Researchers from Trustwave SpiderLabs’ Cyber Threat Intelligence team have identified the formation of a new federated threat alliance uniting three of the most infamous cybercriminal collectives of recent years — Scattered Spider, ShinyHunters, and LAPSUS$ — under a single banner known as Scattered LAPSUS$ Hunters (SLH).
According to the report authored by Serhii Melnyk, Cyber Threat Intelligence Analyst at Trustwave, “the recent emergence of what appears to be the consolidation of three well-known threat groups into a ‘federated alliance’ that offers, among its activities, Extortion-as-a-Service (EaaS)” marks a significant shift in the threat landscape.
Emerging in early August 2025, the alliance surfaced on Telegram, presenting itself as a hybrid group combining the reputational and operational traits of its founding members. Trustwave notes that the group “first appeared on Telegram, presenting itself as a hybrid entity blending reputational and operational traits from three of the most recognized The Com-linked collectives of recent years” — referring to The Com, an informal cybercriminal ecosystem known for fluid collaborations and brand-sharing.
The first verified channel operated under the handle “scattered lapsu$ hunters – The Com HQ SCATTERED SP1D3R HUNTERS.” From inception, Telegram served as the central hub for coordination, brand-building, and recruitment.
As the report explains, “While the group intermittently hosted clear-web and onion-based data leak sites to stage limited proof-of-compromise materials, Telegram remained central to its narrative construction — the stage where members performed, coordinated, and curated public visibility.”
Shortly after its launch, SLH unveiled its own Extortion-as-a-Service (EaaS) model, offering affiliates the ability to leverage its high-profile brand names to intimidate victims and demand higher ransoms.
“The group heavily uses a public encryption communication service as its primary operating base and allows its EaaS affiliates to use the member’s very well-known names to create fear, which it claims will generate a higher financial return,” the report states.
This formalized offering positions SLH as both a service provider and a media performer, where extortion campaigns double as public spectacles. Trustwave analysts observed that the group frequently used sensational Telegram posts, polls, and even interactive doxing campaigns to build engagement — tactics that “fuse entertainment with intimidation.”
Since its creation, SLH’s Telegram channels have been removed and recreated more than sixteen times, a pattern the report calls “a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption.”
Every iteration — from “Scattered LAPSUS$ Hunters 1.0” to “7.0” — reemerged almost immediately after takedowns.
Its emergence also coincided with the collapse of BreachForums, a long-standing hub for stolen data trading and cybercrime recruitment. “Into that vacuum, Scattered LAPSUS$ Hunters inserted itself, repackaging reputational assets from defunct collectives and inheriting fragments of their audiences,” Trustwave explains.
Unlike traditional ransomware groups that operate quietly, SLH thrives on publicity, theater, and community validation. The group “actively uses Telegram as both a performative marketing and public messaging platform — a style more typical of hacktivist or attention-driven groups,” the report notes.
Trustwave stresses that SLH is not politically or socially motivated. Its antagonism toward law enforcement, particularly the FBI and the UK’s National Crime Agency (NCA), is largely performative.
“The group’s messaging, aside from its antagonism of law enforcement, appears primarily driven by financial incentives, even if delivered in a style that borrows from attention-driven or hacktivist practices,” SpiderLabs researchers conclude.
Though dozens of handles appear active in SLH’s channels, linguistic and posting patterns suggest a small core team — likely fewer than five individuals — drives the operation.
Trustwave identifies “shinycorp” (also known as @sp1d3rhunters, @sloke48, or @shinyc0rp) as the principal orchestrator, responsible for breach claims and public coordination. Another notable figure, “Alg0d,” acts as a data broker and negotiator, while auxiliary identities like “UNC5537,” “Rey,” and “SLSHsupport” amplify messages and manage engagement.
One standout persona, “Yukari/Cvsp”, is described as an exploit and initial access broker with verified technical proficiency. “Previous associations with the BlackLotus UEFI bootkit and Medusa rootkit lend credibility to this assessment,” the report states, adding that Yukari’s reputation is reinforced by escrow-backed high-value exploit sales.
Beyond its public theatrics, SLH demonstrates operational maturity consistent with top-tier cybercrime groups. Its tactics integrate cloud-first data extortion, AI-powered phishing and vishing, and custom exploit development.
The group’s claimed exploits include CVE-2025-61882 (Oracle E-Business Suite) and CVE-2025-31324 (SAP NetWeaver) — vulnerabilities previously linked to sophisticated ransomware operators like Cl0p.