Scattered Lapsus$ Hunters Resurgence and ShinySp1d3r RaaS Platform Launch
The Scattered Lapsus$ Hunters threat group has re-emerged after a period of inactivity, unveiling a new Ransomware-as-a-Service (RaaS) platform called ShinySp1d3r. This platform is reportedly a collaboration involving operators from ShinyHunters, Scattered Spider, and Lapsus$, and marks a shift in the group’s tactics toward structured insider recruitment and commission-based access deals. The group is actively seeking insiders from large organizations, particularly those with annual revenues over $500 million, and is excluding targets in Russia, China, North Korea, Belarus, and the healthcare sector. Recruitment efforts are focused on individuals who can provide privileged access to corporate systems, with tiered commissions for different types of access, and the group is leveraging underground forums and Telegram channels to coordinate these activities.
Simultaneously, security researchers have been monitoring and countering the group’s activities. Resecurity deployed a honeypot that successfully engaged members of the Scattered Lapsus$ Hunters, leading to the exposure of internal communications and operational details. These communications revealed ongoing harassment campaigns against U.S. government officials and connections to high-profile breaches, such as the Snowflake incident, which impacted at least 160 organizations. The group’s renewed operations and aggressive insider recruitment strategy represent a significant escalation in their threat profile, with implications for a wide range of industries and government entities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Resecurity publishes report exposing Binns-linked communications
Resecurity released a report containing more than 1,000 messages tied to John Erin Binns, exposing communications with associates and ongoing malicious activity. The report linked Binns to Cameron John Wagenius and Connor Riley Moucka and described continued operations under new aliases using foreign infrastructure.
Actors leak CrowdStrike and Okta screenshots to build credibility
As part of their insider-recruitment campaign, the operators shared screenshots allegedly taken from CrowdStrike and Okta systems to demonstrate access and reassure potential collaborators. The tactic was presented as evidence of active insider-enabled compromises.
Group launches ShinySp1d3r RaaS and recruits insiders
The revived group began promoting a new ransomware-as-a-service platform called ShinySp1d3r, described as a collaboration involving operators from ShinyHunters, Scattered Spider, and Lapsus$. At the same time, it aggressively recruited insiders and initial access brokers with access to VPN, VDI, Citrix, or AnyDesk environments in targeted sectors.
Scattered Lapsus$ Hunters resume operations after inactivity
After a period of inactivity following earlier supply-chain attacks on Salesforce third-party integrations, the Scattered Lapsus$ Hunters group resumed operations. The group restructured its operations and shifted toward a more organized criminal model.
ID Ransomware begins identifying Sh1nySp1d3r cases
ID Ransomware reportedly started identifying Sh1nySp1d3r ransomware in mid-November 2025, with activity observed through November and December 2025. The operation was described as a low-prevalence ransomware threat focused on VMware ESXi environments and associated with ShinyHunters-linked actors.
Cameron John Wagenius arrested over telecom intrusions
U.S. authorities arrested Cameron John Wagenius, a U.S. Army soldier, for infiltrating telecommunications providers and leaking sensitive call logs. The case was linked in reporting to the broader Snowflake and ShinyHunters-related activity.
AT&T reportedly pays ransom over stolen data
AT&T reportedly paid $370,000 to prevent the public release of data stolen in the Snowflake-linked breach campaign. The payment was described as part of the extortion activity carried out by the ShinyHunters-linked actors.
Snowflake-linked breach campaign impacts at least 160 organizations
Threat actors associated with ShinyHunters conducted a large-scale breach campaign tied to Snowflake environments, compromising sensitive data from at least 160 organizations including AT&T and Ticketmaster. The intrusions led to extortion attempts and raised national security concerns.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Шифровальщики-вымогатели The Digest "Crypto-Ransomware": ShinySpider, Sh1nySp1d3r
id-ransomware.blogspot.com
Open sourceScattered Lapsus$ Hunters Resurface with New RaaS Platform ‘ShinySp1d3r’ and Aggressive Insider Recruitment
cybersecuritynews.com
Open sourceResecurity Went on the Cyber Offensive – When ‘Shiny Objects’ trick ‘Shiny Hunters’
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Scattered LAPSUS Hunters Insider Incident at CrowdStrike and Ransomware Developments
CrowdStrike confirmed that an insider was terminated after sharing screenshots of internal systems with the Scattered LAPSUS$ Hunters, a cybercrime collective comprising Scattered Spider, LAPSUS$, and ShinyHunters. The threat actors posted these screenshots on Telegram and claimed to have paid the insider $25,000 for access, including SSO authentication cookies, but CrowdStrike detected the activity and shut down access before any customer data was compromised. The company emphasized that its systems were not breached and that law enforcement has been notified. Meanwhile, the Scattered LAPSUS$ Hunters collective has escalated its operations, launching a new Telegram channel and increasing its public activity. The group, which has a history of social engineering and SaaS supply chain breaches, is also linked to the development of a new ransomware-as-a-service platform called ShinySp1d3r. This RaaS, created by ShinyHunters and Scattered Spider, is being built from scratch and features advanced capabilities, signaling a shift from using third-party ransomware to deploying their own tools in future attacks.
Mar 21, 2026
Emergence and Operations of the Scattered LAPSUS$ Hunters Cybercrime Supergroup
A new cybercrime supergroup known as Scattered LAPSUS$ Hunters has emerged in 2025, combining the capabilities and tactics of three notorious threat actors: Scattered Spider, LAPSUS$, and ShinyHunters. This alliance marks a significant escalation in the threat landscape, as the group leverages a blend of social engineering, technical attacks, and public extortion to target high-value enterprise environments. The group is known for its multi-phase assaults, which often begin with sophisticated social engineering techniques such as phone-based vishing to gain initial access, particularly by targeting help desks and exploiting human vulnerabilities. Once inside, the attackers employ insider recruitment, source code theft, and large-scale data exfiltration, drawing on the distinct strengths of each constituent group. Scattered LAPSUS$ Hunters have focused their attacks on major SaaS platforms, including Salesforce, as well as enterprise applications from Oracle and SAP. Their victim list includes prominent organizations across retail, aviation, insurance, and automotive sectors, with named targets such as Home Depot, Marriott, the National Bank of Canada, and Tata Motors' Jaguar Land Rover. The group’s operations are characterized by unpredictability and a willingness to disrupt major businesses, often causing significant operational and reputational damage. Unlike traditional ransomware groups, Scattered LAPSUS$ Hunters do not limit themselves to endpoint infections and ransom demands; they also engage in ransoming stolen data and public extortion campaigns. The group’s members, reportedly including Western teenagers with substantial cryptocurrency holdings, operate with little regard for the consequences of their actions, further complicating law enforcement efforts. Their tactics reflect a shift from the previously dominant Russian ransomware model to a more chaotic, opportunistic approach. The group’s emergence from the cybercrime community known as The Com highlights the evolving nature of cybercriminal alliances and the increasing sophistication of their playbooks. Security experts have noted that the group’s attacks are not only technically advanced but also highly adaptive, making them particularly challenging to defend against. Organizations are advised to strengthen their social engineering defenses, monitor for insider threats, and enhance detection capabilities for unusual access patterns. The rise of Scattered LAPSUS$ Hunters underscores the need for a holistic security posture that addresses both technical and human vulnerabilities. Their activities in 2025 have set a new benchmark for the scale and impact of cybercrime supergroups, prompting urgent calls for improved cross-sector collaboration and intelligence sharing.
Mar 21, 2026
Scattered Lapsus$ Hunters Data Leaks and Threats Following Law Enforcement Action
The Scattered Lapsus$ Hunters (SLSH), a cybercrime collective formed from members of Scattered Spider, Lapsus$, and ShinyHunters, announced a temporary retreat from online activity after the FBI seized their clearweb site. The group, known for its Western and English-speaking membership, issued a series of aggressive messages on Telegram, vowing to retaliate against the FBI and promising a return in 2026. This announcement followed a period of heightened law enforcement scrutiny, including the arrest and charging of two teenagers in the UK for their alleged involvement in attacks attributed to Scattered Spider, a component of SLSH. The group has a history of dramatic exits and returns, having previously declared a hiatus only to reappear days later. SLSH has gained notoriety for targeting large organizations and for the scale of its operations. In parallel with their public threats, the group claimed responsibility for a massive data breach affecting 39 major companies worldwide, exploiting a Salesforce vulnerability to steal 989 million records. They demanded negotiations with Salesforce and the affected firms, threatening to release the data if ignored. When their demands were unmet, SLSH published data allegedly belonging to six companies, including Qantas Airways, Vietnam Airlines, Fujifilm, GAP Inc., Engie Resources, and Albertsons Companies. The leaked datasets reportedly contain extensive personally identifiable information (PII), such as full names, addresses, passport numbers, phone numbers, email addresses, and, in the case of Qantas, detailed frequent flyer information and internal business data. The Qantas dataset alone is said to be 153 GB and includes over 5 million records. The authenticity of the data has been partially verified by independent analysis, though only the affected companies can fully confirm the breach. The exposure of such sensitive information poses significant risks for identity theft, fraud, and targeted attacks against both individuals and organizations. The SLSH collective's actions have prompted calls for increased vigilance and improved cybersecurity measures among large enterprises, especially those using cloud-based platforms like Salesforce. Law enforcement agencies continue to investigate and pursue members of the group, while the cybersecurity community monitors for further developments and potential retaliatory actions promised by SLSH upon their return.
Mar 21, 2026