Trinity of Chaos Ransomware Unveils New Data Leak Site

Summary
– A new ransomware collective called “Trinity of Chaos” has launched a data leak site listing 39 major global companies, including Toyota, FedEx, and Google.
– The group is threatening Salesforce by claiming to possess massive corporate data and leveraging ongoing lawsuits unless paid, an unusual tactic in ransomware extortion.
– Leaked data samples contain significant personally identifiable information obtained via stolen OAuth tokens and vishing attacks, with the FBI issuing alerts for detection.
– The collective claims to hold over 1.5 billion records from 760 companies, with an October 10 deadline for negotiations before further publication.
– Experts warn that releasing this data could lead to large-scale phishing, identity theft, and malicious AI-driven data mining, while the leak site itself has faced DDoS attacks.
A significant new development has emerged in the cybersecurity landscape with the launch of a dedicated data leak site by the ransomware collective known as Trinity of Chaos. This group, which has alleged connections to the notorious Lapsus$, Scattered Spider, and ShinyHunters cybercrime gangs, is now operating a platform on the TOR network. The site currently lists 39 major international corporations, which analysis by the cybersecurity firm Resecurity reads as a notable escalation in the group’s operational tactics and global reach.
Rather than announcing new cyber intrusions, Trinity of Chaos has taken the approach of publishing previously unreleased data from past security breaches. The list of affected organizations reads like a who’s who of global business, including household names such as Toyota, FedEx, Disney, UPS, Marriott, and Google. In a particularly aggressive move, the collective has issued a direct threat to Salesforce, claiming to have exploited vulnerabilities within its systems to acquire massive volumes of corporate information. Salesforce has publicly refuted these claims, stating that no new security flaws exist within their platform, though the company did acknowledge that previous breaches might have exposed customer data.
The cybersecurity community has taken note of what appears to be the reemergence of ShinyHunters, despite earlier indications that the group had disbanded. Brian Soby, Chief Technology Officer and co-founder at AppOmni, observed that “recent reports indicate the group is not only continuing to extort victims but is now directly threatening Salesforce.” The group has made the unusual claim that it will cooperate with plaintiffs in existing lawsuits against Salesforce over recent data breaches unless the company pays it directly, an extortion tactic that security professionals have not encountered before.
The collective claims to have attempted negotiations with Salesforce and has warned that if ignored, they will report the breach to regulatory authorities, potentially triggering criminal negligence charges. This strategy of leveraging regulatory pressure, particularly under frameworks like the EU’s General Data Protection Regulation (GDPR), mirrors tactics employed by other ransomware operators seeking to intensify pressure on their targets. Soby noted the uniqueness of this approach, stating that “to our knowledge, it is the first time an attacker has threatened to participate in or leverage existing litigation against the vendor of a compromised platform.”
Analysis of the leaked data samples by Resecurity confirms they contain substantial amounts of personally identifiable information but relatively few passwords. This pattern suggests the information was likely obtained from Salesforce instances through stolen OAuth tokens and vishing attacks connected to Salesloft’s Drift AI integration. The Federal Bureau of Investigation has responded by issuing a flash alert to help organizations identify and defend against similar breach methods.
Soby further explained that “ShinyHunters gained access through phishing and stole customer user credentials,” emphasizing that “under the Shared Responsibility model, preventing and detecting such activity falls squarely within the customer’s domain.” The data leak site enumerates numerous recent victims, including Stellantis, which reported a North American data breach in September, and Aeroméxico, which suffered a July attack compromising 39 million records. Other affected entities include major international carriers Air France, KLM, Qantas, and Vietnam Airlines, with the latter reportedly compromised for nearly three years.
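The two preceding paragraphs describe the access pattern behind these leaks (a stolen OAuth token for a connected app used to pull records from a SaaS tenant) and Soby’s point that detecting it is the customer’s job. The following is an added example, not code from the article, Resecurity, AppOmni or Salesforce: a small baseline-and-deviation detector run over a constructed API access log. The log format, field names (`connected_app`, `source_ip`, `records_fetched`), app name `drift-integration` and all IPs and counts are assumptions made up for the example; a real deployment would map them onto whatever API-usage or event-monitoring export the platform actually provides.

```python
"""Flag connected-app API activity that departs from its own baseline.

Two signals are checked per connected app:
  * a source IP that was never seen during the baseline window
  * a single pull far larger than anything seen during the baseline window
Either is a reason to review the token behind that app, and both together
look like the "stolen OAuth token used for bulk export" pattern.
"""
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO

# Constructed sample log (CSV). Field names and values are this example's own,
# not a real product schema. Baseline week: 1-5 Sept. Suspect burst: 7 Sept.
SAMPLE_LOG = """\
timestamp,connected_app,user,source_ip,records_fetched,object
2025-09-01T09:00:00Z,drift-integration,svc_drift,203.0.113.10,120,Contact
2025-09-01T10:00:00Z,drift-integration,svc_drift,203.0.113.10,95,Lead
2025-09-02T09:00:00Z,drift-integration,svc_drift,203.0.113.10,130,Contact
2025-09-03T09:00:00Z,drift-integration,svc_drift,203.0.113.11,110,Contact
2025-09-04T09:00:00Z,drift-integration,svc_drift,203.0.113.10,100,Contact
2025-09-05T09:00:00Z,drift-integration,svc_drift,203.0.113.10,125,Contact
2025-09-06T09:00:00Z,drift-integration,svc_drift,203.0.113.10,115,Contact
2025-09-07T02:13:00Z,drift-integration,svc_drift,198.51.100.77,50000,Contact
2025-09-07T02:20:00Z,drift-integration,svc_drift,198.51.100.77,48000,Account
2025-09-07T02:31:00Z,drift-integration,svc_drift,198.51.100.77,61000,Opportunity
"""

# Everything before this instant is treated as known-good history (assumption).
DEFAULT_CUTOFF = datetime(2025, 9, 6, tzinfo=timezone.utc)
# A pull more than this many times the largest baseline pull is "bulk".
VOLUME_MULTIPLIER = 10


def parse_events(text):
    """Parse the CSV text into dicts with a tz-aware timestamp and int count."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(
            row["timestamp"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        row["records_fetched"] = int(row["records_fetched"])
        events.append(row)
    return events


def build_baseline(events, cutoff):
    """Per connected app: source IPs seen and largest single pull before cutoff."""
    baseline = defaultdict(lambda: {"ips": set(), "max_records": 0})
    for e in events:
        if e["timestamp"] < cutoff:
            b = baseline[e["connected_app"]]
            b["ips"].add(e["source_ip"])
            b["max_records"] = max(b["max_records"], e["records_fetched"])
    return baseline


def detect_anomalies(events, cutoff=DEFAULT_CUTOFF, multiplier=VOLUME_MULTIPLIER):
    """Return one finding per post-cutoff event that deviates from its app's baseline."""
    baseline = build_baseline(events, cutoff)
    findings = []
    for e in events:
        if e["timestamp"] < cutoff:
            continue
        b = baseline.get(e["connected_app"])
        reasons = []
        if b is None:
            # An app with no history at all: token or app was created after the cutoff.
            reasons.append("unknown_connected_app")
        else:
            if e["source_ip"] not in b["ips"]:
                reasons.append("new_source_ip")
            if e["records_fetched"] > multiplier * b["max_records"]:
                reasons.append("bulk_pull")
        if reasons:
            findings.append({
                "timestamp": e["timestamp"].isoformat(),
                "connected_app": e["connected_app"],
                "user": e["user"],
                "source_ip": e["source_ip"],
                "object": e["object"],
                "records_fetched": e["records_fetched"],
                "reasons": reasons,
            })
    return findings


def run_sample():
    """Run the detector over the constructed log with the default cutoff."""
    return detect_anomalies(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the sample, the routine 6 Sept pull from a known IP produces nothing, while each of the three 7 Sept pulls is flagged for both a never-seen source IP and a volume two orders of magnitude above the baseline. The value of keeping the baseline per connected app is that the same user identity (`svc_drift`) is legitimate in both windows; what changed is where the token was used from and how much it pulled, which is exactly what a token theft leaves behind even when no password was ever exposed.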
The scope of the exposed data extends to files associated with Google AdWords and Cisco systems. For Google, the compromised records appear connected to corporate Salesforce environments, potentially impacting digital advertisers and media partners worldwide. Cisco’s exposed data reportedly includes sensitive information about employees and customers from various government agencies, including the FBI, Department of Homeland Security, NASA, and India’s Ministry of Defense.
Soby highlighted the fundamental issue these incidents reveal, noting that “many SaaS customers have yet to adopt the tools and practices necessary to effectively meet their Shared Responsibility obligations.” The group claims to possess an astonishing 1.5 billion records across 760 companies, comprising approximately 254 million accounts, 579 million contacts, and 172 million business opportunities.
With an October 10 deadline set for negotiations before further data publication, the situation remains fluid. Resecurity has noted that the leak site itself has been targeted by distributed denial-of-service attacks, possibly launched by victims attempting to prevent additional data exposure. Security experts warn that if this vast trove of information is released, it could enable widespread phishing campaigns, identity theft operations, and malicious AI-driven data mining on an unprecedented scale.
(Source: Info Security)