I’m thrilled to sit down with Rupert Marais, our in-house security specialist with a wealth of expertise in endpoint and device security, cybersecurity strategies, and network management. Today, we’re diving into the alarming collaboration between notorious cybercrime gangs Scattered Spider, ShinyHunters, and Lapsus$. We’ll explore their recent activities, the emergence of mysterious online channels, their innovative yet dangerous tactics, the impact of their youthful demographics, and the broader implications for cybersecurity. Rupert’s insights will help us understand how these groups operate as a collective and what businesses can do to protect themselves from these evolving threats.
What can you tell us about the recent appearance of the Telegram channel “Scattered LAPSUS$ Hunters” and its sudden disappearance?
Well, this channel popped up out of nowhere last Friday and was gone by Monday. It was a chaotic hub where members posted partial breach samples, vendor lists, and a lot of trolling about supposed data thefts. They were boasting about hitting major brands and even government agencies, which created quite a stir. Its quick disappearance suggests it might have been a deliberate, short-term stunt to generate buzz and chaos, or they pulled it down to avoid unwanted attention from law enforcement. Either way, it achieved its goal of amplifying their notoriety.
What do you make of their claims about attacking high-profile companies like Victoria’s Secret and Gucci? Are these boasts credible?
The claims are certainly bold, and while some might be exaggerated for clout, there’s likely a kernel of truth to them. These groups have a history of targeting big names, and the specifics they shared—like customer info from Gucci or negotiations with other luxury brands—align with their past patterns of data extortion. However, without verified breach data, it’s hard to confirm the full extent. What’s clear is that they’re leveraging these claims to build their brand as much as to intimidate victims.
How do you see the collaboration between Scattered Spider, ShinyHunters, and Lapsus$ playing out, and what evidence supports this alliance?
This teamwork seems to be a strategic alignment. Evidence like overlapping attack timelines, shared infrastructure, and similar domain registration patterns—such as spoofed SSO pages targeting major brands—points to a coordinated effort. There’s also chatter that Scattered Spider acts as an initial access broker for ShinyHunters, while all three may be tied to a broader network known as The Com. This isn’t just a random partnership; it’s a division of labor where each group brings a unique skill set to the table, making their operations more efficient and harder to disrupt.
In what ways does their collaboration increase the threat they pose compared to when they operated independently?
When they were solo, each group had its own niche—Scattered Spider with social engineering, ShinyHunters with database exploitation, and Lapsus$ with chaotic extortion. Together, they combine these strengths into a full-spectrum attack capability. They can breach systems, steal data, and extort victims with greater speed and scale. Plus, their shared resources and knowledge make it tougher for defenders to predict or counter their moves. It’s like facing a single, multifaceted enemy instead of separate threats.
Can you break down their new ransomware-as-a-service operation called “ShinySpider” and what makes it stand out?
“ShinySpider” is their attempt to enter the ransomware-as-a-service game, where they provide malware to other criminals for a cut of the profits. They’re marketing it as adaptive, meaning it adjusts encryption based on the victim’s system resources, and they’ve bragged about speeds up to 1 GB per second. While that speed sounds like hype—real-world factors like hardware and network latency often slow things down—the concept of tailoring ransomware to a target’s environment is a troubling evolution. It shows they’re innovating to maximize damage.
There’s talk that these groups are made up of teens and young adults. How are such young individuals managing to pull off these sophisticated attacks?
Yes, many members are believed to be in their teens or early 20s, which is surprising but not unheard of in cybercrime. They’ve grown up with technology, so hacking tools, social engineering scripts, and online communities are second nature to them. They’re also incredibly resourceful, often using publicly available tools or buying access on dark web markets. Their age can make them reckless, but it also means they’re fearless and quick to adapt. Plus, operating in loose, distributed networks gives them a sense of anonymity and invincibility.
How do arrests of members from these groups, as we’ve seen in the past, affect their overall operations?
Arrests do cause temporary disruptions—think of them as speed bumps. When key members are nabbed, attacks might slow down as the group scrambles to regroup or cover tracks. We saw this with Scattered Spider after some high-profile arrests last year. But these networks are resilient. New members step in, or they shift tactics to avoid detection. Arrests hurt, but they don’t dismantle the operation because the structure is so decentralized, and the allure of quick money keeps drawing in fresh talent.
What’s your take on their heavy reliance on social engineering tactics, and why are these so effective even today?
Social engineering remains their bread and butter because it exploits the human element, which is often the weakest link in any security chain. They impersonate IT staff or use fake helpdesk calls to trick employees into granting access or sharing credentials. It’s effective because no amount of tech can fully protect against human error or trust. Even with awareness training, people are busy or stressed and can fall for a well-crafted ruse. These groups are masters at manipulating that trust, and until behavior changes on a massive scale, this tactic will keep working.
What is your forecast for the future of cybercrime collaborations like this one, and how might they evolve?
I think we’re just seeing the beginning of these alliances. As cybercrime becomes more lucrative, groups will continue to form coalitions to pool skills and resources, much like legitimate businesses merge for efficiency. We might see even larger networks under umbrella collectives like The Com, with specialized roles for hacking, extortion, and even real-world crime. The tech will get smarter—think AI-driven social engineering or faster ransomware—but the core will still be exploiting human vulnerabilities. Businesses need to stay ahead by focusing on training and robust verification processes, because the threat isn’t going away; it’s only going to get more organized.
