According to Infosecurity Magazine, Scattered Spider, ShinyHunters and LAPSUS$ have officially merged into a coordinated alliance called Scattered LAPSUS$ Hunters. Trustwave SpiderLabs confirmed this isn’t just loose collaboration but a deliberate federation blending three high-profile criminal brands under one operational banner. The group has fewer than five core operators managing about 30 different personas, with ShinyHunters-linked identities appearing to lead the structure. Since early August, they’ve cycled through at least 16 public Telegram channels, rebuilding them within hours of each takedown. The alliance’s emergence coincides with the collapse of BreachForums, creating a vacuum they’re attempting to fill by recycling notoriety from their constituent groups.
What This Actually Means
Here’s the thing about criminal rebranding – it’s usually just cosmetic. But this is different. They’re not just changing names or lying low after law enforcement pressure. They’re creating what Trustwave calls “the first cohesive alliance” in The Com’s traditionally fluid network. Basically, they’re merging their reputational capital to create a unified threat identity that’s more than the sum of its parts.
And the timing is strategic. With BreachForums gone, there’s a power vacuum in the underground ecosystem. These groups see an opportunity to become the new center of gravity. They’re formalizing an affiliate-driven extortion model to attract operators who’ve lost their usual hangouts. It’s like three rival gangs deciding to open a combined franchise operation instead of fighting over territory.
Telegram as Permanent Command Center
This is where it gets interesting. Telegram isn’t just a broadcast channel for them anymore – it’s become their permanent command hub and brand engine. The fact they’ve rebuilt 16 channels since August shows incredible resilience. They’re treating takedowns as minor inconveniences rather than existential threats.
Think about what that means for defenders. Traditional disruption tactics become less effective when a group can spin up new command centers in hours. It’s like playing whack-a-mole with a hydra – cut off one head and two more appear instantly. This changes the game for how we think about disrupting criminal operations.
Beyond Bluster – Real Capabilities
Remember when everyone thought SLH might be posturing? Well, Trustwave’s latest analysis suggests otherwise. They’ve identified key personas like “yuka” who’s tied to zero-day brokerage and tooling linked to advanced malware like BlackLotus. That’s a step beyond the unconfirmed ransomware claims we saw back in October.
So we’re not dealing with script kiddies here. These are operators with actual exploit development skills. When they talk about extortion-as-a-service, they might actually have the technical chops to deliver. That should worry every security team out there.
This Isn’t Temporary
The most concerning part? Trustwave assesses this as a long-term play. They’re building structure, not just running quick campaigns, and using brand unification as a force multiplier for extortion, recruitment and audience control. Trustwave warns this “hybrid ecosystem” will likely shape data-extortion activity into 2026.
What does that mean for businesses? Basically, prepare for more sophisticated, persistent threats that blend technical capability with psychological operations. These groups understand that perception matters as much as technical execution. They’re creating a criminal enterprise designed to withstand law enforcement pressure and platform moderation. And honestly, that’s a scary combination.
