After observing the formation of a powerful alliance between three notorious ransomware groups—Shiny Hunters, Scattered Spider, and Lapsus$—it appears that cybercriminals are adapting to law enforcement pressures by forming even larger, more coordinated networks. In a strategic move to dominate the ransomware landscape, three more high-profile hacking groups—LockBit, DragonForce, and Qilin—have come together to form their own cartel. Their goal is to strengthen their operations, making them more resilient to law enforcement crackdowns and expanding their influence in the increasingly sophisticated world of cybercrime.
A recent study by ReliaQuest sheds light on the evolution of this coalition, revealing that these three groups began negotiations to combine their resources and expertise. Their goal was to create a unified front to more effectively tackle challenges posed by international law enforcement agencies. As authorities ramp up their surveillance and enforcement efforts, conducting ransomware-as-a-service (RaaS) operations has become increasingly difficult for cybercriminal organizations. Managing complex IT infrastructures, extorting money from victims, providing customer support, and avoiding legal repercussions have all become major headaches for these illicit networks.
To counter these challenges, LockBit, DragonForce, and Qilin have formed a collaborative alliance aimed at streamlining their operations, sharing resources, and operating in a more covert and distributed manner. By working together, they can not only reduce overhead costs but also ensure that if one faction is compromised—whether through arrests or law enforcement crackdowns—the remaining groups can continue their operations, minimizing disruption. The cartel’s efforts to conceal their activities and diversify their operations will make it more difficult for agencies like the FBI or Europol to dismantle them entirely.
According to the ReliaQuest report, DragonForce, which has ties to Scattered Spider, initiated the coalition, and LockBit and Qilin soon agreed to consolidate their efforts. This consolidation is seen as a way for the groups to increase their operational efficiency and longevity, ensuring that their cybercrime activities can continue smoothly even under the pressure of heightened law enforcement scrutiny.
However, history has shown that such coalitions often struggle with internal issues, particularly when it comes to the distribution of illicit funds. The most recent example of this is the collapse of the Scattered Spider, Lapsus$, and Shiny Hunters alliance, which dissolved in September 2025 due to disagreements over financial splits. While this dissolution is a cautionary tale, the new Russian-speaking cartel formed by LockBit, DragonForce, and Qilin is attempting to avoid these pitfalls by keeping their operations tightly controlled.
The key difference between the current cartel and the previous English-speaking alliance is the linguistic and cultural divide. The new coalition is primarily made up of Russian-speaking cybercriminals, while the former group had English-speaking members at the helm. This shift may play a role in the way the cartel operates, as the dynamics and organizational structure of these groups can vary significantly depending on their linguistic and regional backgrounds.
Despite the differences, one thing remains clear: these criminal networks are increasingly focused on bringing down networks through sophisticated cyberattacks, using ransomware as their primary weapon. The growing sophistication and cooperation between these groups suggest that the ransomware market will continue to evolve, making it harder for authorities to shut down these operations entirely.
Join our LinkedIn group Information Security Community!
