In the ever-evolving landscape of cybercrime, the lines between individual threat actors and coordinated alliances are blurring. A recent and particularly brazen development is the emergence of a new collective calling itself "Scattered Lapsus$ Hunters." This group represents a significant, if chaotic, merger of three well-known cybercrime entities: Lapsus$, ShinyHunters, and Scattered Spider.
A Brief History of the Players
To understand this new alliance, we must first look at the individual actors who comprise it.
Lapsus$ burst onto the scene in late 2021, quickly gaining notoriety for a series of high-profile attacks against technology giants like Nvidia, Samsung, Microsoft, and Okta. Unlike traditional ransomware gangs, Lapsus$ often did not deploy encryption malware. Instead, their primary tactics focused on extortion through data theft and public humiliation of their victims.
The group's signature was its use of Telegram channels for public communication. They would openly taunt victims, post updates on their breaches, and even poll their followers on which company to target next. Key members, largely young individuals from the UK and Brazil, have since been arrested and convicted — leading many to believe the group had dissolved. Until now.
Active since at least 2020, ShinyHunters is a financially motivated group specializing in large-scale data breaches and the subsequent sale of stolen data. They have been responsible for a string of major incidents involving companies like Ticketmaster, AT&T, and various LVMH brands.
The group's name, a nod to the "shiny" Pokémon found in video games, masks a highly effective and ruthless operation. Their methods have evolved from exploiting unsecured cloud buckets and scraping GitHub repositories to more sophisticated social engineering, including vishing (voice phishing) campaigns that impersonate IT staff.
Known for its sophisticated social engineering and SIM-swapping attacks, Scattered Spider has a reputation for being financially driven and highly effective. The group's members, primarily young, native English speakers from North America and the UK, are known for their ability to bypass multi-factor authentication (MFA) and infiltrate corporate networks.
They have been linked to attacks on major companies in the retail, technology, and financial sectors, often targeting organizations that use platforms like Salesforce. Scattered Spider is also part of a larger cybercrime network known as "The Community" or "The Com," which fosters collaboration among young hackers.
The Birth & Evolution of Scattered Lapsus$ Hunters
The recent collaboration between these groups became public with the launch of a new Telegram channel named "Scattered Lapsus$ Hunters." This alliance, believed to be a merger of members from all three groups, has wasted no time in making its presence known. The collective is part of a broader, loosely organized network of English-speaking hackers known as "The Community" or "The Com," which has historically been a breeding ground for these types of threat actors.
Tactics and Collaboration Details
The new collective has combined the signature tactics of its predecessors: Scattered Spider's expertise in social engineering and phishing, ShinyHunters' experience in mass data theft, and Lapsus$'s flair for public spectacle and direct extortion. The result is a "log in, not hack in" approach: rather than breaking through the network perimeter, the attackers obtain valid credentials and sessions by targeting human trust and identity management systems.
The group's Telegram channel serves as a public-facing platform for their activities. It has been used to post partially redacted screenshots of compromised systems, announce victims, and openly taunt law enforcement and security firms. In a particularly bold move, they have even used the channel to recruit malicious insiders from Fortune 500 companies, offering a share of the profits.
A prime example of their collaboration is the widespread Salesforce hack that affected multiple organizations, including Google, Qantas, Adidas, and Chanel. The attackers used a sophisticated vishing campaign to trick employees into installing a malicious replica of the Salesforce Data Loader app. Once an employee authorized it, the fake app gave the attackers persistent access to the Salesforce environment and allowed them to exfiltrate vast amounts of sensitive customer and business data.
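The defensive counterpart to the Data Loader lookalike is a periodic review of which third-party apps users have authorized. The following is an added example, not code from the original post or from Salesforce: it runs over a constructed list of app-authorization events (the field names and client ids are assumptions for this example, not a real log schema), flags apps whose client id is not on an allow-list, and catches names that imitate an approved app through spacing, case or digit-for-letter swaps.

```python
import re
import unicodedata

# Constructed sample of connected-app authorization events. Field names and
# client ids are invented for this example, not Salesforce's real schema.
EVENTS = [
    {"user": "alice@example.com", "app": "Data Loader", "client_id": "app-id-trusted-dl", "scopes": "api refresh_token"},
    {"user": "bob@example.com", "app": "Data L0ader", "client_id": "app-id-unknown-01", "scopes": "api refresh_token full"},
    {"user": "carol@example.com", "app": "Salesforce Dataloader", "client_id": "app-id-unknown-02", "scopes": "api refresh_token"},
    {"user": "dave@example.com", "app": "Slack", "client_id": "app-id-trusted-slack", "scopes": "api"},
]

# Allow-list keyed by client id: the display name is trivially forged by a
# replica app, the publisher's real client id is not.
APPROVED_CLIENT_IDS = {"app-id-trusted-dl", "app-id-trusted-slack"}
PROTECTED_NAMES = {"dataloader"}
LEET = str.maketrans("013457", "oleast")  # common digit-for-letter swaps

def normalize(name):
    """Collapse accents, case, spacing/punctuation and leetspeak for comparison."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9]", "", s.lower())
    return s.translate(LEET)

def looks_like_protected(name):
    n = normalize(name)
    return any(p in n for p in PROTECTED_NAMES)

def review(events):
    """Return findings for every authorization that is not on the allow-list."""
    findings = []
    for e in events:
        if e["client_id"] in APPROVED_CLIENT_IDS:
            continue
        reasons = ["client_id not on allow-list"]
        if looks_like_protected(e["app"]):
            reasons.append("name imitates an approved app")
        if "refresh_token" in e["scopes"].split():
            # A refresh token is what turns a one-off grant into persistent access.
            reasons.append("refresh_token grants persistent access")
        findings.append({"user": e["user"], "app": e["app"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review(EVENTS):
        print(f"{f['user']}: {f['app']!r} -> {'; '.join(f['reasons'])}")
```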
The attack on Jaguar Land Rover (JLR), which the collective has claimed, serves as a stark example of how a cyber intrusion can cripple a global enterprise. The attack forced the company to take its critical IT systems offline, leading to a temporary halt in production at factories in the UK and abroad. This disruption affected not only JLR's operations but also its network of suppliers and dealerships, costing the company millions in lost revenue.
The collective has advertised a new ransomware-as-a-service (RaaS) offering called "SH1NYSP1D3R" or "ShinySpider." This marks a potential pivot for the groups, combining their traditional data theft and extortion with the added threat of data encryption. They have reportedly bragged that their new offering will be more powerful than established ransomware groups.
The New Frontier: Infostealer Data as a Weapon
Attackers rarely start from scratch. Instead, they purchase vast quantities of "infostealer" data from underground marketplaces. This data, harvested by malware from compromised personal devices, often includes not only usernames and passwords but also session cookies that can bypass MFA.
Groups like Scattered Lapsus$ Hunters use this trove of information as an initial access vector. They can search the logs for credentials belonging to employees of a target company, giving them a foothold for a larger attack. This process makes their attacks more efficient and more difficult to defend against, as the initial compromise often occurs on an employee's personal device, outside of the company's direct security controls.
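Because a stolen session cookie is presented by a device that never performed the MFA login, the defensive signal is a session whose later requests no longer match the device that minted it. The following is an added example, not code from the original post or from any product: it parses a constructed access log (the format is an assumption for this example) and flags a session used from a different network and browser than the one that passed MFA.

```python
import ipaddress
from datetime import datetime

# Constructed access log for this example (not a real product's format).
# Columns: time, session id, user, source IP, user agent, event.
LOG = """\
2025-09-10T08:01:00 s-1a2b alice 203.0.113.10 Chrome/128-Windows login_mfa_ok
2025-09-10T08:05:00 s-1a2b alice 203.0.113.10 Chrome/128-Windows GET /crm/accounts
2025-09-10T13:42:00 s-1a2b alice 198.51.100.7 Firefox/130-Linux GET /crm/accounts/export
2025-09-10T09:00:00 s-9f8e bob 192.0.2.20 Safari/17-macOS login_mfa_ok
2025-09-10T09:30:00 s-9f8e bob 192.0.2.21 Safari/17-macOS GET /crm/reports
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, sid, user, ip, ua, event = line.split(" ", 5)
        rows.append({"ts": datetime.fromisoformat(ts), "sid": sid, "user": user,
                     "ip": ipaddress.ip_address(ip), "ua": ua, "event": event})
    return rows

def same_network(a, b, prefix=24):
    """Treat a small address change (e.g. DHCP within one /24) as the same device."""
    return (ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{b}/{prefix}", strict=False))

def find_replayed_sessions(rows):
    """Return (session, user, reason) for requests not matching the MFA login device."""
    origin = {}  # session id -> the MFA login row that minted the cookie
    alerts = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["event"] == "login_mfa_ok":
            origin[r["sid"]] = r
            continue
        o = origin.get(r["sid"])
        if o is None:
            alerts.append((r["sid"], r["user"], "session used without an observed MFA login"))
            continue
        changed = []
        if not same_network(r["ip"], o["ip"]):
            changed.append(f"network {o['ip']} -> {r['ip']}")
        if r["ua"] != o["ua"]:
            changed.append(f"user agent {o['ua']} -> {r['ua']}")
        if changed:
            alerts.append((r["sid"], r["user"], "cookie replayed: " + ", ".join(changed)))
    return alerts

if __name__ == "__main__":
    for sid, user, reason in find_replayed_sessions(parse(LOG)):
        print(sid, user, reason)
```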
The Broader Impact on Industries
This collective's targeting is not limited to any single sector. Their attacks have impacted a wide range of industries, demonstrating their adaptability and focus on high-value targets:
- Luxury goods: brands like Louis Vuitton, Chanel, and Dior have been affected, with attackers targeting customer data and client service platforms.
- Aviation: airlines like Qantas and Air France-KLM have had their loyalty and customer databases compromised.
- Technology and telecommunications: companies including Google and AT&T have been hit through credential theft and social engineering.
- Financial services: banks and insurance companies have been compromised through their use of cloud-based CRM systems.
Any organization with valuable data and a digital presence is a potential victim, particularly if they rely on third-party SaaS platforms and have a global, interconnected supply chain.
How Mjolnir Security Can Help
Mjolnir Security has extensive experience tracking and mitigating the threats posed by groups like Lapsus$, ShinyHunters, and Scattered Spider. Our approach is proactive, focusing on preventing the initial access that these groups rely on.
- Social Engineering and Vishing Simulations: We conduct targeted simulations to test your employees' resilience against the very tactics used by Scattered Lapsus$ Hunters, including vishing and credential phishing. This service helps identify and correct vulnerabilities in your human firewall.
- Managed Detection and Response (MDR): Our team provides 24/7 monitoring and rapid incident response to detect and neutralize threats before they can escalate to a full data breach or extortion event. We leverage advanced threat intelligence to stay ahead of the latest TTPs.
- Identity and Access Management (IAM) Hardening: We help you implement and enforce robust IAM policies, including strong multi-factor authentication (MFA) and privileged access management (PAM), to make it significantly harder for these groups to gain a foothold even with compromised credentials.
Mjolnir Security has a proven track record of helping organizations defend against these threat actors. In several cases, our proactive defenses have successfully thwarted attacks linked to this collective. Our vishing simulation and employee training helped a major financial services firm identify a potential insider threat and prevent an attack that mirrored the tactics used by Scattered Spider and ShinyHunters.