

Ethical Hacking News

The Rise of Notorious Cybercrime Gangs: Scattered Spider, ShinyHunters, and Lapsus$ Unite in Chaos


The notorious Scattered Spider, ShinyHunters, and Lapsus$ gangs have united in a chaotic collaboration on a Telegram channel, sharing news of their exploits and boasting about their accomplishments. As cybersecurity experts warn that the channel's brief life and instant notoriety add weight to the theory that these miscreants are working together, it remains to be seen how long this alliance will last.

  • Three notorious cybercrime gangs - Scattered Spider, ShinyHunters, and Lapsus$ - have been observed collaborating on a Telegram channel.
  • The channel's content includes breach samples, vendor lists, and boasts about their accomplishments.
  • The groups are developing a ransomware-as-a-service operation named "ShinySpider" or "ShinySp1d3r".
  • The collaboration adds weight to the theory that ShinyHunters and Scattered Spider are working together.
  • Other domains have been registered using infrastructure associated with phishing kits used for single sign-on (SSO) login pages.
  • The synchronized timing of attacks by Scattered Spider and ShinyHunters supports the likelihood of coordinated efforts between the two groups.



    In a shocking turn of events, three notorious cybercrime gangs – Scattered Spider, ShinyHunters, and Lapsus$ – have been observed collaborating on a Telegram channel, sharing news of their exploits and boasting about their accomplishments. The "Scattered LAPSUS$ Hunters" channel, which appeared last Friday, has sent shockwaves throughout the cybersecurity community, as it appears to be a coordinated effort between the three groups.

    According to an analysis published by ReliaQuest, the channel's content included partial breach samples, vendor lists, and a heavy dose of trolling about old and new claims of successful data theft. Messages mentioned raids on Victoria's Secret, customer info lifted from Gucci, and an attack on US department store chain Neiman Marcus that may be connected to the 2024 theft of its customer database. Other chats included screen shots of negotiations with Chanel, and claims of intrusions at the US Department of Homeland Security and government agencies in England, France, Brazil, and India.

    The channel's administrators claimed to be developing a ransomware-as-a-service (RaaS) operation named "ShinySpider" or "ShinySp1d3r," and bragged that their data-locking malware could hit encryption speeds of 1 GB per second: "OUR RaaS IS ADAPTIVE BASED ON VICTIM RESOURCES – THE FASTEST WE'VE SEEN IS ~1/GBps," they claimed, adding: "Fk LockBit and DragonForce, yayayaya!."

    The brief life and instant notoriety of the channel add weight to the theory that the band of miscreants, believed to be primarily teens and 20-something males located in the US, Canada, and Europe, are working together. According to ReliaQuest Director of Threat Research Brandon Tirado, "all the evidence we have... all fingers are pointing at some sort of alignment between ShinyHunters and Scattered Spider."

    ShinyHunters has been around in some form since 2020, and is best known for high-profile attacks on Snowflake customers' databases, Ticketmaster, and AT&T. Some of its members, including French national Sebastien Raoult, have been imprisoned in the US, and Parisian cops arrested another in June. The group's latest wave of attacks moved beyond its usual credential theft, database exploitation, and extortion attacks, and included Scattered Spider's well-worn techniques: social engineering campaigns impersonating IT support staff to trick employees into authorizing access to fake "connected apps" masquerading as legitimate tools.

    Scattered Spider is another SIM-swapping turned social-engineering and ransomware group. It went through a similar wringer last year when law enforcement arrested at least seven of its members following the high-profile Las Vegas casino digital heists. Those arrests slowed their attacks for a while, but then Scattered Spider roared back into action with several high-profile retail intrusions in April.

    Lapsus$, a chaotic crew of teens and young people, undertook a crime spree in 2021 and 2022 when it broke into and attempted to extort telecoms giant BT, Nvidia, Microsoft, Samsung, Vodafone, fintech firm Revolut, and Okta. The crew's tactics included phone-based social engineering, SIM swapping, and even paying employees of target organizations for access to credentials and multi-factor authentication (MFA) codes.

    The Com is a loosely knit band of primarily English-speaking miscreants that is made up of several interconnected networks of hackers, SIM swappers, and extortionists, with some of its subgroups offering real-life violent crime for a price such as swat-for-hire and violence-as-a-service. According to Tirado, "Connecting the infrastructure that the Lapsus$ group was utilizing is matching fingerprint... that have made connections with the more recent Scattered Spider activity and now ShinyHunters."

    A recent analysis published by ReliaQuest revealed a cluster of domains targeting high-profile organizations, including alleged ShinyHunters victims, and following a similar format: ticket-lvmh[.]com, ticket-dior[.]com, and ticket-louisvuitton[.]com. These domains were registered between June 20 and June 30, shortly before Louis Vuitton reportedly became aware of the intrusion on July 2. In addition to using a similar format, these domains were also registered using infrastructure associated with phishing kits commonly used to host single sign-on (SSO) login pages.
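A defender-side check for the naming pattern described above, added here as an example and not taken from the article or from ReliaQuest: it refangs indicators, flags `ticket-<brand>` registrations for a watchlist, and keeps only those registered on or after a chosen date. The function names, the watchlist, and every registration date in the sample feed are assumptions constructed for illustration.

```python
import re
from datetime import date

# Assumed watchlist of brand names to monitor (hypothetical; use your own).
BRANDS = {"lvmh", "dior", "louisvuitton"}
# "ticket" is the prefix reported in the article; extend the set as needed.
PREFIXES = {"ticket"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) into a bare hostname."""
    s = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s)
    return s.split("/")[0].rstrip(".")

def match_lookalike(indicator: str):
    """Return (prefix, brand) if the registered label is <prefix>-<brand>."""
    labels = refang(indicator).split(".")
    if len(labels) < 2:
        return None
    label = labels[-2]  # simplification: assumes a single-label TLD (.com)
    prefix, sep, rest = label.partition("-")
    if not sep or prefix not in PREFIXES:
        return None
    brand = rest.replace("-", "")  # treat louis-vuitton like louisvuitton
    return (prefix, brand) if brand in BRANDS else None

def triage(records, since: date):
    """records: (domain, registration_date) pairs; return sorted hits."""
    hits = []
    for domain, registered in records:
        m = match_lookalike(domain)
        if m and registered >= since:
            hits.append((registered, refang(domain), m[1]))
    return sorted(hits)

# Constructed feed: the three domain names are from the article, the dates
# are invented, and the last three rows are made-up variants and near misses.
SAMPLE = [
    ("ticket-lvmh[.]com", date(2025, 6, 20)),
    ("ticket-dior[.]com", date(2025, 6, 25)),
    ("ticket-louisvuitton[.]com", date(2025, 6, 30)),
    ("ticket-louis-vuitton.example", date(2025, 6, 28)),
    ("tickets.dior.com", date(2025, 6, 22)),    # brand's own zone: no hit
    ("ticket-dior.example", date(2024, 1, 5)),  # old registration: no hit
]

if __name__ == "__main__":
    for registered, host, brand in triage(SAMPLE, date(2025, 6, 1)):
        print(registered.isoformat(), host, "->", brand)
```

The label extraction is deliberately naive; a production version would resolve the registrable domain with a public-suffix list before matching.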

    The overlapping sectors and timelines between Scattered Spider and ShinyHunters further support the theory that the two groups are collaborating. In April and May, when Scattered Spider attacked UK retailers Marks & Spencer, The Co-Op, and Harrods, ShinyHunters reportedly sacked Tiffany, Dior, and Adidas. Later that month, threat hunters warned Scattered Spider had moved on to target aviation businesses while ShinyHunters allegedly breached Qantas, Air France, and KLM.

    The synchronized timing of these attacks strongly supports the likelihood of coordinated efforts between the two groups. As Tirado noted, "I think it's safe to assume that maybe that's always how The Com has operated... rather than it being a newer thing, it's truly a larger community, they all have their own niche skill sets, and they can call on a friend to go get whatever they need done."

    The rise of notorious cybercrime gangs like Scattered Spider, ShinyHunters, and Lapsus$ highlights the growing complexity and sophistication of modern cyber threats. As these groups continue to evolve and collaborate, it is essential for cybersecurity professionals and organizations to stay vigilant and take proactive measures to protect themselves against these emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Rise-of-Notorious-Cybercrime-Gangs-Scattered-Spider-ShinyHunters-and-Lapsus-Unite-in-Chaos-ehn.shtml

  • Published: Tue Aug 12 07:39:21 2025 by llama3.2 3B Q4_K_M












