Cybersecurity giant CrowdStrike has terminated an employee who allegedly shared sensitive internal system information with a notorious hacking collective.
The incident involved the leak of internal screenshots posted on a public Telegram channel operated by the threat group known as “Scattered Lapsus$ Hunters”.
Insider Threat Detected Through Screen Sharing
The leaked images displayed internal dashboards, including an Okta Single Sign-On (SSO) panel used by employees to access corporate applications.
The hackers claimed these screenshots proved a broader compromise achieved through a third-party breach at Gainsight, a customer success platform used by Salesforce clients.
However, CrowdStrike maintains that the situation involved human vulnerability rather than a technical breach.
Reports indicate that threat actors allegedly offered the insider $25,000 to facilitate access to the network.
While the hackers claimed to have received authentication cookies, CrowdStrike’s security operations center detected the activity before any malicious access could be fully established.
CrowdStrike swiftly addressed the claims, clarifying that the leaked images resulted from an employee sharing pictures of their screen rather than a systemic network intrusion.
A CrowdStrike spokesperson told Cybersecurity News, “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally.
Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.”
This incident is part of a larger aggressive campaign by Scattered Lapsus$ Hunters, a self-proclaimed “supergroup” comprising members from Scattered Spider, LAPSUS$, and ShinyHunters.
The group has recently targeted major corporations by exploiting third-party vendors like Gainsight and Salesloft.
In October 2025, the group claimed to have exfiltrated nearly 1 billion records from Salesforce customers, listing high-profile victims such as Allianz Life, Qantas, and Stellantis on its data-leak site.
The group’s modus operandi often involves high-pressure social engineering and recruiting insiders to bypass perimeter defenses. This tactic has become increasingly common in 2025.
While CrowdStrike successfully contained this specific insider threat without customer impact, the event highlights the persistent danger posed by recruited employees in high-stakes cybersecurity environments.
The convergence of sophisticated social engineering with the pooled resources of three major cybercrime gangs represents a significant evolution in the threat landscape facing tech enterprises today.
The incident underscores the critical importance of monitoring insider threats and implementing robust detection systems to identify suspicious behavior before sensitive information can be leaked to malicious actors.
CrowdStrike’s quick detection and response demonstrate how proper security operations can prevent what could have been a more serious breach.
