Cybercrime supergroup: Scattered Spider, LAPSUS$, and ShinyHunters form consolidated alliance

  • Marijan Hassan - Tech Journalist
  • 2 hours ago
  • 2 min read

High-stakes cyber extortion has entered a new and more dangerous era with the confirmed alliance of three of the world's most notorious English-speaking hacking crews: Scattered Spider, LAPSUS$, and ShinyHunters.



Operating under the unified banner of "Scattered LAPSUS$ Hunters (SLH)," the alliance is pooling its distinctive tactics and brand notoriety to launch more powerful, coordinated, and psychologically damaging attacks against global enterprises. Cybersecurity researchers are calling the merger a "federated collective" and a significant paradigm shift in cybercrime.


A merger of criminal expertise

The SLH alliance is not merely a collaboration but a strategic merger of capabilities, creating an end-to-end extortion machine:


  • Scattered Spider: Contributes its elite expertise in social engineering, particularly "vishing" (voice phishing) and help-desk impersonation, which allows them to bypass Multi-Factor Authentication (MFA) and gain initial network access. They were key to the initial access in high-profile breaches like the MGM Resorts attack.


  • LAPSUS$: Brings its trademark psychological warfare, public shaming, and source code theft. Despite earlier arrests, the group's infamous brand and flair for publicizing leaks (often using polls on Telegram to decide the next victim) are now weaponized for maximum pressure.


  • ShinyHunters: Provides the refined capability for large-scale data exfiltration from cloud platforms and expertise in monetizing massive databases.


Targeting identity, not infrastructure

The group's combined focus centers on exploiting human weakness and identity management systems rather than complex software vulnerabilities. Their primary attack chain often involves:


  • Vishing attacks: Impersonating IT staff to call employees and trick them into approving a malicious MFA prompt or installing a remote-management tool.

  • SaaS platform abuse: Once inside, they target high-value data aggregation points like Salesforce and other CRM or cloud service providers, relying on stolen credentials and OAuth abuse rather than platform exploits.

  • Extortion-as-a-Service (EaaS): SLH has formally introduced an EaaS model, allowing smaller affiliates to buy into the consolidated brand power and infrastructure, aiming for higher returns due to the group's combined infamy.


The future threat

The alliance has been actively operating through a network of Telegram channels, where it posts taunts, proofs of compromise, and threats. So far, Telegram has removed over 16 channels, with the group creating new ones under varying iterations of the original name.


SLH has also teased the development of their own custom ransomware family, "Sh1nySp1d3r," demonstrating their ambition to rival established ransomware cartels.


Security experts warn that the formation of SLH is a direct signal that organizations must urgently implement phishing-resistant MFA (like FIDO2 hardware keys) and dramatically enhance employee training, as the cybercrime threat has consolidated its focus squarely on identity and human trust.
