Last Updated: September 9th, 2025 | 11 min read | Categories: Data Exfiltration, Ransomware, Variants

A New Cybercrime Alliance

In recent weeks, a new cybercrime alliance has formed that ties together three notorious hacking crews: Scattered Spider, Lapsus$, and ShinyHunters. These groups, known for social engineering, data breaches, and brazen extortion, appear to have joined forces under a banner called Scattered Lapsus$ Hunters.

The collaboration became public via a Telegram channel where the threat actors began leaking stolen data, extorting victims, and taunting authorities in a public way. Security researchers have long suspected overlaps between these gangs through an underground community called “The Com,” and now the cybercriminals themselves are effectively confirming it with this joint effort.

Who Are These Cybercrime Groups?

The Com - groups unite

Scattered Spider is a financially motivated group that has been active since 2022, infamous for voice-phishing help desks and SIM-swapping to breach companies, often deploying ransomware through partners such as ALPHV/BlackCat. They have targeted telecom, retail, insurance, and aviation companies, disrupting US casinos as well as UK retailers like Marks & Spencer and the Co-op.

Lapsus$ used extensive social engineering and public extortion (such as holding polls on whom to hack next) and attracted heavy media attention in 2021–2022 for its daring hacks of Okta, NVIDIA, Microsoft, and other companies. Multiple Lapsus$ members were arrested in 2022, pausing its activity, but its tactics unfortunately live on.

ShinyHunters, active from around 2020, built a reputation by stealing databases of user data from companies (often via credential leaks or API access) and selling or extorting with that information. They were behind a spree of breaches in 2020 and have recently resurfaced targeting cloud apps like Salesforce.

All three groups are loosely connected through “The Com” community, often sharing members or collaborating on attacks. This new alliance essentially rolls their combined tactics and clout into one operation.

A Collaboration Announced on Telegram

On August 8, 2025, a Telegram channel with the name “scattered lapsu$ hunters – The Com HQ SCATTERED SP1D3R HUNTERS” went live. In its first few days, the channel’s admins, using handles tied to “Shiny” (ShinyHunters’ alias) and others, posted a whirlwind of leaks and claims. They shared partially redacted screenshots as proof of newly breached victims, dropped snippets of stolen data, and even announced plans to launch their own ransomware-as-a-service offering called “SH1NYSP1D3R”.

Observers noted that the content resembled what each group had done individually on their own channels: data leak teasers, direct sale offers, polls, and brash taunts, but now all in one place. After just four days of chaotic activity, Telegram banned the channel, but the crew quickly reappeared in a backup channel to continue their spree.

This Telegram channel essentially became the public face of their collaboration, mixing the groups’ signature antics. Posts included “hit me up” messages offering stolen data for sale, meme-filled rants at security firms, and countdown timers threatening data dumps if ransom demands weren’t met.

In one poll, they even let followers vote on which victim’s data to leak next, a tactic straight out of Lapsus$’ playbook. The channel’s very title smashed together the brands “Scattered,” “Lapsus$,” and “Hunters,” making it clear that these cybercriminals want the world to know they’ve united their forces.

Data Leaks, Victims, and Extortion Demands

Scattered Lapsus$ Hunters wasted no time outing victims and dumping data. Between the channel’s launch on a Friday and its disappearance by Monday, they claimed hacks of multiple high-profile organizations. These included luxury fashion brands Gucci and Chanel, retailer Victoria’s Secret, and even automotive giant Subaru.

The cybercriminals didn’t stop at corporate targets; they boasted of breaching government entities like the U.S. Department of Homeland Security and Britain’s National Crime Agency (NCA), though such claims remain unverified.

To prove their bona fides, the group leaked snippets of stolen databases. For example, they published a database purportedly from Coca-Cola Europacific Partners (a major Coca-Cola bottler) and provided a download link. In one Gucci sample, they exposed 100 customer records (names, birthdays, contact info, etc.) as a teaser.

In another post, the group listed CSV files and explicitly offered the Neiman Marcus data to interested buyers. The criminals even leaked internal documents: they dropped legal papers like an injunction that Qantas Airways served to block ShinyHunters from leaking data, as well as a subpoena Google received, showcasing that even the victims’ legal responses were being scooped and weaponized.

Several extortion demands accompanied these leaks. According to private chats shared by the group, Qantas was asked to pay A$1 million (≈$650k USD) to prevent a leak. Tech giant Google also received a ransom note (amount undisclosed) after the attackers stole data from Google’s employee Salesforce system.

Posts on the channel referenced these shakedowns, and in Google’s case the cybercriminals even leaked the notification email that Google sent to affected parties about the breach.

The message to Google was clear: we have your data and will leak it if you don’t pay. For companies that tried legal avenues instead of paying, the group seemed happy to leak the legal docs themselves as retaliation (as happened with Qantas and the UK’s Legal Aid Agency).

Chaotic Telegram Posts and Tactics

One notable characteristic of this alliance is its extreme communication style.

The Telegram channel was nothing like a typical cybercrime network; it was more like a rowdy group chat. The cybercriminals would drop a serious threat one moment and a meme or trolling remark the next. Partial leaks were posted as teasers (e.g. a few rows from a stolen database), often accompanied by the caption “HMU” (“hit me up”) for anyone interested in buying the full data.

They spiced their posts with internet slang and mockery; even the technical instructions came with jokes.

For example, one message warned victims in deliberately broken English: “DO NAAT REDEAM DA SALESFARCE COADE!!!”. This line (“Do not redeem the Salesforce code”) referred to the one-time login codes they had phished from employees: the cybercriminals were taunting organizations not to invalidate those codes, because doing so would cut off their access.

The Telegram channel also became a stage for directly confronting authorities and security firms. In one dramatic post (shown below), the group demanded the release of an arrested comrade and threatened to leak a UK government database if it didn’t happen. They signed off that threat with “come get me NCA uwu meow”, mixing a challenge to the UK’s National Crime Agency with anime-style emoticons, a blend of outrage and trolling.

In another instance, a channel admin personally name-dropped the CEO of CrowdStrike, claiming to have insider information for sale and warning the CEO to cooperate or else. (There’s no sign CrowdStrike gave in to this extortion.) This performative brazenness is very much in line with Lapsus$’s old antics, where they’d openly ridicule their victims and law enforcement.

It’s all about public spectacle: the group knows that by acting outrageous in public channels, they can embarrass victims and attract media attention, which in turn puts even more pressure on those victims to pay up.

Beyond the showmanship, the Scattered Lapsus$ Hunters are also sharing tools and techniques. They have advertised a range of exploits for sale or use, claiming to possess zero-day exploits for enterprise software. The group released a proof-of-concept exploit for SAP NetWeaver (an enterprise application platform) on their channel.

Perhaps the most problematic development is their plan to launch a new ransomware-as-a-service program dubbed “SHINYSP1D3R.” On Telegram they hyped it up as a “first kernel-level ESXi locker” and bragged that “LockBit and DragonForce are nothing compared to SHINYSP1D3R upcoming RaaS!!!!!!!!”.

They essentially claim to be building a supercharged ransomware (targeting VMware ESXi hypervisors at the kernel level) that they could lease out to affiliates. While this is likely bluster until proven otherwise, it does show an intent to pivot from data theft into full-blown ransomware operations.

Scattered Spider in the past has already dabbled in ransomware by collaborating with established gangs. If ShinyHunters’ data theft expertise merges with Scattered Spider’s ransomware partnerships, the result could be a more end-to-end extortion threat (steal data and encrypt networks).

One of the leaders, known as “Shiny,” said in a chat, “If trillion-dollar companies like Google can’t stop us, then billionaires don’t stand a chance… We’ll go quiet for a while, then return with another long campaign, Snowflake 3.0, and it’ll be much worse next time.” This shows their strategy: launch major attacks, disappear to avoid attention, then come back stronger, learning and growing each time.

They’re even trying to recruit employees with access to Fortune 500 companies. They want employees to help them break into new targets in exchange for a share of the profits. Their boldness, openly recruiting and bragging in public, shows they feel untouchable or want others to believe they are.

Protect Your Business With BlackFog ADX

What we’re seeing from the Scattered Lapsus$ Hunters alliance isn’t just a handful of cybercriminals acting out online; it’s a coordinated effort that’s already having a tangible impact on companies and governments. If organizations aren’t prepared for these kinds of threats, they’re setting themselves up for disaster.

That’s why solutions like BlackFog are more important than ever.

BlackFog ADX delivers anti data exfiltration (ADX) technology that helps you detect and block threats before they can cause real damage, protecting against ransomware, data theft, and more. It’s not just about reacting to an attack, but preventing it from ever succeeding.

If you’re serious about protecting your business from groups like this, visit blackfog.com/ADX to learn how ADX can help.
