A new Telegram channel has appeared, quickly making waves in the cybersecurity community for its chaotic and overwhelming content. The channel, which combines the names of three prominent hacking groups—ShinyHunters, Scattered Spider, and Lapsus$—has become a platform for a torrent of data leaks, sales, and threats. While other leak channels often follow a more structured format of posting a breach and then the data, this new channel is a jumble of partial leaks, calls to buy data, memes, and threats, reflecting a level of disorganization that has led commenters to label it “insane” and “complete chaos.”
The channel’s prolific activity began on a recent Friday afternoon, and in under 24 hours, it had already revealed a significant number of data breaches and shared proof of claims related to various incidents. The sheer volume and disorganized nature of the posts make it difficult to follow, but it’s clear the group is using the platform to both publicize their activities and monetize stolen data. Its existence and the rapid-fire nature of its posts raise questions about its longevity, as it’s likely to be a prime target for a ban.
One of the channel’s primary functions is to leak legal documents and corporate data. Among the notable leaks were court filings related to injunctions against ShinyHunters from Qantas and the Legal Aid Agency, a subpoena served on Google, and other legal documents exchanged between governments. The channel also revealed data from incidents that had been previously disclosed, but without a definitive link to the groups. For instance, the Victoria’s Secret breach, which was previously known, was definitively tied to Scattered Spider with a screenshot from the retailer’s console. The group also posted a sample of customer data from Gucci and offered to sell a full database from Neiman Marcus for 1 Bitcoin (BTC).
They also leaked screenshots from negotiations with Chanel and a note that the data was for sale, with sources linking the breach to the Salesforce campaign.
In addition to these high-profile leaks, the channel included references to many other companies, including Disney, Air France, S&P Global, T-Mobile, Nvidia, Coinbase, and Adidas. Some of these incidents were already known and linked to the Snowflake and Salesforce campaigns, which are associated with the groups behind the channel. They even leaked a notification email from Google that was sent to people affected by a recent attack, and a database from Coca-Cola Europacific Partners before a temporary break in their activity.
The channel’s activity isn’t limited to private companies; it also includes claims and proof of claims about various government entities. These posts have targeted the governments of England, France, Brazil, and India, as well as the Brazilian police and courts. Most notably, the group posted claims concerning the U.S. Department of Homeland Security (DHS) and specifically targeted the U.K. Ministry of Justice with threats. Scattered Spider, in what appears to be a direct response to recent arrests in the U.K., threatened to leak all data from the Legal Aid Agency unless an individual named Jared Antwon is released.
Beyond leaking data and making threats, the group used the channel to tease a new ransomware they are reportedly developing.
They claimed that their upcoming ransomware-as-a-service (RaaS), dubbed “SHINYSP1D3R,” would be far more formidable than existing groups like DragonForce and LockBit. They also boasted about their ability to breach even large, well-funded companies like Google, and warned that law enforcement wouldn’t be able to stop them. They ominously promised that a new campaign, “Snowflake 3.0,” would be “much, much worse” than their previous efforts and even provided a contact for employees of Fortune 500 companies to reach out to them.
In a direct message on the channel, they also addressed Salesforce CEO Marc Benioff, demanding a payment of 20 Bitcoin to prevent the leak of data from 91 organizations. While the demand is significant, it’s highly unlikely that the CEO would comply. The combination of leaks, threats, and bold proclamations from this new channel paints a picture of a highly aggressive and confident group aiming to cause maximum disruption and profit from their illicit activities.