The Cyber Underworld’s Most Shocking Alliance: Scattered Spider, LAPSUS$, and ShinyHunters Unite in a Game-Changing Merger!
Picture this: a band of notorious cyber criminals banding together like a high-stakes business merger, but with stakes that could cripple entire organizations. It’s not fiction—it’s the real story of a new collective that’s shaking up the digital crime scene. But here’s where it gets controversial: are these hackers just greedy opportunists, or are they evolving into something more like digital revolutionaries? Stick around, because this alliance is redefining how cyber threats operate, and it’s got everyone in the industry buzzing.
This emerging group, born from the fusion of three infamous cybercrime outfits—Scattered Spider, LAPSUS$, and ShinyHunters—has been making waves since early August. They’ve spawned an astounding 16 Telegram channels starting from August 8, 2025, each time bouncing back after platform moderators shut them down. It’s a relentless game of cat and mouse, where the group’s operators keep reinventing their online presence under slight variations of the same name. As Trustwave SpiderLabs, a division of LevelBlue, explains in their detailed report shared with The Hacker News (check it out at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/), this cycle underscores both the challenges of online moderation and the hackers’ unyielding resolve to maintain a public voice in the cyber realm.
Dubbed Scattered LAPSUS$ Hunters (or SLH for short), this alliance first hit the headlines (as covered at https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html) in early August, kicking off a spree of data extortion strikes against various companies, including those relying on platforms like Salesforce in recent times. At its heart, SLH offers something called Extortion-as-a-Service (EaaS)—think of it as a subscription model for crime, where other cybercriminals can sign up to leverage the group’s name and reputation to demand ransoms from victims in exchange for not releasing stolen data. For beginners wondering what that means, it’s essentially a service that lowers the entry barrier for less-skilled hackers, allowing them to tap into established notoriety without building everything from scratch.
All three founding groups are believed to be part of a broader, loosely connected cybercriminal network known as The Com. This network thrives on flexible partnerships and shared branding, creating a fluid ecosystem where groups collaborate seamlessly. SLH has also shown ties to other related clusters, such as CryptoChameleon (detailed at https://thehackernews.com/2024/03/new-phishing-kit-leverages-sms-voice.html) and Crimson Collective (explored in https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#crimson-collective-targets-aws-environments), highlighting how these entities cross-pollinate tactics and resources.
Telegram serves as the nerve center for SLH’s operations, much like a digital headquarters. The cybersecurity experts at Trustwave describe it as a hub for coordination and publicity, mimicking the flair of hacktivist collectives—those groups driven by ideology as much as profit. This dual role makes their channels a powerful tool: a loudspeaker for spreading messages and a marketplace for promoting services. As the group grew, their posts started sporting signatures from an ‘SLH/SLSH Operations Centre,’ a self-proclaimed title that evokes an image of a structured command, adding a veneer of officialdom to what might otherwise seem like chaotic chatter. And this is the part most people miss: in the shadowy world of cybercrime, perception is power—building a ‘brand’ can make fragmented efforts feel like a well-oiled machine.
Beyond coordination, SLH’s Telegram presence has become a stage for bold moves. Members have publicly accused Chinese government-backed hackers of exploiting the same vulnerabilities they’ve targeted, while also lashing out at U.S. and U.K. law enforcement. To top it off, they’ve encouraged their followers to join in harassment campaigns, such as tracking down email addresses of top executives (think CEOs and CFOs) and bombarding them with messages—all for a small fee of just $100. This tactic blurs the line between crowdsourced activism and outright cyberbullying, raising eyebrows about ethics in the digital age.
The alliance boasts a roster of affiliated clusters, forming a tight-knit confederation within The Com network that pools diverse skills under one banner. Here’s a breakdown for clarity:
- Shinycorp (also known as sp1d3rhunters): This group handles coordination and shapes the overall brand image, acting like a PR team for the underworld.
- UNC5537 (linked to the Snowflake data breach, as reported at https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html): They specialize in extortion tactics tied to large-scale data thefts.
- UNC3944 (connected to Scattered Spider, per https://thehackernews.com/2025/06/google-warns-of-scattered-spider.html): Experts in social engineering to infiltrate systems.
- UNC6040 (involved in recent Salesforce phishing scams, detailed at https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html): Masters of vishing—voice-based phishing that tricks people over the phone.
Key figures in the mix include personas like Rey and SLSHsupport, who keep the community engaged, and yuka (also called Yukari or Cvsp), a seasoned exploit developer who positions themselves as an Initial Access Broker (IAB)—someone who sells entry points into secure systems, much like a real estate agent for hackers. These individuals and groups work together, showcasing how SLH is more than a sum of its parts.
While stealing data and demanding ransoms remain SLH’s bread and butter, they’ve teased a new ransomware variant called Sh1nySp1d3r (or ShinySp1d3r), designed to compete with heavyweights like LockBit and DragonForce (mentioned in https://thehackernews.com/2024/09/microsoft-identifies-storm-0501-as.html). This hints at potential future operations where they deploy malware to encrypt files and hold them hostage, adding ransomware to their arsenal.
Trustwave paints SLH as straddling the divide between profit-driven crime and attention-seeking hacktivism—a mix where money and social kudos drive their actions. By blending theatrical branding, recycled reputations, cross-platform hype, and intricate identity management, these actors demonstrate a savvy understanding of how to wield perception as a weapon in the cybercrime world. As Trustwave puts it, their tactics blend social engineering (manipulating people), exploit creation (finding and using software weaknesses), and narrative warfare (crafting stories to sway opinions)—a sophisticated approach more akin to seasoned pros than rookie crooks.
But Wait, There’s More: The Cartelization of Cyber Threats Escalates
This revelation comes hot on the heels of insights from Acronis, revealing that the crew behind DragonForce has rolled out a fresh malware version. It abuses vulnerable drivers like truesight.sys and rentdrv2.sys (components of the BadRentdrv2 toolkit, available at https://github.com/keowu/BadRentdrv2) to sidestep security defenses and terminate protected processes. This is an example of a Bring Your Own Vulnerable Driver (BYOVD) attack (explained further at https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/), where attackers load a legitimately signed but flawed driver and use its known weaknesses to operate with kernel-level privileges. Think of it as sneaking through a back door in a secure building: the driver is trusted, so the operating system lets it in.
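As an added illustration of the defender's side of the BYOVD point above (this is example code, not Acronis's, Trustwave's or the article's), the script below triages constructed Sysmon Event ID 6 (DriverLoad) records and flags loads of the two driver names the article mentions, drivers loaded from outside the normal driver directories, and drivers without a valid signature. The pipe-separated `Key: value` record layout and every sample path are assumptions.

```python
"""Flag Bring-Your-Own-Vulnerable-Driver (BYOVD) loads in Sysmon-style driver-load records."""
from pathlib import PureWindowsPath

# Driver file names the article reports being abused by the DragonForce variant.
KNOWN_VULNERABLE_DRIVERS = {"truesight.sys", "rentdrv2.sys"}

# Directories from which legitimately installed kernel drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (r"c:\windows\system32\drivers", r"c:\windows\system32\driverstore")

# Constructed records shaped like Sysmon Event ID 6 fields (assumption: the collector
# exports them as 'Key: value' pairs separated by '|'). Paths and vendor are made up.
SAMPLE_EVENTS = [
    r"UtcTime: 2025-10-30 09:12:44.101|ImageLoaded: C:\Windows\System32\drivers\ndis.sys|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    r"UtcTime: 2025-10-30 09:13:02.530|ImageLoaded: C:\Users\Public\truesight.sys|Signed: true|Signature: EXAMPLE-VENDOR (constructed)|SignatureStatus: Valid",
    r"UtcTime: 2025-10-30 09:13:05.004|ImageLoaded: C:\Windows\Temp\rentdrv2.sys|Signed: true|Signature: EXAMPLE-VENDOR (constructed)|SignatureStatus: Valid",
    r"UtcTime: 2025-10-30 09:14:18.777|ImageLoaded: C:\ProgramData\svc\helper.sys|Signed: false|Signature: |SignatureStatus: Unavailable",
]


def parse_event(line: str) -> dict:
    """Split one 'Key: value|Key: value' record into a dict (first ':' separates key and value)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a driver load looks like BYOVD; an empty list means nothing notable."""
    path = PureWindowsPath(event.get("ImageLoaded", ""))
    name, parent = path.name.lower(), str(path.parent).lower()
    reasons = []
    if name in KNOWN_VULNERABLE_DRIVERS:
        reasons.append(f"known vulnerable driver name {name}")
    if not any(parent.startswith(d) for d in EXPECTED_DRIVER_DIRS):
        reasons.append(f"loaded from unexpected directory {parent}")
    # BYOVD drivers usually carry a valid signature (that is the whole trick), so this
    # check only catches the crude cases; the name and path checks do the real work.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature missing or invalid")
    return reasons


def triage(lines) -> dict[str, list[str]]:
    """Map each suspicious ImageLoaded path to its reasons; clean loads are omitted."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = assess_driver_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{image} -> {'; '.join(reasons)}")
```

In production the name set would be replaced by a maintained list (Microsoft's vulnerable driver blocklist, for example) and matched on file hash as well, since the file name is trivially renamed.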
DragonForce, which debuted its own ransomware cartel (as covered at https://thehackernews.com/2025/05/dragonforce-exploits-simplehelp-flaws.html) earlier this year, has now teamed up (reported at https://thehackernews.com/2025/10/lockbit-qilin-and-dragonforce-join.html) with giants like Qilin and LockBit. The goal? To share tools, tricks, and infrastructure, boosting everyone’s capabilities in a cartel-like setup. As Acronis researchers note (in their post at https://www.acronis.com/en/tru/posts/the-dragonforce-cartel-scattered-spider-at-the-gate/), affiliates can wield their own malware using DragonForce’s resources while flying under their banner. This democratizes ransomware operations, letting both veterans and newcomers launch attacks without the hassle of building a full ecosystem from zero.
DragonForce is also closely linked to Scattered Spider, with the latter acting as a subcontractor. Scattered Spider specializes in breaching targets via advanced social engineering, such as targeted spear-phishing emails or vishing calls, then installing remote access tools like ScreenConnect, AnyDesk, TeamViewer, or Splashtop for deep reconnaissance before the DragonForce payload is unleashed. Acronis highlights how DragonForce built on leaked Conti source code, tweaking it just enough to create a 'dark successor' with an encrypted configuration that hides its settings from command-line traces, keeping the core mechanics intact while adding their own stamp.
What do you think? Is this merger a sign of cybercrime maturing into organized syndicates, or just opportunists piggybacking on each other’s fame? Do you believe these groups’ hacktivist leanings make them more or less dangerous, and should platforms like Telegram do more to curb them? Share your thoughts in the comments—we’d love to hear your take on this evolving threat landscape!