A newly formed hacking collective calling itself “Scattered LapSus Hunters” has issued a bold ultimatum to Google: dismiss two senior members of its Threat Intelligence team or face a damaging data leak. The group claims to hold access to Google databases, though it has yet to provide concrete evidence. The threat arrives just weeks after Google disclosed a third-party security breach involving Salesforce, adding to mounting security concerns.
Hacking Collective Issues Ultimatum to Google Leadership
On its Telegram channel, Scattered LapSus Hunters demanded the dismissal of Google Threat Intelligence Group employees Austin Larsen and Charles Carmakal, alongside a call to suspend Google’s network investigations. The group positioned itself as a hybrid alliance, claiming members from three infamous cybercriminal ecosystems: Scattered Spider, Lapsus$, and ShinyHunters.
These groups have built reputations for major breaches targeting global corporations and government agencies. Despite the threat, Google has not reported any confirmed intrusion into its internal systems, and the hackers have offered no verifiable evidence of data theft.
Collective’s Composition and Cybercriminal History
Scattered LapSus Hunters claims it is pooling expertise from several prominent hacking circles:
- ShinyHunters: Active since 2020, known for database breaches of Snowflake, Ticketmaster, and AT&T. Some of its members have faced arrests in the United States and Paris.
- Scattered Spider: Associated with SIM-swapping and ransomware operations, most notably the 2024 Las Vegas casino breaches. The group has also acted as an initial access broker within larger syndicates.
- Lapsus$: Notorious for the 2021–2022 spree against major enterprises including BT, Nvidia, and Microsoft, often leveraging phone-based social engineering, SIM swapping, and insider recruitment.
Brandon Tirado, Director of Threat Research at ReliaQuest, told The Register that Scattered Spider appears to serve as an access broker for ShinyHunters within a larger criminal network referred to as “The Com.”
Recent Salesforce Breach Adds to Concerns
Google has not verified any breach of its own systems, but the company recently confirmed a separate third-party incident involving Salesforce. According to disclosures, ShinyHunters impersonated Salesforce support staff, successfully tricking employees into granting access to business contact databases.
While sensitive Gmail passwords or private user credentials were not exposed, the breach did reveal client names and business contacts. Cybercriminals have since repurposed this information for phishing and vishing attacks, tailoring fraudulent campaigns to appear credible.
In response, Google issued a global security alert urging its 2.5 billion Gmail users to update their passwords. The company stressed that accounts were not directly compromised but warned that phishing-driven hijacking attempts have increased dramatically, with 37% now tied to the stolen Salesforce data.
Telegram Channel Amplifies the Threat
The Scattered LapSus Hunters Telegram channel, which surfaced on August 8, 2025, has been actively posting alleged proof of breaches. The channel showcased samples of data, vendor lists, and bold claims of intrusions into high-profile companies such as Victoria’s Secret, Gucci, and Neiman Marcus.
Beyond corporate targets, the channel claimed to have breached government agencies in the United States, the United Kingdom, France, Brazil, and India. Such claims have not been independently verified.
The group has also advertised a ransomware-as-a-service (RaaS) product branded “ShinySpider” or “ShinySp1d3r.” It is positioned as a faster and more adaptive alternative to existing ransomware families such as LockBit and DragonForce.
Google’s Response to Escalating Pressure
As of now, Google has not issued any public comment regarding the demand to dismiss Larsen and Carmakal. Instead, the company continues to stress vigilance, urging users and enterprises to remain cautious of advanced fraud campaigns.
The incident underscores the challenges facing major technology firms. Even when their own systems remain uncompromised, the exploitation of trusted third-party providers—such as Salesforce—creates ripple effects that attackers can weaponize.
MITRE ATT&CK Mapping of Techniques Likely Involved
| Tactic (MITRE) | Technique Likely Used | ID | Description |
|---|---|---|---|
| Initial Access | Phishing (Spearphishing Link/Attachment) | T1566 | Attackers impersonated Salesforce staff to gain unauthorized access. |
| Initial Access | Valid Accounts | T1078 | Compromised Salesforce support credentials used for entry. |
| Persistence | Web Service Abuse | T1505.003 | Use of third-party SaaS accounts for continued access. |
| Credential Access | OS Credential Dumping | T1003 | Possible credential harvesting from Salesforce systems. |
| Collection | Data from Information Repositories | T1213 | Extraction of business contact data from Salesforce databases. |
| Exfiltration | Exfiltration Over Web Services | T1567.002 | Stolen contact data exfiltrated via cloud or SaaS APIs. |
| Impact | Data Manipulation / Extortion | T1565 | Threatening to leak Google databases unless demands are met. |
Executive Briefing for Stakeholders
Summary:
A new collective known as Scattered LapSus Hunters has issued threats against Google, demanding the firing of two Threat Intelligence staff members while claiming possession of internal data. No proof has yet been provided.
Key Points:
- Group is an alliance of Scattered Spider, ShinyHunters, and Lapsus$, with a history of high-profile breaches.
- Google itself reports no confirmed internal compromise but recently acknowledged a Salesforce-related breach exploited via impersonation.
- Breach exposed business contacts, fueling phishing and vishing campaigns targeting Gmail users and enterprises.
- Group is actively promoting a ransomware-as-a-service model while boasting of further breaches across corporate and government targets.
- Risk for enterprises: heightened phishing exposure and supply chain vulnerabilities from trusted providers.
Stakeholders should note that while Google has not confirmed any direct compromise, attackers are exploiting the Salesforce incident to amplify credibility and fuel fraud campaigns.