Researchers Reveal Links Among LAPSUS$, Scattered Spider, and ShinyHunters

Cybersecurity firm Resecurity has uncovered extensive evidence of collaboration and operational convergence among three of the most notorious English-speaking cybercrime groups: LAPSUS$, Scattered Spider, and ShinyHunters.

The research reveals these groups now function as part of a “loosely connected and highly adaptive cybercrime ecosystem” that has targeted Fortune 100 corporations and government agencies throughout 2023-2025.

Joint Operations Signal Cybercrime Supergroup Formation

In August 2025, the groups explicitly combined their brands through a shared Telegram channel used to coordinate threats and market a new Ransomware-as-a-Service offering dubbed “shinysp1d3r.” Security researchers described the channel as “chaotic” before Telegram banned it.

ShinyHunters confirmed that Scattered Spider provided initial access to targets while handling data exfiltration operations, with LAPSUS$ members actively participating in coordinated campaigns targeting Salesforce and Snowflake environments.

All three groups are linked to “The Com,” a predominantly English-speaking cybercriminal ecosystem that operates as a youth movement, encompassing teens and twenty-somethings.

The FBI issued warnings about risks associated with joining such movements, noting their shared ideology and operational coordination capabilities.

The convergence extends beyond mere collaboration. Recent attacks have demonstrated identical tactics, techniques, and procedures (TTPs) across all three groups, including advanced social engineering capabilities such as voice phishing (vishing) and help desk impersonation.

LAPSUS$ pioneered SIM swapping and MFA bombing techniques now widely adopted by Scattered Spider and ShinyHunters to bypass multi-factor authentication systems.

High-profile victims include major airlines such as Qantas, WestJet, and Hawaiian Airlines, with attacks resulting in operational disruptions and flight cancellations.

In July 2025, ShinyHunters claimed responsibility for breaching Qantas customer data, affecting nearly 6 million individuals through sophisticated voice-phishing campaigns targeting Salesforce users.

The groups have also targeted retail giants, including Victoria’s Secret, which suffered a $10 million impact from a May 2025 attack, as well as luxury brands Cartier, Dior, and Adidas.

Telecommunications companies remain frequent targets, with AT&T paying approximately $370,000 in Bitcoin ransom following a Snowflake-related breach exposing call metadata for 110 million customers.

Most concerning are recent claims of breaching law enforcement systems, including the FBI’s National Instant Criminal Background Check System (NICS) and the UK’s National Crime Agency portals.

While verification remains ongoing, Resecurity’s analysis suggests these represent escalatory responses to law enforcement actions against group members.

Despite announcing their “retirement” in September 2025, claiming they had “achieved their goals of exposing weaknesses in digital security,” Resecurity maintains skepticism about the sincerity of this announcement.

The firm has identified multiple previously undisclosed victims currently being extorted privately, suggesting the groups have shifted to discrete operations rather than ceasing activities entirely.

The fluid boundaries between these groups represent an advanced persistent threat requiring enhanced defensive measures and improved employee awareness of evolving social engineering tactics.

Find this Story Interesting! Follow us on Google News , LinkedIn and X to Get More Instant Updates

The post Researchers Reveal Links Among LAPSUS$, Scattered Spider, and ShinyHunters appeared first on Cyber Security News.