An ongoing data extortion campaign is targeting Salesforce customers, with evidence suggesting that threat groups ShinyHunters and Scattered Spider are collaborating. Their partnership, which shows a shift in tactics from simple data theft to more sophisticated social engineering, may soon set its sights on the financial services and technology sectors.
A significant shift is happening in the world of cybercrime, as two major threat groups, ShinyHunters and Scattered Spider, appear to be working together. This collaboration marks a new phase in cyber extortion, moving beyond the traditional methods of data theft and credential exploitation. According to cybersecurity firm ReliaQuest, the ongoing campaign, which has so far targeted Salesforce customers, shows the adoption of new tactics that closely mirror those used by Scattered Spider. This includes sophisticated social engineering attacks like vishing (voice phishing), which uses fake login pages and applications to trick victims into revealing their credentials.
What makes this partnership so concerning is the blend of each group’s expertise. ShinyHunters is a well-established, financially motivated group that has been orchestrating data breaches and selling stolen information on underground forums since 2020. In fact, the group has been a key figure in the administration of these forums, most notably BreachForums. Meanwhile, Scattered Spider is a notoriously experienced network of cybercriminals known for a wide range of malicious activities, including SIM swapping and extortion. The apparent teaming up of these two groups suggests a coordinated effort to expand their operations and enhance their attack methods, making them a more formidable and unpredictable threat.
The evidence of this collaboration is multifaceted. Researchers have found that both groups have recently targeted the same industries—retail, insurance, and aviation—at the same time. The emergence of a new Telegram channel called “scattered lapsu$ hunters,” which conflated the identities of ShinyHunters, Scattered Spider, and LAPSUS$, also points to a coalescence of these threat actors. Though the channel was quickly banned, its short-lived presence and the claim of developing a new ransomware-as-a-service solution called ShinySp1d3r show a desire to rebrand and consolidate in response to recent law enforcement pressure.
Security analysts are sounding the alarm about the potential for future attacks. An analysis of domain registrations reveals a 12% increase in registrations targeting financial companies since July 2025, while targeting of technology firms has decreased by 5%. This trend suggests that financial services providers, banks, and insurance companies could be the next targets of this newly aligned threat. The collaboration between ShinyHunters and Scattered Spider, supported by overlapping domain registration patterns and shared tactics like the use of fake single sign-on (SSO) login pages, is a clear indication that a larger, more sophisticated campaign is on the horizon.
Ultimately, the apparent partnership between ShinyHunters and Scattered Spider represents a significant evolution in the cybercrime landscape. Their combined tactics of social engineering, vishing, and data extortion pose a serious threat to a wide range of industries, with financial services and technology firms appearing to be next in their crosshairs. The recent claims by ShinyHunters that BreachForums has been taken over by law enforcement further complicate the situation, creating a chaotic environment where the lines between legitimate operations and law enforcement traps are blurred. It is a stark reminder that the digital underground is constantly shifting, with threat actors adapting and merging to become more effective and evasive.