A new report from Resecurity’s HUNTER team has exposed a massive data extortion operation conducted by a cybercriminal alliance calling itself “Trinity of Chaos”—a ransomware collective reportedly tied to Lapsus$, Scattered Spider, and ShinyHunters. The group has launched a Data Leak Site (DLS) on the TOR network, claiming responsibility for breaches at 39 global corporations, including Google, Cisco, Toyota, FedEx, Disney, Marriott, and Air France–KLM.
According to Resecurity, the Trinity of Chaos collective has evolved from a data theft group into a fully operational ransomware syndicate. The report explains: “The group aims to continue its activities and has shifted toward a traditional ransomware modus operandi.”
While no new attacks were announced, the threat actors released previously unreleased data from past intrusions and posted samples of stolen records on their DLS. The group’s message, allegedly directed at Salesforce, accused the company of negligence and threatened to release “a massive number of records.” Salesforce has since stated that it has found no evidence of new exploits, though it did not rule out the possibility that previous vulnerabilities led to large-scale customer compromise.
The Trinity of Chaos actors—styling themselves as “Scattered LAPSUS & Hunters”—have adopted a professional, corporate-like tone in their extortion messages. In their DLS statement, they boasted: “Specializing in high-value corporate data acquisition and strategic breach operations. Our expertise spans across automotive, financial, insurance, technological, telecommunications, ISPs, and numerous other sectors worldwide. We help you regain control.”
The group claims to have been active since at least 2019, suggesting extensive experience and maturity in its operations. Their tactics include threatening to report victims to regulatory bodies under data protection laws such as GDPR, framing it as “criminal negligence.” Such coercive measures mirror previous tactics seen in Cl0p and FIN11 ransomware campaigns.
On October 3, 2025, the group published a list of 39 companies on its DLS, setting an October 10 deadline for ransom negotiations. Victims include a mix of Fortune 100 firms, airlines, retailers, and luxury brands such as Toyota, FedEx, UPS, Walgreens, Stellantis, Adidas, Cartier, Gucci, Balenciaga, and Chanel.
Resecurity noted that the leaked data appears to include PII and business records, but few passwords—suggesting the attackers likely exfiltrated data through OAuth token abuse and Salesforce instance exploitation, possibly via Salesloft’s Drift AI integration. This aligns with an FBI flash alert issued in September warning of vishing attacks and OAuth token theft targeting Salesforce environments.
Among the victims are multiple major airlines—Air France, KLM, Qantas, and Aeroméxico—whose leaked datasets contain passenger information, loyalty program data, and internal communications. Resecurity confirmed the authenticity of the leaked records: “The stolen records have been validated by Resecurity; they contain sensitive passenger information, internal communications, references to loyalty points, and records of activity history.”
The report highlights how Aeroméxico’s breach, dated July 4, 2025, resulted in the exposure of 39 million records, including personally identifiable information (PII).
Perhaps the most alarming revelations involve Google and Cisco, both of which were listed on the Trinity of Chaos leak site.
Resecurity writes: “What is truly new is the publication of data related to technology giants like Cisco and Google.” The report adds that while the full scope remains unclear, samples include data from Google AdWords users and digital marketing agencies, as well as Salesforce records referencing Cisco’s customer and employee data.
Google had previously disclosed that one of its Salesforce instances was impacted by activity linked to UNC6040, a group known for vishing and data extortion operations.
The Cisco dataset, however, contained more sensitive material—including records tied to law enforcement and government agencies such as the FBI, DHS, NASA, and the Australian Ministry of Defense, potentially exposing internal procurement details and communications.
The Trinity of Chaos claims to possess a colossal archive of 1.5 billion records, spanning 760 companies. Their dataset allegedly includes:
- 254 million Account records
- 579 million Contact entries
- 171 million Opportunity records
- 59 million User accounts
- 458 million Case records
If even partially accurate, this trove would rank among the largest single data leaks ever observed on the dark web.
Resecurity warns that the leaked data could fuel AI-driven cybercrime, stating: “Cybercriminals may exploit it for malicious purposes on a large scale, including in harmful artificial intelligence (AI) applications.” By cross-correlating datasets, adversaries could develop targeted phishing campaigns, identity theft schemes, and advanced social engineering operations across industries.