Hackers Threaten Google with Data Leak Unless it Fires Threat Intelligence Employees

Hackers calling themselves Scattered LapSus Hunters threatened to leak Google databases unless two employees are dismissed, linking their demand to recent Salesforce-driven phishing attacks.

    A newly formed hacking collective calling itself “Scattered LapSus Hunters” has issued a bold ultimatum to Google: dismiss two senior members of its Threat Intelligence team or face a damaging data leak. The group claims to hold access to Google databases, though it has yet to provide concrete evidence. The threat arrives just weeks after Google disclosed a third-party security breach involving Salesforce, adding to mounting security concerns.

    Hacking Collective Issues Ultimatum to Google Leadership

    On its Telegram channel, Scattered LapSus Hunters demanded the dismissal of Google Threat Intelligence Group employees Austin Larsen and Charles Carmakal, alongside a call to suspend Google’s network investigations. The group positioned itself as a hybrid alliance, claiming members from three infamous cybercriminal ecosystems: Scattered Spider, Lapsus$, and ShinyHunters.

    These groups have built reputations for major breaches targeting global corporations and government agencies. Despite the threat, Google has not reported any confirmed intrusion into its internal systems, and the hackers have offered no verifiable evidence of data theft.

    Collective’s Composition and Cybercriminal History

    Scattered LapSus Hunters claims it is pooling expertise from several prominent hacking circles:

    • ShinyHunters: Active since 2020, known for database breaches affecting Snowflake customers, Ticketmaster, and AT&T. Some of its members have been arrested in the United States and in France.
    • Scattered Spider: Associated with SIM-swapping and ransomware operations, most notably the 2023 Las Vegas casino breaches. The group has also acted as an initial access broker within larger syndicates.
    • Lapsus$: Notorious for its 2021–2022 spree against major enterprises including BT, Nvidia, and Microsoft, often leveraging phone-based social engineering, SIM swapping, and insider recruitment.

    Brandon Tirado, Director of Threat Research at ReliaQuest, told The Register that Scattered Spider appears to serve as an access broker for ShinyHunters within a larger criminal network referred to as “The Com.”

    Recent Salesforce Breach Adds to Concerns

    Google has not verified any breach of its own systems, but the company recently confirmed a separate third-party incident involving Salesforce. According to disclosures, ShinyHunters impersonated Salesforce support staff, successfully tricking employees into granting access to business contact databases.

    While no Gmail passwords or other user credentials were exposed, the breach did reveal client names and business contact details. Cybercriminals have since repurposed this information for phishing and vishing attacks, using the real names and relationships to make fraudulent campaigns look credible.

    Google has also been widely reported to have urged its roughly 2.5 billion Gmail users to change their passwords. The company stressed that accounts were not directly compromised but warned that phishing-driven account hijacking attempts had risen sharply, with 37% of those attempts reportedly traced to lures built from the stolen Salesforce contact data.

    Telegram Channel Amplifies the Threat

    The Scattered LapSus Hunters Telegram channel, which surfaced on August 8, 2025, has been actively posting alleged proof of breaches. The channel showcased samples of data, vendor lists, and bold claims of intrusions into high-profile companies such as Victoria’s Secret, Gucci, and Neiman Marcus.

    Beyond corporate targets, the channel claimed to have breached government agencies in the United States, the United Kingdom, France, Brazil, and India. Such claims have not been independently verified.

    The group has also advertised a ransomware-as-a-service (RaaS) product branded “ShinySpider” or “ShinySp1d3r.” It is positioned as a faster and more adaptive alternative to existing ransomware families such as LockBit and DragonForce.

    Google’s Response to Escalating Pressure

    At the time of writing, Google has not issued any public comment regarding the demand to dismiss Larsen and Carmakal. Instead, the company continues to stress vigilance, urging users and enterprises to remain cautious of advanced fraud campaigns, including unsolicited support calls and emails that reference real business contacts.

    The incident underscores the challenges facing major technology firms. Even when their own systems remain uncompromised, the exploitation of trusted third-party providers such as Salesforce creates ripple effects that attackers can weaponize, both for follow-on fraud and, as here, to lend credibility to unproven claims of a deeper breach.

    MITRE ATT&CK Mapping of Techniques Likely Involved

    Tactic (MITRE)    | Technique                                                   | ID        | Description
    Initial Access    | Phishing                                                    | T1566     | Attackers impersonated Salesforce support staff to obtain access; where the approach was by phone, this falls under the Spearphishing Voice sub-technique (T1566.004).
    Initial Access    | Valid Accounts                                              | T1078     | Access granted by the tricked employees was used to enter the Salesforce environment.
    Persistence       | Valid Accounts: Cloud Accounts                              | T1078.004 | Continued access through the compromised third-party SaaS accounts.
    Credential Access | OS Credential Dumping                                       | T1003     | Possible credential harvesting; speculative, since the disclosure describes a SaaS tenant rather than compromised hosts.
    Collection        | Data from Information Repositories                          | T1213     | Extraction of business contact data from Salesforce databases.
    Exfiltration      | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Stolen contact data exfiltrated via cloud or SaaS APIs.
    Impact            | Financial Theft                                             | T1657     | Threatening to leak Google databases unless demands are met (extortion). T1565 Data Manipulation, sometimes cited here, covers altering data rather than extortion.

    Executive Briefing for Stakeholders

    Summary:
    A new collective known as Scattered LapSus Hunters has issued threats against Google, demanding the firing of two Threat Intelligence staff members while claiming possession of internal data. No proof has yet been provided.

    Key Points:

    • Group is an alliance of Scattered Spider, ShinyHunters, and Lapsus$, with a history of high-profile breaches.
    • Google itself reports no confirmed internal compromise but recently acknowledged a Salesforce-related breach exploited via impersonation.
    • Breach exposed business contacts, fueling phishing and vishing campaigns targeting Gmail users and enterprises.
    • Group is actively promoting a ransomware-as-a-service model while boasting of further breaches across corporate and government targets.
    • Risk for enterprises: heightened phishing exposure and supply chain vulnerabilities from trusted providers.

    Stakeholders should note that while Google has not confirmed any direct compromise, attackers are exploiting the Salesforce incident to amplify credibility and fuel fraud campaigns.
