A new cybercriminal conglomerate known as Scattered Lapsus$ Hunters has emerged as a significant threat to global organizations, claiming responsibility for massive data breaches targeting Salesforce customer tenants.
The group, also referred to as SP1D3R HUNTERS or SLSH, has reportedly stolen over one billion Salesforce records across two separate extortion campaigns, marking one of the most extensive data theft operations in recent history.
Industry experts have dubbed this criminal syndicate the “Trinity of Chaos,” reflecting its composition of individuals from three notorious threat groups: Muddled Libra (Scattered Spider), Bling Libra (ShinyHunters), and LAPSUS$.
These groups are believed to be part of the broader cybercriminal community known as “The Com,” representing a sophisticated network of threat actors operating coordinated extortion campaigns.
The primary orchestrator behind these extortion attempts is Bling Libra, a threat group that has been active since at least early 2020 and has claimed responsibility for numerous high-profile data breaches over recent years.
Their evolution from traditional data selling to direct victim extortion represents a significant shift in cybercriminal monetization strategies.
According to Unit 42 research, global retail and hospitality organizations have been particularly targeted by this data theft extortion activity throughout 2025.
The threat actors have specifically focused their efforts on infiltrating Salesforce customer environments to steal sensitive customer information and corporate data.
Launch of Extortion-as-a-Service Operations
On October 3, 2025, Scattered Lapsus$ Hunters officially launched their data leak site (DLS), initially hosted on a domain previously associated with the notorious BreachForums cybercrime forum.

The site featured a list of 39 global organizations from which the group claimed to have stolen Salesforce data, setting an initial deadline of October 10, 2025, for ransom payments.
The threat actors have adopted an extortion-as-a-service (EaaS) model, typically taking a 25-30% revenue share of extortion payments made to collaborating threat actors.
This approach mirrors the successful ransomware-as-a-service (RaaS) model but differs significantly by focusing on data theft and extortion without deploying file-encrypting malware.
Bling Libra has been actively recruiting other threat actors through Telegram channels to assist in sending extortion notes to victims via email, specifically targeting executive-level communications.
The group has even attempted to directly extort Salesforce itself, though the company has publicly refused to negotiate or pay any ransom demands.
Law Enforcement Response
The situation intensified when the FBI announced on October 9, 2025, that it had seized all domains associated with BreachForums, including the clearnet version of the threat actors’ newly launched DLS.


However, Bling Libra confirmed that none of its core members had been arrested and that the darknet version of their site remained operational.
In response to the FBI action, the group doubled down on their threats, warning of potential data releases and posting ominous messages about the October 10, 2025 deadline.
Despite law enforcement intervention, the threat actors have demonstrated resilience and adaptability in maintaining their extortion operations.
The emergence of additional threat groups has further complicated the threat landscape. Crimson Collective, a previously unknown group, has begun collaborating with Scattered Lapsus$ Hunters and claimed responsibility for breaching Red Hat on October 1, 2025.
The group allegedly exfiltrated approximately 570 GB of compressed data from over 28,000 internal development repositories, including sensitive Customer Engagement Reports.
Implications
The targeting of Salesforce environments poses particular risks for retail and hospitality organizations that rely heavily on customer relationship management platforms.
For retailers, the theft of customer data can lead to identity theft, social engineering attacks, account takeover, and various forms of fraud. Most critically, these breaches can erode consumer trust during crucial periods such as peak shopping seasons.
Hospitality organizations face similar risks but with distinct fraud patterns. While retail organizations primarily encounter returns and gift card fraud, hospitality companies are more likely to experience loyalty rewards fraud involving airline miles and hotel points.
This has contributed to a growing underground trend of fraudulent travel agency advertisements on dark web forums and Telegram channels.
The shift toward EaaS models represents a concerning evolution in cybercriminal tactics. Unlike traditional ransomware operations, which encrypt files and disrupt operations, EaaS focuses solely on data theft and extortion. This potentially allows threat actors to operate under the radar of law enforcement efforts that have traditionally focused on ransomware disruption.
Organizations must implement comprehensive security measures including automated credential scanning tools, zero trust architecture principles, and conditional access policies to mitigate these evolving threats.
Industry participation in Information Sharing and Analysis Centers (ISACs) provides access to real-time threat intelligence and best practices for both reactive and proactive defensive measures.
The Scattered Lapsus$ Hunters case demonstrates the increasing sophistication and coordination of modern cybercriminal operations, highlighting the critical need for robust security frameworks and incident response capabilities across all sectors handling sensitive customer data.