A loosely connected cybercrime supergroup is exploiting social engineering to compromise Fortune 100 organizations and government agencies.
LAPSUS$, Scattered Spider, and ShinyHunters—three of the most notorious English-speaking cybercrime groups—have increasingly blurred their lines through shared tactics, overlapping membership, and joint public channels.
From 2023 through 2025, evidence has emerged of direct collaboration on high-profile breaches and a coordinated push to market a combined Ransomware-as-a-Service offering.
In August 2025, cybersecurity researchers discovered a Telegram channel uniting Scattered Spider, LAPSUS$, and ShinyHunters under the “shinysp1d3r” brand to coordinate threats, tease data leaks, and sell RaaS subscriptions.
ShinyHunters admitted Scattered Spider provided initial network access, while its members handled bulk data exfiltration. LAPSUS$ operatives also participated—collectively targeting Salesforce, Snowflake, and other major platforms.
On September 12, the FBI issued a FLASH alert on UNC6040 and UNC6395, groups tied to these alliances, for exploiting Salesforce environments to steal sensitive records.
Many Fortune 100 victims reported extortion emails signed by ShinyHunters, confirming coordinated attacks by the trio.
Despite a public “retirement” announcement, Resecurity’s HUMINT teams continue to observe private extortion of undisclosed victims, suggesting the group now operates discreetly while leveraging its reputation for coercion.
LAPSUS$, Scattered Spider, and ShinyHunters are part of “The Com,” a youth-driven, predominantly English-speaking cybercrime movement. Activities are amplified through channels like “The Comm Leaks,” where members share breach claims, leak notifications, and recruitment calls.
The FBI cautioned about joining such loosely organized collectives in a mid-2025 PSA. These movements splinter and recombine fluidly, enabling teens and young adults to pool resources, ideology, and technical know-how.
Tactics, Techniques, and Procedures
- Social Engineering and Phishing: All three groups excel at voice-based phishing (vishing), help-desk impersonation, and credential theft. ShinyHunters recently adopted Scattered Spider’s vishing playbook for Salesforce intrusions.
- MFA Bypass and SIM Swapping: LAPSUS$ pioneered SIM swapping and MFA bombing (push fatigue), now replicated by Scattered Spider and, to a lesser extent, ShinyHunters.
- Data Theft, Extortion, and Publicity: Their extortion campaigns include public polls to decide which victim’s data to leak next—maximizing media attention and psychological pressure.
- Target Selection: Joint targets span finance, technology, retail, and aviation (e.g., Qantas, Allianz, Adidas, Google). They exploit cloud-service misconfigurations in VMware ESXi, Salesforce, and Snowflake.
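The MFA bombing (push fatigue) technique listed above leaves a recognizable trace in identity-provider logs: a burst of push prompts to one account in a short window, often ending in an approval. The detector below is an added example, not code from the article or any of the vendors it names; the log format and user names are constructed for illustration, and a real Okta, Duo or Entra ID export would need its own field mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP push log (simplified format; real Okta/Duo/Entra
# exports need their own field mapping): one user is bombarded with
# prompts and finally approves, the other shows normal activity.
SAMPLE_LOG = """\
2025-08-14T09:12:01Z user=jdoe event=mfa_push result=denied
2025-08-14T09:12:40Z user=jdoe event=mfa_push result=denied
2025-08-14T09:13:15Z user=jdoe event=mfa_push result=timeout
2025-08-14T09:13:50Z user=jdoe event=mfa_push result=denied
2025-08-14T09:14:22Z user=jdoe event=mfa_push result=denied
2025-08-14T09:15:05Z user=jdoe event=mfa_push result=approved
2025-08-14T09:20:00Z user=asmith event=mfa_push result=approved
2025-08-14T13:40:00Z user=asmith event=mfa_push result=approved
"""

def parse_line(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag users who received >= threshold push prompts within any span of
    length `window`; note whether a burst ended in an approval."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "mfa_push":
            by_user[rec["user"]].append(rec)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            # advance the window start until it lies within `window` of rec
            while rec["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) >= threshold:
                f = findings.setdefault(user, {"pushes": 0, "approved_after_burst": False})
                f["pushes"] = max(f["pushes"], len(burst))
                # an approval at the tail of a burst is the classic fatigue signature
                if rec["result"] == "approved":
                    f["approved_after_burst"] = True
    return findings

if __name__ == "__main__":
    print(detect_push_fatigue(SAMPLE_LOG))
```

A hit with approved_after_burst set is the case to treat as a probable account compromise rather than a noisy user; number-matching or phishing-resistant MFA removes the approve-to-make-it-stop option that the technique relies on.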
Security analysts label this alliance a “cybercrime supergroup,” noting talent and infrastructure pooling across the three factions.
Some time ago, the hacking trio mentioned AT&T again and released a screenshot purportedly showing access to the RSA Token / VPN Management dashboard.

Rogue actors move seamlessly between groups, complicating attribution and maintaining a highly adaptive, fluid threat landscape.
Recent Developments (2023–2025)
- New Branding: The Fall 2024 announcement of “shinysp1d3r” foreshadowed the 2025 escalation in joint campaigns.
- Airlines Under Fire: Mid-2025 ransomware attacks by Scattered Spider and partners hit WestJet, Hawaiian, and Qantas, with ShinyHunters claiming a Qantas breach of 6 million customer records via vishing.
- Retail and Telecom Breaches: April 2025 saw Scattered Spider partner with the DragonForce ransomware operation to hit UK retailers (Marks & Spencer, Harrods), while ShinyHunters’ earlier breaches of AT&T and T-Mobile exposed hundreds of millions of records.
- Snowflake Supply-Chain Attack: In 2024, collaborators exploited Snowflake flaws to access call metadata for over 110 million AT&T customers—later confirmed by AT&T’s March 2024 admission.
The convergence of LAPSUS$, Scattered Spider, and ShinyHunters signals a new paradigm in cybercrime: loosely federated youth collectives leveraging social engineering, cloud misconfigurations, and public channels for maximum impact.

Their announced “exit” is likely a tactical pause—enabling continued private extortion and future rebranding.
Organizations must bolster human-centric defenses—including rigorous MFA policies, robust help-desk verification, and continuous phishing-awareness training—to counter these agile, socially driven adversaries.
Continuous threat intelligence sharing and proactive incident response collaboration remain critical to staying ahead of this evolving cybercrime supergroup.