Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chief

Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook


The global cyber threat landscape is undergoing a radical transformation, moving away from monolithic ransomware cartels toward highly volatile, fragmented splinter groups, a top UK police official has warned.

Speaking at Infosecurity Europe 2026, William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, told IT and security leaders that the modern cyber crime ecosystem has evolved into a highly accessible space.

Lyne compared the underground landscape to a bar where threat actors can "get everything but a good drink."

"It felt like cyber threats were all quite stovepiped. You had hacktivists, you had hostile state actors," Lyne explained, reflecting on his early career. Today, however, those lines have blurred. "Those kind of stovepipes... no longer really exist."

Instead, Lyne described a blended ecosystem of products, goods, and services that has dramatically lowered the barrier to entry for prospective criminals.

This shift has been heavily accelerated by cryptocurrencies, which solved the traditional criminal bottleneck of "cashing out."

Previously, threat actors lost up to 75% of their profits navigating complex, expensive money-mule networks. Today, cryptocurrency allows them to realize illicit gains almost instantly and with very little risk.

Fragmentation and the 'post-trust' era

While massive international law enforcement operations have successfully dismantled groups like LockBit and disrupted phishing-as-a-service (PhaaS) platforms, Lyne cautioned that the criminal underground is rapidly adapting.

"It's getting more diverse... [and] also much more fragmented," Lyne said. Following high-profile law enforcement crackdowns, cybercriminals have realized that operating as a massive, centralized brand or ransomware-as-a-service scheme is "actually quite bad for business."

Image: William Lyne, Head of Economic and Cybercrime at the Metropolitan Police Service, speaking on stage during a keynote presentation at Infosecurity Europe 2026 at the ExCel, London. (Image credit: ITPro/Rene Millman)

As a result, major ransomware operators are breaking off into smaller, independent factions.

This fragmentation is leading to a dangerous "post-trust" trend within the criminal ecosystem. Without the strict moderation and internal rules previously enforced by large cartel administrators, smaller threat actors are exhibiting more extreme, aggressive, and unpredictable behaviors.

The demographics of these attackers are also shifting. Lyne noted that the threat landscape is moving beyond traditional Russian-speaking hubs to include actors from Brazil, Türkiye, and English-speaking groups like the notorious Scattered Spider collective.

AI weaponizing hoarded data

Addressing the inevitable topic of AI, Lyne dispelled fears of autonomous systems launching end-to-end cyber attacks, but highlighted a pressing new risk for enterprise data privacy.

"These guys are generally not innovative," Lyne noted, explaining they only change their methods if they are "systematically earning less money... or they spy an opportunity to make more money."

Having stolen and hoarded petabytes of corporate data over the last decade, data that was rarely deleted even when victims paid the ransom, cyber criminals are now using AI tools to operationalize these massive "treasure troves" and mine historic datasets for new extortion and revenue streams.

Rewriting the law enforcement playbook

Faced with this agile, commoditized threat, the Met Police and its international partners are adopting aggressive new disruptive strategies.

"We can't arrest our way out of this problem," Lyne admitted, citing the jurisdictional complexities of cross-border cybercrime.

Instead, policing has shifted toward systemic disruption, psychological operations designed to undermine criminal trust, and targeting the foundational infrastructure of the cybercrime supply chain.

Crucially, this requires unprecedented collaboration with the private sector. Lyne emphasized that the Met Police is increasingly sharing intelligence with enterprise IT security teams and even naming industry partners who assist in operations on their site takedown pages.

"Ultimately, like, lots of these things just come down to trust," Lyne concluded, addressing the security professionals in the room.

"We want to have meaningful, both strategic and tactical collaboration with industry partners that we know hold some of the keys to... the challenges that we have in this space. The cultural change that we have undertaken, I think will continue so that we collaborate better moving forward."

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.