Bizarre Extortion: Scattered Lapsus$ Hunters Offer Bounty to Spam Victims
The Scattered Lapsus$ Hunters group has resurfaced — this time with a bizarre and unorthodox extortion tactic. The cybercriminals announced a bounty of $10 in cryptocurrency to anyone willing to take part in a mass email bombardment targeting executives of companies that have fallen victim to their ransomware attacks. The participants’ mission: to pressure top managers into cooperating with the attackers — in other words, to pay the ransom.
In their Telegram channel, the group shared detailed instructions along with a list of intended recipients: 39 corporate executives whose data, they claim, has been compromised. Special emphasis was placed on the use of personal email accounts, which would yield higher rewards, while particularly persistent efforts could earn participants increased payouts.
The essence of the scheme lies in outsourcing extortion to a loyal audience, amplifying pressure on the affected organizations while distributing the workload. The organizers insist that if participants receive instructions to cease their actions, these “volunteers” must immediately stop all activity. The group justified the tactic by citing the sheer volume of leaked data, which they claimed was too large to manage manually.
Meanwhile, the attackers assert that the data was obtained through the compromise of the Salesforce platform, threatening that if payment is not received by October 10, they will begin targeting individual clients directly. Participants are advised not to rely on the protection of the SaaS provider and instead to contact the cybercriminals directly.
Salesforce, however, denied any breach, citing internal investigations and the absence of evidence indicating unauthorized access. Company representatives suggested that the data published online was likely connected to previous unrelated incidents or unverified sources.
Google, on the other hand, confirmed that the intrusion occurred, tracing it to a Salesloft Drift integration with Salesforce, where compromised OAuth tokens had provided attackers with access to clients’ CRM environments. Companies potentially affected by the breach were reportedly notified before the leak site went live.
Thus, despite the shutdown of the Scattered Lapsus$ Hunters’ Telegram channels and the arrests of suspected members in the UK and the US, the group’s operations remain active, demonstrating both persistence and evolving sophistication in its extortion tactics.