The New Collaboration
A Telegram channel called “Scattered LAPSUS$ Hunters” appeared on Friday, August 9, 2025, bringing together members from Scattered Spider, ShinyHunters, and Lapsus$. The channel has been described by commenters as “schizo,” “complete chaos,” and “insane” due to its overwhelming mix of content.
Unlike typical leak or sales channels that provide straightforward breach announcements, this channel features a chaotic blend of partial data leaks, sales solicitations using “HMU” (hit me up), memes, commentary, and threats. Less than 24 hours after its creation, the channel had already revealed numerous breaches, proof of claims, and stolen data.
Recent Claims and Activities
The collaborating groups have made several bold claims through their new channel, including:
- Retail Targets: Attacks on Victoria’s Secret, customer information theft from Gucci, and a potential connection to the 2024 Neiman Marcus customer database theft
- Government Infiltration: Claims of intrusions at the US Department of Homeland Security and government agencies in England, France, Brazil, and India
- Luxury Brands: Screenshots showing negotiations with Chanel
New Ransomware Development
Perhaps most concerning, the groups claim to be developing a ransomware-as-a-service (RaaS) operation called “ShinySpider” or “ShinySp1d3r”. They boast that their encryption malware can achieve speeds of approximately 1 gigabyte per second, with one member stating: “OUR RaaS IS ADAPTIVE BASED ON VICTIM RESOURCES – THE FASTEST WE’VE SEEN IS ~1/GBps”.
Background on the Individual Groups
Scattered Spider
Also known as UNC3944, Muddled Libra, and Octo Tempest, this group consists largely of English-speaking young adults and teenagers from the US and UK. They’re affiliated with a larger underground collective called “The Com,” which has been linked to various crimes including extortion, money laundering, and cryptocurrency theft. The group gained notoriety for high-profile attacks on MGM Resorts and Clorox, with the MGM attack alone costing over $100 million.
ShinyHunters
This hack-and-leak operation formed in 2020 and quickly gained recognition by stealing over 200 million user records from multiple companies within just two weeks of their debut. The group’s name is believed to derive from the Pokémon video game franchise’s “shiny hunting” mechanic. They’ve targeted major companies including AT&T Wireless, Microsoft, Santander, and Ticketmaster.
Lapsus$
Tracked by Microsoft as “Strawberry Tempest,” this international extortion-focused group emerged in 2021. The group, which included teenagers among its members, gained notoriety for attacks against Microsoft, Nvidia, Samsung, and other major tech companies. Unlike traditional ransomware groups, Lapsus$ used a pure extortion model without deploying ransomware payloads.
This collaboration represents a potentially dangerous consolidation of expertise and resources among some of the most prolific cybercrime groups active today, combining their specialized skills in social engineering, data theft, and extortion operations.