Cybercrime Merger Like No Other — Scattered Spider, Lapsus$, And...
The nascent collective that combines three prominent cybercrime groups, Scattered Spider, LAPSUS$, and ShinyHunters, has created no fewer than 16 Telegram channels since August 8, 2025.
"Since its debut, the group's Telegram channels have been removed and recreated at least 16 times under varying iterations of the original name – a recurring cycle reflecting platform moderation and the operators' determination to sustain this specific type of public presence despite disruption," Trustwave SpiderLabs, a LevelBlue company, said in a report shared with The Hacker News.
Scattered LAPSUS$ Hunters (SLH) emerged in early August, launching data extortion attacks against organizations, including those using Salesforce in recent months. Chief among its offerings is an extortion-as-a-service (EaaS) program that other affiliates can join to demand a payment from targets in exchange for using the "brand" and notoriety of the consolidated entity.
All three groups are assessed to be affiliated with a loose-knit and federated cybercriminal enterprise referred to as The Com that's marked by "fluid collaboration and brand-sharing." The threat actors have since exhibited their associations with other adjacent clusters tracked as CryptoChameleon and Crimson Collective.
Telegram, according to the cybersecurity vendor, continues to be the central place for the group's members to coordinate and bring visibility to its operations, embracing a style akin to hacktivist groups. This serves a twofold purpose: turning its channels into a megaphone for the threat actors to disseminate their messaging, as well as marketing their services.
"As activity matured, administrative posts began to include signatures referencing the 'SLH/SLSH Operations Centre,' a self-applied label carrying symbolic weight that projected the image of an organized command structure that lent bureaucratic legitimacy to otherwise fragmented communications," Trustwave noted.
Some of the known threat clusters that are part of the crew are listed below, highlighting a cohesive alliance that brings together several semi-autonomous groups within The Com network and their technical capabilities under one umbrella -
Also part of the group are identities like Rey and SLSHsupport, who are responsible for sustaining engagement, along with yuka (aka Yukari or Cvsp), who has a history of developing exploits and presents themselves as an initial access broker (IAB).
While data theft and extortion continue to be Scattered LAPSUS$ Hunters' main
Source: The Hacker News