
Three teen cybercrime gangs, previously decimated by arrests, are now acting as one and again feeling invincible. After claiming responsibility for major breaches tied to Salesforce instances, the group is now demanding that Google and the FBI halt their investigations and fire specific employees.
The hackers threatened to leak the identities of every agent investigating their group, which appears to be a loose coalition of three gangs: ShinyHunters, LAPSUS$, and Scattered Spider.
They’ve since listed 14 agents and their titles, urged FBI Director Kash Patel to fire them, and taunted the agency for its lack of progress.
The same day, they issued an ultimatum to Sundar Pichai, Google’s CEO, to fire two specific employees from the Google Threat Intelligence Group and abandon investigations into them. Otherwise, they would leak Google’s databases, which were stolen during the recent Salesforce instance heists.
“WE WILL DESTROY YOU AND YOUR MEGA CORRUPTION,” reads one of many posts aimed at Google.
The new Telegram channel, filled with juvenile, reckless taunting, excessive profanity, racial slurs, and internet slang, directed further threats at many other companies and individuals, including George Kurtz, CrowdStrike’s CEO, and even US President Donald Trump.
The hackers also assert that they have already breached Google multiple times and still have access to the company’s networks, and they are “dumping their products one by one.”
They posted a database called “Gemini.com” on an illicit marketplace that is a successor to the infamous, seized BreachForums. However, Cybernews can’t confirm whether any of the claims or the leaked data are valid. We’ve emailed Google for comment and will include its response.
Stolen tokens for sale: many “still working”
The group claims responsibility for the alleged breach at Salesloft Drift, an AI-powered conversational marketing platform. Stolen Salesloft Drift authentication tokens were abused to compromise customer Salesforce instances. Many companies were targeted, including Google, Victoria's Secret, and Zscaler.
Cybernews has previously reported that credentials were the primary targets for hackers raiding Salesforce instances. They exfiltrated Google Cloud Platform service account keys, Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens.
Now the hackers advertise stolen AWS, Snowflake, and other credentials from the Salesloft campaign for sale, claiming that “some are still working” and that they have too many of them.
Google has previously warned all Salesloft Drift customers to treat any authentication tokens stored on the platform as potentially compromised. The tech giant warned that the hackers managed to access email “from a very small number of Google Workspace accounts.”
Google again confirms that only a very small number of Google Workspace tenants were affected due to the compromised integrations with Salesloft Drift.
“The only accounts that were potentially accessed were those that had been specifically configured to integrate with Salesloft Drift; the actor would not have been able to access any other accounts on a customer's Workspace domain. We have notified all impacted Google Workspace administrators. To be clear, Workspace (including Gmail) itself is not compromised, nor is Alphabet itself,” Google’s spokesperson told Cybernews.
Google Threat Intelligence Group is advising all Salesloft Drift customers to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.
During a campaign of high-profile Salesforce instance cyberattacks, the hacker collective that identifies itself as “scattered LAPSUS$ hunters” (SLH) targeted major global companies.
The same extortion group that demanded Google terminate their Threat Intelligence researchers is now directly calling out FBI Director Kash Patel and name dropping FBI Special Agents who they believe are tracking their case.
vx-underground (@vxunderground), September 1, 2025
They're doing an FBI Most Wanted speed run
The hackers leaked data allegedly belonging to the US insurer Allianz Life and claimed breaches at Zscaler, a cybersecurity firm, and ChangeNow, a crypto exchange.
TransUnion informed 4.4 million customers that their personal details may have been exposed. Other likely targets include Farmers Insurance, Air France, KLM, major telecoms, and many other companies.
While the hackers display extreme arrogance towards law enforcement, believing themselves to be “invincible,” they also openly discuss their tactics and failures (i.e., executing LinPEAS on CrowdStrike, seeking access to VPN/Citrix/AnyDesk) and expose internal disputes and potential future targets.
Brian Krebs, an American blogger and information security journalist, notes that while the SLH seeks public attention, it is still unclear which attackers gained access to Salesloft Drift authentication tokens and how they did so.
The three groups comprising SLH are known for many high-profile cyberattacks. However, they were previously subject to major arrests, and LAPSUS$ was taken down in 2022. The alleged leader of Scattered Spider, known as “TylerB,” was arrested in Spain, and another gang member, Michael Urban (King Bob), will spend 10 years in US federal prison. ShinyHunters’ numbers were reduced when authorities arrested key individuals running the notorious BreachForums.
The new SLH Telegram channel was launched on August 28th and has over 52 thousand subscribers already. Telegram blocked the previous group’s channel over a week ago.
Updated on September 3rd [06:30 a.m. GMT] with a statement from Google.