Scattered LAPSUS$ Hunters Vow “Revenge” After FBI Seizure, Confirming Data Leaks from Qantas, Gap, and Vietnam Airlines
On the night of October 12, the cybercriminal collective Scattered Lapsus$ Hunters (SLSH) — notorious for its high-profile data breaches and aggressive tactics — announced that it would cease operations until 2026, following the FBI’s seizure of its primary website. The declaration of “self-dissolution” appeared on the group’s Telegram channel, accompanied by a torrent of profanity and threats directed at the U.S. agency. The members vowed “revenge” against the Bureau, calling their retreat a “temporary descent into oblivion.” The post concluded with a menacing promise that upon their return, the “FBI would feel their wrath”, and included a demand for the dismissal of Brett Leatherman, head of the FBI’s cyber division.
However, such proclamations are hardly new for SLSH. Merely a month earlier, the group had already “retreated into the shadows,” only to resurface three days later. In its short existence, the collective has become one of the most talked-about cybercriminal factions on the internet, distinguished by the scale of its attacks and the unusual composition of its members — nearly all hailing from Western countries and native English speakers. Formed earlier this year, SLSH includes former operatives of Scattered Spider, Lapsus$, and Shiny Hunters, attracting law enforcement attention from its inception. In recent weeks, several suspected participants have already been taken into custody.
British authorities recently announced the arrest of two teenagers accused of attacking the London Transport Authority, believed to be affiliated with Scattered Spider. In July, police detained four additional suspects linked to breaches of major U.K. retailers — Co-op, M&S, and Harrods. Although no formal confirmation of their connection to SLSH followed, investigators did not dismiss the possibility.
In the days preceding their “departure,” SLSH once again drew widespread attention after leaking data belonging to Qantas, Vietnam Airlines, Gap, and Fujifilm. Links to archives hosted on Limewire were swiftly taken down, though independent analysts managed to verify portions of the leaks. Qantas, whose data exposure first surfaced over the summer, updated its website to confirm that approximately six million customers had been affected. The airline emphasized that an Australian High Court ruling prohibits access to the stolen files and advised users to remain vigilant against potential fraud attempts.
The breach database Have I Been Pwned verified that Vietnam Airlines’ dataset contained personal information on 7.3 million passengers. Meanwhile, Atlas Privacy reported that the stolen Gap data included over 250,000 unique email addresses, 150,000 phone numbers, and approximately 146,000 postal addresses. Structural analysis revealed that the data aligned with Salesforce PersonAccount exports, complete with customer records and metadata. According to the attackers, the information was obtained through an assault on Salesloft Drift, a Salesforce plugin. Salesforce itself, however, stated that its own infrastructure remained uncompromised.
On Telegram, SLSH claimed that “everything meant to be leaked has already been released”, asserting that other victims had paid ransoms. Analysts urge skepticism toward such statements — the group has repeatedly exaggerated its exploits. Recently, SLSH boasted of breaching Telstra, claiming access to 19 million customer records. The Australian telecom swiftly refuted the claims, clarifying that the so-called breach involved publicly available information devoid of passwords, financial data, or identification documents.
According to ThreatAware, SLSH’s latest publications should be viewed as acts of extortion, designed to intimidate organizations that refused to meet ransom demands. The firm warned that affected customers should prepare for phishing and highly personalized attacks aimed at stealing financial or identity information. Analysts added that the group frequently relies on social engineering tactics, voice phishing calls, and modified data loaders, underscoring the need for stricter password reset verification and enhanced cybersecurity hygiene within corporate environments.