In a significant blow to cybercrime, law enforcement agencies from the United States and France have successfully seized the onion leak website operated by the notorious Scattered LAPSUS$ Hunters collective. This operation, executed around October 9, 2025, involved prominent entities such as the U.S. Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), France’s Central Brigade of Cybercrime (BL2C), and the Paris Prosecutor’s Office. The seized website now displays a seizure notice featuring logos from these agencies, signaling a coordinated international effort to disrupt cybercriminal activities.
Background on Scattered LAPSUS$ Hunters
Emerging in August 2025, Scattered LAPSUS$ Hunters is an alliance of infamous hacking groups, including Scattered Spider, LAPSUS$, and ShinyHunters. This coalition, often referred to as the Trinity of Chaos within the cybercrime underworld, quickly escalated its activities by launching social engineering attacks on Salesforce tenants. They claimed to have stolen over one billion records from high-profile organizations such as Adidas, Cisco, McDonald’s, and Qantas Airways.
Their campaign blended data theft with extortion demands, utilizing BreachForums—a hacking bazaar previously shut down in 2023—as both a clearnet and Tor-based leak site to pressure victims into paying ransoms. By early October, the group had listed dozens of compromised entities, setting a deadline of October 10, 2025, for payments to avoid data dumps.
The Takedown Operation
The coordinated takedown targeted the BreachForums infrastructure, which the group had repurposed as a data extortion portal following a massive breach of Salesforce customer databases. Law enforcement agencies took control of BreachForums’ domains and backend servers, including database backups dating back to 2023. Visitors to the site, both on the clearnet (breachforums.hn) and onion versions, encountered an animated banner confirming the infrastructure’s transfer to federal hands, mirroring past takedowns like RaidForums in 2022.
Immediate Aftermath and Group’s Response
Although the Tor site was briefly restored, the operation prevented immediate large-scale leaks. The group defiantly posted on Telegram that "seizing a domain does not really affect our operations." In response, Scattered LAPSUS$ Hunters leaked data from six companies across aviation, energy, and retail sectors on October 10, including personal details like names, emails, and phone numbers, before declaring that there would be no further releases.
After the disruption, the collective announced a temporary dissolution on October 11, 2025, halting activities until 2026 to evade heightened law enforcement scrutiny. They also teased an Extortion-as-a-Service (EaaS) model and potential targets like the FBI and NSA.
Implications and Recommendations
Cybersecurity firms note that domain seizures rarely end such groups’ operations entirely, as they maintain Telegram channels and could relaunch mirror sites swiftly. Organizations are urged to monitor for renewed activity, enhance Salesforce security, and review their environments for indicators of compromise stemming from social engineering tactics.
This event underscores the persistent challenge of combating loosely organized cybercrime syndicates, with experts predicting the group’s return in a more covert form. As the dust settles, the incident highlights international cooperation’s role in curbing digital extortion, though vigilance remains essential in the evolving threat landscape.