Researchers Uncovered Connections Between LAPSUS$, Scattered Spider, and ShinyHunters Hacker Groups


The cybersecurity landscape continues to evolve as three of the most notorious English-speaking cybercrime groups—LAPSUS$, Scattered Spider, and ShinyHunters—have been found to share significant operational connections, tactical overlaps, and direct collaboration since 2023.

These relationships have created what security experts now describe as a highly adaptive cybercrime ecosystem that poses an advanced persistent threat to global enterprises.

Recent developments reveal that the lines between these groups have become increasingly blurred, with their shared proclivity for social engineering, overlapping membership, and coordinated attacks on high-profile targets demonstrating a level of organization previously unseen in cybercrime operations.

The attack vectors employed by these groups are not particularly sophisticated in terms of technical complexity but showcase remarkable coordination and exploitation of both human weaknesses and technological misconfigurations.

Their primary method of gaining access to target networks remains social engineering-based attacks, where actors impersonate employees or contractors to deceive IT help desks into granting unauthorized access.

Extortion email (Source – Resecurity)

Despite their “retirement” announcement in September 2025, intelligence suggests these groups continue operating discreetly, having established substantial credibility and a proven track record of successful breaches that allows them to leverage their commanding reputation for private extortion without immediate media amplification.


Resecurity analysts identified the most concrete evidence of collaboration in August 2025 when a Telegram channel explicitly combined the brands and apparent memberships of all three groups.

This chaotic channel, eventually banned by Telegram, was used to coordinate threats, tease data leaks, and market a new Ransomware-as-a-Service offering dubbed “shinysp1d3r.”

The operational division of labor became clear: ShinyHunters confirmed that Scattered Spider provided initial access to targets while they handled data exfiltration and dumps, with LAPSUS$ members serving as active participants in high-profile campaigns including the Salesforce and Snowflake breaches.

The groups’ association with “The Com” collective further demonstrates their interconnected nature.

This predominantly English-speaking cybercriminal ecosystem operates as a loosely organized network encompassing a broad range of actors, mainly teenagers and individuals in their twenties.

The amplification of successful data breaches through official Com channels suggests shared ideology, membership, resources, and possible operational coordination, prompting the FBI to issue warnings about the risks associated with joining such movements.

Social Engineering and Multi-Factor Authentication Bypass Techniques

The trinity of hacker groups has refined sophisticated social engineering methodologies that serve as their primary attack vector, with particular expertise in bypassing modern security controls that many organizations consider robust.

Their approach to multi-factor authentication (MFA) circumvention demonstrates the evolution of social engineering from simple phishing to complex, multi-stage psychological manipulation campaigns.

LAPSUS$ pioneered the use of SIM swapping combined with MFA bombing techniques, also known as “push fatigue,” where attackers flood victims with authentication requests until they approve one out of frustration or confusion.

This technique has been widely adopted by Scattered Spider and increasingly used by ShinyHunters in their Salesforce-focused campaigns.
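The push-fatigue pattern described above leaves a recognizable trace in MFA logs: a burst of denied or unanswered pushes for one user, followed by an approval. The detector below is an added example written for this article, not code from Resecurity or any MFA vendor; the event tuples and the field names are constructed sample data, and the window and threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events: (timestamp, user, result). Not real logs.
SAMPLE_EVENTS = [
    ("2025-09-01T02:10:01", "alice", "denied"),
    ("2025-09-01T02:10:20", "alice", "timeout"),
    ("2025-09-01T02:10:41", "alice", "denied"),
    ("2025-09-01T02:11:05", "alice", "timeout"),
    ("2025-09-01T02:11:30", "alice", "approved"),   # approval after a burst
    ("2025-09-01T09:00:00", "bob", "approved"),     # normal login
    ("2025-09-01T09:30:00", "bob", "denied"),       # a single mis-tap is not a burst
    ("2025-09-01T09:31:00", "bob", "approved"),
]

UNANSWERED = {"denied", "timeout"}


def detect_push_fatigue(events, window_minutes=10, min_unapproved=3):
    """Return {user: burst_size} for users whose push approval was preceded by
    at least `min_unapproved` denied/unanswered pushes inside `window_minutes`.
    Thresholds are assumptions; tune them to your own baseline."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, seq in by_user.items():
        seq.sort()  # oldest first so we only look back from each approval
        for i, (t_ok, result) in enumerate(seq):
            if result != "approved":
                continue
            # Count unanswered pushes that landed within the window before the approval.
            prior = [r for t, r in seq[:i] if t_ok - t <= window and r in UNANSWERED]
            if len(prior) >= min_unapproved:
                alerts[user] = max(alerts.get(user, 0), len(prior))
    return alerts


if __name__ == "__main__":
    for user, burst in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"possible push fatigue: {user} approved after {burst} unanswered pushes")
```

A hit should be treated as a sign-in to re-verify out of band, since the approval itself looks legitimate to the MFA provider.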

The groups employ sophisticated vishing (voice phishing) operations where attackers impersonate IT staff members, often armed with detailed organizational knowledge obtained through reconnaissance or previous breaches.

Attack on Jaguar Land Rover (JLR) (Source – Resecurity)

Their help desk impersonation techniques involve extensive preparation, including gathering employee names, organizational structures, and internal terminology through social media reconnaissance and data broker services.

Attackers often call help desks claiming to be employees who have lost their devices or been locked out of accounts, providing enough authentic-seeming information to convince support staff to reset credentials or provide access.

In OAuth token abuse scenarios, particularly targeting Salesforce environments, the groups exploit the trust relationship between applications and cloud services.

The technical implementation involves tricking users into authorizing malicious “Connected Apps” in Salesforce, which generates long-lived OAuth tokens that grant persistent access to data while bypassing MFA and other security controls.

These tokens, once obtained, allow attackers to access customer relationship management (CRM) data at scale, as demonstrated in ShinyHunters’ claims of stealing over 1.5 billion Salesforce records from 760 companies.

The abuse of OAuth tokens associated with legitimate integrations like Salesloft and Drift showcases how attackers exploit the interconnected nature of modern cloud environments to maintain persistent access while appearing as legitimate application traffic.
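Because the tokens described above are long-lived and look like ordinary application traffic, the practical defensive control is a periodic inventory of which connected apps hold refresh tokens with broad scopes. The audit below is an added example written for this article, not Salesforce's own API or any vendor tooling; the grant records, their field names, the allowlist and the age threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed connected-app grant records; the field names are assumptions,
# not a real Salesforce export format.
APPROVED_APPS = {"Corporate SSO Bridge", "Finance Reporting", "Calendar Sync"}
BROAD_SCOPES = {"full", "api"}  # scopes that expose CRM data at scale

SAMPLE_GRANTS = [
    {"app": "Corporate SSO Bridge", "user": "alice",
     "scopes": ["api", "refresh_token"], "issued": "2025-01-10T08:00:00"},
    {"app": "Data Loader Helper", "user": "bob",           # never reviewed by IT
     "scopes": ["full", "refresh_token"], "issued": "2025-08-15T22:13:00"},
    {"app": "Calendar Sync", "user": "carol",
     "scopes": ["openid"], "issued": "2025-09-01T09:00:00"},
]


def audit_oauth_grants(grants, allowlist=APPROVED_APPS,
                       now="2025-09-22T00:00:00", max_age_days=90):
    """Return [(app, user, [reasons])] for grants worth a human look:
    unapproved apps, unapproved apps holding broad long-lived access, and
    approved apps whose refresh token has outlived the rotation window."""
    now_dt = datetime.fromisoformat(now)
    findings = []
    for g in grants:
        scopes = set(g["scopes"])
        persistent = "refresh_token" in scopes
        reasons = []
        if g["app"] not in allowlist:
            reasons.append("app not on allowlist")
            if persistent and scopes & BROAD_SCOPES:
                reasons.append("unapproved app holds long-lived broad data access")
        elif persistent:
            age_days = (now_dt - datetime.fromisoformat(g["issued"])).days
            if age_days > max_age_days:
                reasons.append(f"refresh token older than {max_age_days} days")
        if reasons:
            findings.append((g["app"], g["user"], reasons))
    return findings


if __name__ == "__main__":
    for app, user, reasons in audit_oauth_grants(SAMPLE_GRANTS):
        print(f"{app} ({user}): " + "; ".join(reasons))
```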

Infostealers play a crucial role in their authentication bypass strategy, with the groups utilizing malware families including Azorult, Lumma, RedLine, Raccoon, and Vidar to harvest not only usernames and passwords but also active session cookies.

These cookies allow attackers to hijack authenticated sessions and gain immediate access to systems without triggering login alerts or MFA challenges.

These attacks show how traditional security measures often fail against well-orchestrated social engineering campaigns that combine technical exploitation with psychological manipulation. For organizations that rely solely on technological controls, detection and prevention are becoming increasingly difficult.
