Scattered Spider Targets Microsoft, Apple In Access Scheme
Scattered Spider has shifted its operational strategy, moving away from chaotic data leaks toward a more structured and professional model of cybercrime. Now functioning as a hybrid of Ransomware-as-a-Service (RaaS) and insider threat operations, the group is building a network of internal collaborators within some of the world’s largest tech and telecom companies, including Microsoft and Apple. 

Scattered Spider Shifts from Loud Hacks to Quiet Access Deals 

Once known for their high-profile breaches and attention-grabbing leaks, Scattered Spider and its affiliated groups, LAPSUS$, ShinyHunters, and the umbrella Scattered LAPSUS$ Hunters, have turned toward access brokerage. Instead of simply exfiltrating data, they’re actively buying and selling privileged access to corporate systems. 

The group is now recruiting insiders across key industries: telecommunications, cloud software, gaming, server hosting, and business process outsourcing. Target companies include names like Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, and others in the US, UK, Australia, Canada, and France. 

According to recent posts from the group, they are offering 25% of profits for insider access to Active Directory (AD) systems, and 10% for access to identity platforms like Okta, Azure, or AWS IAM root credentials. This represents a move toward a more profit-sharing, affiliate-based model, where insiders are treated as partners in crime rather than simple data sources. 

“We Already Have the Data. We Need Access.” 

A public statement by the group reads: 

“We already have the data. We need access.” 

This illustrates their transition from opportunistic hacking to a more calculated form of cyber extortion, aimed at gaining continuous footholds within high-value environments. 

They also offered to purchase remote access tools like VPN credentials, Citrix sessions, and AnyDesk installations, which they then resell to ransomware affiliates for further exploitation. 

One of their more detailed dark web posts, titled “SLSH 6.0 part 3 – lapsus$hiny$scattere…”, called for insiders to submit evidence of access, including SSH keys, OpenLDAP logs, and system network configurations. The group sets clear rules for participation: no companies under $500 million in revenue, and no targets from countries like Russia, China, North Korea, or Belarus. 

Salesforce, Microsoft, Apple Among Targeted Firms 

The Scattered LAPSUS$ Hunters have recently launched a new dark web leak site as part of their extortion efforts, following breaches at Salesloft and Salesforce. As of early October 2025, they claim to have compromised approximately 40 companies, with threats to release full datasets unless ransoms are paid by October 10. 

Salesforce responded publicly on October 2, stating: 

“There is no indication that the Salesforce platform has been compromised… Our findings indicate these attempts relate to past or unsubstantiated incidents.” 

Still, the group continues to threaten legal consequences, claiming to have stolen nearly 1 billion records containing sensitive personally identifiable information (PII). They’ve named Berger Montague, a law firm known for data privacy litigation, as a potential partner in civil action against Salesforce if demands are not met. 

They also threatened to expose regulatory violations under GDPR, CCPA, HIPAA, and other privacy laws. In one statement, the group said: 

“We will be submitting a full document… how your company as a data controller… could have prevented such intrusions.” 

Criticism of the Cloud Security Model 

In comments to The Cyber Express, the group criticized the “shared responsibility” model of cloud security. They argued that Salesforce, like other platforms, shifts too much of the security burden onto customers. 

“Salesforce is saying ‘yeah you can use our services but when it comes to security you have to deal with most of it yourself.’” 

They further claimed that the use of known threat indicators—such as Mullvad VPN and TOR IPs—could have been blocked using basic YARA rules yet weren’t. 
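The indicator the group points at here is a source address, not file content, so in practice it is matched against authentication logs or an identity provider's network policy rather than with YARA (which scans files and memory). The following is an added illustration of that log-side check, not code from the article or from any named vendor: it parses constructed key=value sign-in records and flags successful logins whose source IP falls inside a list of anonymizer ranges. The CIDR blocks are placeholder documentation ranges standing in for a real feed (the Tor Project's published exit list, a VPN provider's published relay list), and the log format is invented for the example.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 / RFC 3849 documentation space), standing in
# for a real feed of Tor exit nodes and commercial VPN egress addresses.
KNOWN_ANONYMIZER_RANGES = [
    "192.0.2.0/24",        # placeholder "Tor exit" block
    "198.51.100.0/25",     # placeholder "VPN provider" block (.0 - .127 only)
    "2001:db8:beef::/48",  # placeholder IPv6 exit block
]

# Constructed sample sign-in records in a simple key=value layout
# (not any product's real log format).
SAMPLE_AUTH_LOG = """\
ts=2025-10-02T08:14:03Z user=alice src=203.0.113.9 result=success mfa=true
ts=2025-10-02T08:15:11Z user=svc-integration src=192.0.2.77 result=success mfa=false
ts=2025-10-02T08:16:40Z user=bob src=198.51.100.40 result=failure mfa=false
ts=2025-10-02T08:17:02Z user=carol src=[2001:db8:beef::1] result=success mfa=true
ts=2025-10-02T08:18:59Z user=dave src=198.51.100.200 result=success mfa=true
"""

# IPv6 sources are written in brackets in this constructed format.
LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) user=(?P<user>\S+) src=\[?(?P<src>[^\s\]]+)\]? "
    r"result=(?P<result>\S+) mfa=(?P<mfa>\S+)"
)


def build_networks(cidrs):
    """Parse CIDR strings once; ip_network handles both v4 and v6."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_listed(ip_str, networks):
    """True if ip_str lies inside any listed range (version mismatch is False)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in networks)


def parse_line(line):
    """Return the record as a dict, or None for lines that do not fit the format."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def flag_anonymizer_logins(log_text, cidrs):
    """Return successful sign-ins whose source falls in a known anonymizer range.

    Failed attempts are skipped: they are noisy and already visible elsewhere.
    Each hit keeps the MFA flag so a reviewer can prioritise no-MFA sessions.
    """
    networks = build_networks(cidrs)
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        if is_listed(rec["src"], networks):
            hits.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "src": rec["src"],
                "mfa": rec["mfa"] == "true",
            })
    return hits


if __name__ == "__main__":
    for hit in flag_anonymizer_logins(SAMPLE_AUTH_LOG, KNOWN_ANONYMIZER_RANGES):
        print(f"anonymizer source login: {hit}")
```

Run as a script it reports two of the five records: the service account signing in from the placeholder Tor block without MFA, and the IPv6 login from the listed /48; the address at 198.51.100.200 is outside the /25 and is correctly ignored. A real deployment would refresh the range list on a schedule and treat a hit as a review trigger, not an automatic block, since some staff legitimately use VPNs.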

The leak site showcases the group’s aggressive tactics, listing household names like Microsoft, Apple, Google AdSense, Cisco, Toyota, FedEx, Disney/Hulu, UPS, McDonald’s, KFC, Instacart, Chanel, Adidas, Air France/KLM, and more. 


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.