Imagine a cybercrime supergroup, a digital Voltron assembled from the most notorious villains on the internet. That's precisely what's happening as Scattered Spider, LAPSUS$, and ShinyHunters, three infamous cybercrime gangs, are increasingly showing signs of working together. The implications are terrifying.
Since August 2025, this unholy alliance, tentatively dubbed Scattered LAPSUS$ Hunters (SLH), has been flexing its muscles, leaving a trail of digital destruction in its wake. Security researchers at Trustwave SpiderLabs, a LevelBlue company, uncovered that the group has been creating and recreating Telegram channels – at least 16 times! – constantly battling platform moderation while tenaciously maintaining its public presence. You can find Trustwave's original report here: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scattered-lapsuss-hunters-anatomy-of-a-federated-cybercriminal-brand/.
But here's where it gets controversial... some experts believe this isn't a formal merger but rather a federation of independently operating groups who are sharing resources and notoriety. Think of it like a franchise model for cybercrime.
SLH burst onto the scene with a splash, launching data extortion attacks against various organizations. One of their specialties? Targeting companies using Salesforce. Their primary offering is an extortion-as-a-service (EaaS) model. This means other cybercriminals can pay to leverage the SLH brand and reputation to amplify their own extortion demands. Essentially, they're selling cybercrime credibility.
And this is the part most people miss... These groups aren't operating in a vacuum. They're believed to be part of a larger, loosely connected cybercriminal ecosystem called "The Com." This network is characterized by its fluid collaboration and brand-sharing. SLH has also been linked to other threat clusters like CryptoChameleon and Crimson Collective. You can read more about these groups here: https://thehackernews.com/2024/03/new-phishing-kit-leverages-sms-voice.html and https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#crimson-collective-targets-aws-environments.
Telegram plays a crucial role in their operations. They use it to coordinate, publicize their activities, and market their services, adopting a style reminiscent of hacktivist groups. It serves as both a megaphone for spreading their message and a centralized hub for communication and recruiting new affiliates.
Trustwave observed that administrative posts within these Telegram channels often included signatures referencing the "SLH/SLSH Operations Centre." This self-applied label, though potentially just for show, creates the image of an organized command structure, lending a sense of bureaucratic legitimacy to their otherwise fragmented communications. It's all about crafting a powerful brand.
Intriguingly, members of the group have even used Telegram to accuse Chinese state actors of exploiting vulnerabilities they were allegedly targeting. They've also openly criticized U.S. and U.K. law enforcement agencies. Furthermore, they've been known to solicit help from their Telegram subscribers, inviting them to participate in pressure campaigns by finding the email addresses of C-suite executives and relentlessly emailing them. The reward? A minimum payment of $100. This highlights the democratization of cybercrime, where even low-level actors can participate in sophisticated attacks.
The core members of this alliance include:
- Shinycorp (aka sp1d3rhunters): The coordinator and brand manager. They're the ones ensuring a consistent image and messaging.
- UNC5537: Linked to the infamous Snowflake extortion campaign. More details can be found here: https://thehackernews.com/2024/06/snowflake-breach-exposes-165-customers.html.
- UNC3944: Closely associated with Scattered Spider. Google has issued warnings about this group: https://thehackernews.com/2025/06/google-warns-of-scattered-spider.html.
- UNC6040: Tied to recent Salesforce vishing campaigns. Google also exposed this group: https://thehackernews.com/2025/06/google-exposes-vishing-group-unc6040.html.
Other key players include identities like Rey and SLSHsupport, who focus on maintaining engagement within the group, and yuka (aka Yukari or Cvsp), who specializes in developing exploits and acts as an initial access broker (IAB).
While data theft and extortion remain their bread and butter, Scattered LAPSUS$ Hunters have also hinted at a custom ransomware family called Sh1nySp1d3r (aka ShinySp1d3r), designed to compete with established players like LockBit and DragonForce. This suggests a potential expansion into full-blown ransomware operations. You can learn more about DragonForce here: https://thehackernews.com/2024/09/microsoft-identifies-storm-0501-as.html.
Trustwave characterizes SLH as existing somewhere between financially motivated cybercrime and attention-driven hacktivism, blending monetary incentives with the desire for social validation. It's a potent combination that fuels their activities.
"Through theatrical branding, reputational recycling, cross-platform amplification, and layered identity management, the actors behind SLH have shown a mature grasp of how perception and legitimacy can be weaponized within the cybercriminal ecosystem," Trustwave noted. "Taken together, these behaviors illustrate an operational structure that combines social engineering, exploit development, and narrative warfare – a blend more characteristic of established underground actors than opportunistic newcomers."
This cartelization trend extends beyond SLH. Acronis recently revealed that DragonForce is using a new malware variant that exploits vulnerable drivers to disable security software. This is part of a "bring your own vulnerable driver" (BYOVD) attack. DragonForce, which launched its own ransomware cartel earlier this year, has also partnered with Qilin and LockBit to share techniques, resources, and infrastructure. More on BYOVD attacks here: https://www.crowdstrike.com/en-us/blog/falcon-prevents-vulnerable-driver-attacks-real-world-intrusion/.
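As an added illustration (not code from the Acronis or Trustwave reports), here is defender-side triage logic that flags driver-load events carrying the traits of a BYOVD attempt: a hash on a vulnerable-driver blocklist, an invalid signature, or a load from outside the normal driver directory. The flattened event format, the sample events and the blocklist entry are constructed placeholders, not real indicators.

```python
import re

# Constructed blocklist; the value is a placeholder, not a real driver hash.
# A real deployment would load Microsoft's vulnerable-driver blocklist or similar.
BLOCKLISTED_SHA256 = {"PLACEHOLDER_SHA256_KNOWN_VULNERABLE_DRIVER"}
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

# Constructed driver-load records (Sysmon Event ID 6 style), flattened to key=value|...
SAMPLE_EVENTS = [
    "EventId=6|ImageLoaded=C:\\Windows\\System32\\drivers\\disk.sys|Hashes=SHA256=AAAA"
    "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    # The BYOVD case: a validly signed vendor driver, but a known-vulnerable build,
    # dropped into a user-writable path. A signature check alone would not catch it.
    "EventId=6|ImageLoaded=C:\\Users\\Public\\Temp\\helper.sys"
    "|Hashes=SHA256=PLACEHOLDER_SHA256_KNOWN_VULNERABLE_DRIVER"
    "|Signed=true|Signature=ExampleVendor|SignatureStatus=Valid",
    "EventId=6|ImageLoaded=C:\\Windows\\Temp\\x.sys|Hashes=SHA256=BBBB"
    "|Signed=false|Signature=|SignatureStatus=Unavailable",
]

def parse_event(line: str) -> dict:
    """Parse one flattened 'key=value|key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=([^|]*)", line))

def assess_driver_load(event: dict) -> list:
    """Return the reasons a driver load looks like BYOVD; empty list means benign."""
    reasons = []
    image = event.get("ImageLoaded", "").lower()
    hashes = dict(h.split("=", 1) for h in event.get("Hashes", "").split(",") if "=" in h)
    if hashes.get("SHA256", "").upper() in BLOCKLISTED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if event.get("SignatureStatus") != "Valid":
        reasons.append("signature not valid")
    if not image.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("loaded from non-standard path")
    return reasons

def triage(lines: list) -> dict:
    """Map each suspicious driver path to its findings, skipping non-driver-load events."""
    findings = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventId") != "6":
            continue
        reasons = assess_driver_load(ev)
        if reasons:
            findings[ev["ImageLoaded"]] = reasons
    return findings

if __name__ == "__main__":
    for path, why in triage(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(why))
```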
"Affiliates can deploy their own malware while using DragonForce's infrastructure and operating under their own brand," Acronis researchers explained. "This lowers the technical barrier and allows both established groups and new actors to run operations without building a full ransomware ecosystem."
DragonForce is closely aligned with Scattered Spider, with the latter acting as an affiliate: it breaches targets using sophisticated social engineering, deploys remote access tools for reconnaissance, and then delivers the DragonForce ransomware.
DragonForce even used leaked Conti source code to develop its own version of the ransomware, adding an encrypted configuration to shield its settings from analysis.
So, what does all this mean for you? It means the cyber threat landscape is becoming increasingly complex and dangerous. These groups are becoming more organized, more sophisticated, and more collaborative. They're sharing resources, techniques, and infrastructure, making them harder to track and defend against.
What are your thoughts on this cybercrime merger? Do you think these groups will be more effective working together, or will internal conflicts eventually lead to their downfall? Are law enforcement agencies doing enough to combat these threats? Share your opinions in the comments below!