A group of cybercriminals going by the name of Scattered LAPSU$ Hunters have threatened to leak Google data unless the company fires two named threat researchers.
In a post made on Telegram, group members demanded Google sack Charles Carmakal, CTO at Google Mandiant, and Austin Larsen, Google’s Principal Threat Analyst.
On X, malware researcher @vxunderground said the group had also posted the names of FBI Special Agents who they believe are tracking their case.
The hackers did not supply any evidence they had actually compromised any Google data. However, as Newsweek reports, ShinyHunters had been linked to a breach of Google’s Salesforce instance after a voice phishing scam in August.
Google has not publicly commented on the demand.
Why This Matters
While this may just be bluster from young hackers looking for attention, the incident highlights an important point: data exfiltration and ransom demands are serious, real-world risks for even the most security-savvy tech companies.
Attacks targeting trusted third-party software, like Salesforce, demonstrate that vulnerabilities outside a company’s core systems can still be exploited for financial gain, reputational harm, or leverage over key personnel.
Who are Scattered LAPSU$ Hunters?
Scattered LAPSU$ Hunters is a collection of hackers that claim to be an alliance of Scattered Spider, Lapsus$, and ShinyHunters, three of the most notorious cybercrime groups of recent years. They have also called themselves “The Community” or “The Com”.
The gang are known for attention-seeking stunts, like paying people up to $1,000 USD to get their group logo tattooed on their body.
In August, we reported on the details of a Telegram channel hosted by the group, which bragged about data breaches, extortion attempts, and new ransomware capabilities.
Details included breached vendor lists, partial breach samples, and boasts of successful hacks against brands like Victoria’s Secret, Gucci, and Neiman Marcus. The group has also claimed intrusions into US, UK, French, Brazilian, and Indian government agencies.
Analysts suggest the collective blends capabilities of its constituent groups:
- Scattered Spider – SIM-swapping and ransomware, linked to the 2024 Las Vegas casino heists.
- ShinyHunters – database breaches since 2020, including Snowflake, Ticketmaster, and AT&T.
- Lapsus$ – 2021-22 spree of social engineering and insider recruitment at BT, Nvidia, and Microsoft.
Earlier this year the UK’s National Crime Agency linked Scattered Spider to a wave of ransomware attacks on major high street retailers. The gang was mostly made up of teenagers and young adults.
In July, UK police arrested two men aged 19, a boy aged 17, and a woman aged 20 allegedly linked to Scattered Spider, on suspicion of “Computer Misuse Act offences, blackmail, money laundering and participating in the activities of an organised crime group.”
Just last week, US authorities sentenced one Scattered Spider gang affiliate to ten years in prison, and ordered him to pay $13 million in restitution to the victims of ransomware attacks.
How to stay secure
Scattered Spider typically steal data and force companies to pay them in order to have the data recovered—an increasingly common evolution of the typical ransomware playbook.
They are known for their use of “DragonForce” ransomware and for using social engineering and voice phishing to trick organizations into giving them access to Salesforce CRM software instances.
The best way to defend against these attacks is to implement robust endpoint detection and response, multi-factor authentication, and security awareness training.
To stay protected, we’d recommend a multi-layered approach:
- Robust Endpoint Detection and Response (EDR) – to detect anomalous activity before attackers can escalate privileges or exfiltrate data.
- Multi-Factor Authentication (MFA) – to protect accounts even if credentials are compromised via phishing or social engineering.
- Security Awareness Training – regular exercises for staff to recognize phishing, vishing, and insider threat tactics.
- Third-party software audits – regularly review vendor access, permissions, and integration security.
- Incident response planning and testing – simulate ransomware or exfiltration scenarios to ensure the organization can respond quickly and effectively.
- Threat intelligence monitoring – track emerging groups like Scattered LAPSU$ Hunters, ShinyHunters, and Scattered Spider to stay ahead of evolving tactics.
Even if much of the group’s recent messaging is bluster, the risk remains that highly coordinated cybercriminal alliances can quickly escalate from social media posturing to financially and operationally damaging attacks.