Scattered LAPSUS$ Hunters: A Dangerous Cybercrime Supergroup

Scattered LAPSUS$ Hunters is a newly observed criminal group that is a coalition of core members of the LAPSUS$, Scattered Spider and ShinyHunters hacking groups. In 2025, analysts refer to it as a cybercrime supergroup, combining the expertise of each group:


● Scattered Spider brings help‑desk engineering and social‑engineering know‑how.
● LAPSUS$ contributes insider access and code theft skills.
● ShinyHunters adds large-scale data harvesting/extortion capabilities.

The alliance is linked to the global “The Com” hacking community and is known to operate internationally (with members in the US, UK, Australia, etc.). In short, this coalition acts as a unified network of formerly separate cybercrime groups (2025), coordinating multi‑phase attacks rather than isolated strikes.

Motives: Financial Extortion and Data Theft

The group’s motives are straightforward: financial gain through extortion. Scattered LAPSUS$ Hunters primarily steals sensitive data and then demands payment for its return or non‑disclosure. LAPSUS$ was itself known to be an “extortion-focused” gang. In practice, the alliance has set up dark‑web leak sites and publicly threatened victims (for example, warning Salesforce that compromised customer records would be auctioned or leaked unless a ransom was paid). Essentially, any valuable data like customer databases, internal code and credentials becomes a bargaining chip to monetize their attacks.

Attack Tactics

One hallmark of their assaults is aggressive social engineering attacks. Scattered LAPSUS$ Hunters operators routinely impersonate company IT or help desk personnel, even using AI‑driven “vishing” (voice‑phishing) calls, to trick employees into granting access or installing malicious software. They also run persistent SIM swapping and MFA‑fatigue schemes to hijack executives’ phone numbers and one-time codes. Once inside a network, they move rapidly via legitimate admin and help desk channels, harvesting sensitive data across cloud platforms. In effect, Scattered LAPSUS$ Hunters behaves much like a modern ransomware gang, except it typically extorts by threatening data leaks rather than encrypting files.
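The MFA‑fatigue pattern described above leaves a recognizable trace in authentication logs: a burst of rejected or ignored push prompts for one account, followed by a single approval. The detector below is an added example, not part of the original article; the log format, the 10‑minute window and the threshold of 4 rejected prompts are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from any real system).
# Assumed format: ISO timestamp, user, prompt result
SAMPLE_LOG = """\
2025-06-01T09:00:05 alice APPROVED
2025-06-01T02:10:00 bob DENIED
2025-06-01T02:10:40 bob TIMEOUT
2025-06-01T02:11:15 bob DENIED
2025-06-01T02:12:02 bob DENIED
2025-06-01T02:12:50 bob TIMEOUT
2025-06-01T02:13:30 bob APPROVED
2025-06-01T11:00:00 carol DENIED
2025-06-01T15:30:00 carol APPROVED
"""

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 4                   # assumed count of rejected prompts that makes a burst

def parse(log_text):
    """Return (timestamp, user, result) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def detect_mfa_fatigue(log_text, window=WINDOW, threshold=THRESHOLD):
    """Flag approvals that directly follow a burst of rejected/ignored prompts."""
    recent = defaultdict(deque)  # user -> timestamps of recent DENIED/TIMEOUT prompts
    alerts = []
    for ts, user, result in parse(log_text):
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if result in ("DENIED", "TIMEOUT"):
            q.append(ts)
        elif result == "APPROVED":
            if len(q) >= threshold:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "rejected_prompts": len(q)})
            q.clear()  # an approval ends the current sequence
    return alerts
```

Calling `detect_mfa_fatigue(SAMPLE_LOG)` flags only the `bob` account; an isolated denial followed hours later by an approval, as for `carol`, is not reported.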

Notable Breaches and Campaigns

The Scattered LAPSUS$ Hunters alliance and its predecessors have been linked to several high-profile breaches:
● Salesforce: In mid-2025 the group struck Salesforce’s cloud infrastructure. They claimed to have stolen on the order of one billion records from dozens of Salesforce customers and demanded ransom. When Salesforce refused to pay, the hackers published millions of records (customer emails, phone numbers, birthdates, etc.) from companies like Qantas, Gap, Fujifilm and Vietnam Airlines.
● Nvidia: In February 2022 LAPSUS$ members infiltrated chipmaker Nvidia’s systems, stealing about one terabyte of internal data. They publicly released roughly 80 gigabytes of it (including GPU driver source code and schematics) on the internet.
● Uber: Also in 2022, the same LAPSUS$ actor (later identified as Arion Kurtaj) breached Uber’s infrastructure. This attack exposed roughly 5,000 customer account credentials and cost Uber about $3 million in damages.
● Qantas: The Australian airline was a prominent victim of the Salesforce attack. Approximately 5 million frequent-flyer records (including email, phone, and birthdate) were stolen in June 2025. When Qantas did not pay the ransom, those records were dumped on dark-web forums.

Conclusion

The rise of Scattered LAPSUS$ Hunters marks a significant change in recent cybercrime. Instead of working independently, hackers have now organized extortion networks that combine social engineering, insider access, and data theft. This group's tricks include deceptive calls, phishing, and cloud breaches. It is evidence that human error is the most vulnerable point.


As a safety measure, organizations should raise employee awareness, harden administrative software and keep a close check on logins. The future of ransomware protection lies in responsive protection and ongoing attention, as the new generation of ransomware gangs, such as Scattered LAPSUS$ Hunters, is becoming increasingly sophisticated and dangerous.

Sources: Authoritative cybersecurity reports and news from theguardian.com, Securityweek.com, picussecurity.com
