
For years, defenders have modeled cyber threats as separate actors operating in parallel. Ransomware groups chased profit. Nation-state actors focused on espionage. Hacktivists caused disruption. Each had distinct motives, tooling, and targets.
That mental model no longer reflects reality.
Today, many of the most capable threat actors are collaborating, sharing intelligence, and combining skill sets in adaptive, outcome-driven alliances. It is not a permanent merger or a single unified group. It is closer to a supergroup model. Different players come together, pool their strengths, execute campaigns, and either disband or continue working together when cooperation proves effective.
It may sound informal, but this “boy band” effect is becoming one of the most important dynamics in the modern threat landscape.
From isolated groups to coordinated operations
Threat actor collaboration is not new. Criminal forums and marketplaces have existed for years. What has changed is the depth and intent of cooperation.
Recent reporting on overlapping activity between groups such as ShinyHunters, LAPSUS$, and Scattered Spider illustrates how this model plays out in practice. These actors have demonstrated repeated convergence around shared access, tooling, or opportunities, collaborating when incentives align rather than operating as fixed, monolithic organizations. The result is a fluid ecosystem where roles and partnerships evolve based on what works, not rigid group identity.
We are now seeing groups coordinate across the full attack lifecycle. One team may specialize in initial access. Another focuses on lateral movement or credential abuse. A third handles data theft, extortion, or resale. Each contribution on its own may look unremarkable. Together, they form a campaign that is faster, more adaptive, and harder to detect.
These collaborations do not need to last long to be effective. A single coordinated operation can create more damage than months of isolated activity. In some cases, partnerships dissolve after a specific objective is met. In others, successful operations reinforce continued cooperation across multiple campaigns.
This is not chaos. It is optimization shaped by economics, opportunity, and protection.
Economics reward collaboration
The economics of cybercrime increasingly favor cooperation over competition.
As defenses improve and law enforcement pressure grows, easy wins are disappearing. Attackers are responding by reducing risk and increasing return. Sharing access shortens dwell time. Pooling reconnaissance lowers cost. Dividing profit across a successful campaign beats walking away empty-handed after a failed solo attempt.
From the attacker’s perspective, taking a smaller share of a larger outcome is simply rational. Collaboration allows them to move faster, minimize exposure, and adapt when conditions change.
That logic is not emotional or ideological. It is business.
The line between crime and espionage continues to blur
While collaborative criminal operations are reshaping the threat landscape, the blurring of criminal and nation-state activity is driven by a different set of incentives.
Tools originally built for espionage are repurposed for ransomware. Access gained through criminal campaigns is later used for intelligence collection. In many cases, criminal groups operate with an understanding of who provides protection, tolerance, or de facto safe harbor, shaping how and where they act. Malware families evolve into modular frameworks that can support multiple objectives depending on who controls them.
In this environment, labels like “criminal” or “state-sponsored” are less useful than understanding behavior, relationships, and the conditions that enable certain actors to operate with relative impunity. The same infrastructure, techniques, and access paths can support both motivations.
For defenders, this means planning for overlap, not separation. A campaign that looks financially motivated today may serve strategic objectives tomorrow using the same tooling.
Why defenders struggle to keep up
While attackers collaborate freely, defenders remain fragmented.
Threat intelligence is still siloed across vendors, industries, and regions. Valuable signals are often treated as proprietary rather than shared. Many organizations see only a small slice of a much larger campaign.
This creates a dangerous asymmetry. Attackers combine partial insights into a complete picture. Defenders dismiss anomalies because each one appears benign in isolation.
Many major incidents follow this pattern. Something looks unusual but not urgent. No single alert demands action. The connection is only obvious after the damage is done.
Speed compounds the problem
The pace of modern attacks makes this gap even more dangerous.
In many cases, attackers are in and out within minutes. Telemetry still needs to move from endpoints to back-end systems, through analysis pipelines, and into the hands of an analyst. By the time a human sees the alert, the opportunity to stop the attack has passed.
This makes trust in untested controls risky. Detection and response capabilities must work as expected without human intervention. Assumptions are no longer sufficient.
Defenders need confidence that their controls will detect coordinated, multi-stage attacks the moment they occur.
What needs to change
The rise of adversary supergroups requires a shift in defensive thinking.
First, intelligence sharing must become more operational. Reports alone are not enough. Insights must be timely, contextual, and usable across environments.
Second, organizations must continuously validate their defenses against real attacker behavior. Testing whether controls can stop today’s tactics is the only way to know they will perform tomorrow.
Finally, security teams must reward curiosity. Many threats are missed not because data is unavailable, but because the signal looks normal enough to ignore. In a collaborative threat landscape, that assumption is costly.
The new shape of cyber conflict
Cyber threats are no longer solo acts. They are coordinated performances built from shared access, shared intelligence, and shared tooling.
The “boy band” era of cybersecurity is not a metaphor for show. It reflects a structural shift in how attacks are assembled and executed. Defenders who continue to plan for isolated actors will fall behind those who recognize collaboration as the new baseline.
Attackers are already working together. Defense strategies must keep up accordingly.