A “federated alliance” of three major cybercrime groups has formed to conduct extortion-as-a-service (EaaS), aiming to spread fear and force companies into making large payouts.

Security experts called this a sign that cybercrime has moved into a new phase in which criminal elements are looking to collaborate with organizations that have niche criminal expertise.

In a Nov. 4 blog post, Trustwave researchers said the new group consists of Scattered Spider, ShinyHunters, and LAPSUS$. The researchers said the first verified channel linked to the group appeared on Telegram Aug. 8, 2025, under the handle “scatteredlapsu$ hunters” — or SLH. SC Media reported on Oct. 14 that this combined group was tied to the recent Salesforce attacks.

Mayuresh Dani, security research manager at the Qualys Threat Research Unit, called this development a merger of extreme convenience.

“Scattered Spider brings social-engineering expertise that helps the group bypass enterprise MFA implementations, while LAPSUS$ is apt at moving laterally inside networks,” said Dani. “ShinyHunters brings in data extortion and exfiltration capabilities. Combine all three together and enterprises face a threat group who are experts in initial access, lateral movement, and data exfiltration.”

Kevin Surace, chair at Token, called this development extremely significant because these are the same groups that have already crippled Fortune 500 companies by targeting identity rather than infrastructure. Surace said the merger signals the evolution of cybercrime into organized business operations focused on social engineering and legacy MFA exploitation.

“Together, they represent a consolidated threat that knows legacy authentication is the soft spot,” said Surace. “It’s no longer about breaking systems. It’s about logging in. Only phishing-proof biometric FIDO2 authentication can stop this new class of corporate-style cybercrime at the door.”

Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, added that future mergers will likely follow this pattern of consolidation into larger umbrella groupings to establish further legitimacy in their reputation, especially as SLH already associates with adjacent clusters CryptoChameleon and Crimson Collective.

“SLH's ambition to deploy a custom ransomware family, Sh1nySp1d3r, demonstrates their intent to rival other major groups like LockBit and DragonForce,” said Rucker. “Additionally, continued collaboration with initial access brokers and exploit developers, like the persona Yuka, ensures specialized technical capabilities drive future integrations.”
Ransomware, Threat Intelligence, Malware, Exposure management
Scattered Spider, LAPSUS$, and ShinyHunters form extortion alliance




