Red Hat Breach Impacts 5,000+ High-Value Enterprise Customers, Data at Risk


An extortion group calling itself Crimson Collective claimed responsibility for a major breach at Red Hat Consulting.

With only 22 followers on Telegram at the time, the group's rapid rise to notoriety stunned security experts. By the end of the same day, Red Hat confirmed the breach and began notifying affected clients.

Telegram Channel

Red Hat Consulting provides expert technical services to large enterprises handling complex technology challenges.

Early evidence suggests that the attackers exfiltrated customer documentation, source code, and other sensitive assets.

Crimson Collective’s Ties to LAPSUS$-Linked Actors

Security researcher Brian Krebs noted that "Miku," a Telegram handle linked to Thalha Jubair, a UK teenager charged in connection with the Scattered Spider and LAPSUS$ incidents, is tied to Crimson Collective.


Jubair is currently remanded pending trial for alleged involvement in the Transport for London cyberattack.

Intriguingly, Crimson Collective’s first leaked victim was Claro, the same telecom targeted by LAPSUS$ in 2021.

Screenshots from the breach also highlight Vodafone, previously breached by LAPSUS$ in 2022, underscoring a possible pattern of targeting major service providers.


On September 13, 2025, the compromise date listed by the group, Crimson Collective began leaking proof via a portal styled with hallmark LAPSUS$ traits: intentional typos, casual racism in HTML comments, jokes, and even Pokémon tunes embedded in the page.

The initial leak included a file tree showing 370,852 directories and 3,438,976 files. Sample Consultancy Engagement Reports (CERs) for seven organizations, among them AIR, AMEX_GBT, Atos_Group (NHS Scotland), BOC, HSBC, and Walmart, were published to demonstrate legitimacy.

A subsequent release delivered a 2.2 GB ZIP containing an “unprecedented” file tree of over 32 million files.

Analysis of the directory structure suggests more than 5,000 enterprise customers are impacted, spanning consultancy reports, proprietary code, and various internal assets.

Sensitive items such as .pfx files for ING Bank and Delta Airlines were among the leaked files. A .pfx is a PKCS#12 bundle that normally carries the private key alongside the certificate, so its exposure amounts to a key compromise and is a clear indicator of high-risk exposure. Enterprises should assume that all stolen data may become public.

Impacted organizations must urgently contact Red Hat Consulting support to obtain the list of stolen files.

They should immediately rotate certificates and credentials, review security configurations, and apply comprehensive remediation plans.
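Once the list of stolen files is in hand, the first job is to work out which of them carry credentials, because those drive the rotation order. The script below is an added example, not Red Hat's tooling and not anything published by the group: it takes a plain path listing (one path per line, in the shape of a file-tree dump) and ranks the paths under your organisation's directory by how damaging that file type is when leaked. The directory layout, customer names and sample paths are constructed for the example, and the pattern list and weights are the example's own heuristics, not a description of the real leak's contents.

```python
"""Triage a leaked file-tree listing for credential-bearing artifacts.

Added example. Assumed layout: <root>/<customer>/... (configurable via `depth`).
All sample paths and customer names below are constructed for illustration.
"""
import re
from collections import defaultdict

# Heuristic file-type patterns, highest impact first; the first match wins.
# Weights are this example's own scale: 10 = private key material,
# 8-9 = secrets by convention, 4 = confidential documents.
SENSITIVE_PATTERNS = [
    (re.compile(r"\.(pfx|p12)$", re.I), "PKCS#12 bundle (private key + certificate)", 10),
    (re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"), "SSH private key", 10),
    (re.compile(r"\.kdbx$", re.I), "KeePass database", 9),
    (re.compile(r"(^|/)\.kube/config$"), "kubeconfig (cluster credentials)", 9),
    (re.compile(r"\.(key|pem)$", re.I), "PEM-encoded key or certificate", 8),
    (re.compile(r"(^|/)\.env(\.[^/]+)?$"), "dotenv secrets file", 8),
    (re.compile(r"\.tfstate$", re.I), "Terraform state (frequently embeds secrets)", 8),
    (re.compile(r"engagement_report", re.I), "Consultancy engagement report", 4),
]

# Constructed sample listing; the real leak's layout is not reproduced here.
SAMPLE_LISTING = """\
consulting/ExampleBank/prod/tls/api-gateway.pfx
consulting/ExampleBank/docs/Consultancy_Engagement_Report_2024.pdf
consulting/ExampleBank/ops/.kube/config
consulting/ExampleBank/src/app/main.go
consulting/ExampleAir/deploy/.env
consulting/ExampleAir/deploy/id_rsa
consulting/ExampleAir/deploy/id_rsa.pub
consulting/OtherCo/secrets/vault.yml
"""


def classify(path):
    """Return (label, score) for the first matching sensitive pattern, else None."""
    for rx, label, score in SENSITIVE_PATTERNS:
        if rx.search(path):
            return label, score
    return None


def customer_of(path, depth=1):
    """Customer name is the path component at `depth` under the assumed layout."""
    parts = path.strip("/").split("/")
    return parts[depth] if len(parts) > depth else None


def triage(listing, customers, depth=1):
    """Map each customer of interest to its sensitive paths, worst first.

    Each finding is a (score, label, path) tuple; customers with no
    sensitive findings are absent from the result.
    """
    wanted = {c.lower() for c in customers}
    findings = defaultdict(list)
    for raw in listing.splitlines():
        path = raw.strip()
        if not path:
            continue
        cust = customer_of(path, depth)
        if cust is None or cust.lower() not in wanted:
            continue
        hit = classify(path)
        if hit is not None:
            label, score = hit
            findings[cust].append((score, label, path))
    for cust in findings:
        findings[cust].sort(key=lambda f: (-f[0], f[2]))
    return dict(findings)


if __name__ == "__main__":
    # Rotation work list for the two constructed customers.
    for cust, items in triage(SAMPLE_LISTING, ["ExampleBank", "ExampleAir"]).items():
        print(f"== {cust}: {len(items)} item(s) to rotate or revoke")
        for score, label, path in items:
            print(f"  [{score:>2}] {label:<45} {path}")
```

Run it against the actual listing Red Hat provides and feed the top-scored paths straight into the revocation and rotation queue; a .pfx or SSH key at the top of the list means the corresponding certificate must be revoked and the key replaced, not merely the file deleted.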

Paying ransom is discouraged, as it may incentivize further attacks. Continuous monitoring for traded copies of the stolen data is also critical.

Red Hat remains under pressure to bolster its consulting practice security measures. Meanwhile, organizations should strengthen internal controls and incident response preparations. For ongoing updates, follow Kevin Beaumont on Mastodon.





About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.