The emergence of a potential alliance between cybercrime groups ShinyHunters and Scattered Spider has stirred significant concern among cybersecurity professionals. Evidence from threat intelligence analysts and recent attacks points to an operational collaboration—augmented by their affiliations with the notorious group Lapsu$—which could significantly elevate the threat posed by coordinated extortion campaigns. This convergence of capabilities suggests a disturbing evolution in the cyber threat landscape.
Telegram Channels and Leaked Data Reveal a New Cybercrime Alliance
New Communication Channels Reflect Strategic Messaging and Joint Operations
On August 8, 2025, a new Telegram channel called “scattered lapsu$ hunters – The Com HQ SCATTERED SP1D3R HUNTERS” surfaced, allegedly managed by members of ShinyHunters, Scattered Spider, and Lapsu$. This channel publicly released partially redacted screenshots purporting to link the groups to both known and new victims. The channel’s content pointed to a joint effort under a collective referred to as “The Com,” a likely coalition of financially motivated actors skilled in data theft and social engineering.

Activities within the channel included:
- Previews of compromised data sets and partial leaks
- Provocative taunts directed at security companies
- Countdown-style warnings related to planned disclosures
- Direct offers to sell stolen data
- Promotional messaging for a future ransomware-as-a-service (RaaS) platform dubbed “SH1NYSP1D3R”
Although Telegram banned the original channel on August 11, the group swiftly transitioned to a backup channel, indicating an organized and persistent operational style.
Collaborative Tactics Suggest Operational Merging of Extortion Capabilities
Overlapping Targets and Shared Infrastructure Blur Attribution Lines
According to ReliaQuest, an analysis of recent campaigns revealed that ShinyHunters and Scattered Spider are likely coordinating operations. The groups appear to be aligning tactically—targeting the same organizations and even leveraging similar infrastructure. Companies like Google, Allianz, and Louis Vuitton have been pinpointed in overlapping attacks involving social engineering and data breach techniques.
ShinyHunters, renowned since 2020 for their expertise in stealing and selling corporate data on dark web forums, brings large-scale breach experience to the table. Their notable victims include AT&T, Ticketmaster, and Santander. Scattered Spider, also known as UNC3944, has built a reputation since 2022 for conducting advanced social engineering campaigns, including phishing and vishing attacks targeting IT help desks. These have often paved the way for subsequent credential theft, SIM swapping, and ransomware deployment.

When combined, these complementary skill sets enable highly effective, multi-stage cyber extortion operations. This has resulted in attacks that integrate Scattered Spider’s human-centric access vector tactics with ShinyHunters’ monetization of stolen data.
“The combination of targeted social engineering with immediate data monetization capabilities creates a high-impact, low-friction attack chain,” noted Brandon Tirado, Director of Threat Research at ReliaQuest.
Sophisticated Attacks Leverage Both Technical and Psychological Tools
Double Extortion and Tailored Malware Intensify Attack Severity
Flashpoint’s threat profile of Scattered Spider reinforces the picture of an increasingly dangerous collaboration. The group, composed predominantly of teenagers and young adults from the U.S. and U.K., has pivoted in 2025 to a double extortion model. This method combines data exfiltration with encryption via ransomware payloads sourced from affiliates such as ALPHV/Blackcat, RansomHub, and DragonForce.

In parallel, ShinyHunters has participated in attacks involving Salesforce compromises. Campaigns in June 2025—attributed to this alliance—breached the Salesforce environments of companies including Dior, Chanel, Pandora, and Google. The attacks used impersonation of IT support staff through social engineering to introduce malicious connected apps, which exfiltrated sensitive company data—an attack chain typical of both ShinyHunters and Scattered Spider.

Beyond encryption, Scattered Spider has deployed a range of malware including:
- Raccoon and Vidar – Info stealers for harvesting credentials and browser session data
- Ave Maria – A remote access Trojan (RAT) for persistent access
- Spectre RAT – A custom toolkit tailored for targeted surveillance and data exfiltration
These toolsets, when executed within a collaboration, create a persistent and flexible attack platform capable of adapting against layered defenses.
Implications for Defense: Attribution Is Harder, Behavior Is Key
Security Teams Must Shift Toward Proactive Behavioral Detection
As individual group tactics converge and infrastructure is increasingly shared, traditional forms of attribution—based on IP addresses, malware signatures, or singular tactics—are becoming less effective. Analysts are now urging security teams to emphasize behavioral analysis and proactive threat detection.
Key defense implications include:
- Behavioral Pattern Monitoring: Detect anomalous sequences of access that mimic legitimate support workflows.
- Multi-Factor Authentication (MFA) Hardening: Implement fewer exceptions and tighter controls for privilege escalation via help desk interactions.
- Threat Attribution Flexibility: Avoid over-reliance on IOCs (Indicators of Compromise); focus instead on campaign architecture and adversary playbooks.
- Segmentation and Least Privilege: Limit internal lateral movement from compromised apps or accounts.
- Incident Readiness for Hybrid Attacks: Prepare for combined data theft and ransomware scenarios in response playbooks.
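The behavioral-monitoring point above is easier to see as a concrete rule. The following is an added example, not code from the article or from any vendor named in it: it takes constructed audit events (the field names and event types are assumptions, not any product's schema) and flags the sequence the article describes, a help-desk-assisted MFA reset followed shortly by a connected-app authorization or bulk export for the same user, while leaving an ordinary reset alone.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Field names and event
# types are assumptions for this example, not any vendor's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:02:00", "user": "alice", "event": "helpdesk_mfa_reset", "actor": "helpdesk-07"},
    {"ts": "2025-06-10T09:05:00", "user": "alice", "event": "mfa_enroll", "device": "new-phone"},
    {"ts": "2025-06-10T09:20:00", "user": "alice", "event": "connected_app_authorized", "app": "Unverified Loader"},
    {"ts": "2025-06-10T09:41:00", "user": "alice", "event": "bulk_export", "rows": 250000},
    {"ts": "2025-06-10T11:00:00", "user": "bob", "event": "helpdesk_mfa_reset", "actor": "helpdesk-02"},
    {"ts": "2025-06-10T11:03:00", "user": "bob", "event": "mfa_enroll", "device": "new-phone"},
    {"ts": "2025-06-12T14:00:00", "user": "bob", "event": "bulk_export", "rows": 1200},
    {"ts": "2025-06-11T08:00:00", "user": "carol", "event": "connected_app_authorized", "app": "Approved BI Tool"},
]

# Actions that are high impact when they follow a support-assisted reset.
HIGH_RISK = {"connected_app_authorized", "bulk_export"}


def find_post_reset_risk(events, window=timedelta(hours=24)):
    """Return one alert per high-risk action that occurs within `window`
    after a help-desk MFA reset for the same user. A reset on its own is
    normal support activity; only the sequence is flagged."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        reset_at = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["event"] == "helpdesk_mfa_reset":
                reset_at = t  # start (or restart) the watch window for this user
            elif reset_at is not None and e["event"] in HIGH_RISK and t - reset_at <= window:
                alerts.append({
                    "user": user,
                    "reset_at": reset_at.isoformat(),
                    "followed_by": e["event"],
                    "minutes_after": int((t - reset_at).total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_post_reset_risk(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only alice is flagged (twice); bob's export falls outside the 24-hour window and carol's approved app has no preceding reset.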
While many of the affiliations between ShinyHunters and Scattered Spider remain circumstantial, the consistency of target selection, similarity in tactics, and joint platforms used for extortion suggest more coordinated campaigns in the future. The formation of Telegram-based communications, promotion of RaaS tools like SH1NYSP1D3R, and synchronization across breaches are strong indicators of a deepening collaboration.
The Trend Toward Convergence Amplifies the Threat Landscape
The possible merger of operations between ShinyHunters, Scattered Spider, and Lapsu$ represents more than just a pooling of technical resources—it denotes a strategic alliance aimed at maximizing disruption and financial gain. For CISOs and SOC analysts, the rise of collaborative cybercrime groups underscores the need for threat intelligence programs that can adapt to shifting adversary behaviors. As cybercrime collectives evolve into structured coalitions, defending against them will require equally coordinated and dynamic security strategies.