Hackers Threaten Google with Data Breach Unless TIG and Mandiant Employees Are Fired
Published
- Google breach threat: A group of hackers claiming to be associated with known APTs warned Google of an imminent data breach.
- Hacker demands: “Scattered LapSus Hunters” threatened to attack the tech giant unless two employees were dismissed.
- Who hackers want fired: TIG threat analyst Austin Larsen and Mandiant CTO Charles Carmakal were named in the warning.
Scattered Spider, LapSus, and ShinyHunters members threatened with a Google data breach, asking the tech giant through encrypted Telegram communications to terminate the employment of two specific individuals within the Threat Intelligence Group (TIG) and Mandiant infrastructure: Austin Larsen and Charles Carmakal.
Hacking Group Demands Target Security Personnel
The threat actors, operating under the designation Scattered LapSus Hunters, have issued specific demands requiring Google to terminate cybersecurity personnel Austin Larsen (Principal Threat Analyst with TIG) and Charles Carmakal (Chief Technology Officer at Mandiant), according to reports.
The warning additionally demands suspension of all ongoing investigations conducted by the threat intelligence division against the criminal network.
The criminal organization has not provided forensic evidence to support its claimed database access capabilities.
Reports indicate that the Telegram post was signed by “Scattered LapSus Hunters,” which purportedly represents a consolidated cybercriminal coalition comprising members from established threat groups Scattered Spider, LapSus, and ShinyHunters.
Did Google Recently Have a Data Breach?
No recent confirmed breaches of Google's core infrastructure have been documented. However, in August 2025, the company acknowledged that ShinyHunters had successfully compromised data through Salesforce, a third-party service provider supporting Google's operations.
Google announced that the recent wave of Salesforce-related breaches was orchestrated by Scattered Spider (UNC3944) and ShinyHunters (UNC6040). In June, Google reported that UNC6040 targeted Salesforce in a phishing campaign.
Yet, various phishing attempts have been reported by Gmail users, including fake Gmail security alerts that prompt users to reset their passwords via email and phone.
In early August, a Telegram channel called "ScatteredLapsuSp1d3rHunters" claimed responsibility for several high-profile attacks and reportedly leaked the Allianz Life data breach. Meanwhile, a hacker associated with the Scattered Spider group was sentenced to 10 years in federal prison.
Implications for Enterprise Security
This incident illustrates the expanding scope of criminal targeting, which extends beyond financial motivations to include personnel intimidation and operational disruption. The demands reflect adversarial attempts to neutralize threat hunting capabilities through direct pressure on security teams.
Google has not provided official statements regarding the warning or protective measures for named personnel.
Other recent reports involving Google include the SharePoint exploits impacting 100 entities, some of which were linked to Chinese threat actors.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Saturday.
Most Popular