The New Voice of Fraud: Cybercrime ‘Supergroup’ Recruits Female Callers to Breach Corporate IT Help Desks

Cybersecurity threats are no longer just about malicious code and zero-day vulnerabilities; they are increasingly about human psychology. In a shift in social engineering tactics, a notorious cybercriminal syndicate is now actively recruiting women to carry out voice phishing (vishing) attacks against corporate IT help desks.

According to a newly released threat brief by Dataminr, the Scattered Lapsus$ Hunters (SLH) hacking collective posted advertisements on a public Telegram board on February 22, 2026, seeking female callers. The financial incentives are significant: the group is offering to pay recruits anywhere from $500 to $1,000 upfront for every successful call they make.

To understand why this is happening, it helps to look at how corporate security works. IT support staff are frequently trained to recognize the “traditional” profiles of attackers trying to reset passwords or bypass security controls over the phone. Historically, many of these threat actors have been young men. By changing the voice on the other end of the line, the hackers hope to disarm support personnel and slip past these mental defenses.

As the Dataminr report explains, “This recruitment drive represents a calculated evolution in SLH’s tactics.” By supplying these new recruits with highly polished, pre-written scripts, the group is essentially franchising its social engineering operations so that anyone can execute a convincing attack.

The threat intelligence firm notes that “SLH is diversifying its social engineering pool by specifically recruiting women to conduct vishing attacks, likely to increase the success rate of help desk impersonation.”

The organization orchestrating this campaign is not a small-time operation. Dataminr’s analysis points out that “SLH is a high-profile cybercrime ‘supergroup’ formed by an alliance between Lapsus$, Scattered Spider, and ShinyHunters.”

These three groups have a well-documented history of bypassing multi-factor authentication (MFA) and compromising major global corporations. Instead of relying purely on technical software exploits, they specialize in tricking human beings—often posing as frantic employees who are locked out of their accounts or who need a remote management tool installed to do their jobs.

To protect against these highly rehearsed, script-driven vishing attacks, organizations must move away from relying solely on voice recognition or basic security questions. IT help desks should implement strict, out-of-band identity verification—such as requiring a secondary video call or utilizing internal manager approvals—before processing any password resets or MFA changes over the phone.