Scattered LAPSUS$ Hunters Emerges as New Extortion-as-a-Service Cybercriminal Alliance

Written by: Lore Apostol, Cybersecurity Writer

Scattered LAPSUS$ Hunters (SLH) has emerged as a formidable new threat group, apparently the result of the consolidation of three well-known cybercriminal collectives. This alliance signals a professionalization of cybercriminal branding, where narrative control is as crucial as technical skill.

The group uses Telegram as its primary operational hub for communication, brand-building, and public messaging – a style more typical of hacktivist groups than of purely financially motivated hackers.

Tactics and Operational Model

First observed in early August 2025, this "federated alliance" comprises Muddled Libra (aka Scattered Spider), Bling Libra (aka ShinyHunters), and LAPSUS$, and is part of a broader community of cybercriminals dubbed The Com, short for The Community. It leverages the infamous branding of its predecessors to create a powerful, intimidating presence.

Screenshot of the group’s leak site | Source: UpGuard

The core of SLH's business model is Extortion-as-a-Service (EaaS), offering its capabilities to affiliates and soliciting customers for targeted attacks. The group’s tactics are a hybrid of sophisticated social engineering and advanced technical exploitation. 

Observed Telegram channels and activity periods | Source: Trustwave

Researchers at Trustwave have observed the use of AI-automated vishing tools to harvest credentials, followed by lateral movement to escalate privileges and exfiltrate data rapidly. 

Channel announcement advertising an Extortion-as-a-Service offering and soliciting customers | Source: Trustwave

SLH also demonstrates significant exploit development capabilities and concentrates on high-value targets like SaaS providers, corporate CRMs, and large databases, suggesting a focus on high-return data theft and extortion. The group also created a new leak site in early October.

Implications for Cybersecurity Threats

The rise of Scattered LAPSUS$ Hunters represents a significant evolution in the landscape of cybersecurity threats. By merging the skills, resources, and reputations of previously semi-autonomous groups, SLH has created a more capable and versatile operational structure. 

Their focus on cloud-first extortion and demonstrated ability to research and acquire zero-day vulnerabilities make them a serious threat to organizations worldwide. 

This consolidation highlights a trend toward more organized and strategically branded cybercriminal operations, making attribution more complex and requiring defenders to adapt to this new hybrid model of performative and profit-driven attacks.

Other cybersecurity firms published reports on this supergroup of hackers, including Panda Security reporting on their Telegram channels allegedly going dark, Palo Alto’s Unit 42 in a recent analysis, and Picus Security calling it “2025's most dangerous cybercrime supergroup.” In September, the group announced its retirement, most probably as a theatrical exit.

SLH was linked to several intrusions over the past months. The most prominent was the Salesforce data breach that impacted several organizations, including Google, Cisco, Air France-KLM Group, Red Hat, and others. 

