A newly formed cybercrime consortium known as Scattered Lapsus$ Hunters (SLSH) – also dubbed the “Trinity of Chaos” – has launched a massive global extortion campaign targeting Salesforce tenants, claiming to have stolen over 1 billion customer records across 39 organizations.
According to Palo Alto Networks’ Unit 42, “threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom.”
The report suggests that this syndicate is not an entirely new player but rather a coalition of notorious threat groups – Muddled Libra (Scattered Spider), Bling Libra (ShinyHunters), and LAPSUS$ – operating under a shared structure for extortion. Unit 42 noted that, “‘Trinity’ is used because the conglomerate is likely composed of individuals tied to three groups… all of which are representative of the broader cybercriminal community known as The Com.”
The attackers claim to have exfiltrated over one billion Salesforce records in two separate operations targeting customer data. Bling Libra – known for its data theft and extortion campaigns since 2020 – is believed to be the main orchestrator behind the current wave.
Unit 42 confirmed that “the threat actors posted the names of 39 global organizations from which they claim to have stolen Salesforce data” and set an October 10, 2025 deadline for ransom payment, threatening to publish the data if victims did not comply.
Further, the report revealed that the group is actively recruiting collaborators to enhance its extortion operations:
“Based on Unit 42 observations across Telegram channels operated by the threat group, they are also recruiting other threat actors to help send extortion notes to victims via email, specifically focusing on communicating with executives.”
Even Salesforce itself was reportedly targeted for direct extortion attempts. The company publicly responded that it had “no intentions of negotiating with or paying a ransom to the cybercriminals.”
The Unit 42 report highlights the commercialization of extortion tactics, describing how Bling Libra has transformed into an Extortion-as-a-Service (EaaS) provider.
“Bling Libra recently told Bleeping Computer that they have been privately operating as an EaaS provider for some time now. They claimed to take a revenue share (typically 25–30%) from extortion payments made to threat actors they are collaborating with.”
Unlike ransomware groups, these actors skip file encryption and focus purely on data theft, reputation damage, and coercive payments. As Unit 42 notes, “The primary differentiator between EaaS and RaaS is the lack of malware deployment… EaaS relies on extortion through stolen data, not encryption.”
The “Trinity” appears to be expanding. A new group called Crimson Collective has recently entered the scene, partnering with SLSH in extortion campaigns.
“Based on Unit 42 observations and news reports, Crimson Collective claimed to have breached Red Hat on or about Oct. 1, 2025… exfiltrating approximately 570 GB of compressed data from more than 28,000 internal development repositories.”
This breach included 800 Red Hat Customer Engagement Reports (CERs) containing client infrastructure details – a goldmine for targeted follow-up attacks. Crimson Collective has also been spotted targeting AWS cloud environments, signaling a coordinated shift toward cloud-based data theft.
The campaign reached a new chapter when, on October 9, 2025, the FBI seized domains associated with BreachForums, the site hosting SLSH’s data leak portal. Bling Libra acknowledged the seizure but stated that “none of its core members had been arrested and that the darknet version of their DLS was not impacted by the FBI’s activity.”
Unit 42 analysts note that cybercriminals are pivoting from ransomware to EaaS models to avoid law enforcement scrutiny.
Because EaaS operations do not deploy disruptive malware, they can often evade the detection patterns and international crackdowns that crippled many ransomware gangs between 2022 and 2024.