A newly formed cybercrime consortium known as Scattered Lapsus$ Hunters (SLSH) — also dubbed the “Trinity of Chaos” — has launched a massive global extortion campaign targeting Salesforce tenants, claiming to have stolen over 1 billion customer records across 39 organizations.
According to Palo Alto Networks’ Unit 42, “threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom.”
The report suggests that this syndicate is not an entirely new player but rather a coalition of three notorious threat groups, Muddled Libra (Scattered Spider), Bling Libra (ShinyHunters), and LAPSUS$, operating under a shared structure for extortion. Unit 42 noted that “‘Trinity’ is used because the conglomerate is likely composed of individuals tied to three groups… all of which are representative of the broader cybercriminal community known as The Com.”
The attackers claim to have exfiltrated over one billion Salesforce records in two separate operations targeting customer data. Bling Libra — known for its data theft and extortion campaigns since 2020 — is believed to be the main orchestrator behind the current wave.
Unit 42 confirmed that “the threat actors posted the names of 39 global organizations from which they claim to have stolen Salesforce data” and set an October 10, 2025 deadline for ransom payment, threatening to publish the data if victims did not comply.
Further, the report revealed that the group is actively recruiting collaborators to enhance its extortion operations:
“Based on Unit 42 observations across Telegram channels operated by the threat group, they are also recruiting other threat actors to help send extortion notes to victims via email, specifically focusing on communicating with executives.”
Salesforce itself was reportedly the target of direct extortion attempts. The company publicly responded that it had “no intentions of negotiating with or paying a ransom to the cybercriminals.”
The Unit 42 report highlights the commercialization of extortion tactics, describing how Bling Libra has transformed into an Extortion-as-a-Service (EaaS) provider.
“Bling Libra recently told Bleeping Computer that they have been privately operating as an EaaS provider for some time now. They claimed to take a revenue share (typically 25–30%) from extortion payments made to threat actors they are collaborating with.”
Unlike ransomware groups, these actors skip file encryption and focus purely on data theft, reputation damage, and coercive payments. As Unit 42 notes, “The primary differentiator between EaaS and RaaS is the lack of malware deployment… EaaS relies on extortion through stolen data, not encryption.”
The “Trinity” appears to be expanding. A new group called Crimson Collective has recently entered the scene, partnering with SLSH in extortion campaigns.
“Based on Unit 42 observations and news reports, Crimson Collective claimed to have breached Red Hat on or about Oct. 1, 2025… exfiltrating approximately 570 GB of compressed data from more than 28,000 internal development repositories.”
This breach included 800 Red Hat Customer Engagement Reports (CERs) containing client infrastructure details — a goldmine for targeted follow-up attacks. Crimson Collective has also been spotted targeting AWS cloud environments, signaling a coordinated shift toward cloud-based data theft.
The campaign entered a new chapter on October 9, 2025, when the FBI seized domains associated with BreachForums, the site hosting SLSH’s data leak portal. Bling Libra acknowledged the seizure but stated that “none of its core members had been arrested and that the darknet version of their DLS was not impacted by the FBI’s activity.”
Unit 42 analysts note that cybercriminals are pivoting from ransomware to EaaS models to avoid law enforcement scrutiny.
Because EaaS operations do not deploy disruptive malware, they can often evade the detection patterns and international crackdowns that crippled many ransomware gangs between 2022 and 2024.