
Inside the Scattered LAPSUS$ Hunters: How Three Infamous Cyber Gangs Formed a Global Digital Cartel


Global Cartel

A New Chapter in Organized Cybercrime

When three of the world’s most notorious hacking collectives, Scattered Spider, LAPSUS$, and ShinyHunters, joined forces, it sent shockwaves across the cybersecurity community. The new alliance, calling itself Scattered LAPSUS$ Hunters (SLH), represents a dramatic escalation in the sophistication and cooperation of modern cybercrime.

As first reported by Ravie Lakshmanan in The Hacker News on November 4, 2025, the group has created at least 16 Telegram channels since its launch in August, each deleted and recreated as part of an ongoing effort to evade moderation. What makes SLH unique is not only its technical skill but also its ability to blend branding, influence, and psychological manipulation to dominate the cyber underground.


A Federation of Cybercrime Powerhouses

The formation of SLH marks a turning point in how hacker groups operate. According to Trustwave SpiderLabs, the new collective has introduced an Extortion-as-a-Service (EaaS) model, inviting affiliates to use its brand to pressure victims into paying ransoms.

Their tactics demonstrate a blend of technical exploitation and social engineering:

  • Corporate impersonation: Calling or messaging IT help desks to reset high-value accounts.

  • Public leaks: Releasing data samples on Telegram to humiliate targets.

  • Crowdsourced harassment: Paying followers to email or intimidate company executives.

This hybrid of hacktivism and extortion is not just about money; it is about visibility. SLH thrives on spectacle, turning cybercrime into a public performance.


The Strength Behind the Alliance

Each founding group contributes its distinct specialty:

  1. Scattered Spider (UNC3944): Masters of vishing and social engineering against corporations.

  2. LAPSUS$: Known for headline-grabbing breaches of major tech firms.

  3. ShinyHunters: A prolific data-trading syndicate operating since 2020.

Together, they form a global cybercrime cartel capable of infiltrating software-as-a-service (SaaS) environments like Salesforce and Snowflake, leveraging custom ransomware families such as Sh1nySp1d3r, and exploiting vulnerable drivers in Bring Your Own Vulnerable Driver (BYOVD) attacks.

These evolving partnerships signal that cybercriminal groups are adopting corporate structures complete with branding, customer service channels, and public relations tactics.


Staying Ahead of the Threat

Organizations cannot afford complacency. Defending against this type of collaborative threat requires layered security and active intelligence sharing. Key steps include:

  • Educate employees about phishing and social engineering tactics.

  • Implement phishing-resistant MFA and restrict privileged access.

  • Monitor SaaS ecosystems for signs of abnormal data access.

  • Control remote administration tools like AnyDesk and ScreenConnect.

  • Deploy driver-blocking policies to prevent BYOVD exploits.

Cyber resilience is no longer optional; it is foundational to business survival.
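
As an added illustration of the step on controlling remote administration tools (example code written for this edit, not from OSRS or the cited reports), the sketch below checks process-creation events against an allowlist and flags AnyDesk or ScreenConnect launches on unapproved hosts or from user-writable paths. The host names, policy tables, and event tuples are constructed assumptions.

```python
import ntpath

# Assumption: tools are recognised by these substrings of the executable name.
RAT_MARKERS = {"anydesk": "AnyDesk", "screenconnect": "ScreenConnect"}
# Hypothetical policy: hosts where each tool is sanctioned, and allowed install roots.
APPROVED_HOSTS = {"AnyDesk": {"HELPDESK-01"},
                  "ScreenConnect": {"HELPDESK-01", "HELPDESK-02"}}
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed process-creation events: (host, user, image path).
SAMPLE_EVENTS = [
    ("HELPDESK-01", "svc_support", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"),
    ("FIN-LT-114", "j.doe", r"C:\Users\j.doe\Downloads\AnyDesk.exe"),
    ("HELPDESK-02", "svc_support",
     r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"),
    ("HR-WS-007", "m.lee", r"C:\Users\m.lee\AppData\Local\Temp\ScreenConnect.WindowsClient.exe"),
    ("HELPDESK-01", "svc_support", r"C:\Users\svc_support\Desktop\anydesk.exe"),
    ("FIN-LT-114", "j.doe", r"C:\Windows\System32\notepad.exe"),
]

def classify(host, image):
    """Return (tool, reasons) for a remote-admin tool launch, or None for other processes."""
    name = ntpath.basename(image).lower()
    tool = next((t for marker, t in RAT_MARKERS.items() if marker in name), None)
    if tool is None:
        return None
    reasons = []
    if host.upper() not in APPROVED_HOSTS.get(tool, set()):
        reasons.append("host not approved")
    # A portable copy run from Downloads, Temp or Desktop bypasses managed installs.
    if not image.lower().startswith(APPROVED_ROOTS):
        reasons.append("run from outside approved install path")
    return tool, reasons

def find_violations(events):
    """Return one dict per event that breaks the allowlist policy."""
    violations = []
    for host, user, image in events:
        result = classify(host, image)
        if result and result[1]:
            violations.append({"host": host, "user": user,
                               "tool": result[0], "reasons": result[1]})
    return violations

if __name__ == "__main__":
    for v in find_violations(SAMPLE_EVENTS):
        print(f"{v['host']:12} {v['user']:12} {v['tool']:14} {'; '.join(v['reasons'])}")
```

The third flagged event shows why the path check matters: the host is approved for AnyDesk, but the binary runs from a user's Desktop rather than the managed install.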


The OSRS Perspective

At OGUN Security Research and Strategic Consulting LLC (OSRS), we assist government agencies, businesses, and academic institutions in combating organized digital threats like SLH. Our analysts use AI-driven threat modeling, forensic intelligence, and resilience engineering to help clients anticipate and neutralize emerging risks.

The collaboration between Scattered Spider, LAPSUS$, and ShinyHunters demonstrates that adversaries are evolving. Defenders must evolve faster.


About the Author:

Dr. Oludare Ogunlana is the founder of OGUN Security Research and Strategic Consulting LLC (OSRS), specializing in cybersecurity strategy, digital forensics, and AI governance for global clients.

