Scattered LAPSUS Hunters Insider Incident at CrowdStrike and Ransomware Developments
CrowdStrike confirmed that an insider was terminated after sharing screenshots of internal systems with the Scattered LAPSUS$ Hunters, a cybercrime collective comprising Scattered Spider, LAPSUS$, and ShinyHunters. The threat actors posted these screenshots on Telegram and claimed to have paid the insider $25,000 for access, including SSO authentication cookies, but CrowdStrike detected the activity and shut down access before any customer data was compromised. The company emphasized that its systems were not breached and that law enforcement has been notified.
Meanwhile, the Scattered LAPSUS$ Hunters collective has escalated its operations, launching a new Telegram channel and increasing its public activity. The group, which has a history of social engineering and SaaS supply chain breaches, is also linked to the development of a new ransomware-as-a-service platform called ShinySp1d3r. This RaaS, created by ShinyHunters and Scattered Spider, is being built from scratch and features advanced capabilities, signaling a shift from using third-party ransomware to deploying their own tools in future attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Threat actors escalate activity with new channel and Gainsight breach
Researchers reported that the Scattered/LAPSUS$/Hunters-linked actors expanded operations using a new communication channel and tied the activity to a breach involving Gainsight. This represented a notable escalation in the campaign's scope and victim impact.
CrowdStrike identifies insider sharing information with hackers
CrowdStrike reported detecting an insider who was feeding information to hackers, revealing a new development in the broader activity associated with the threat cluster. The disclosure indicated that the attackers had support or intelligence from within an organization.
ShinyHunters launches ShinySp1d3r ransomware-as-a-service
A new ransomware-as-a-service operation called ShinySp1d3r was created and linked to the ShinyHunters threat actor. The launch marked an escalation from the group's prior data-theft and extortion activity into ransomware operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Scattered LAPSUS Hunters Escalate With New Channel and Gainsight Breach
socradar.io
Open sourceCrowdStrike catches insider feeding information to hackers
bleepingcomputer.com
Open sourceMeet ShinySp1d3r: New Ransomware-as-a-Service created by ShinyHunters
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Scattered Lapsus$ Hunters Resurgence and ShinySp1d3r RaaS Platform Launch
The Scattered Lapsus$ Hunters threat group has re-emerged after a period of inactivity, unveiling a new Ransomware-as-a-Service (RaaS) platform called ShinySp1d3r. This platform is reportedly a collaboration involving operators from ShinyHunters, Scattered Spider, and Lapsus$, and marks a shift in the group’s tactics toward structured insider recruitment and commission-based access deals. The group is actively seeking insiders from large organizations, particularly those with annual revenues over $500 million, and is excluding targets in Russia, China, North Korea, Belarus, and the healthcare sector. Recruitment efforts are focused on individuals who can provide privileged access to corporate systems, with tiered commissions for different types of access, and the group is leveraging underground forums and Telegram channels to coordinate these activities. Simultaneously, security researchers have been monitoring and countering the group’s activities. Resecurity deployed a honeypot that successfully engaged members of the Scattered Lapsus$ Hunters, leading to the exposure of internal communications and operational details. These communications revealed ongoing harassment campaigns against U.S. government officials and connections to high-profile breaches, such as the Snowflake incident, which impacted at least 160 organizations. The group’s renewed operations and aggressive insider recruitment strategy represent a significant escalation in their threat profile, with implications for a wide range of industries and government entities.
Apr 11, 2026
Emergence and Operations of the Scattered LAPSUS$ Hunters Cybercrime Supergroup
A new cybercrime supergroup known as Scattered LAPSUS$ Hunters has emerged in 2025, combining the capabilities and tactics of three notorious threat actors: Scattered Spider, LAPSUS$, and ShinyHunters. This alliance marks a significant escalation in the threat landscape, as the group leverages a blend of social engineering, technical attacks, and public extortion to target high-value enterprise environments. The group is known for its multi-phase assaults, which often begin with sophisticated social engineering techniques such as phone-based vishing to gain initial access, particularly by targeting help desks and exploiting human vulnerabilities. Once inside, the attackers employ insider recruitment, source code theft, and large-scale data exfiltration, drawing on the distinct strengths of each constituent group. Scattered LAPSUS$ Hunters have focused their attacks on major SaaS platforms, including Salesforce, as well as enterprise applications from Oracle and SAP. Their victim list includes prominent organizations across retail, aviation, insurance, and automotive sectors, with named targets such as Home Depot, Marriott, the National Bank of Canada, and Tata Motors' Jaguar Land Rover. The group’s operations are characterized by unpredictability and a willingness to disrupt major businesses, often causing significant operational and reputational damage. Unlike traditional ransomware groups, Scattered LAPSUS$ Hunters do not limit themselves to endpoint infections and ransom demands; they also engage in ransoming stolen data and public extortion campaigns. The group’s members, reportedly including Western teenagers with substantial cryptocurrency holdings, operate with little regard for the consequences of their actions, further complicating law enforcement efforts. Their tactics reflect a shift from the previously dominant Russian ransomware model to a more chaotic, opportunistic approach. The group’s emergence from the cybercrime community known as The Com highlights the evolving nature of cybercriminal alliances and the increasing sophistication of their playbooks. Security experts have noted that the group’s attacks are not only technically advanced but also highly adaptive, making them particularly challenging to defend against. Organizations are advised to strengthen their social engineering defenses, monitor for insider threats, and enhance detection capabilities for unusual access patterns. The rise of Scattered LAPSUS$ Hunters underscores the need for a holistic security posture that addresses both technical and human vulnerabilities. Their activities in 2025 have set a new benchmark for the scale and impact of cybercrime supergroups, prompting urgent calls for improved cross-sector collaboration and intelligence sharing.
Mar 21, 2026
Formation of Scattered LAPSUS$ Hunters Cybercriminal Alliance
Scattered Spider, LAPSUS$, and ShinyHunters have merged to form a new cybercriminal collective known as Scattered LAPSUS$ Hunters (SLH), launching in early August 2025. This alliance operates as a federated entity, leveraging the reputations and operational tactics of its constituent groups to offer Extortion-as-a-Service (EaaS) to affiliates. The group has used Telegram as its primary platform for coordination, public announcements, and brand-building, frequently recreating channels to evade platform moderation. SLH has also established data leak sites on both the clear web and the dark web to publish proof-of-compromise materials and intimidate victims, including organizations using Salesforce. The collective is closely associated with the broader cybercriminal milieu known as "The Com," which is characterized by fluid collaboration and brand-sharing among threat actors. SLH's emergence marks a deliberate attempt to consolidate influence and amplify the impact of extortion campaigns by uniting well-known cybercrime brands. The group has also displayed affiliations with other clusters such as CryptoChameleon and Crimson Collective, further expanding its operational reach and narrative. The adoption of a centralized "Operations Centre" label on Telegram posts projects an image of organizational legitimacy, enhancing the group's ability to market its services and attract affiliates.
Mar 21, 2026