram post was followed shortly thereafter with another post:
This channel is now closed and we’re going away for a while. Thanks.
But now we learn that “a while” means “forever.” In a post timed to appear after DataBreaches posted the report on the Kering data breaches, the following statement appeared on BreachForums[.]hn:
Dear World,
We apologise for our silence and the ambiguities of our message, whose sole destinataries did not understand the profound meaning.
These 72 hours spent in silence have been important for us to speak with our families, our relatives, and to confirm the efficiency of our contingency plans and our intents.
These 72 hours had hoped for a long time.
As you know, the last weeks have been hectic. Whilst we were diverting you, the FBI, Mandiant, and a few others by paralyzing Jaguar factories, (superficially) hacking Google 4 times, blowing up Salesforce and CrowdStrike defences, the final parts of our contingency plans were being activated.
You might or might not have realized, but our behaviour evolved recently. When we entered into Google systems, we decided not to pursue over a certain point. In between others, we willingly left them in wonder of whether Google’s Workspace, Person Finder, GMAIL including legacy branches got dominated.
This has been happening more and more, as we decided to progressively abandon some of our tools (Hello, Tutanota) and our correspondents to their own faith.
Will Kering, Air France, American Airlines, British Airlines, and among many other critical infrastructure face THE CONSEQUENCES OF THEIR PUBLIC OR SECRET databreaches? I’d wonder too if I was them, as they know some have yet to receive any demand for ransom – or anything else.
Are their data currently being exploited, whilst US, UK, AU, and French authorities fill themselves with the illusions thinking they have gotten the situation under control?
Do they know that we’re observing them as they painfully try to upload their HD logos to the BF servers? As they painfully try to convince judges that they have found, for the second time in a row, the real Hollow? As they pretend to arrest members of the real dark forces, on the other side of the Mediterranean, to better protect the system and its real leaders?
Have they not realized we were everywhere?
Vanity is never but an ephemeral triumph. And manipulation of opinion is never anything else than vanity.
This is why we have decided that silence will now be our strength.
You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active.
Judicial decisions will keep on busy police officers, magistrates and journalists.
They will all be dead traces of the past.
We want to share a thought for the eight people that have been raided or arrested in relations to these campaigns, Scattered Spider and/or ShinyHunters groups since beginning on April 2024 and thereaftert 2025, and especially to the four who are now in custody in France.
We want to expand our regrets to their relatives, and apologise for their sacrifice. Any State needs its scapegoat. Those carefully selected targets are the last collateral victims of our war on power, and the use of our skills to humiliate those who have humiliated, predate those who have predated. We have ensured that the investigations targeting them will progressively fall apart, and that their mild vanity peccati will not inflict on them, long term consequences.
We have done so by ensuring that enough of our dirty laundry would hint to them, whilst keeping them away from any serious liability. We’ve learnt this from the best. This fine, funambulist equilibrium, so few are capable of reaching, is taught on an every day basis at Langley.
This is the last lesson we wanted to share with you. Talent and skill is not everything. Planning and power rule the world.
We will not try to help anyone anymore, directly or indirectly, to establish their innocence.
We’ve decided to let go.
It is now time to offer you what you have been waiting for. The truth.
We LAPSUS$, Trihash, Yurosh, yaxsh, WyTroZz, N3z0x, Nitroz, TOXIQUEROOT, Prosox, Pertinax, Kurosh, Clown, IntelBroker, Scattered Spider, Yukari, and among many others, have decided to go dark.
Our objectives having been fulfilled, it is now time to say goodbye.
If you worry about us, don’t. The most stupid (Yurosh, Intel – say hi, you poor La Santé impersonator) will enjoy our golden parachutes with the millions the group accumulated. Others will keep on studying and improving systems you use in your daily lifes. In silence.
Others finally will just go gentle into that good night.
Thank you to everyone who has watched and stuck around.
Goodbye.
Comment by DataBreaches
Will they really stay silent and avoid blackhat activities? That remains to be seen. But as they note, even if they do stick to a vow of silence, we may still be hearing about their activities when already-completed hacks first become publicly known.
There is much in their statement that raises questions that ShinyHunters declined to elaborate on, such as what government agencies they have hit and how they know what French law enforcement and the FBI are actually doing. You may have other questions as well.
DataBreaches assumes that there is a healthy dose of disinformation thrown into their statement as well, but to those who plan to go silent and actually retire from blackhat activities, DataBreaches wishes you success in changing your lives.
For those who don’t, please think of your families. I cannot tell you how many young people have contacted me in the past few years because they got caught. And while they were worried for themselves — and understandably so given that they were all facing felonies with long prison sentences — what got them most was seeing their parents crying and ripped apart.
Updates: Shortly after their goodbye message was also uploaded to their Telegram channel, they decided to say “goodbye” another way — they posted redacted screengrabs that look like they may have come from CJIS.
If so, DOJ has a serious problem depending on what these folks accessed or acquired. DataBreaches has emailed DOJ to ask if CJIS has been hacked and will update this post when a reply is received.
Update 2: ShinyHunters subsequently made some minor wording edits to their statement. Those changes have been incorporated in the version in this post.