Scattered LAPSUS$ Hunters (sometimes abbreviated SLSH, or known by related aliases such as “SP1D3R Hunters”) is a relatively new “cybercrime alliance” formed by three prominent hacker groups: Scattered Spider, LAPSUS$ and ShinyHunters.


Prior to the “merger,” each of these groups had operated separately, running data theft and extortion campaigns.

  • Scattered Spider: Emerged around 2022, with attacks relying primarily on social engineering (IT help-desk impersonation, SIM swapping, MFA fatigue).
  • LAPSUS$: Already notorious for source code theft and leaks, exposure of sensitive content, and direct attacks on large companies.
  • ShinyHunters: A group specializing in stealing and selling data, carrying out a variety of attacks on corporate systems, particularly user data held in SaaS and cloud platforms.

Cyber security experts say the three groups have long been loosely connected through an underground community called The Com (The Community). In this network, mostly young, English-speaking hackers share tools and experience and collaborate depending on the campaign. Unlike a rigidly structured group, this alliance operates very flexibly: individuals or small teams take on different tasks and cooperate according to the goal at hand.

Around mid-2025, activity on Telegram showed the Scattered LAPSUS$ Hunters group being announced as a public alliance, with branded Telegram channels merged and extortion messages or data leaks posted under a common name.

Attack operations & methods

To understand the extent of the danger, it is necessary to see how this group conducts its campaigns:

1. Start with social engineering

The group does not “break into” Salesforce or cloud systems in a high-tech way; they start by tricking employees through vishing (phone calls impersonating IT staff), SIM swapping, or coercing users into installing malicious applications and accepting API permissions.

2. Gaining access via OAuth/third-party integrations

A typical case: the group compromised Salesloft’s GitHub repository and obtained authorized OAuth tokens used to connect with customers’ Salesforce instances. With these tokens, the attackers maintained legitimate-looking access “as an integrated user” that was not easily detected.

They could then create new accounts, customize workflows, and move laterally between organizations without needing root access to the main Salesforce platform.

3. Take over & collect data

Once they have access via OAuth or APIs, they proceed to collect user data, transactions, contracts and other sensitive information from Salesforce and connected third-party systems.

The group then posts the data to a “leak site” on Tor, threatening to make it public unless a ransom is paid.

4. Data extortion (EaaS)

Unlike traditional ransomware, the group’s strategy is to steal the data and then extort the victim with it. While extorting, they also publish deadlines to force victims into quick decisions, and if the business does not pay, the data is released publicly.

5. Re-emergence & rebranding

There were signs that the group was retiring, but experts are skeptical, suspecting it was only a cover-up: a restructuring to stay afloat.

The “Scattered LAPSUS$ Hunters” coalition was publicly announced around mid-2025. Then, on October 3, 2025, the group launched a “data leak site” dedicated to the Salesforce campaign. Prior to this, there had already been considerable coordination or overlap in tactics between the groups (ShinyHunters & Scattered Spider) in major corporate data breaches.

Danger level & potential threat

Scattered LAPSUS$ Hunters is not an ordinary hacker group; its potential for harm includes:

  • Hiding under a valid cover: Because they use legitimately issued OAuth tokens, much of their access is not flagged as unusual.
  • Spread through supply chain & integrations: It takes only one compromised third-party service (such as Salesloft) to attack many of its customers at once.
  • Large-scale sensitive data attacks: Large organizations in high fashion, luxury goods, aviation, banking and technology are targeted.
  • Forcing the business to pay: With the threat of data disclosure, the company’s credibility could be destroyed, along with the possibility of litigation, loss of customers, etc.
  • New, hard-to-trace re-emergence: If the group is temporarily out of action, it may change its name, or new members may continue to operate, making long-term identification difficult.
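The “valid cover” point above, together with steps 2 and 3 of the campaign, is a detection problem: the stolen OAuth token authenticates successfully, so alerts have to key on how and from where an integration’s token is used rather than on failed logins. The following Python sketch is an added example, not code from the original post or from any vendor: it baselines each connected app’s known source IPs and per-call row counts, then flags later API events that come from an unseen origin or pull far more rows than the app ever has. The log records and field names (`ts`, `app`, `ip`, `op`, `rows`) are constructed assumptions, not a real product schema.

```python
from collections import defaultdict

# Constructed sample: API events attributed to one connected app's OAuth token.
# Field names are an assumption; map your own audit-log schema onto them.
EVENTS = [
    {"ts": "2025-08-01T09:00:00Z", "app": "sales-engagement", "ip": "203.0.113.10", "op": "query", "rows": 120},
    {"ts": "2025-08-01T10:00:00Z", "app": "sales-engagement", "ip": "203.0.113.10", "op": "query", "rows": 95},
    {"ts": "2025-08-02T09:00:00Z", "app": "sales-engagement", "ip": "203.0.113.11", "op": "query", "rows": 110},
    # Same token, but a new network origin and bulk exports far above its baseline.
    {"ts": "2025-08-10T02:13:00Z", "app": "sales-engagement", "ip": "198.51.100.7", "op": "bulk_query", "rows": 250000},
    {"ts": "2025-08-10T02:20:00Z", "app": "sales-engagement", "ip": "198.51.100.7", "op": "bulk_query", "rows": 180000},
]


def build_baseline(events, cutoff):
    """Per-app set of known source IPs and largest single pull, from events before cutoff.
    Timestamps are ISO-8601 UTC strings, so lexical comparison orders them correctly."""
    known_ips = defaultdict(set)
    max_rows = defaultdict(int)
    for e in events:
        if e["ts"] < cutoff:
            known_ips[e["app"]].add(e["ip"])
            max_rows[e["app"]] = max(max_rows[e["app"]], e["rows"])
    return known_ips, max_rows


def detect(events, cutoff, volume_factor=10):
    """Flag post-cutoff events where an integration's token is used from a source IP
    never seen for that app, or pulls volume_factor times more rows than its baseline.
    Both conditions look like a normal, authenticated integration to the auth log."""
    known_ips, max_rows = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        reasons = []
        if e["ip"] not in known_ips[e["app"]]:
            reasons.append("new source IP for integration token")
        if e["rows"] > volume_factor * max(max_rows[e["app"]], 1):
            reasons.append("bulk pull far above baseline")
        if reasons:
            alerts.append({"ts": e["ts"], "app": e["app"], "ip": e["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS, "2025-08-05T00:00:00Z"):
        print(alert)
```

An app with no baseline at all is reported on its first use, which is the desired behaviour for a token that has never been seen before; tune `volume_factor` against your own integrations before relying on the volume rule.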

The threat around this name does not stop with Salesforce; as this alliance grows more powerful, it can extend its attacks into other critical SaaS platforms (AWS, other CRM systems, financial data, supply chains).

WhiteHat