Scattered LAPSUS$ Hunters: Anatomy of a federated cybercriminal brand

The alliance first appeared on Telegram (Vika Glitter / Pixabay)

By Serhii Melnyk

Trustwave SpiderLabs’ Cyber Threat Intelligence team is tracking the recent emergence of what appears to be the consolidation of three well-known threat groups into a “federated alliance” that offers, among its activities, Extortion-as-a-Service (EaaS).

The collective comprises Scattered Spider, ShinyHunters, and LAPSUS$. The group relies heavily on a public encrypted communication service as its primary operating base and allows its EaaS affiliates to use the members’ well-known names to create fear, which it claims will generate a higher financial return.

Emerging in early August 2025, this federated alliance first appeared on Telegram, presenting itself as a hybrid entity blending reputational and operational traits from three of the most recognized The Com-linked collectives of recent years: Scattered Spider, ShinyHunters, and LAPSUS$. (The Com is an informal cybercriminal milieu known for fluid collaboration and brand-sharing.) Over time, its associations expanded, displaying affiliations with other The Com-adjacent clusters such as CryptoChameleon and Crimson Collective, suggesting a deliberate attempt to merge established names into a new, unified narrative.

Read more at Trustwave
