
Scattered LAPSUS$ Hunters: Emerging Threat Combines Social Engineering, Insider Recruitment, and Large-Scale Data Theft
In 2025, cybersecurity researchers observed the rise of the "Scattered LAPSUS$ Hunters," a collaboration between the cybercriminal groups Scattered Spider, Lapsus$, and ShinyHunters. This alliance represents a significant evolution in cyber threats, combining social engineering, insider recruitment, and large-scale data theft to conduct coordinated extortion campaigns. The collaboration marks a shift from isolated intrusions to more organized and damaging attacks.

Notable incidents include intrusions at Salesforce in late 2024, the theft of OAuth tokens from Drift and Salesloft in early 2025, and the launch of an extortionware portal targeting Salesforce customers in October 2025. These incidents demonstrate the group's ability to target high-value data and leverage stolen credentials for further attacks.

The technical implications of this collaboration are profound. The theft of OAuth tokens is particularly concerning, as these tokens can be used to bypass traditional authentication mechanisms. Additionally, the group's focus on recruiting insiders highlights the need for robust insider threat detection programs.

For cybersecurity professionals, this development underscores the importance of monitoring for unusual access patterns, strengthening defenses against social engineering, and preparing incident response plans for extortion campaigns. Organizations should also review their OAuth token management practices to mitigate the risk of token theft.

The emergence of the Scattered LAPSUS$ Hunters alliance signals a new era in cyber threats, where collaboration between cybercriminal groups can lead to more sophisticated and damaging attacks. Cybersecurity professionals must remain vigilant and adapt their defenses to counter these evolving threats.
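
One way to monitor integration OAuth tokens for the unusual access patterns mentioned above, added here as an example that is not part of the original article: it learns each token's usual source networks and peak read volume, then flags later use that departs from them. The event fields, token names, addresses and thresholds are assumptions constructed for illustration, not any vendor's log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events: (iso_time, token_id, source_ip, records_returned).
# Field names and values are illustrative, not any vendor's log schema.
EVENTS = [
    ("2025-01-06T09:00:00", "tok-integration-A", "198.51.100.10", 120),
    ("2025-01-06T13:00:00", "tok-integration-A", "198.51.100.11", 95),
    ("2025-01-07T09:05:00", "tok-integration-A", "198.51.100.10", 140),
    ("2025-01-07T09:10:00", "tok-integration-B", "192.0.2.20", 30),
    ("2025-01-08T02:14:00", "tok-integration-A", "203.0.113.77", 48000),
    ("2025-01-08T09:00:00", "tok-integration-A", "198.51.100.10", 130),
    ("2025-01-08T10:00:00", "tok-integration-B", "192.0.2.21", 35),
    ("2025-01-08T11:00:00", "tok-integration-B", "203.0.113.5", 20),
]

def network_of(ip, prefix=24):
    """Collapse an address to its /prefix network so NAT pool churn is not flagged."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_suspicious(events, baseline_end, volume_factor=5):
    """Learn per-token networks and peak volume before baseline_end, then flag later use."""
    nets, peak = defaultdict(set), defaultdict(int)
    alerts = []
    for ts, token, ip, records in sorted(events):  # ISO timestamps sort chronologically
        net = network_of(ip)
        if ts < baseline_end:
            nets[token].add(net)
            peak[token] = max(peak[token], records)
            continue
        reasons = []
        if net not in nets[token]:
            reasons.append("new_network")  # token presented from an unseen network
        if peak[token] and records > volume_factor * peak[token]:
            reasons.append("volume_spike")  # read volume far above the learned peak
        if reasons:
            alerts.append({"time": ts, "token": token, "ip": ip, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(EVENTS, baseline_end="2025-01-08T00:00:00"):
        print(alert)
```

An event that matches both conditions (a new network and a volume spike on the same token) is the stronger signal; a new network alone is common for legitimate integrations and is better treated as a lead to review than as an alert to page on.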