According to Infosecurity Magazine, Scattered Spider, ShinyHunters and LAPSUS$ have officially merged into a coordinated criminal alliance called Scattered LAPSUS$ Hunters (SLH). Trustwave SpiderLabs confirmed in a new advisory that this isn’t just loose collaboration but a deliberate unification under a shared operational banner. The group has fewer than five core operators managing about 30 personas, with ShinyHunters-linked identities apparently leading the structure. Since early August, they’ve cycled through at least 16 public Telegram channels, rebuilding them within hours of each takedown. This development moves beyond earlier tactical experimentation noted by Palo Alto Networks’ Unit 42 back in October and represents a formal alliance positioning itself as a federated collective with a named “Operations Centre.”
This Is a Brand Power Play
Here’s what’s really interesting about this merger – it’s not just about combining technical skills. They’re deliberately merging the reputational capital of three high-profile criminal brands. Basically, they’re creating a supervillain team-up where the whole becomes greater than the sum of its parts. And they’re doing this at a perfect time – right as BreachForums collapsed, creating a vacuum in the underground ecosystem. So they’re positioning themselves to fill that void while recycling notoriety from their constituent groups.
The theatrical tactics remind me of hacktivist behavior, but Trustwave emphasizes these guys remain financially motivated. They’re using that public intimidation factor as part of their operational marketing model. It’s cybercrime meets performance art, and it’s working because they’ve shown incredible resilience with their Telegram channels.
Don’t Underestimate Their Capabilities
This isn’t just some rebranding exercise by washed-up hackers. Trustwave’s analysis identified personas like “yuka,” who is tied to zero-day brokerage and tooling historically linked to advanced malware like BlackLotus. That verification of skilled exploit development represents a step beyond the unconfirmed ransomware claims we saw back in October. So we’re looking at a group that actually has the technical chops to back up their big talk.
And think about this – fewer than five core operators managing 30 personas? That’s some serious operational security and discipline. They’re not just a loose collective of script kiddies; they’re running this like a business with centralized narrative control and what appears to be an affiliate-driven extortion model.
Where This Is Headed
Trustwave’s warning is pretty stark – they think this hybrid ecosystem will likely shape data-extortion activity into 2026. That’s not just next quarter or next year; we’re talking about a threat that’s building for the long haul. The combination of identity fluidity, social amplification, and growing exploitation capabilities creates a pretty scary picture.
What makes this different from previous criminal collaborations? Trustwave calls it the first cohesive alliance inside The Com’s traditionally fluid network. They’re using brand unification as a force multiplier for extortion, recruitment and audience control. And with Telegram serving as a permanent command hub rather than just a broadcast channel, they’ve built an infrastructure that’s remarkably resilient to takedown attempts.
So what does this mean for cybersecurity teams? We’re probably looking at more sophisticated, more persistent extortion campaigns from a group that understands both technology and psychology. They’ve studied what works – both technically and theatrically – and they’re building an organization designed to withstand law enforcement pressure. Basically, the game just got more serious.
