Confirmed: 15-Year-Old Jordanian Is the Leader of Scattered LAPSUS$ Hunters
The hacker collective known as Scattered LAPSUS$ Hunters — which has spent this year extorting dozens of corporations and selling stolen data — has proven to be built, in no small part, around a 15-year-old teenager from Jordan. Operating under the alias Rey, he served as the group’s technical lead and public face. Now, following an investigation by KrebsOnSecurity and a conversation with the boy’s father, his real identity appears all but confirmed — and the teenager himself claims he is cooperating with law enforcement.
Scattered LAPSUS$ Hunters (SLSH) is regarded as a fusion of three notorious crews: Scattered Spider, LAPSUS$, and ShinyHunters. Their members mingle across English-language cybercrime channels on Telegram and Discord. In May 2025, SLSH launched a sweeping social-engineering campaign: attackers called corporate employees and persuaded them to connect a malicious application to their companies’ Salesforce portals. The group later unveiled its own data-leak portal and threatened to publish internal information from roughly thirty organizations whose Salesforce data had allegedly been stolen. The list of victims reportedly included Toyota, FedEx, Disney/Hulu, and UPS.
A separate extortion site linked to ShinyHunters has since threatened to dump the stolen data unless Salesforce or affected companies pay a ransom. Last week, the SLSH Telegram channel issued a renewed call for “insiders” — employees willing to provide internal access in exchange for a share of ransom proceeds. The appeal spread across social media in the wake of news that CrowdStrike had fired an employee for leaking screenshots of internal systems to SLSH. CrowdStrike insists that its infrastructure was never compromised and that the matter has been referred to law enforcement.
Until recently, SLSH relied largely on third-party ransomware supplied through partner programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But the group has now announced its own ransomware-as-a-service platform, ShinySp1d3r, presented by one of its principal members — the administrator of the Telegram channel known as Rey. Previously, he administered Hellcat, a data-leak site created in late 2024 and linked to attacks on Schneider Electric, Telefónica, and Orange Romania.
In 2024, Rey also spearheaded yet another incarnation of the infamous BreachForums — a major English-language marketplace for stolen databases and hacking tools. Repeatedly dismantled by the FBI and international law-enforcement coalitions, BreachForums lost its domains again in April 2025. On 5 October 2025, the FBI announced another coordinated seizure, calling the site a major criminal marketplace used by ShinyHunters and others to traffic stolen data and extort victims. According to the Bureau, shutting down the platform “removes a vital node” where criminals monetized breaches, recruited accomplices, and selected targets.
Yet despite his expertise, Rey made grave operational-security mistakes that allowed analysts and journalists to trace breadcrumbs back to his real name and address. According to Intel 471, Rey had been active under various BreachForums revivals from February 2024 to July 2025, posting more than 200 messages. Earlier, he appeared under the alias Hikki-Chan, whose first post referenced allegedly stolen data from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 message, Hikki-Chan listed the Telegram handle @wristmug. In May 2024, this account posted a screenshot in the Telegram chat “Pantifan,” showing a sextortion email claiming that his computer had been hacked, that his webcam had recorded him viewing adult sites, and that the footage would be shared unless a Bitcoin ransom was paid. Such spam typically includes a real password previously used by the victim. The teenager replied jokingly — “Noooooo, I must be done guys” — but obscured only the username of his email account, leaving visible the @proton.me domain and his old password.
The unique 15-character password in the screenshot matched only one account in SpyCloud’s breach database — cybero5tdev@proton.me — whose credentials had been stolen twice in early 2024 after the user’s device was infected with an info-stealer that harvested all stored logins, passwords, and cookies. Intel 471 links this email to a BreachForums user named o5tdev. A Google search for this alias reveals archived website defacements in which o5tdev posted pro-Palestinian messages signed by the Cyb3r Drag0nz Team.
SentinelOne previously described Cyb3r Drag0nz Team as a hacktivist outfit responsible for DDoS attacks, website defacements, and publishing personal-data leaks. The group claimed to have leaked information on “more than one million Israeli citizens,” releasing massive archives with personal details. Flashpoint analysts also identified a Telegram account, @05tdev, active in 2023 and early 2024 across Arabic-language anti-Israeli channels such as Ghost of Palestine.
Flashpoint further notes that Rey’s Telegram account (ID 7047194296) was active in the criminally oriented channel Jacuzzi, where he shared personal details: that his father was an airline pilot, that he was 15 years old, and that the family had Irish roots. In one message he posted a map showing the distribution of the surname Ginty, effectively linking himself to the name.
SpyCloud, analyzing the stolen credentials, concluded that Rey’s computer was the family’s shared Windows PC in Amman, Jordan. The leaked autofill data reveal multiple users with the surname Khader at the same Amman address. Among them is a profile for 46-year-old Zaid Khader, whose mother’s maiden name is listed as Ginty. The same data show frequent visits to internal portals for employees of Royal Jordanian Airlines — consistent with Zaid’s profile as an airline pilot.
Piecing these fragments together, researchers concluded that Rey is Saif Al-Din Khader. Unable to reach him directly, KrebsOnSecurity emailed his father Zaid, explaining that his son appeared deeply involved in a major cybercriminal enterprise. Less than two hours later, the journalist received a message on Signal from Saif himself: according to him, his father assumed the email was another scam and simply forwarded it to his son.
Saif said he would soon turn 16 and that European law-enforcement agencies were already aware of him. He claimed he was attempting to leave Scattered LAPSUS$ Hunters but “could not simply disappear,” and was instead focused on “cleaning up everything he had been involved with and moving on.” When asked why he had overseen the launch of the new ShinySp1d3r ransomware, he replied that it was essentially a modified version of the pre-existing Hellcat encryptor, augmented with AI tools: “I basically handed out the Hellcat source.”
According to Saif, he had recently contacted a Telegram account associated with Operation Endgame — a major international crackdown on cybercrime services and their customers. He insisted he had been cooperating with authorities “since at least June” and claimed he had not participated in “any corporate breaches or extortion” since September.
The teenager asked that the story not be published yet, arguing that it could jeopardize his communication with law enforcement and draw “unwanted attention,” particularly if U.S. and European authorities had not yet contacted the Jordanian government. He said police agencies had told him they were coordinating with multiple countries on his case, but that “a whole week” had passed without further updates. Saif shared a screenshot meant to demonstrate his outreach to Europol late last month, but he could not identify specific officers or formally substantiate his claims, and journalists were unable to verify them.
“I don’t care — I just want out of all of this, even if it ends in prison or whatever else,” he said. How the story will end remains uncertain: a teenager who served as administrator of major cybercriminal platforms and the face of one of the year’s most notorious extortion groups is now trying to negotiate with the very authorities pursuing him and his former associates.