{ "id": "cacf99e6-b50d-489a-b366-709057dc6ace", "created_at": "2026-04-09T02:22:31.639235Z", "updated_at": "2026-04-10T03:34:59.519368Z", "deleted_at": null, "sha1_hash": "eb92b70d9c02f7d9c21a630036cf7699371c4e7b", "title": "Scattered Spider has a new Telegram channel to list its attacks - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 80320, "plain_text": "Scattered Spider has a new Telegram channel to list its attacks -\r\nDataBreaches.Net\r\nPublished: 2025-08-09 · Archived: 2026-04-09 02:22:00 UTC\r\nCommenters on reading the new Telegram channel call it “schizo,” “complete chaos,” and “insane.”\r\nDataBreaches would just call it “overwhelming.” \r\nA new Telegram channel appeared on Friday afternoon with a name conflating three groups: Shiny Hunters,\r\nScattered Spider, and Lapsus$.  How long it will last before it gets banned remains to be seen, but in less than 24\r\nhours, it has already revealed numerous breaches, proof of claims, and data.\r\nUnlike some leak/sales channels that provide a quick statement about a breach and then leak the data or post a\r\nsales link, initial posts on the channel were a mix of partial leaks, posts saying “HMU” (“hit me up”) if people\r\nwere interested in buying the data, memes, commentary, and threats.\r\nSamples and Screenshots\r\nIn a matter of hours, the group leaked a number of files, including the court filings related to the Qantas and Legal\r\nAid Agency injunctions sent to ShinyHunters. Other legal documents that they leaked included the cover page of a\r\nsubpoena served on Google, a request for mutual assistance that France sent to Moldova (and DataBreaches has\r\nno idea what that was about), and ShinyHunters’ replies to the Qantas injunction, previously reported on\r\nDataBreaches.net.\r\nMany of their posts revealed data about previously disclosed incidents. The following is not a complete list by any\r\nmeans:\r\nAlthough the Victoria’s Secret breach in May had been disclosed, it was not previously definitively linked\r\nto Scattered Spider. In yesterday’s posts, Scattered Spider posted a screenshot taken from the retailer’s\r\nconsole, and a note saying the data were up for sale.\r\nA sample of data from Gucci consisted of 100 entries with customer data including name, age range,\r\nbirthdate (DDMM), email address, mobile phone, and other fields. Gucci is one of Kering‘s brands, with\r\nYves St. Laurent, Alexander McQueen and other high-end brands. DataBreaches does not recall ever\r\nseeing any Gucci data leaked before.\r\nA screenshot with a listing of .csv files and a note that they were selling a full Neiman Marcus database\r\nfor 1 BTC. This appears to be the 2024 data breach from the Snowflake campaign. There were also other\r\nposts that went back to Lapsus$ attacks and the Snowflake campaign last year.\r\nA sample from Chanel with screenshots of negotiations, and a note that they are selling the data. Chanel\r\nonly first found out about the breach on July 25 and sources had told both DataBreaches and Bleeping\r\nComputer that the breach was related to the Salesforce campaign.\r\nOther  screenshots or posts included references to “Disney,”  “AirFrance,” archive.org,  S\u0026P Global, T-Mobile, Nvidia, Otelier, Coinbase, Burger King Brazil, Adidas, and CISCO. Some of these incidents had\r\nhttps://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/\r\nPage 1 of 3\n\nalready been linked to ShinyHunters or Scattered Spiders and the Salesforce and Snowflake campaigns.  At\r\none point, they leaked Google‘s notification email to people affected by the attack on Google that Google\r\ndisclosed on August 5. And before they took a break, they leaked Coca Cola Europacific Partners database.\r\nPosts with claims or proof of claims about government entities included posts about the governments of\r\nEngland, France, Brazil, and India, as well as posts about hacks involving the Brazilian police and courts\r\nand notably, the U.S. Department of Homeland Security. Scattered Spider seemed particularly angry of the\r\n4 recent U.K. arrests and threatened the U.K. Ministry of Justice.\r\nFREE MY HOMIE JARED ANTWON AND ALL THE FALLEN SOLIDERS OF LAPSUS$ IF\r\nTHE MINISTRY OF JUSTICE OF THE UNITED KINGDOM DOES NOT RELEASE JARED\r\nANTWON BY MONDAY AUGUST 11 2025 6AM WE WILL LEAK ALL THE GITHUB\r\nREPOSITORIES AND THE LEGAL AID AGENCY MINISTRY OF JUSTICE DATABASE. Just\r\nlike the Department of (Justice) CORRUPTION, DONT BE WRONGED! THE UNITED\r\nKINGDOM IS THE SAME! MINISTRY OF CORRUPTION AND DISGRACE TO MY\r\nBELOVED KINGDOM! come get me NCA uwu meow \u003e.\u003ew\u003c.\u003c\r\nScattered Spider threatens to leak all of the data from the Legal Aid Agency (MOJ) if Jared Antwon\r\nis not released. The attached files are the MOJ’s legal filings to secure an injunction against\r\nShinyHunters. Image: DataBreaches.net.\r\nThe U.S. Department of Homeland Security (DHS) has also been targeted:\r\nDhs redacted\r\nScattered Spider posted some proof of claims concerning the U.S. Department of Homeland\r\nSecurity. Image and redaction by DataBreaches.net\r\nDhs2b\r\n“@chinahunterz just popped the DHS again.” Image and additional redaction: DataBreaches.net.\r\nIn addition to mentioning exploits and source code that they would be willing to sell, Scattered Spider also used\r\nthe platform to tease the ransomware that they are reportedly developing:\r\nare CISA ready for whats coming 🥺\r\nn—– not ready for the first kernel level esxi locker\r\nDRAGONFORCE AND LOCKBIT IS NOTHING COMPARED TO SHINYSP1D3R UPCOMING\r\nRAAS!!!!!!!!!!!!!\r\nSnowflake 3.0?\r\nIn a recent chat with ShinyHunters, Shiny said:\r\nIf trillionaires like Google can’t stop us then billionaires are nothing. Law enforcement doesn’t have\r\nsuch funding or massive budgets either. They will forget about us in a month or two once we’re done.\r\nThen we’ll come back and launch another several months to year long sophisticated campaign,\r\nSnowflake 3.0. Next time it’s going to be much much worse.\r\nhttps://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/\r\nPage 2 of 3\n\nIs Snowflake 3.0 closer on the horizon? Scattered Spider wrote:\r\nHello, if you work for a Fortune 500 company in retail, insurance, aviation, credit bureaus, finance or\r\nbanking, travel agencies, car companies or motor related, investment companies, gasoline companies,\r\nfastfood/restraunts, hotels, etc\r\nPlease contact @UNC5537\r\nUNC 5537 is the tracking number Google used for the Snowflake Campaign, although it has a double meaning in\r\nthe post as @UNC5537 refers to one of the members of Scattered Spider.\r\nA Direct Message to Salesforce’s CEO\r\nIn addition to posts addressing Mandiant, the U.K. Ministry of Justice, and other entities, Scattered Spider directly\r\naddressed Salesforce’s CEO at one point:\r\nDear, Mr. Marc Benioff\r\nPlease pay us 20 bitcoins or else we will leak the data of exactly 91 organizations, multinational\r\nconglomerates, and governments.\r\nBenioff has a net worth of more than $8 billion according to Bloomberg and Forbes, and 20 BTC would not make\r\na dent in his wealth, but DataBreaches would be very, very, very surprised if he paid them.\r\nWhat’s Next?\r\nPlease do NOT use the Comments section to point out all the listings I did not include in this post. I know this is\r\nnot a complete listing. And if Telegram doesn’t ban the channel, there will be a lot more.\r\nThe overall impression the posters created was generally one of kids telling off  governments and big businesses,\r\ndemanding the release of Jared Antwon and others, and generally bragging about their unstoppability.\r\nBut there is one impression DataBreaches did come away with apart from thinking that they are angry kids who\r\nwere somewhat impulsively revealing things last night instead of having and adhering to an organized plan. All\r\nthat said, they really do come across as unstoppable at this point.\r\nSource: https://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/\r\nhttps://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/" ], "report_names": [ "scattered-spider-has-a-new-telegram-channel-to-list-its-attacks" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-10T02:00:03.422366Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-10T02:00:03.770068Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "be5097b2-a70f-490f-8c06-250773692fae", "created_at": "2022-10-27T08:27:13.22631Z", "updated_at": "2026-04-10T02:00:05.311385Z", "deleted_at": null, "main_name": "LAPSUS$", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "source_name": "MITRE:LAPSUS$", "tools": [ "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "d4b9608d-af69-43bc-a08a-38167ac6306a", "created_at": "2023-01-06T13:46:39.335061Z", "updated_at": "2026-04-10T02:00:03.291149Z", "deleted_at": null, "main_name": "LAPSUS", "aliases": [ "Lapsus", "LAPSUS$", "DEV-0537", "SLIPPY SPIDER", "Strawberry Tempest", "UNC3661" ], "source_name": "MISPGALAXY:LAPSUS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "6608b798-f92b-42af-a93f-d72800eeb3a3", "created_at": "2023-11-30T02:00:07.292Z", "updated_at": "2026-04-10T02:00:03.482199Z", "deleted_at": null, "main_name": "DragonForce", "aliases": [], "source_name": "MISPGALAXY:DragonForce", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758", "created_at": "2025-07-24T02:05:00.538379Z", "updated_at": "2026-04-10T02:00:03.657424Z", "deleted_at": null, "main_name": "GOLD FLAME", "aliases": [ "DragonForce" ], "source_name": "Secureworks:GOLD FLAME", "tools": [ "ADFind", "AnyDesk", "Cobalt Strike", "FileSeek", "Mimikatz", "SoftPerfect Network Scanner", "SystemBC", "socks.exe" ], "source_id": "Secureworks", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2347282d-6b88-4fbe-b816-16b156c285ac", "created_at": "2024-06-19T02:03:08.099397Z", "updated_at": "2026-04-10T02:00:03.663831Z", "deleted_at": null, "main_name": "GOLD RAINFOREST", "aliases": [ "Lapsus$", "Slippy Spider ", "Strawberry Tempest " ], "source_name": "Secureworks:GOLD RAINFOREST", "tools": [ "Mimikatz" ], "source_id": "Secureworks", "reports": null }, { "id": "358432a9-d927-43c7-9201-b7aa7d184c26", "created_at": "2024-06-20T02:02:10.317536Z", "updated_at": "2026-04-10T02:00:05.043265Z", "deleted_at": null, "main_name": "UNC5537", "aliases": [], "source_name": "ETDA:UNC5537", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b", "created_at": "2022-10-25T16:07:24.503878Z", "updated_at": "2026-04-10T02:00:05.014316Z", "deleted_at": null, "main_name": "Lapsus$", "aliases": [ "DEV-0537", "G1004", "Slippy Spider", "Strawberry Tempest" ], "source_name": "ETDA:Lapsus$", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "c3c24777-7c0f-4772-b273-2163ac5a6b67", "created_at": "2024-06-19T02:00:04.373472Z", "updated_at": "2026-04-10T02:00:03.651748Z", "deleted_at": null, "main_name": "UNC5537", "aliases": [], "source_name": "MISPGALAXY:UNC5537", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-10T02:00:05.034516Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775701351, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/eb92b70d9c02f7d9c21a630036cf7699371c4e7b.pdf", "text": "https://archive.orkl.eu/eb92b70d9c02f7d9c21a630036cf7699371c4e7b.txt", "img": "https://archive.orkl.eu/eb92b70d9c02f7d9c21a630036cf7699371c4e7b.jpg" } }