Cybercrime Giants Unite: Scattered Spider, LAPSUS$, ShinyHunters Form Dangerous Alliance Targeting Salesforce

Unprecedented Cybercrime Alliance: Scattered Spider, LAPSUS$, and ShinyHunters Unite

In a significant development within the cybercriminal landscape, three notorious hacking groups—Scattered Spider, LAPSUS$, and ShinyHunters—have merged to form a formidable collective known as Scattered LAPSUS$ Hunters (SLH). This alliance, emerging in early August 2025, has rapidly escalated its operations, particularly targeting organizations utilizing Salesforce platforms.

Formation and Operations

Since its inception on August 8, 2025, SLH has established at least 16 Telegram channels, each new channel replacing one that had been taken down, a pattern that reflects the group’s resilience against platform moderation efforts. Trustwave SpiderLabs, a cybersecurity firm, observed this pattern, noting the group’s determination to maintain a public presence despite repeated disruptions.

SLH’s primary modus operandi is data extortion: stealing data from victims and demanding payment under threat of leaking it. The group offers an extortion-as-a-service (EaaS) model, allowing affiliates to leverage the collective’s brand and notoriety when demanding ransoms from targeted organizations. This approach both amplifies the group’s reach and diversifies its revenue streams.

Affiliations and Structure

The alliance is part of a broader, loosely connected cybercriminal enterprise referred to as The Com. This network is characterized by fluid collaborations and brand-sharing among various threat actors. Within this framework, SLH has exhibited associations with other clusters, notably CryptoChameleon and Crimson Collective.

Key entities within SLH include:

– Shinycorp (aka sp1d3rhunters): Acts as a coordinator, managing the group’s brand perception and strategic direction.

– UNC5537: Linked to the Snowflake extortion campaign, contributing technical expertise and operational support.

– UNC3944: Associated with Scattered Spider, bringing additional resources and capabilities to the collective.

– UNC6040: Connected to recent Salesforce vishing campaigns, enhancing the group’s phishing and social engineering tactics.

Administrative roles within SLH are filled by individuals such as Rey and SLSHsupport, who focus on sustaining engagement and coordinating activities. Additionally, a figure known as yuka (aka Yukari or Cvsp) is recognized for developing exploits and serves as an initial access broker (IAB), facilitating entry points for cyberattacks.

Communication and Coordination

Telegram serves as the central hub for SLH’s coordination and public relations efforts. The group utilizes this platform to disseminate messages, coordinate operations, and market their services, adopting a style reminiscent of hacktivist groups. This strategy not only amplifies their reach but also fosters a sense of community among members and affiliates.

Administrative posts within these channels often include signatures referencing the SLH/SLSH Operations Centre, projecting an image of an organized command structure. This bureaucratic facade lends legitimacy to their communications and operations, despite the inherently fragmented nature of cybercriminal activities.

Tactics and Targets

SLH has been particularly aggressive in targeting organizations using Salesforce, employing sophisticated vishing (voice phishing) campaigns to gain unauthorized access. In these attacks the callers impersonate legitimate entities to deceive employees into divulging credentials or other sensitive information, which the group then uses to access and steal data for extortion.

The group’s activities are not limited to data theft and extortion. They have hinted at developing a custom ransomware family named Sh1nySp1d3r (aka ShinySp1d3r), positioning themselves to rival established ransomware groups like LockBit and DragonForce. This potential expansion into ransomware operations signifies a strategic diversification aimed at increasing their impact and profitability.

Public Engagement and Propaganda

Beyond their direct cybercriminal activities, SLH engages in public propaganda efforts. They have used their platforms to accuse Chinese state actors of exploiting vulnerabilities they claim to have discovered, positioning themselves as both victims and vigilantes. Simultaneously, they have targeted U.S. and U.K. law enforcement agencies, portraying these institutions as adversaries.

In a bid to involve their audience, SLH has invited channel subscribers to participate in pressure campaigns. These initiatives encourage individuals to identify and relentlessly email C-suite executives of targeted organizations, offering a minimum payment of $100 for their efforts. This tactic adds pressure to the group’s extortion campaigns while creating a sense of participation among its followers.

Implications and Outlook

The formation of SLH represents a significant evolution in the cybercriminal ecosystem. By uniting the resources, expertise, and reputations of Scattered Spider, LAPSUS$, and ShinyHunters, the collective poses an enhanced threat to organizations worldwide. Their collaborative approach allows for more sophisticated attacks, increased operational resilience, and a broader range of targets.

Organizations, particularly those utilizing platforms like Salesforce, must remain vigilant. Implementing robust cybersecurity measures, conducting regular security audits, and fostering a culture of awareness among employees are critical steps in mitigating the risks posed by such advanced threat actors.

As SLH continues to evolve, the cybersecurity community must adapt its strategies to counteract the growing sophistication and coordination of cybercriminal alliances. Collaborative efforts between private sector entities, law enforcement agencies, and cybersecurity researchers are essential in developing effective defenses against these emerging threats.