techcrunch.com - Lorenzo Franceschi-Bicchierai
Zack Whittaker
6:17 AM PDT · October 3, 2025
The hacking group claims to have stolen about a billion records from companies, including FedEx, Qantas, and TransUnion, who store their customer and company data in Salesforce.
A notorious predominantly English-speaking hacking group has launched a website to extort its victims, threatening to release about a billion records stolen from companies who store their customers’ data in cloud databases hosted by Salesforce.
The loosely organized group, which has been known as Lapsus$, Scattered Spider, and ShinyHunters, has published a dedicated data leak site on the dark web, called Scattered LAPSUS$ Hunters.
The website, first spotted by threat intelligence researchers on Friday and seen by TechCrunch, aims to pressure victims into paying the hackers to avoid having their stolen data published online.
“Contact us to regain control on data governance and prevent public disclosure of your data,” reads the site. “Do not be the next headline. All communications demand strict verification and will be handled with discretion.”
Over the last few weeks, the ShinyHunters gang allegedly hacked dozens of high-profile companies by breaking into their cloud-based databases hosted by Salesforce.
Insurance giant Allianz Life, Google, fashion conglomerate Kering, the airline Qantas, carmaking giant Stellantis, credit bureau TransUnion, and the employee management platform Workday, among several others, have confirmed their data was stolen in these mass hacks.
The hackers’ leak site lists several alleged victims, including FedEx, Hulu (owned by Disney), and Toyota Motors, none of which responded to a request for comment on Friday.
It’s not clear if the companies known to have been hacked but not listed on the hacking group’s leak site have paid a ransom to the hackers to prevent their data from being published. When reached by TechCrunch, a representative from ShinyHunters said, “there are numerous other companies that have not been listed,” but declined to say why.
At the top of the site, the hackers mention Salesforce and demand that the company negotiate a ransom, threatening that otherwise “all your customers [sic] data will be leaked.” The tone of the message suggests that Salesforce has not yet engaged with the hackers.
Salesforce spokesperson Nicole Aranda provided a link to the company’s statement, which notes that the company is “aware of recent extortion attempts by threat actors.”
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” the statement reads. “At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
Aranda declined to comment further.
For weeks, security researchers have speculated that the group, which has historically eschewed a public presence online, was planning to publish a data leak website to extort its victims.
Historically, such websites have been associated with foreign, often Russian-speaking, ransomware gangs. In the last few years, these organized cybercrime groups have evolved from stealing, encrypting their victim’s data, and then privately asking for a ransom, to simply threatening to publish the stolen data online unless they get paid.
| The Record from Recorded Future News Alexander Martin
September 18th, 2025
Two suspected members of the Scattered Spider cybercrime collective have been arrested and charged in the United Kingdom following an investigation into the hack of Transport for London (TfL) last year.
The National Crime Agency (NCA) announced on Thursday that Thalha Jubair, 19, from East London, and Owen Flowers, 18, from Walsall, had been arrested at their homes at lunchtime on Tuesday.
The Crown Prosecution Service authorized charges against both men on Wednesday night under the Computer Misuse Act, alleging they conspired to commit unauthorized acts against TfL, which was hacked in August 2024. Flowers had initially been arrested over the the transit agency attack in September 2024, but released on bail.
The NCA said its officers also discovered additional potential evidence that Flowers had been involved in attacks against U.S. healthcare companies following his arrest. Flowers faces two additional charges of conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and attempting to do the same to Sutter Health.
Jubair faces an additional charge for refusing to provide investigators with passcodes to access devices seized from him. The U.S. Department of Justice also unsealed a complaint against Jubair on Thursday, accusing him of computer crimes.
The men are set to appear at Westminster Magistrates’ Court at 2 p.m. on Thursday. In England and Wales, criminal cases begin with a first hearing in a magistrates’ court where it is decided whether the case will proceed to a Crown Court for a jury trial — required for all cases where the sentence could exceed 12 months.
The specific charges against both men are “conspiracy to commit an unauthorised act in relation to a computer causing / creating risk of serious damage to human welfare/national security,” the maximum sentence for which is life imprisonment.
Magistrates’ courts also decide whether a defendant can be released on bail. Prosecutors are seeking to have both men remanded in custody until they can face trial.
Paul Foster, the head of the NCA’s National Cyber Crime Unit, said: “Today’s charges are a key step in what has been a lengthy and complex investigation. This attack caused significant disruption and millions in losses to TfL, part of the UK’s critical national infrastructure.”
It follows the NCA warning of an increasing threat from English-speaking cybercriminal groups, including the loose collective tracked as Scattered Spider, which has been associated with a range of attacks in both Britain and the United States.
“The NCA, UK policing and our international partners, including the FBI, are collectively committed to identifying offenders within these networks and ensuring they face justice,” said Foster.
Hannah Von Dadelszen, the CPS’ chief prosecutor for the Crown Prosecution Service, said: “Our prosecutors have worked to establish that there is sufficient evidence to bring the case to trial and that it is in the public interest to pursue criminal proceedings.”
The charges come as the NCA’s cybercrime unit is understood to be busier than ever in investigating a range of cases. These include the hack against TfL, the Legal Aid Agency, two incidents impacting the National Health Service, and attacks on three retailers — Marks & Spencer, the Co-op, and the London-based luxury store Harrods.
Contempt of court laws prohibit prejudicing a jury trial by suggesting suspects' guilt or innocence, publishing details regarding their past convictions, or speculating about the character of the defendants.
| The Record from Recorded Future News Jonathan Greig
September 15th, 2025
Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organizations for exorbitant ransoms after stealing data from Salesforce, the FBI warned.
The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively.
After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organizations — threatening to leak troves of customer data, business documents and more.
The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency but they noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration while others took place months later.
The FBI said the campaign began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees.
That scheme typically gave the cybercriminals access to employee credentials that were then leveraged to access Salesforce instances holding customer data. In other cases, the hackers used phishing emails or texts to take over employees’ phones or computers.
The hackers evolved their tactics throughout the summer, switching to exploiting third-party applications that organizations linked to their Salesforce instances.
“UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal,” the FBI said.
“This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”
By August, the hackers began targeting the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.
The tactic allowed them to bypass traditional defenses like multifactor authentication, login monitoring and password resets, the FBI explained. In some cases, the FBI has found that the hackers created malicious applications within Salesforce trial accounts that allowed them to register connected apps without using a legitimate corporate account.
On Monday, Reuters and the BBC confirmed that Kering — the French conglomerate that owns Gucci, Balenciaga and Alexander McQueen — was attacked by the same ShinyHunters cybercriminals.
ShinyHunters told the BBC that it stole information connected to 7.4 million unique email addresses. The hackers told another news outlet that they stole the information in late 2024 but only began negotiating a ransom in June 2025.
Last week, a critical government agency in Vietnam confirmed that millions of financial records were stolen in an attack claimed by ShinyHunters. The cybercriminals previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries.
The FBI provided indicators of compromise that potential victims can use to see whether they have been affected by the hacking campaigns and urged companies to train call center employees on the tactics used.
The agency also said companies should limit the privileges of almost every employee account, enforce IP-based access restrictions, monitor API usage and more.
Experts said the information provided by the FBI showed how sophisticated the actors are at abusing legitimate tools for nefarious purposes, like Azure cloud infrastructure, virtual servers, Tor exit nodes and proxy services to obfuscate their origin.
Scattered retirement?
The FBI notice came shortly after the group made several posts on Telegram claiming to be retiring. The group blamed a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation.
Cybersecurity experts were dubious about the disbanding claims, noting that cybercriminal operations often make similar claims before reconstituting under different names. Some theorized the hackers are likely going to enjoy the spoils of their recent extortion campaigns before returning to cybercriminal activity.
Sam Rubin, a senior official with Palo Alto Networks’ Unit 42, said recent arrests may have prompted the group to lay low, but history says such activity is often temporary.
“Groups like this splinter, rebrand, and resurface — much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” he said.
“Silence from a threat group does not equal safety.”
UNC3944, which overlaps with public reporting on Scattered Spider, is a financially-motivated threat actor characterized by its persistent use of social engineering and brazen communications with victims. In early operations, UNC3944 largely targeted telecommunications-related organizations to support SIM swap operations. However, after shifting to ransomware and data theft extortion in early 2023, they impacted organizations in a broader range of industries. Since then, we have regularly observed UNC3944 conduct waves of targeting against a specific sector, such as financial services organizations in late 2023 and food services in May 2024. Notably, UNC3944 has also previously targeted prominent brands, possibly in an attempt to gain prestige and increased attention by news media.
Google Threat Intelligence Group (GTIG) observed a decline in UNC3944 activity after 2024 law enforcement actions against individuals allegedly associated with the group. Threat actors will often temporarily halt or significantly curtail operations after an arrest, possibly to reduce law enforcement attention, rebuild capabilities and/or partnerships, or shift to new tooling to evade detection. UNC3944’s existing ties to a broader community of threat actors could potentially help them recover from law enforcement actions more quickly.
Recent public reporting has suggested that threat actors used tactics consistent with Scattered Spider to target a UK retail organization and deploy DragonForce ransomware. Subsequent reporting by BBC News indicates that actors associated with DragonForce claimed responsibility for attempted attacks at multiple UK retailers. Notably, the operators of DragonForce ransomware recently claimed control of RansomHub, a ransomware-as-a-service (RaaS) that seemingly ceased operations in March of this year. UNC3944 was a RansomHub affiliate in 2024, after the ALPHV (aka Blackcat) RaaS shut down. While GTIG has not independently confirmed the involvement of UNC3944 or the DragonForce RaaS, over the past few years, retail organizations have been increasingly posted on tracked data leak sites (DLS) used by extortion actors to pressure victims and/or leak stolen victim data. Retail organizations accounted for 11 percent of DLS victims in 2025 thus far, up from about 8.5 percent in 2024 and 6 percent in 2022 and 2023. It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data. Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.
Quatre Américains et un Britannique sont désormais poursuivis pour leur implication dans ce groupe, accusé notamment d’avoir piraté les casinos MGM Resorts. Spécialisé dans l’hameçonnage, ce collectif pourrait être l’émanation d’une vaste communauté de pirates anglophones.
