SOCRadar® Cyber Intelligence Inc. | Dark Web Profile: Scattered Lapsus$ Hunters
Oct 03, 2025 (updated Nov 28, 2025)

Dark Web Profile: Scattered Lapsus$ Hunters

[Update] November 28, 2025: “Is the DLS Already on Its Way Out?” and “Rey, ShinySp1d3r and the Gainsight Breach”

In mid-2025, attackers launched coordinated intrusions into the Salesforce environments of many major global companies. The attackers claimed to have stolen data from 91 organizations, with victims such as Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz, Cisco, and Pandora.

The campaign is linked to a new cybercrime alliance called Scattered Lapsus$ Hunters, which unites members of Scattered Spider, Lapsus$, and ShinyHunters. These groups, already known for social engineering and extortion, now operate jointly and publicly through a Telegram channel where they leak stolen data, pressure victims, and taunt authorities. Importantly, no Salesforce vulnerabilities were exploited. Instead, the attackers relied entirely on social engineering.

Telegram post demanding 20 BTC from Salesforce CEO Marc Benioff 

Who Is Scattered Lapsus$ Hunters?

On August 8, 2025, a new Telegram channel appeared that allegedly united the brands and members of Scattered Spider, LAPSUS$, and ShinyHunters. The channel quickly became a hub for coordinated threats, staged data leaks, and even promotion of an “upcoming” Ransomware-as-a-Service (RaaS) offering called “shinysp1d3r.” Telegram eventually removed the channel, but not before it fueled several major campaigns.

Threat actor card of Scattered Lapsus$ Hunters

Public statements from ShinyHunters suggested a clear division of labor: Scattered Spider provided initial access, ShinyHunters specialized in data theft and publication, and LAPSUS$ members acted as amplifiers and extortionists.

| Name / Aliases | Key Tactics | Notable Incidents |
|---|---|---|
| Scattered Spider, Octo Tempest, 0ktapus, UNC3944, Scatter Swine | Social engineering of IT/help desks, SIM-swapping, MFA fatigue, use of remote-admin tools, ransomware deployment (DragonForce) | MGM Resorts (2023), Caesars, Clorox, Reddit, Coinbase, DoorDash, Okta |
| LAPSUS$, N/A | SIM-swapping, insider recruitment, social engineering, source-code theft | Microsoft (Bing/Cortana code leak, 2022), Nvidia, Samsung, Ubisoft |
| ShinyHunters, UNC6040 (Google), linked to The Com | Voice phishing, supply-chain compromises, SSO/OAuth abuse, CI/CD & Git repo access, shinysp1d3r RaaS | Snowflake (2024), Salesforce breaches (2025), large-scale data sales ($1M+ per set) |

On September 12, the FBI issued a FLASH alert attributing widespread Salesforce platform intrusions to two clusters: UNC6040, which Google’s Threat Analysis Group tracks as linked to ShinyHunters, and UNC6395, which overlaps with Scattered Spider activity. Both were tied to Scattered Lapsus$ Hunters operations. Google confirmed the campaign relied entirely on social engineering, specifically vishing and OAuth abuse, rather than exploiting flaws in Salesforce infrastructure.

Although the group later announced a so-called retirement, such exits in cybercrime circles rarely mark the end: at the time of writing this blog post, they had already launched a new Telegram channel.

Telegram channel info, this channel created on September 30, 2025

The Com

That’s not all: Scattered Spider, LAPSUS$, and ShinyHunters are tied to an even broader underground ecosystem known as The Com. This network, largely English-speaking and made up of teens and young adults, has been described as a cybercrime subculture rather than a single group. Within it, actors share tools, trade access, and collaborate on operations, with alliances shifting as campaigns evolve.

FBI Alert I-072325-3-PSA

Announcements of successful breaches often appeared on Com-linked Telegram channels such as “The Comm Leaks.” These outlets amplified operations, helped with recruitment, and acted as propaganda platforms. The FBI has warned that The Com is becoming a gateway into cybercrime for younger actors, driven by the lure of profit, notoriety, and shared identity.

What Are Scattered Lapsus$ Hunters’ Targets?

Scattered Lapsus$ Hunters attack organisations that hold large volumes of sensitive data or run critical services. They focus on Technology, Retail, Luxury Fashion, Aviation, and Insurance. High-profile victims include Adidas, Cartier, Google, Louis Vuitton, Dior, Chanel, Tiffany & Co., Qantas, Air France–KLM, Allianz, Cisco, and Pandora. They also target cloud platforms and SaaS providers such as Salesforce and Snowflake.

They take customer records, contact lists, loyalty and payment data, internal business documents, and engineering or source repositories. Stolen data often fuels extortion, public leaks, or downstream supply-chain attacks. In some cases, attackers used stolen access to disrupt operations, harm reputations, or sell access to other criminals.

Most victims are in English-speaking markets: the United States, United Kingdom, Canada, and Australia. Major firms in France and Germany have also been hit. The group targets multinational companies because they offer larger data pools and complex third-party integrations that attackers can exploit.

Target selection follows simple rules. The group prefers organisations with: large customer databases, extensive SaaS integrations, help-desk teams reachable by phone, weak controls around connected apps, and third-party vendors with broad access.

How Does Scattered Lapsus$ Hunters Operate?

In recent collaborative attacks by these threat groups, initial access is gained through voice‑phishing (vishing) and social‑engineering schemes. ShinyHunters likely hires Scattered Spider members to pose as IT help‑desk staff and call employees or contractors. These calls often begin with a calm tone and a fake IT issue; the caller then persuades the target to reset Multi‑Factor Authentication (MFA) tokens, install remote‑management tools, or navigate to a /setup/connect page in Salesforce to authorize a malicious app.

Scattered Lapsus$ Hunters’ attack scheme

AI‑driven voice agents allow them to automate calls, tailor responses to victim reactions and produce realistic accents, scaling vishing to thousands of targets easily. The alliance also leverages credential‑theft malware and insiders: infostealers harvest session cookies and passwords, while the group publicly recruits employees with access to Okta, Microsoft SSO or Git platforms. Exploiting simple misconfigurations or known vulnerabilities (e.g., in Oracle Access Manager) further expands their foothold. Scattered Spider is widely credited with securing this initial access, while ShinyHunters handles the subsequent data exfiltration and extortion.

Once inside an environment, the group abuses enterprise features to pivot laterally and harvest data at scale. Their campaigns against Salesforce illustrate this approach: vishing victims are tricked into authorizing connected apps in Salesforce, which produces long‑lived OAuth tokens that bypass MFA and grant programmatic access to CRM data.

Attack path diagram of Salesforce intrusions by Google

In short, attackers call employees posing as IT, then ask them to reset MFA, install remote tools, or visit Salesforce’s connected-app setup and enter a code. That action authorizes a malicious OAuth app, often a trojanized Data Loader, giving the attackers API access to query and export records.

The victim must enter a code to authorize a Data Loader controlled by the threat actor (Google)

The group also exploits session cookies collected by infostealer malware to hijack authenticated sessions, and they exfiltrate data from compromised CRM dashboards, such as customer records, flight logs and chat transcripts, before using the same dashboards’ outbound call features for further vishing.

These attack patterns mirror the past methods used by ShinyHunters and Scattered Spider. If the group persists or can offer a RaaS program, future attacks will likely follow these patterns to some degree.

Pinned message on their latest Telegram channel: “DLS coming within the next 48 hours.” 👀

Is the DLS Already on Its Way Out?

It has come and is about to go. The latest version of BreachForums, branded as Scattered Lapsus$ Hunters’ data leak site (DLS), serves as the group’s new stage. Built on the same infrastructure that once hosted the forum, the portal switched to pure extortion mode.

Scattered Lapsus$ Hunters’ data leak site (DLS)

The DLS was designed to publish data from companies that ignored ransom demands, with a public countdown timer set to mark each release. But just hours before the first leaks were due, law enforcement agencies moved in. The FBI and France’s BL2C seized the clearnet domain, taking the site offline and replacing it with a seizure notice.

While the group still operates its onion mirror, their control appears shaky. Internal messages hint at missing members and compromised servers, suggesting the takedown was more than just a domain seizure.

For further information, check out our blog post: BreachForums Seized (Yes, Again)

Rey, ShinySp1d3r and the Gainsight Breach

Since this profile first went live, new research has revealed more about the people and tools behind Scattered Lapsus$ Hunters (SLH). Reporting by KrebsOnSecurity links a key persona called “Rey” to the role of main administrator and technical operator for SLH.

The same research connects Rey to earlier activity around the Hellcat ransomware leak site and to the most recent relaunch of BreachForums. This supports the idea that SLH does not act alone, but operates inside a wider English-speaking cybercrime scene with a long history of data theft and extortion.

Furthermore, ShinySp1d3r samples have now been identified as an active Windows ransomware family, the one SLH was promoting as a Ransomware-as-a-Service offer. Earlier SLH posts treated ShinySp1d3r as something “coming soon”. New analysis shows live samples, a custom wallpaper and ransom note, and hints that Linux and ESXi builds may follow.

The ShinySp1d3r ransomware encryptor (Source)

Recently, SLH has claimed a major supply chain breach that runs through Gainsight applications connected to Salesforce. Salesforce reported “unusual activity” involving Gainsight published apps and revoked all related access and refresh tokens, while also removing those apps from the AppExchange during the investigation.

Allegedly upcoming DLS of Scattered Lapsus$ Hunters

Gainsight has since confirmed that attackers abused stolen OAuth tokens, originally taken in the earlier Salesloft Drift incident, to call Salesforce APIs through trusted integrations. Public reporting suggests that more than 200 Salesforce customers may be affected, while SLH claims about 300 Gainsight victims and close to 1,000 targets when they combine both campaigns.

For further reading: What You Need To Know About Gainsight Breach

How to Defend Against Scattered Lapsus$ Hunters?

Focus on people, apps, and rapid response. Use layered controls so social engineering cannot buy full access.

Prevent

  • Train staff to verify calls. Tell users to call back to a published IT number before acting.
  • Ban approving OAuth apps from unsolicited links. Require admin approval for any connected app.
  • Enforce phishing-resistant MFA (hardware keys or FIDO2) and stop “MFA fatigue” workarounds.
  • Limit who can install remote-management tools and require change control for them.
  • Apply least privilege to SaaS and cloud accounts. Remove unused admin roles and service accounts.
  • Allowlist approved connected apps and block unknown apps at the tenant level or via CASB.

Detect

  • Log and alert on connected-app approvals, unusual OAuth grants, and spikes in API/data export volume.
  • Monitor for new devices, new IPs, and uncommon session cookie reuse. Feed alerts into your SIEM.
  • Watch for small, repeated queries from a single API client. That often precedes bulk exfiltration.
  • Track recruitment or access offers on public channels, feeds, and the Dark Web. Ingest threat intel on UNC6040/ShinyHunters indicators.
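The three detection bullets above (alert on connected-app grants followed by large exports, watch for new source addresses, and catch small repeated queries from one API client) can be turned into concrete rules over SaaS audit events. The script below is an added example written for this post, not SOCRadar’s or Salesforce’s code. The JSON-lines event format, the field names (`type`, `user`, `app`, `ip`, `rows`), the baseline IP table and the thresholds are all assumptions for the example and should be mapped onto your tenant’s real audit schema and baselined against normal export volumes.

```python
"""Detection rules for the vishing-driven OAuth abuse pattern described above.

Added example, not the original post's code. The event schema below is an
assumption for illustration and is NOT Salesforce's own EventLogFile format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumptions; tune to your tenant's baseline).
GRANT_WINDOW = timedelta(minutes=30)   # export this soon after a grant is suspicious
BULK_ROWS = 10_000                     # rows pulled inside the window that count as bulk
SLOW_WINDOW = timedelta(hours=1)
SLOW_MIN_CALLS = 5                     # this many small calls from one client in the window
SLOW_MAX_ROWS = 200                    # "small" query size

# Known-good source addresses per user (constructed baseline for this example).
BASELINE_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.11"}, "carol": {"198.51.100.12"}}

# Constructed JSON-lines events for the example. Scenario: alice approves a
# connected app from an unfamiliar address and that app immediately exports
# in bulk; bob's client issues a run of small queries (low-and-slow pattern);
# carol's single call from her usual address is benign.
SAMPLE_EVENTS = """\
{"ts":"2025-08-08T09:00:00","type":"OAUTH_GRANT","user":"alice","app":"Data Loader","ip":"203.0.113.5"}
{"ts":"2025-08-08T09:05:00","type":"API","user":"alice","app":"Data Loader","ip":"203.0.113.5","rows":6000}
{"ts":"2025-08-08T09:10:00","type":"API","user":"alice","app":"Data Loader","ip":"203.0.113.5","rows":7000}
{"ts":"2025-08-08T10:00:00","type":"API","user":"bob","app":"Reporting","ip":"198.51.100.11","rows":150}
{"ts":"2025-08-08T10:10:00","type":"API","user":"bob","app":"Reporting","ip":"198.51.100.11","rows":120}
{"ts":"2025-08-08T10:20:00","type":"API","user":"bob","app":"Reporting","ip":"198.51.100.11","rows":180}
{"ts":"2025-08-08T10:30:00","type":"API","user":"bob","app":"Reporting","ip":"198.51.100.11","rows":90}
{"ts":"2025-08-08T10:40:00","type":"API","user":"bob","app":"Reporting","ip":"198.51.100.11","rows":160}
{"ts":"2025-08-08T11:00:00","type":"API","user":"carol","app":"Reporting","ip":"198.51.100.12","rows":50}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def grant_then_bulk_export(events):
    """Rule 1: a connected-app grant followed within GRANT_WINDOW by >= BULK_ROWS
    rows exported through that same app by the same user."""
    alerts = []
    api = [e for e in events if e["type"] == "API"]
    for g in (e for e in events if e["type"] == "OAUTH_GRANT"):
        rows = sum(e["rows"] for e in api
                   if e["user"] == g["user"] and e["app"] == g["app"]
                   and g["ts"] <= e["ts"] <= g["ts"] + GRANT_WINDOW)
        if rows >= BULK_ROWS:
            alerts.append({"rule": "grant_then_bulk_export", "user": g["user"],
                           "app": g["app"], "rows": rows})
    return alerts


def low_and_slow(events):
    """Rule 2: >= SLOW_MIN_CALLS queries each under SLOW_MAX_ROWS rows from one
    (user, app) client inside a sliding SLOW_WINDOW."""
    alerts = []
    by_client = defaultdict(list)
    for e in events:
        if e["type"] == "API" and e["rows"] < SLOW_MAX_ROWS:
            by_client[(e["user"], e["app"])].append(e["ts"])
    for (user, app), stamps in by_client.items():
        start = 0
        for end in range(len(stamps)):          # stamps are already time-sorted
            while stamps[end] - stamps[start] > SLOW_WINDOW:
                start += 1
            if end - start + 1 >= SLOW_MIN_CALLS:
                alerts.append({"rule": "low_and_slow", "user": user, "app": app,
                               "calls": end - start + 1})
                break                            # one alert per client is enough
    return alerts


def new_source_ip(events, baseline=BASELINE_IPS):
    """Rule 3: any activity from an address outside the user's known set
    (one alert per user/address pair)."""
    seen, alerts = set(), []
    for e in events:
        key = (e["user"], e["ip"])
        if e["ip"] not in baseline.get(e["user"], set()) and key not in seen:
            seen.add(key)
            alerts.append({"rule": "new_source_ip", "user": e["user"], "ip": e["ip"]})
    return alerts


def run_detections(text):
    """Run all three rules over a JSON-lines event feed and return the alerts."""
    events = parse_events(text)
    return grant_then_bulk_export(events) + low_and_slow(events) + new_source_ip(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 is the highest-signal of the three for this campaign, because a grant to a freshly authorized app that is immediately followed by bulk reads is exactly the trojanized Data Loader sequence described earlier; rules 2 and 3 are weaker on their own and are best used to enrich or escalate rather than page on directly.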

Respond

  • Revoke suspicious OAuth tokens and app grants immediately. Rotate impacted credentials.
  • Freeze or isolate compromised user accounts and endpoints. Preserve logs and telemetry for forensics.
  • Consider legal and law enforcement notification paths; retain evidence in a forensically sound way.

Hardening and Recovery

  • Harden SSO: require conditional access, device posture checks, and block legacy auth.
  • Restrict bulk export rights in SaaS apps and audit data export permissions.
  • Run regular phishing and vishing drills with help-desk and remote staff.
  • Keep offsite backups of critical data and test restores.

Short checklist to share with executives: verify calls, block unapproved connected apps, use hardware MFA, log and alert on OAuth grants, and have a tested incident playbook that includes rapid token revocation.

How Can SOCRadar Help?

SOCRadar turns threat signals into fast, practical actions you can use against vishing-driven OAuth attacks.

Threat Actor Intelligence

  • Real-time tracking of relevant actors and campaigns.
  • Early warning on extortion chatter and confirmed data leaks.

Attack Surface Management

  • Find connected apps, admin roles, and unmanaged service accounts.
  • Prioritize fixes to reduce exposure and enforce least privilege.

Dark Web & Telegram Monitoring 

  • Watch underground channels for recruitment, access-for-sale posts, and teaser leaks.
  • Translate mentions into verified alerts your team can act on.

Supply Chain Intelligence

  • End-to-end visibility across extended supplier and partner networks.

SOCRadar’s Supply Chain Intelligence

  • Monitor 50+ million companies and surface risky relationships.
  • Dynamic risk scoring and tiered prioritization for the most critical vulnerabilities.
  • Real-time alerts to focus remediation and preserve operational resilience.