Mallory

Scattered Lapsus$ Hunters Data Leaks and Threats Following Law Enforcement Action

Tags: underground-data-leak, mass-credential-exposure, cybercrime-service-ecosystem, cloud-service-vulnerability, enforcement-action
Updated March 21, 2026 at 03:44 PM. 6 sources.

The Scattered Lapsus$ Hunters (SLSH), a cybercrime collective formed from members of Scattered Spider, Lapsus$, and ShinyHunters, announced a temporary retreat from online activity after the FBI seized their clearweb site. The group, known for its Western and English-speaking membership, issued a series of aggressive messages on Telegram, vowing to retaliate against the FBI and promising a return in 2026. This announcement followed a period of heightened law enforcement scrutiny, including the arrest and charging of two teenagers in the UK for their alleged involvement in attacks attributed to Scattered Spider, a component of SLSH. The group has a history of dramatic exits and returns, having previously declared a hiatus only to reappear days later. SLSH has gained notoriety for targeting large organizations and for the scale of its operations.

In parallel with their public threats, the group claimed responsibility for a massive data breach affecting 39 major companies worldwide, exploiting a Salesforce vulnerability to steal 989 million records. They demanded negotiations with Salesforce and the affected firms, threatening to release the data if ignored. When their demands were unmet, SLSH published data allegedly belonging to six companies, including Qantas Airways, Vietnam Airlines, Fujifilm, GAP Inc., Engie Resources, and Albertsons Companies. The leaked datasets reportedly contain extensive personally identifiable information (PII), such as full names, addresses, passport numbers, phone numbers, email addresses, and, in the case of Qantas, detailed frequent flyer information and internal business data. The Qantas dataset alone is said to be 153 GB and includes over 5 million records. The authenticity of the data has been partially verified by independent analysis, though only the affected companies can fully confirm the breach.
The exposure of such sensitive information poses significant risks for identity theft, fraud, and targeted attacks against both individuals and organizations. The SLSH collective's actions have prompted calls for increased vigilance and improved cybersecurity measures among large enterprises, especially those using cloud-based platforms like Salesforce. Law enforcement agencies continue to investigate and pursue members of the group, while the cybersecurity community monitors for further developments and potential retaliatory actions promised by SLSH upon their return.

Timeline

  1. Oct 14, 2025

    Qantas confirms stolen customer data was released

    Qantas confirmed that cybercriminals had released stolen customer data, publicly acknowledging the leak after the threat actors published the dataset. This represented an official response from one of the named victims.

  2. Oct 13, 2025

    Threat actors say no further data will be leaked

    After publishing the initial datasets, the threat actors later stated on Telegram that no additional data would be released. This left the status of the remaining claimed victim data uncertain.

  3. Oct 13, 2025

    Researchers assess leaked files as likely legitimate

    Analysis published by Hackread said the leaked files appeared legitimate, while noting that only the affected companies could definitively verify the breach. The report also highlighted the scale of the claimed theft, including 989 million records across 39 organizations.

  4. Oct 10, 2025

    Datasets allegedly from six companies are published

    On October 10, 2025, the group marked as public datasets allegedly belonging to Fujifilm, GAP, Vietnam Airlines, Engie Resources, Qantas Airways Limited, and Albertsons. The leaked Qantas and Vietnam Airlines data was described as especially large and sensitive, including PII, loyalty/CRM data, and internal metadata.

  5. Oct 10, 2025

    Threat actors set October 10 deadline for victim negotiations

    A group calling itself “Scattered Lapsus$ Hunters” claimed it had stolen data from 39 companies via a Salesforce vulnerability and warned that data would be released unless victims opened negotiations by October 10, 2025.


Related Stories

Scattered LAPSUS$ Hunters Target Salesforce via Gainsight Supply Chain Attack

The cybercriminal alliance known as Scattered LAPSUS$ Hunters (SLSH), an amalgamation of groups including Scattered Spider, LAPSUS$, and ShinyHunters, has intensified its campaign of data theft and extortion against major corporations. In November 2025, Salesforce detected unusual activity involving Gainsight-published applications, leading to the revocation of access tokens and removal of affected apps from its AppExchange. Salesforce determined that the incident was not due to a vulnerability in its platform, but rather unauthorized access to customer data through compromised app connections. The breach was traced back to a supply chain attack on Salesloft Drift in August 2025, which enabled attackers to obtain secrets used to access additional Salesforce instances. Gainsight confirmed that stolen OAuth tokens were used in the attack, and indicators of compromise were shared with affected customers. SLSH has leveraged this access to threaten public data leaks and extort both Salesforce and its customers, with a new extortion portal listing dozens of victim companies, including Toyota, FedEx, Disney/Hulu, and UPS. The group has also escalated its tactics by openly recruiting insiders from large organizations, offering rewards for internal access to facilitate further breaches. Recent reports indicate that SLSH's activities are coordinated through Telegram channels, and the group has been linked to high-profile incidents involving both data theft and attempted insider recruitment. Security advisories and ongoing investigations highlight the persistent threat posed by SLSH and the importance of monitoring supply chain risks and insider threats.

1 month ago
Emergence and Operations of the Scattered LAPSUS$ Hunters Cybercrime Supergroup

A new cybercrime supergroup known as Scattered LAPSUS$ Hunters has emerged in 2025, combining the capabilities and tactics of three notorious threat actors: Scattered Spider, LAPSUS$, and ShinyHunters. This alliance marks a significant escalation in the threat landscape, as the group leverages a blend of social engineering, technical attacks, and public extortion to target high-value enterprise environments. The group is known for its multi-phase assaults, which often begin with sophisticated social engineering techniques such as phone-based vishing to gain initial access, particularly by targeting help desks and exploiting human vulnerabilities. Once inside, the attackers employ insider recruitment, source code theft, and large-scale data exfiltration, drawing on the distinct strengths of each constituent group. Scattered LAPSUS$ Hunters have focused their attacks on major SaaS platforms, including Salesforce, as well as enterprise applications from Oracle and SAP. Their victim list includes prominent organizations across retail, aviation, insurance, and automotive sectors, with named targets such as Home Depot, Marriott, the National Bank of Canada, and Tata Motors' Jaguar Land Rover. The group’s operations are characterized by unpredictability and a willingness to disrupt major businesses, often causing significant operational and reputational damage. Unlike traditional ransomware groups, Scattered LAPSUS$ Hunters do not limit themselves to endpoint infections and ransom demands; they also engage in ransoming stolen data and public extortion campaigns. The group’s members, reportedly including Western teenagers with substantial cryptocurrency holdings, operate with little regard for the consequences of their actions, further complicating law enforcement efforts. Their tactics reflect a shift from the previously dominant Russian ransomware model to a more chaotic, opportunistic approach. 
The group’s emergence from the cybercrime community known as The Com highlights the evolving nature of cybercriminal alliances and the increasing sophistication of their playbooks. Security experts have noted that the group’s attacks are not only technically advanced but also highly adaptive, making them particularly challenging to defend against. Organizations are advised to strengthen their social engineering defenses, monitor for insider threats, and enhance detection capabilities for unusual access patterns. The rise of Scattered LAPSUS$ Hunters underscores the need for a holistic security posture that addresses both technical and human vulnerabilities. Their activities in 2025 have set a new benchmark for the scale and impact of cybercrime supergroups, prompting urgent calls for improved cross-sector collaboration and intelligence sharing.

1 month ago
Formation of Scattered LAPSUS$ Hunters Cybercriminal Alliance

Scattered Spider, LAPSUS$, and ShinyHunters have merged to form a new cybercriminal collective known as Scattered LAPSUS$ Hunters (SLH), launching in early August 2025. This alliance operates as a federated entity, leveraging the reputations and operational tactics of its constituent groups to offer Extortion-as-a-Service (EaaS) to affiliates. The group has used Telegram as its primary platform for coordination, public announcements, and brand-building, frequently recreating channels to evade platform moderation. SLH has also established data leak sites on both the clear web and the dark web to publish proof-of-compromise materials and intimidate victims, including organizations using Salesforce. The collective is closely associated with the broader cybercriminal milieu known as "The Com," which is characterized by fluid collaboration and brand-sharing among threat actors. SLH's emergence marks a deliberate attempt to consolidate influence and amplify the impact of extortion campaigns by uniting well-known cybercrime brands. The group has also displayed affiliations with other clusters such as CryptoChameleon and Crimson Collective, further expanding its operational reach and narrative. The adoption of a centralized "Operations Centre" label on Telegram posts projects an image of organizational legitimacy, enhancing the group's ability to market its services and attract affiliates.

1 month ago
