Hacker Groups Unite: Scattered Spider, ShinyHunters, LAPSUS$ Form Alliance

Summary
– SLH has been confirmed as a coordinated alliance merging Scattered Spider, ShinyHunters, and LAPSUS$ into a unified threat identity with a centralized operational model.
– The group uses Telegram as a permanent command hub and brand engine, rapidly rebuilding channels after takedowns to maintain public presence and intimidation.
– Trustwave identified fewer than five core operators behind about 30 personas, with ShinyHunters-linked identities leading the structure and key roles like coordination and exploit development.
– SLH is capitalizing on the BreachForums collapse by recycling notoriety from its groups and formalizing an affiliate-driven extortion model to attract displaced operators.
– The alliance represents a long-term, cohesive strategy using brand unification as a force multiplier for extortion, recruitment, and audience control, with tailored exploitation capabilities.

A significant new alliance has emerged in the cybercrime world, uniting three notorious hacking collectives under a single banner. Scattered LAPSUS$ Hunters (SLH) is now confirmed to be a coordinated alliance that deliberately merges the reputational capital of Scattered Spider, ShinyHunters, and LAPSUS$. This development, detailed in a new advisory from Trustwave SpiderLabs, moves beyond earlier observations of tactical experimentation. The group is presenting itself as a federated collective with a centralized narrative, an operational marketing model, and a named “Operations Centre,” signaling a long-term strategic consolidation rather than a temporary rebranding.
Trustwave’s analysis indicates that fewer than five core operators are managing approximately thirty different online personas. Identities historically linked to the ShinyHunters group appear to be leading the operational structure. This effort is assessed as the first cohesive alliance within The Com’s traditionally fluid network, using brand unification as a force multiplier for extortion, recruitment, and controlling their audience.
The Telegram messaging platform serves as the group’s permanent command hub and brand engine, not merely a broadcast channel. Since early August, the alliance has demonstrated remarkable resilience, cycling through at least sixteen public channels and rebuilding them within hours of each takedown. This persistence underscores a strategy deeply rooted in public presence and intimidation, employing theatrical tactics reminiscent of hacktivist behavior, though the group’s primary motivation remains financial.
The alliance’s emergence coincides with the collapse of the BreachForums platform, which created a significant vacuum in the underground ecosystem. SLH is attempting to fill this void by recycling the notoriety of its constituent groups and formalizing an affiliate-driven extortion model. This approach is designed to attract operators who have been displaced by recent forum disruptions.
Trustwave’s profile maps key personas that are shaping the enterprise. The persona “shinycorp” is viewed as the primary coordinator, while “yuka” is tied to zero-day brokerage and tooling historically linked to advanced malware like BlackLotus. This verification of skilled exploit development represents a step beyond the unconfirmed ransomware claims that were highlighted by other researchers in October. Other notable personas include “alg0d,” who acts as a data broker and negotiator, various UNC-style personas that amplify the group’s claims, and “SLSHsupport,” which maintains channel continuity.
In contrast to earlier speculation that SLH might be posturing or lying low, the group is demonstrably building a long-term structure. Trustwave warns that as this hybrid ecosystem evolves, its use of identity fluidity, social amplification, growing tailored exploitation capabilities, and adaptive collaboration will likely shape the next phase of data-extortion activity well into 2026. Understanding the interplay between performance, persistence, and perception will be essential for anticipating how such threat collectives sustain their momentum in an increasingly moderated and intelligence-aware underground landscape.
(Source: Info Security)





