Cybercrime Merger Alert: Scattered Spider, LAPSUS$, and ShinyHunters Team Up! (2025)

Imagine a cybercrime supergroup, a fusion of notorious names like Scattered Spider, LAPSUS$, and ShinyHunters, joining forces to create a digital nightmare. This is exactly what’s happening, and it’s more organized and ambitious than you might think. Since August 8, 2025, this newly formed collective has established no fewer than 16 Telegram channels, each a reincarnation of the last, as they play a relentless game of cat and mouse with platform moderators. But here’s where it gets controversial: despite repeated takedowns, their determination to maintain a public presence highlights a chilling resilience—and a new era of cybercrime collaboration.

According to a report by Trustwave SpiderLabs, a LevelBlue company, these channels have been repeatedly removed and recreated under slight variations of their original name. This cycle underscores not only the challenges of platform moderation but also the group’s unwavering commitment to staying visible. Dubbed Scattered LAPSUS$ Hunters (SLH), this collective emerged in early August, quickly making waves with data extortion attacks targeting organizations, including those using Salesforce. Their most notable offering? An extortion-as-a-service (EaaS) model, allowing affiliates to leverage the group’s infamous brand and demand payments from victims.

But this isn’t just a random alliance. All three groups are part of a larger, loosely connected cybercriminal network known as The Com, characterized by fluid collaboration and shared branding. They’ve even aligned with other threat clusters like CryptoChameleon and Crimson Collective, expanding their reach and capabilities. Telegram serves as their central hub, not just for coordination but also as a megaphone to amplify their messaging and market their services—a tactic reminiscent of hacktivist groups. And this is the part most people miss: their administrative posts now include signatures like 'SLH/SLSH Operations Centre,' a deliberate move to project an image of legitimacy and organization, even in the chaotic world of cybercrime.

Their activities go beyond extortion. Members have used Telegram to accuse Chinese state actors of exploiting vulnerabilities while simultaneously targeting U.S. and U.K. law enforcement agencies. They’ve also recruited channel subscribers to participate in pressure campaigns, offering $100 in exchange for bombarding C-suite executives with emails. The group’s structure is a cohesive alliance of semi-autonomous clusters, each bringing unique technical skills to the table. Notable members include Shinycorp (aka sp1d3rhunters), who manages brand perception, and individuals like Rey and SLSHsupport, who keep the community engaged. Then there’s yuka (aka Yukari or Cvsp), an initial access broker with a history of developing exploits.

What’s truly alarming is their evolution. While data theft and extortion remain their bread and butter, SLH has hinted at developing a custom ransomware family named Sh1nySp1d3r, potentially rivaling giants like LockBit and DragonForce. Trustwave describes them as occupying a unique space between financially motivated cybercrime and attention-driven hacktivism, blending monetary gain with social validation. Their mastery of branding, identity management, and narrative warfare sets them apart, resembling established underground actors more than opportunistic newcomers.

This cartelization of cybercrime takes a darker turn when you consider the recent activities of DragonForce. After launching a ransomware cartel earlier this year, they’ve partnered with Qilin and LockBit to share techniques, resources, and infrastructure. Acronis researchers note that this lowers the barrier for entry, allowing both established and new actors to operate without building their own ecosystems. DragonForce’s alignment with Scattered Spider is particularly concerning, as the latter uses sophisticated social engineering techniques to breach targets before deploying DragonForce ransomware.

DragonForce’s origins are equally intriguing. Built on the leaked Conti source code, it retains much of the original functionality while adding an encrypted configuration to eliminate command-line arguments. This blend of innovation and adaptation underscores the evolving sophistication of these groups.

But here’s the question: As cybercrime groups become more organized and collaborative, are traditional cybersecurity measures enough to combat them? Or are we witnessing the rise of a new, unstoppable breed of digital criminals?

Article information

Author: Kareem Mueller DO
