Retirement appears to not have suited the three most active cybercrime gangs, at least going by the appearance of a new brand calling itself Scattered LAPSUS$ Hunters (SLH). But a report from security firm Trustwave finds that the new “supergroup” may not be seeing active participation from many of the old members of the component groups, and in some cases may be other would-be threat actors co-opting the names.
Use of new brand name for former cybercrime gangs appeared in August
Scattered Spider, ShinyHunters, and LAPSUS$ are the three groups involved, and have collectively been the most active of the major cybercrime gangs over roughly the past year. The groups all had prior ties via “The Com,” a broader collection of cyber criminals that loosely affiliate and come together for singular projects in a fluid way. Scattered Spider and ShinyHunters were also revealed to have been working together on their at first seemingly separate crime sprees over the past summer.
The new SLH branding first appeared in August, with the group announcing its arrival via a Telegram channel. The initial announcement demanded that other threat actors stop using any of the associated brand names, claimed that the new amalgamation was “parently owned by ShinyHunters,” and began actively reaching out to other The Com members in a seeming effort to create a new unified hacking brand.
However, the report assesses that the new brand is not an operational-level merger of the individual members of each of the cybercrime gangs. It may well be that many of those hackers did enter retirement, or at least an extended dormant period during which they are regrouping. Instead, Trustwave finds that it is more of an attempt to replace the now-shuttered BreachForums as a brand and to offer an extortion-as-a-service package in a more decentralized manner that is still able to leverage the notorious reputations of the prior groups. The group has also teased a forthcoming “Sh1nySp1d3r” ransomware strain, but this does not appear to have gone active as of yet.
Unclear how many members of former cybercrime gangs are participating
The Trustwave analysis also finds that the group presents as if it has about 30 active members, but the researchers believe it is closer to 5 in total managing multiple personas. At least one of these, a skilled threat actor going by “Yuka” and “Yukari,” is believed to be a legitimate former member of ShinyHunters. The rest are entirely up in the air, with possibly one or two having previously worked with Scattered Spider. However, the group’s overall messaging history indicates experience and technical competence. An interesting side note is that the group has also claimed in some messages to be actively targeted by Chinese state-backed hackers, and to have had zero-days that they developed stolen away from them by these threat actors.
The group has definitely had trouble with Telegram, which has banned its channel at least 15 times now since it first emerged in August (though it continues to re-emerge under the same brand name). The messaging app is key to its marketing, and it sometimes postures as a “hacktivist” collective in a seeming bid to deflect attention from its criminal enterprises.
The Scattered Spider-aligned DragonForce ransomware group has also recently entered into a merger with fellow cybercrime gangs Qilin and LockBit that is similar but is more clearly an operational coordination involving original active members. Scattered Spider has deployed DragonForce ransomware at times during its 2025 campaign against assorted US and UK targets, but it also regularly makes use of a variety of other ransomware types (with BlackCat a seeming favorite).
Recent messages on the SLH Telegram include claimed cyber break-ins at the US Department of Homeland Security as well as assorted government offices in a number of other countries. The channel has also included chatter about raids on a variety of fashion brands such as Chanel, Victoria’s Secret, Gucci and Neiman Marcus. However, the Trustwave report notes that the cybercrime gangs have been aggressively using empty boasting and taunts as a reputation-building strategy.
Both Scattered Spider and ShinyHunters experienced arrest waves during their 2025 campaigns, but these were thought to have largely captured low-level “mules” and, at best, only a limited number of key members. Lapsus$ and Scattered Spider have long been known for their social engineering prowess, while ShinyHunters is thought to have partnered with the other cybercrime gangs primarily to conduct post-entry lateral movement and file extraction.
Mayuresh Dani, Security Research Manager at Qualys’ Threat Research Unit, believes that the possibility of all three cybercrime gangs returning to active duty cannot be ruled out given how potentially dangerous they could be working in tandem: “This is a merger of extreme convenience. Scattered Spider brings social engineering expertise that helps the group bypass enterprise MFA implementations, while LAPSUS$ is apt at moving laterally inside networks. ShinyHunters brings in data extortion and exfiltration capabilities. Combine all three together and enterprises face a threat group who are experts in initial access, lateral movement and data exfiltration. From what we can see, they colluded at BreachForums. However, since its takedown the group has moved operations to Telegram, a P2P-based resilient network, which really got the groups together. Based on the recent Red Hat heist, the prime candidate for the next merger in my opinion will be the threat actor group named Crimson Collective. They bring in a focus on cloud-native infrastructure attacks that Scattered Spider, LAPSUS$, and Shiny Hunters are lacking.”
Lauren Rucker, Senior Cyber Threat Intelligence Analyst at Deepwatch, believes The Com’s broader collaborative structure is the future of most cybercrime gangs: “The actors behind Scattered LAPSUS$ Hunters using ‘SLH/SLSH Operations Centre’ highlights the ongoing maturity of cybercriminal operations; using a self-applied label projects an organized command structure and gives legitimacy to fragmented groups. Bringing together three groups affiliated with the loose-knit The Com enterprise, the merger markets an Extortion-as-a-Service (EaaS) model with Scattered Spider contributing expertise in advanced social engineering, ShinyHunters handling large-scale data theft, and LAPSUS$ supplying reputational capital. Future mergers will likely follow this pattern of consolidation into larger umbrella groupings to establish further legitimacy in their reputation, especially as SLH already associates with adjacent clusters CryptoChameleon and Crimson Collective. SLH’s ambition to deploy a custom ransomware family, Sh1nySp1d3r, demonstrates their intent to rival other major groups like LockBit and DragonForce. Additionally, continued collaboration with initial access brokers and exploit developers, like the persona Yuka, ensures specialized technical capabilities drive future integrations.”
Andy Bennett, Chief Information Security Officer at Apollo Information Systems, thinks that whoever is behind this new tandem should be expected to return to prior victims: “Organizations hit by this collective’s ransomware attacks (and others) are more likely to be targeted again. Paying a ransom drastically increases that likelihood. Victims’ data, both the data used to originally compromise them and the data stolen during the ransomware attack, can be repacked and sold on the dark web for other attackers to use. Unfortunately, until we find ways to limit attackers’ ability to monetize cyber-crime, the incentive will remain for attackers to keep up the pressure. We shouldn’t stop pursuing them, and we should be ramping up arrests and prosecutions, but there is a lot of work to be done and a lot more arrests to be made before we see an appreciable impact in lowering cyber-criminal activity.”
Agnidipta Sarkar, Chief Evangelist at ColorTokens, provides some in-depth defense insight: “The Trinity of Chaos, as many call them, consistently manages to breach organizations through a third-party platform first, then uses that beachhead to pivot inward. It is as if their motto is ‘log-in, not hack-in → start in someone else’s cloud → end at the target.’ In almost every major breach that we can reconstruct, be it Salesforce, Snowflake, Okta-managed tenants, SAP SaaS, or even ESXi hypervisor environments, the initial access was a credential misuse of a valid account, and that did not happen on the victim’s corporate LAN or VPN, but inside a SaaS or PaaS console that the victim’s business units already trusted. In my view companies must immediately microsegment critical digital systems and move to cryptographic passwordless credential management. If your SaaS admins can download a CSV, you are in scope. Considering microsegmentation can be implemented quickly, even affected companies can gain an advantage if they deploy microsegmentation within hours of being attacked.”