Scattered LAPSUS$ Hunters: Teen Hacker “Rey” Unmasked & Cooperating with Law Enforcement
Cybercrime Group Scattered LAPSUS$ Hunters Faces Internal Disruption as Key Figure Identified
The escalating threat posed by the cybercriminal collective known as Scattered LAPSUS$ Hunters (SLSH) has taken an unexpected turn with the unmasking of a central figure, known online as “Rey.” The group, responsible for a string of high-profile data breaches and extortion attempts targeting major corporations, is now facing internal disruption as law enforcement agencies and cybersecurity firms close in. This development underscores the growing challenges businesses face in protecting sensitive data and the increasing sophistication – and surprisingly young age – of those behind these attacks.
From Corporate Extortion to Ransomware-as-a-Service
Scattered LAPSUS$ Hunters emerged this year as a particularly aggressive and prolific threat actor, gaining notoriety for stealing data from and publicly extorting dozens of companies. The group is believed to be a fusion of three previously known hacking groups – Scattered Spider, LAPSUS$, and ShinyHunters – operating within a largely English-speaking cybercriminal ecosystem on platforms like Telegram and Discord. Their tactics have evolved from simple data theft to sophisticated social engineering attacks, including voice phishing campaigns designed to compromise Salesforce portals, as demonstrated in a May 2025 campaign impacting companies like Toyota, FedEx, Disney/Hulu, and UPS.
More recently, SLSH has begun actively soliciting “insiders” – disgruntled employees with access to internal networks – offering a share of ransom payments in exchange for facilitating breaches. This shift highlights a growing trend in cybercrime: the increasing reliance on internal threats. According to IBM's recent 2024 Cost of a Data Breach Report, insider threats were involved in 39% of all data breaches, resulting in an average cost of $4.84 million per incident. This underscores the critical need for robust internal security protocols and employee monitoring.
The group’s ambitions have further expanded with the launch of their own ransomware-as-a-service (RaaS) operation, ShinySp1d3r, signaling a move towards greater autonomy and control within the cybercrime landscape. Previously, SLSH members had leveraged existing ransomware tools from affiliate programs like ALPHV/BlackCat and Qilin.
The Unmasking of “Rey” and the Role of Operational Security Failures
The identification of “Rey,” the technical operator and public face of SLSH, represents a significant breakthrough for cybersecurity investigators. KrebsOnSecurity’s investigation revealed Rey’s real identity, Saif Al-Din Khader, through a series of operational security (OpSec) failures. These included posting a screenshot of a scam email to a Telegram group, inadvertently revealing his password and ProtonMail address. Further investigation linked this email address to a BreachForums user, “o5tdev,” who had previously engaged in website defacements and hacktivist activities linked to the Cyb3r Drag0nz Team, a group involved in data leaks targeting Israeli citizens.
The investigation further uncovered that Rey’s father, Zaid Khader, is a pilot for Royal Jordanian Airlines, and that the family computer was a shared device located in Amman, Jordan. Rey, who is reportedly 15 years old and will turn 16 next month, is said to have contacted Europol and to have claimed to be cooperating with law enforcement, seeking to distance himself from the group. He stated that he released the source code for the Hellcat ransomware and is attempting to “clean up” his association with SLSH.
Implications for Businesses and the Cybersecurity Industry
The case of Scattered LAPSUS$ Hunters and the identification of Rey highlight several critical issues for businesses and the cybersecurity industry. First, the group’s success demonstrates the effectiveness of combining social engineering with technical exploits. Companies must invest in comprehensive security awareness training for employees, focusing on identifying and responding to phishing attempts and other social engineering tactics. Second, the reliance on insider threats underscores the importance of robust access controls, data loss prevention (DLP) systems, and continuous monitoring of employee activity.
The emergence of ShinySp1d3r as a RaaS operation also poses a significant threat. RaaS models lower the barrier to entry for cybercriminals, allowing less technically skilled individuals to launch ransomware attacks. This proliferation of ransomware is driving up the overall cost of cybercrime. The global cost of ransomware damage is projected to reach $265 billion annually by 2031, according to Statista, demonstrating the escalating financial impact of these attacks.
Finally, the age of the perpetrator, Saif Al-Din Khader, raises questions about the demographics of cybercrime and the need for early intervention programs to steer young people away from illicit activities. The FBI’s ongoing Operation Endgame, targeting cybercrime services and vendors, represents a proactive effort to disrupt these criminal networks and hold perpetrators accountable. However, the case of Rey demonstrates that identifying and apprehending these individuals is often a complex and challenging undertaking.
The unraveling of Scattered LAPSUS$ Hunters serves as a stark reminder that cybersecurity is an ongoing battle, requiring constant vigilance, adaptation, and investment in both technology and human capital.