Increasing Collaboration of Cybercrime Groups: How ThreatResponder Can Prevent Advanced Threats
Cybercrime is undergoing a structural transformation. What was once a fragmented ecosystem of independent ransomware operators and data extortion gangs has evolved into a highly collaborative network. These alliances are not informal partnerships—they resemble organized crime cartels, pooling resources, sharing infrastructure, and exchanging tactics to maximize impact. For defenders, this means faster attacks, more sophisticated techniques, and a broader threat surface.
This article explores the growing trend of cybercrime collaboration, highlights recent alliances such as Scattered LAPSUS$ Hunters and the LockBit–Qilin–DragonForce coalition, and explains how ThreatResponder equips organizations to counter these advanced threats.
The Shift Toward Cybercrime Cartels
Why Groups Are Joining Forces
The ransomware economy thrives on efficiency. By collaborating, threat actors can:
- Accelerate attack timelines through division of labor—initial access brokers, social engineering specialists, and ransomware affiliates working in sync.
- Share infrastructure and tooling, reducing operational costs and increasing resilience against law enforcement actions.
- Expand affiliate networks, ensuring continuity even after major takedowns.
Notable Collaborations in 2025
Scattered LAPSUS$ Hunters
One of the most significant developments this year was the emergence of Scattered LAPSUS$ Hunters, a supergroup combining Scattered Spider, LAPSUS$, and ShinyHunters. This alliance blended social engineering expertise, insider recruitment tactics, and large-scale data trading capabilities, enabling rapid compromise and monetization.
LockBit, Qilin, and DragonForce Coalition
Another major event was the announcement of a coalition between LockBit, Qilin (also known as Agenda), and DragonForce. This partnership aims to consolidate resources, share affiliates, and dominate the ransomware market. While joint operations have yet to be confirmed, the intent signals a future of coordinated campaigns and shared tradecraft.
Affiliate Fluidity and Brand Churn
Groups like Scattered Spider exemplify the affiliate-driven model. Known for partnering with ALPHV/BlackCat, RansomHub, and now DragonForce, Scattered Spider demonstrates how initial access specialists pivot between brands seamlessly. Similarly, Hunters International emerged from the remnants of Hive, reusing code and infrastructure to maintain operational momentum.
Why This Matters for Defenders
The implications of these alliances are profound:
- Faster Intrusions: Coordinated crews can move from initial compromise to full-scale ransomware deployment in hours.
- Tooling Convergence: Techniques pioneered by one group—such as LockBit’s automation and double-extortion model—are rapidly adopted across coalitions.
- Brand Obfuscation: Rebrands and co-branded attacks render “block by name” strategies ineffective. Behavioral detection is now essential.
- Expanded Targeting: Coalitions are focusing on high-value sectors, including healthcare, retail, and government, with increased emphasis on ESXi environments and SaaS platforms.
How ThreatResponder Counters Cartel-Style Threats
NetSecurity’s ThreatResponder is engineered to neutralize advanced threats through proactive detection, rapid containment, and forensic depth. Unlike point solutions, it delivers an all-in-one platform that combines:
- EDR + ITDR — to detect endpoint and identity threats, including credential abuse that often follows perimeter compromises.
- Threat Hunting & Forensics — enabling security teams to investigate post-exploitation activity and uncover stealthy ransomware behaviors.
- Integrated Vulnerability Management — giving CISOs visibility into exposed assets and missing patches before attackers exploit them.
- Threat Intelligence Feeds — enriched with global insights on adversary tactics, techniques, and procedures used by cybercrime groups.
With ThreatResponder, organizations gain unified visibility, proactive detection, and automated response to stop advanced ransomware attacks before they cause damage.
