Met Police: Ransomware cartels fragment into splinter groups

Speaking at Infosecurity Europe 2026 in London, William Lyne, head of economic and cybercrime at the Metropolitan Police, warned that global ransomware cartels are fragmenting into smaller, more volatile splinter groups. He attributed the change to the spread of cryptocurrency and the use of artificial intelligence by criminal actors.

Lyne described the cyber criminal ecosystem as having moved from separate, stovepiped factions to a blended market of products and services that lowers the barrier to entry. He compared the underground to a place where actors can “get everything but a good drink,” saying the old divisions between hacktivists, state actors and organised ransomware gangs have blurred.

On payment methods, Lyne said cryptocurrency has solved a long-standing cash-out problem. Where threat actors once lost up to 75% of their revenue moving funds through complex money-mule networks, digital currency now allows faster conversion with lower risk. That ease of payment has coincided with a rise in smaller independent operators following takedowns of large groups such as LockBit and disruptions to phishing-as-a-service platforms.

The demise of large cartel brands has produced what Lyne called a “post-trust” environment inside the criminal ecosystem. Without the moderation and internal rules imposed by cartel administrators, smaller splinter groups are behaving more aggressively and unpredictably. Lyne said the fragmentation increases the diversity of threats and complicates responses by businesses and law enforcement.

Lyne also noted a geographic shift in activity, with actors spreading beyond traditional Russian-speaking hubs to include groups in Brazil and Türkiye, and English-speaking collectives such as Scattered Spider. He said the broader pool of actors creates new challenges for investigators working across jurisdictions.

Addressing artificial intelligence, Lyne rejected the idea of fully autonomous, end-to-end cyberattacks in the immediate term but warned of a growing threat to corporate data privacy. He explained that criminal groups have hoarded petabytes of stolen enterprise data for years, and are now using AI tools to mine those datasets for new extortion opportunities and other revenue streams. “These guys are generally not innovative,” he added, noting they change tactics when it affects their profits.

Faced with a more fragmented and commoditised threat, the Metropolitan Police and international partners are changing their approach. Lyne said traditional enforcement has limits—”we can’t arrest our way out of this problem”—and described a shift toward systemic disruption, psychological operations to undermine criminal trust, and strikes against the infrastructure that supports cybercrime. He called for closer intelligence-sharing and operational collaboration with private sector security teams and international partners to support those efforts.