Scattered LAPSUS$ Hunters: Anatomy of a Federated Cybercriminal Brand
Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the emergence and communication dynamics of the cybercriminal brand known as Scattered LAPSUS$ Hunters (SLH), consolidating observed activity across public platforms to provide updated insights into its structure, evolution, and operational behavior.

Figure 1. The main page of the Scattered LAPSUS$ Hunters data-leak site (DLS), announcing Salesforce as one of its victims.
Public-facing materials and channel names indicate that this new umbrella brand appropriates the reputational assets tied to Scattered Spider, ShinyHunters, and LAPSUS$. Our analysis shows various actors using these legacy brand names collaboratively, or impersonating them, to present a single, federated public front. However, at the moment of publication, we do not assess that this represents a formal, centralized organization composed exclusively of those former three entities.
The Launch of a Consolidated Threat Group
Emerging in early August 2025, SLH appeared on Telegram as a self-declared hybrid entity, blending naming, reputational, and operational traits from three of the most recognized The Com-linked collectives of recent years: Scattered Spider, ShinyHunters, and LAPSUS$. (Although The Com is not a solely cyber-related community, in our context it is understood as an informal cybercriminal milieu characterized by fluid collaboration and brand-sharing across multiple operators.)

Figure 2. SLH member unc3944 claims Scattered Spider, ShinyHunters, and LAPSUS$ as “branches” of SLH, while asserting that SLH itself is “parent-owned by ShinyHunters.” All such claims remain unverified.
Over time, SLH’s associations expanded, showing affiliations (with varying degrees of permanence) with other The Com-adjacent clusters such as CryptoChameleon, suggesting a deliberate attempt to merge established reputations into a new, unified narrative. The collaboration between Crimson Collective and Scattered LAPSUS$ Hunters (October 2025, Red Hat incident) follows the same pattern – independent clusters temporarily aligning under a unified extortion umbrella. This substantiates our interpretation of SLH as a situational alliance, not a formal merger.
In retrospect, the first verified channel linked to the group appeared on August 8, 2025, under the handle “scattered lapsu$ hunters – The Com HQ SCATTERED SP1D3R HUNTERS.” From inception, Telegram served as the group’s primary operational environment and the nucleus of its brand identity. While SLH intermittently hosted clear-web and onion-based data-leak sites to stage limited proof-of-compromise materials, Telegram remained central to its narrative construction – the stage where members performed, coordinated, and curated public visibility. As its activity matured, administrative posts began including signatures referencing the “SLH/SLSH Operations Centre” – a self-applied label projecting bureaucratic legitimacy and the image of an organized command structure.
And while some public reporting has noted overlaps between Scattered Spider, ShinyHunters, and LAPSUS$, we do not view Scattered LAPSUS$ Hunters as a federation or merger of those three clusters at the individual-operator level, and our current analysis focuses solely on the brand itself and how its members position that brand through public messaging.
Contextual Emergence, Operational Persistence, and Platform Cycles
Since its debut, SLH’s Telegram channels have been removed and recreated at least 16 times under various iterations of the original name – a recurring cycle reflecting platform moderation and the operators’ determination to sustain this specific type of public presence despite disruption.

Figure 3. Excerpt of a Telegram conversation showing member reactions and administrative responses following a channel takedown, referencing breachforums[.]hn, later seized by law enforcement.
One of the latest versions, “scattered LAPSUS$ hunters 7.0”, was also removed, with follow-up messaging indicating the group’s desire to go dormant in terms of publicity for an undefined period – signaling resilience through adaptive naming and coordinated re-establishment.

Table 1. Observed Telegram channels and activity periods.
As these cycles unfolded, SLH’s arrival coincided with turbulence across the broader cybercriminal underground. The collapse of BreachForums — long regarded as the successor to RaidForums and a key nexus for data leaks and recruitment — created a vacuum. Into that vacuum, Scattered LAPSUS$ Hunters inserted itself, repackaging reputational assets from defunct collectives and inheriting fragments of their audiences.
By adopting recognizable branding and recycling reputational capital, the group reasserted legitimacy within The Com network. Soon after, SLH publicly announced an Extortion-as-a-Service (EaaS) model, formalizing its operational ambitions and signaling alignment with the broader cyber-extortion economy.

Figure 4. Channel announcement advertising an Extortion-as-a-Service offering and soliciting customers.
This step revealed not only opportunism but intent: SLH positioned itself as both performer and service provider, using spectacle to attract customers, attention, and recruits.
Narrative Patterns and Messaging Themes
If its structure echoed old collectives, its messaging refined them. SLH channels consistently combined sensationalist rhetoric with theatrical claims of data theft, fusing entertainment with intimidation.
Posts frequently accused Chinese state actors of exploiting vulnerabilities allegedly targeted by SLH, while mocking Western law enforcement, particularly the FBI and NCA. This focus on US and UK agencies evidently signals which jurisdictions are at greatest risk and highlights the attention SLH members pay to these authorities.
Across iterations, channel content also alternated between proof-of-compromise displays, interactive polls, and coercive messaging. Snippets of leaked data served as teasers; polls invited participation in harassment or doxing campaigns; and occasional monetary incentives blurred the line between recruitment and crowdsourced extortion.

Figure 5. Telegram post inviting channel subscribers to participate, basically as freelancers, in pressure campaigns and doxing for payment or influence.
Parallel sales posts offered stolen credentials and exploits, while threats to executives and agencies amplified pressure and visibility. Although data exfiltration and extortion remain its main revenue channels, recurring mentions of “Sh1nySp1d3r Ransomware” also indicate aspirations toward ransomware operations – a claim yet to be verified.

Figure 6. Channel announcement referencing “Sh1nySp1d3r” as a proposed ransomware offering.
Together, these patterns show a deliberate fusion of technical signaling and social performance, and while financial gain appears to be the main motivation, the group’s reliance on attention, social validation, and audience reactions suggests an additional layer of social dependence. This positions SLH somewhere between financially motivated cybercrime and attention-driven hacktivism, blending monetary incentives with performative, socially contingent behavior.
There’s no clear evidence that SLH targets fall within a traditional hacktivist or socially motivated realm. While their behavior - relying heavily on public attention, social validation, and performative messaging - is unusual for purely financially motivated actors, their posts and campaigns do not convey any coherent political, ecological, religious, or other social agenda.
The group’s messaging, aside from its antagonism of law enforcement, appears primarily driven by financial incentives, even if delivered in a style that borrows from attention-driven or hacktivist practices. This deliberate blending of social performance and monetary objectives blurs traditional classifications but does not indicate genuine hacktivist motivations.
Persona Architecture and Sockpuppetry
At the same time, behind the loud narrative lies a more controlled reality. Although roughly thirty active handles have been observed across associated channels, ranging from operators to provocateurs, linguistic patterns, emoji usage, and posting cadence suggest that fewer than five individuals drive the core operation.

Table 2. Consolidated administrative and affiliated personas.
Among these, “shinycorp” (appearing under aliases such as @sp1d3rhunters, @sloke48, and @shinyc0rp) functions as the principal orchestrator, issuing breach claims, mocking enforcement efforts, and coordinating responses to takedowns. While auxiliary identities such as “sevyuwu”/“Sevy,” “Rey,” and “SLSHsupport” amplify narratives and sustain channel engagement, “Alg0d” operates as a high-visibility broker persona, primarily focused on data sales and negotiation.
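To make the channel-iteration tracking and alias consolidation described above concrete, the following added example (not Trustwave tooling or anything from SLH) decodes leetspeak in the channel and persona names quoted in this post, reduces each to canonical brand tokens plus an iteration number, and groups names that share brand components. The substitution table, token list and sharing threshold are assumptions chosen for illustration.

```python
import re

# Leetspeak substitutions seen in the handles quoted in this post (1->i, 3->e, 0->o, $->s).
# Assumed for this example; extend as new spellings are observed.
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "$": "s"})

# Canonical components of the SLH brand and the legacy brands it borrows from.
BRAND_TOKENS = {
    "scattered": re.compile(r"scattered"),
    "lapsus": re.compile(r"lapsus*"),      # lapsu$, lapsus$, lapsus
    "hunters": re.compile(r"hunters?"),
    "shiny": re.compile(r"shiny"),
    "spider": re.compile(r"spider"),       # sp1d3r after decoding
}

# A stand-alone number such as "7.0" marks a channel re-creation iteration;
# digits glued to letters (unc3944, sp1d3r) are not versions.
VERSION_RE = re.compile(r"(?<![\w$])(\d+(?:\.\d+)?)(?![\w$])")

# Constructed sample drawn from names quoted in the post.
SAMPLE_NAMES = [
    "scattered lapsu$ hunters – The Com HQ SCATTERED SP1D3R HUNTERS",
    "scattered LAPSUS$ hunters 7.0",
    "@sp1d3rhunters",
    "Sh1nySp1d3r Ransomware",
    "@shinyc0rp",
    "CryptoChameleon",
]


def brand_profile(name: str) -> dict:
    """Return brand tokens, iteration number and decoded form of one handle or channel name."""
    raw = name.lower().lstrip("@")
    m = VERSION_RE.search(raw)
    version = m.group(1) if m else None
    if m:  # cut the version out before leet decoding turns its digits into letters
        raw = raw[: m.start()] + raw[m.end():]
    decoded = raw.translate(LEET)
    tokens = frozenset(t for t, rx in BRAND_TOKENS.items() if rx.search(decoded))
    return {"tokens": tokens, "version": version, "decoded": decoded}


def cluster_by_brand(names, min_shared: int = 2) -> list[list[str]]:
    """Greedily group names sharing >= min_shared brand tokens with a cluster's first member."""
    clusters: list[tuple[frozenset, list[str]]] = []
    for name in names:
        tokens = brand_profile(name)["tokens"]
        for rep_tokens, members in clusters:
            if len(tokens & rep_tokens) >= min_shared:
                members.append(name)
                break
        else:
            clusters.append((tokens, [name]))
    return [members for _, members in clusters]


if __name__ == "__main__":
    for group in cluster_by_brand(SAMPLE_NAMES):
        print(group)
```

A single shared token (for example "hunters" alone) is deliberately not enough to merge names, which is why the ShinyHunters-only handle stays in its own group until more evidence links it.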
One of the more technically intriguing members is “yuka” (also known as Yukari or Cvsp). This persona presents itself as an exploit and initial access broker (IAB) and has been historically associated with exploit development offerings targeting CRM and SaaS ecosystems.
Available evidence suggests that Cvsp’s technical proficiency – spanning exploit development, malware engineering, and vulnerability brokerage – is genuine. Previous associations with the BlackLotus UEFI bootkit and Medusa rootkit lend credibility to this assessment, further supported by reputation vouches from ShinyHunters and the consistent use of escrow services in high-value transactions.
However, in the context of the SLH brand, this persona appears less directly integrated, likely operating in cooperation with, rather than under, the SLH core, as part of its broader ecosystem.

Figure 7. GitHub repository page attributed to “Yukari/Cvsp” showing projects labeled BlackLotus (UEFI bootkit) and Medusa (modular rootkit).
While numerous online personas appear active under the SLH umbrella, it remains impossible to determine with confidence the exact number of distinct individuals operating behind them. Each consistently active persona acts simultaneously as amplifier and shield, complicating attribution and ensuring continuity even when accounts are removed. Despite periodic disputes and peer ridicule, SLH continues to frame itself as part of The Com – a loosely federated community rather than a fixed hierarchy.

Figure 8. An HTML message posted on a DLS page targeting a named individual and engaging in reputation/peer warfare.
Overall, this self-positioning may represent the first consolidated branding alignment among a small group of mature The Com–related individuals, leveraging mutual notoriety while maintaining fluid cooperation and opportunistic overlap. Alternatively, it may reflect the actions of the same small set of operators – with historical ties to The Com ecosystem – recycling legacy brands to establish a coherent new identity within the broader network of related clusters.
Tactics, Techniques, and Procedures (TTPs)
Beyond identity management, SLH also demonstrates technical versatility consistent with experienced operators. Its activity suggests a continued prioritization of cloud-first extortion and data theft, focusing on high-value aggregation points such as SaaS providers, corporate CRMs, database systems, and other large data lakes offering immediate ROI.
Notably, this technical proficiency appears to reflect a convergence of skills and strengths drawn from multiple merged clusters and operators, suggesting that SLH leverages complementary expertise across intrusion, exploitation, and social engineering domains to enhance operational impact.
Credential harvesting, often through AI-automated vishing or spearphishing, is typically followed by lateral movement for privilege escalation, persistence and rapid data exfiltration.

Figure 9. Screenshot shared in the channel by a member, depicting an operator running automated vishing tools that abuse Google Voice to scale social-engineering attempts.
SLH’s messaging history also indicates non-trivial exploit development and acquisition capabilities within the group, including tooling consistent with zero- and n-day research specifically targeting CRMs, DBMSs, and SaaS platforms.

Figure 10. Code snippet or exploit proof-of-concept circulated within channels claiming to target CVE-2025-31324 (SAP NetWeaver).
Since its inception, affiliated posts have consistently claimed exploit acquisitions, most notably CVE-2025-61882 (Oracle E-Business Suite) – a vulnerability widely associated in public reporting with Cl0p ransomware operators. This overlap suggests potential code leakage, sharing, or exploit brokerage. However, the nature of SLH’s acquisition of this exploit remains unverified, and there is no independent evidence confirming that the group possessed it prior to the exploitation wave publicly attributed to Cl0p.

Figure 11. Telegram post in which the group claims initial possession of an Oracle E-Business Suite zero-day (CVE-2025-61882), its leakage, and expresses frustration that Cl0p exploited it first.
Historical references support continuity in this focus: the persona Yukari previously claimed exploitation of Oracle Access Manager in 2021, indicating a possible lineage of resources and expertise.

Figure 12. Terminal output published by the group that demonstrates a local privilege escalation exploit (CVE-2023-2163) with access to /etc/shadow.
Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers.
Conclusion
The Scattered LAPSUS$ Hunters phenomenon demonstrates the increasing fluidity of modern cybercriminal branding. Rather than existing as a cohesive group, SLH represents a federated identity model: a shared narrative container within which multiple actors collaborate, impersonate, or amplify each other for collective visibility and credibility.
This structure – decentralized, attention-driven, and reputationally opportunistic – marks an evolution in The Com ecosystem. SLH’s blend of performance, extortion, and self-reinvention underscores the trend toward networked cybercrime as media performance, where the boundary between operator and audience blurs.
SLH’s continued reappearance, despite disruption, highlights the resilience of these federated threat identities and their capacity to adapt through the language of spectacle, irony, and shared mythology. As this hybrid ecosystem evolves, its use of identity fluidity, social amplification, growing tailored exploitation development capabilities and adaptive collaboration will likely shape the next phase of data-extortion activity into 2026.
About the Author
Serhii Melnyk is a Cyber Threat Intelligence Analyst at Trustwave. Serhii has eight years of experience in the security industry. Among his many tasks at Trustwave, he actively contributes to the MISP project and MITRE ATT&CK. Follow Serhii on LinkedIn.
ABOUT TRUSTWAVE
Trustwave, A LevelBlue Company, is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.