A new cybercrime alliance is taking shape. The emerging collective (combining three of the most notorious groups, Scattered Spider, LAPSUS$, and ShinyHunters) has launched no fewer than 16 Telegram channels since 8 August.
In a new advisory, Trustwave SpiderLabs says the group, now dubbed Scattered LAPSUS$ Hunters (SLH), is positioning itself as a federated collective. It’s a shift from earlier hints of tactical cooperation to something a lot more structured and persistent.
“Since its debut, the group’s Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption,” Trustwave SpiderLabs said.
The merger has been rumored for months, but the new research appears to codify it. SLH surfaced in early August, quickly launching data-extortion attacks, some targeting organizations using Salesforce.
An EaaS Model
At its core is an Extortion-as-a-Service (EaaS) model. Affiliates can join in, demanding payments from victims while borrowing the “brand” and notoriety of the larger entity.
All three founding clusters are believed to be part of The Com, a loose, federated cybercriminal ecosystem known for “fluid collaboration and brand-sharing.” SLH has since displayed links with other groups including CryptoChameleon and Crimson Collective, signaling a deliberate strategy to merge reputations under one hybrid brand.
The timing is telling. SLH’s arrival follows the collapse of BreachForums, long a central marketplace for leaks and recruitment. That shutdown left a vacuum in the underground scene, one SLH seems eager to fill.
By reviving the reputations of its predecessor groups, the collective is recycling infamy into a new business model. The goal: to attract displaced operators and reassert dominance in a fractured cybercrime landscape.
Thriving on Takedowns
Trustwave’s analysis describes a group that’s not just surviving takedowns but thriving on them. Each time Telegram removes a channel, a new one appears, often within hours. One version, “Scattered LAPSUS$ Hunters 7.0,” was deleted only for the group to hint at “going dark for a while,” a familiar move in the cat-and-mouse cycle of cybercrime branding.
Unlike traditional gangs, SLH isn’t built around hierarchy. It’s built around visibility. The group’s Telegram activity mixes extortion threats, polls, and performative taunts aimed at law enforcement. Members boast of “Sh1nySp1d3r ransomware,” tease leaked data, and invite followers to join harassment or doxing campaigns for pay or clout.
That blend of spectacle and commerce makes SLH hard to categorize. It behaves like a cross between a ransomware gang and a social media influencer collective—part financial operation, part performance.
The Operation is Small
Behind the noise, though, Trustwave analysts believe the operation is small. Dozens of online personas appear active, but linguistic and behavioral patterns suggest fewer than five individuals drive the core.
Among them: @shinycorp, believed to be the main orchestrator, issuing breach claims and mocking enforcement efforts. Others like “Sevy,” “Rey,” and “Alg0d” amplify the message. One member, “Yukari/Cvsp,” stands out for technical skill, previously linked to exploit development and tools like the BlackLotus UEFI bootkit and Medusa rootkit.
Technically, SLH operates with precision. Its campaigns focus on cloud-first targets (SaaS, CRMs, and corporate databases) where data aggregation makes for fast ROI. The group also shows signs of exploit acquisition, referencing vulnerabilities like CVE-2025-61882 (Oracle E-Business Suite), previously seen in Cl0p operations. Whether that claim is true remains unclear.
What’s clear is that SLH represents an evolution. It’s less a formal merger than a brand alliance, a flexible identity structure where multiple actors collaborate, impersonate, and amplify each other under a single banner.
In other words, cybercrime is learning the power of the collective. SLH’s emergence shows that today’s threat actors no longer need to be centralized to be dangerous. They just need to be connected, and loud.
As Trustwave said, this is “a federated identity model” built on attention, reputation, and reinvention.
SLH’s persistence, despite repeated disruption, suggests that the future of cybercrime may not look like a cartel, but like a franchise.
A Merger of Extreme Convenience
Mayuresh Dani, Security Research Manager, at Qualys Threat Research Unit, said: “This is a merger of extreme convenience. Scattered Spider brings social engineering expertise that helps the group bypass enterprise MFA implementations, while LAPSUS$ is apt at moving laterally inside networks. ShinyHunters brings in data extortion and exfiltration capabilities. Combine all three together and enterprises face a threat group who are experts in initial access, lateral movement and data exfiltration. From what we can see, they colluded at BreachForums. However, since its takedown the group has moved operations to Telegram, a P2P-based resilient network, which really got the groups together.”
Based on the recent Red Hat heist, Dani added that the prime candidate for the next merger in his opinion will be the threat actor group named Crimson Collective. “They bring in a focus on cloud-native infrastructure attacks that Scattered Spider, LAPSUS$, and Shiny Hunters are lacking.”
Extortion-as-a-Service
Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch, says this highlights the ongoing maturation of cybercriminal operations: a self-applied label projects an organized command structure and lends legitimacy to fragmented groups.
“Bringing together three groups affiliated with the loose-knit The Com enterprise, the merger markets an Extortion-as-a-Service (EaaS) model with Scattered Spider contributing expertise in advanced social engineering, ShinyHunters handling large-scale data theft, and LAPSUS$ supplying reputational capital.”
Rucker explained that future mergers will likely follow this pattern of consolidation into larger umbrella groupings to establish further legitimacy in their reputation, especially as SLH already associates with adjacent clusters CryptoChameleon and Crimson Collective.
“SLH’s ambition to deploy a custom ransomware family, Sh1nySp1d3r, demonstrates their intent to rival other major groups like LockBit and DragonForce. Additionally, continued collaboration with initial access brokers and exploit developers, like the persona Yuka, ensures specialized technical capabilities drive future integrations.”
Andy Bennett, Chief Information Security Officer at Apollo Information Systems, added that whether or not an organization is more concerned with this group of attackers working together than they are a nation-state attacker likely depends on whether or not they are more likely to be targeted by this group or a nation-state. “Organizations with a mature understanding of the most likely attack vectors they face will be less likely to be more concerned about a new group just because they have made some headlines.”
Attackers Will Keep Up the Pressure
Bennett said: “If you see attackers starting to take aims at the types of technologies and systems or processes you use in your organization, then you should pay attention and take the appropriate steps to dynamically address that shift in your threat models. For some organizations, it may mean tweaking configurations and optimizing detection and tools; for others, it may mean education and awareness to combat social engineering attacks. Something I would recommend for all organizations is to run tabletop exercises to test and improve the organization’s ability to respond to the types of attacks they are most likely to face.”
Organizations hit by this collective’s ransomware attacks (and others) are more likely to be targeted again, Bennett added. “Paying a ransom drastically increases that likelihood. Victims’ data, including both the information used to initially compromise them and the data stolen during the ransomware attack, can be repackaged and sold on the dark web for other attackers to use.
“Unfortunately, until we find ways to limit attackers’ ability to monetize cybercrime, the incentive will remain for attackers to keep up the pressure. We shouldn’t stop pursuing them, and we should be ramping up arrests and prosecutions. However, there is a lot of work to be done and many more arrests to be made before we see an appreciable impact in lowering cybercriminal activity.”
The Trinity of Chaos
Agnidipta Sarkar, Chief Evangelist at ColorTokens, added: “The Trinity of Chaos, as many call them, consistently manages to breach organizations through a third-party platform first, then uses that beachhead to pivot inward. As if their motto is to ‘log-in, not hack-in → start in someone else’s cloud → end at the target.’ In almost every major breach that we can reconstruct, be it Salesforce, Snowflake, Okta-managed tenants, SAP SaaS, or even ESXi hypervisor environments, the initial access was a credential misuse of a valid account and that did not happen on the victim’s corporate LAN or VPN, but inside a SaaS or PaaS console that the victim’s business units already trusted.”
In Sarkar’s view, companies must immediately microsegment critical digital systems and move to cryptographic passwordless credential management. “If your SaaS admins can download a CSV, you are in scope. Considering microsegmentation can be implemented quickly, even affected companies can gain an advantage even if they deploy microsegmentation within hours of being attacked.”
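The “log-in, not hack-in” pattern Sarkar describes (a valid account used from an unfamiliar network, then a bulk export from the SaaS console) is something a defender can look for in SaaS audit logs. The detection sketch below is an added example, not code from the article or from any vendor named in it; the audit-event field names are an assumption rather than a real product schema, and the events and IP baseline are constructed.

```python
"""Flag a valid SaaS account that logs in from outside its known networks and then
bulk-exports data within a short window. Added example; event schema is assumed
and the audit records below are constructed, not taken from any real tenant."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SaaS audit events (field names are an assumption, not a real schema).
AUDIT_EVENTS = [
    {"ts": "2025-08-10T09:00:00", "user": "admin@corp.example", "type": "Login", "ip": "203.0.113.10"},
    {"ts": "2025-08-10T09:05:00", "user": "admin@corp.example", "type": "ReportExport", "ip": "203.0.113.10", "rows": 500},
    {"ts": "2025-08-10T22:10:00", "user": "admin@corp.example", "type": "Login", "ip": "198.51.100.77"},
    {"ts": "2025-08-10T22:12:00", "user": "admin@corp.example", "type": "ReportExport", "ip": "198.51.100.77", "rows": 40000},
    {"ts": "2025-08-10T22:20:00", "user": "admin@corp.example", "type": "ReportExport", "ip": "198.51.100.77", "rows": 35000},
    {"ts": "2025-08-10T10:00:00", "user": "analyst@corp.example", "type": "Login", "ip": "203.0.113.11"},
    {"ts": "2025-08-10T10:30:00", "user": "analyst@corp.example", "type": "ReportExport", "ip": "203.0.113.11", "rows": 200},
]

# Known-good source IPs per account, e.g. built from a 30-day baseline (constructed).
BASELINE_IPS = {"admin@corp.example": {"203.0.113.10"}, "analyst@corp.example": {"203.0.113.11"}}


def detect_bulk_export_from_new_network(events, baseline, window=timedelta(hours=1), row_threshold=50000):
    """Return one alert per account that logs in from a non-baseline IP and, within
    `window` of that login, exports more than `row_threshold` rows in total."""
    alerts = []
    suspicious_logins = {}          # user -> time of login from an unfamiliar IP
    exported = defaultdict(int)     # rows exported since that login
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "Login" and ev["ip"] not in baseline.get(user, set()):
            suspicious_logins[user] = ts
            exported[user] = 0
        elif ev["type"] == "ReportExport" and user in suspicious_logins:
            if ts - suspicious_logins[user] <= window:
                exported[user] += ev.get("rows", 0)
                if exported[user] > row_threshold:
                    alerts.append({"user": user, "ip": ev["ip"], "rows": exported[user], "ts": ev["ts"]})
                    del suspicious_logins[user]   # one alert per suspicious session
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export_from_new_network(AUDIT_EVENTS, BASELINE_IPS):
        print(alert)
```

The daytime exports from baseline networks produce nothing; only the late-night session from 198.51.100.77 crosses the threshold on its second export, which is the kind of "SaaS admin downloading a CSV" activity the quote puts in scope.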
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.