A new report from Resecurity sheds light on the growing convergence between three of the most notorious English-speaking cybercrime groups: LAPSUS$, Scattered Spider, and ShinyHunters. Once distinct, these groups are now seen as part of a loosely connected, highly adaptive cybercrime ecosystem that poses an advanced persistent threat (APT) to enterprises worldwide.
Resecurity explains, “Recent developments (especially since 2023 to 2025) reveal significant connections, tactical overlaps, and even direct collaboration. These connections are evident in their shared proclivity for social engineering, overlapping membership, joint public channels, and coordinated attacks on high-profile targets.”
One of the most striking examples came in August 2025, when “a Telegram channel explicitly combined the brands and apparent memberships of Scattered Spider, LAPSUS$, and ShinyHunters… to coordinate threats, tease data leaks, and market a new Ransomware-as-a-Service (RaaS) offering dubbed ‘shinysp1d3r.’”
This collaboration was visible in headline-grabbing campaigns, including the Salesforce and Snowflake breaches, where initial access, data exfiltration, and extortion were carried out by different members of the alliance.
The three groups thrive on social engineering. According to the report, “These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting them access.”
Other overlaps include:
- MFA bypass: “LAPSUS$ pioneered the use of SIM swapping and MFA bombing (push fatigue)… techniques now widely used by Scattered Spider and, to a lesser extent, ShinyHunters.”
- Extortion and publicity: All three groups weaponize public leak sites and polls to pressure victims, with Resecurity noting, “The collective has recently gamified data leaks, using public polls to decide which victim’s data to release next.”
- Target sectors: Victims range from Fortune 100 corporations to airlines, retailers, and telecoms. Attacks have impacted Qantas, Victoria’s Secret, Adidas, AT&T, T-Mobile, and Jaguar Land Rover.
High-Profile Campaigns and Real-World Impact
- Airlines: In July 2025, ShinyHunters claimed a breach at Qantas exposing the data of 6 million customers, part of a vishing campaign targeting Salesforce accounts.
- Retailers: Scattered Spider and DragonForce hit Marks & Spencer, Co-op, and Harrods, while Victoria’s Secret was forced to take its U.S. e-commerce offline, incurring an estimated $10 million loss.
- Telecoms: AT&T confirmed in 2024 that a breach affecting 73 million customers was linked to Snowflake compromises; T-Mobile and France’s Bouygues Telecom were also targeted.
- Automotive: Jaguar Land Rover suffered a devastating September 2025 breach attributed to the trio, shutting down global production lines and costing up to £50 million ($67 million) per week.
The trio is deeply tied to The Com, an English-speaking cybercriminal movement. Resecurity notes, “This loosely organized network operates more as a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teens and 20somethings.”
Their recruitment channels, branding, and public theatrics have made them both a security nightmare and a cultural phenomenon, attracting young hackers into coordinated campaigns.
Despite recent announcements claiming they were ceasing operations, Resecurity is skeptical: “Resecurity does not believe that the group’s recent announcement of ceasing operations is sincere… our team has become aware of multiple previously undisclosed victims who are currently being extorted privately.”
Like Conti before them, these groups may simply rebrand and resurface under new banners.