Fake farewells from Scattered LAPSUS$ Hunters: gangs likely plotting new attacks

A short-lived hacker conglomerate uniting LAPSUS$, ShinyHunters, and Scattered Spider, responsible for breaching numerous companies through major platforms like Salesforce, abruptly announced its retirement. Security researchers from Resecurity warn that the farewell is likely a smokescreen: once the hackers regroup after recent arrests, they can launch fresh waves of attacks.
Three of the most notorious English-speaking cybercrime groups, each with its own origins, operational history, and run-ins with law enforcement, had combined forces.
This self-styled “Trinity of Chaos” launched one of the largest hacking sprees to date, breaching hundreds of organizations, including major telecoms, Google, global brands, and even law enforcement agencies. They felt invincible. But not for long.
Abruptly, the conglomerate declared it was retiring and ceasing its activities because it had “achieved its goals of exposing weaknesses in digital security.”
Around the same time, police in the UK arrested two teenagers suspected of Scattered Spider cybercrimes, followed by another arrest in Las Vegas.
Despite the farewell, Resecurity has documented several Fortune 100 companies that received extortion emails from ShinyHunters, one of the three groups.
On September 18th, just days after the trio posted its farewells, an account likely belonging to the ShinyHunters leader claimed credit in a forum chat for a campaign targeting the financial services sector.
ReliaQuest researchers have also tied a fresh round of cyberattacks targeting financial services to Scattered Spider.
“It is doubtful that threat actors will stop their operations. Such ‘exits’ have occurred before, providing hacker collectives time to regroup and reemerge later under different names. The notorious Russian ransomware gang Conti is a prime example of this exit cover,” Resecurity said in a new report.
The researchers warn that the three groups will continue their malicious activities using different names or reorganize rather than truly disband. The loud phase is over, and the group can now leverage its reputation without immediately engaging the media to amplify ransom threats.
“Our team has become aware of multiple previously undisclosed victims who are currently being extorted privately. The group has likely decided to operate discreetly after establishing substantial credibility and a proven track record of successful hacks and large-scale data breaches.”
Blurring lines between gangs and cybercrime types
The loose collaboration between the three gangs illustrates a broader trend that many security advisories now highlight: tactics are converging, and the lines between data theft, extortion, ransomware, and other cybercrimes are disappearing.
Cybersecurity researchers and law enforcement now view these groups as part of a loosely connected and highly adaptive cybercrime ecosystem. The “Trinity of Chaos” is also linked to “The Com,” a broader youth cybercrime subculture that the FBI has been warning about.
“This loosely organized network operates more as a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teens and 20-somethings,” the Resecurity researchers said.
The three groups share a proclivity for social engineering, overlapping membership, joint public channels, and coordinated attacks on high-profile targets. Other overlaps in tactics include exploitation of multi-factor authentication (MFA) fatigue and SIM swapping, the use of public shaming, leak sites, and direct communication with victims.
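MFA fatigue (also called push bombing) is one of the few tactics above that leaves a clean signal in identity-provider logs: a burst of denied or timed-out push prompts for one account, often ending in a single approval when the user gives in. The script below is an added illustration from the editor, not code from Resecurity or from the article; the JSON log lines are constructed, and the field names (ts, user, result, src_ip) are assumptions that would need mapping onto a real IdP export.

```python
"""Detect MFA push-fatigue (push bombing) in authentication logs.

Added example for this article, not code from Resecurity or any vendor it
cites. The log format is constructed; the field names (ts, user, result,
src_ip) are assumptions to be mapped onto your IdP's export.
"""
from __future__ import annotations
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one MFA push outcome per JSON line (RFC 5737 IPs).
SAMPLE_LOG = """
{"ts": "2025-09-18T01:00:00Z", "user": "m.park", "result": "DENIED",   "src_ip": "192.0.2.10"}
{"ts": "2025-09-18T01:30:00Z", "user": "m.park", "result": "DENIED",   "src_ip": "192.0.2.10"}
{"ts": "2025-09-18T01:30:40Z", "user": "m.park", "result": "DENIED",   "src_ip": "192.0.2.10"}
{"ts": "2025-09-18T01:31:10Z", "user": "m.park", "result": "APPROVED", "src_ip": "192.0.2.10"}
{"ts": "2025-09-18T02:01:05Z", "user": "j.doe",  "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2025-09-18T02:01:40Z", "user": "j.doe",  "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2025-09-18T02:02:15Z", "user": "j.doe",  "result": "TIMEOUT",  "src_ip": "203.0.113.7"}
{"ts": "2025-09-18T02:03:02Z", "user": "j.doe",  "result": "DENIED",   "src_ip": "203.0.113.7"}
{"ts": "2025-09-18T02:03:50Z", "user": "j.doe",  "result": "APPROVED", "src_ip": "203.0.113.7"}
{"ts": "2025-09-18T02:10:00Z", "user": "k.lee",  "result": "TIMEOUT",  "src_ip": "203.0.113.9"}
{"ts": "2025-09-18T02:11:00Z", "user": "k.lee",  "result": "TIMEOUT",  "src_ip": "203.0.113.9"}
{"ts": "2025-09-18T02:12:00Z", "user": "k.lee",  "result": "TIMEOUT",  "src_ip": "203.0.113.9"}
{"ts": "2025-09-18T02:13:00Z", "user": "k.lee",  "result": "TIMEOUT",  "src_ip": "203.0.113.9"}
{"ts": "2025-09-18T02:14:00Z", "user": "k.lee",  "result": "TIMEOUT",  "src_ip": "203.0.113.9"}
{"ts": "2025-09-18T03:00:00Z", "user": "a.smith", "result": "DENIED",   "src_ip": "198.51.100.4"}
{"ts": "2025-09-18T03:00:30Z", "user": "a.smith", "result": "APPROVED", "src_ip": "198.51.100.4"}
"""
FAILURE_RESULTS = {"DENIED", "TIMEOUT"}

@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str   # APPROVED | DENIED | TIMEOUT
    src_ip: str

@dataclass(frozen=True)
class Alert:
    user: str
    kind: str      # "fatigue_success" (user gave in) or "fatigue_attempt"
    failures: int
    first_ts: datetime
    last_ts: datetime

def parse_log(text: str) -> list[PushEvent]:
    """Parse JSON lines into PushEvents sorted by timestamp."""
    events = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        rec = json.loads(line)
        events.append(PushEvent(datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
                                rec["user"], rec["result"].upper(), rec["src_ip"]))
    return sorted(events, key=lambda e: e.ts)

def detect_push_fatigue(events, window=timedelta(minutes=10),
                        min_failures=3, attempt_threshold=5):
    """Per-user sliding window over failed pushes.

    APPROVED after >= min_failures failures in the window -> fatigue_success.
    >= attempt_threshold failures with no approval -> fatigue_attempt (once
    per burst). One denial then an approval (a fumble) stays quiet.
    """
    recent: dict[str, deque[PushEvent]] = defaultdict(deque)
    fired: set[str] = set()
    alerts: list[Alert] = []
    for ev in events:
        q = recent[ev.user]
        while q and ev.ts - q[0].ts > window:   # expire failures outside the window
            q.popleft()
        if ev.result in FAILURE_RESULTS:
            q.append(ev)
            if len(q) >= attempt_threshold and ev.user not in fired:
                alerts.append(Alert(ev.user, "fatigue_attempt", len(q), q[0].ts, ev.ts))
                fired.add(ev.user)
        elif ev.result == "APPROVED":
            if len(q) >= min_failures:
                alerts.append(Alert(ev.user, "fatigue_success", len(q), q[0].ts, ev.ts))
            q.clear()                            # burst ended either way
            fired.discard(ev.user)
    return alerts

if __name__ == "__main__":
    for a in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{a.kind:16} {a.user:8} failures={a.failures} "
              f"{a.first_ts:%H:%M:%S}-{a.last_ts:%H:%M:%S}")
```

On the constructed sample, j.doe approves after four refusals in three minutes (the fatigue outcome the attacker wants) and k.lee's fifth unanswered prompt fires an in-progress alert, while m.park's stale denial from half an hour earlier falls out of the window and a.smith's single fumble stays quiet. The detection only buys time: the durable fix is number matching or phishing-resistant factors, so an accidental tap cannot complete a login the user did not start.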
“The attack vectors and exploitation techniques used by the actors were not particularly sophisticated,” the researchers noted.
“Instead, they were well-organized and coordinated, exploiting both human weaknesses and technological misconfigurations. These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting them access.”
That was enough to breach major organizations, including Qantas, Allianz Life, LVMH, Adidas, Google, and more.
The trio’s branding and shared Telegram channels first surfaced a year ago, but activity escalated significantly in the spring and summer of 2025. In July, ShinyHunters claimed responsibility for a data breach at Qantas that exposed roughly 6 million customers, as well as breaches at other airlines, as part of a voice-phishing campaign aimed at companies’ Salesforce environments.
Retailers, including Marks & Spencer, Co-op, and Harrods, and fashion and luxury brands, including Victoria’s Secret, Cartier, and Dior, also suffered significant security incidents.
The threat actors also disrupted operations at Jaguar Land Rover, causing large-scale production shutdowns, and tried to monetize data stolen from major telecoms.
The hacking trio claimed to have breached various law enforcement agencies, including the FBI, and shared many screenshots from agencies around the globe. However, the details remain limited, and the claims might be false.
The most notorious deed was the recent abuse of OAuth tokens issued to the Drift chat integration (a Salesloft product) to access customers’ Salesforce environments. Because the tokens belonged to an integration the victims had already authorized, the data pulls needed neither a user’s password nor an MFA prompt. ShinyHunters claimed to have stolen over 1.5 billion Salesforce records from 760 companies. In one of the latest posts, the threat actor was selling over 160 million records of sensitive financial data stolen from Vietnam’s financial sector.
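A stolen integration token defeats an allowlist of approved apps by definition, since the app is approved; what still stands out is the volume and the objects being read. The script below is an added illustration from the editor, not code from the article, Resecurity, Salesforce or Salesloft. Its CSV is a constructed, simplified rendering of a per-request API event log, and the column names and the approved-app list are assumptions to be replaced with the event-monitoring export and integration inventory of your own tenant.

```python
"""Flag bulk data pulls through OAuth-connected third-party apps.

Added example for this article, not code from Resecurity, Salesforce or
Salesloft. The CSV below is a constructed, simplified rendering of a
per-request API event log; its column names are assumptions to be mapped
onto the event-monitoring export of your own SaaS platform.
"""
from __future__ import annotations
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Integrations the org has knowingly authorised (constructed list).
APPROVED_APPS = {"Drift", "Salesloft", "Marketing Cloud Connector"}
# Objects whose export hurts most if an integration's token is stolen.
SENSITIVE_ENTITIES = {"Account", "Contact", "Case", "Lead", "Opportunity"}
# Rows one app may read from one sensitive object per hour before alerting.
HOURLY_ROW_THRESHOLD = 10_000

# Constructed sample: a chat integration that normally reads a few hundred
# Contact rows suddenly drains Case records in three sub-threshold chunks,
# and an unregistered client reads Account data.
SAMPLE_EVENTS = """\
TIMESTAMP,CLIENT_NAME,USER_ID,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
2025-08-10T09:00:11Z,Drift,005A1,Contact,query,180
2025-08-10T09:30:42Z,Drift,005A1,Contact,query,210
2025-08-10T10:15:03Z,Salesloft,005B2,Lead,query,950
2025-08-10T23:02:19Z,Drift,005A1,Case,query,4000
2025-08-10T23:21:07Z,Drift,005A1,Case,query,4500
2025-08-10T23:47:55Z,Drift,005A1,Case,query,3800
2025-08-11T00:05:30Z,python-requests/2.32,005C3,Account,query,300
"""

@dataclass(frozen=True)
class Alert:
    kind: str      # "bulk_export" or "unapproved_app"
    client: str
    entity: str
    hour: str      # UTC hour bucket, YYYY-MM-DDTHH
    rows: int

def parse_events(text: str) -> list[dict]:
    """Parse the CSV export, typing the timestamp and row count."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["TIMESTAMP"] = datetime.fromisoformat(rec["TIMESTAMP"].replace("Z", "+00:00"))
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"])
        events.append(rec)
    return events

def audit_connected_apps(events, approved=APPROVED_APPS,
                         threshold=HOURLY_ROW_THRESHOLD) -> list[Alert]:
    """Two checks a stolen-integration-token incident would trip.

    1. Any client outside the approved set touching a sensitive object.
    2. Any (client, object) pair whose rows read in one UTC hour exceed the
       threshold, even when every individual request stays below it.
    """
    per_hour: dict[tuple[str, str, str], int] = defaultdict(int)
    seen_unapproved: set[tuple[str, str, str]] = set()
    alerts: list[Alert] = []
    for ev in events:
        client, entity = ev["CLIENT_NAME"], ev["ENTITY_NAME"]
        if entity not in SENSITIVE_ENTITIES:
            continue
        hour = ev["TIMESTAMP"].strftime("%Y-%m-%dT%H")
        key = (client, entity, hour)
        per_hour[key] += ev["ROWS_PROCESSED"]
        if client not in approved and key not in seen_unapproved:
            alerts.append(Alert("unapproved_app", client, entity, hour, ev["ROWS_PROCESSED"]))
            seen_unapproved.add(key)
    for (client, entity, hour), rows in sorted(per_hour.items()):
        if rows > threshold:
            alerts.append(Alert("bulk_export", client, entity, hour, rows))
    return alerts

if __name__ == "__main__":
    for a in audit_connected_apps(parse_events(SAMPLE_EVENTS)):
        print(f"{a.kind:14} {a.client:22} {a.entity:8} {a.hour} rows={a.rows}")
```

The hourly aggregation is the point: each of the three Case reads in the sample is under the threshold, and only their sum (12,300 rows in one hour) reveals the drain. When such an alert fires for a token the vendor later reports as compromised, the response is to revoke that integration’s refresh tokens and rotate any secrets that sat in the exported records, not merely to remove the app from the allowlist.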
“The groups’ ability to rapidly adapt and escalate their attacks has made them a top concern for both private sector security teams and law enforcement,” the researchers conclude.
The boundaries between groups are increasingly fluid, which makes attribution harder, and the collaboration magnifies the criminals’ capacity to inflict damage. Resecurity urges organizations to strengthen human-centric defenses, such as awareness training and help-desk procedures that verify a caller’s identity before resetting passwords or MFA.