The Alliance of Chaos: How ShinyHunters and Scattered Spider Merged to Target Salesforce

The hacker groups ShinyHunters and Scattered Spider, once operating independently, now appear to have joined forces in a coordinated campaign to extort data from Salesforce’s corporate clients. As noted by ReliaQuest, ShinyHunters has undergone a sharp tactical shift—from their traditional credential theft and database breaches to more sophisticated social engineering, including targeted vishing and the distribution of malicious applications disguised as legitimate tools.

A key element of these attacks involves counterfeit Okta login pages, crafted to mirror the genuine interface, which are used to lure victims into entering their credentials under the pretext of resolving a “technical issue” during a phone call. The attackers also make extensive use of VPNs to obfuscate their exfiltration channels.

Operating since 2020, ShinyHunters has built a reputation for high-profile breaches and active participation on underground forums such as RaidForums and BreachForums. The name has been linked not only to one of the largest data sellers on these platforms but also to their administration—most notably during the launches of BreachForums v2 (June 2023) and v4 (June 2025). The mysterious disappearance of v3 in April 2025 remains unexplained.

Following a brief return, BreachForums went permanently offline around June 9, 2025. Meanwhile, global attacks on Salesforce instances—tracked by Google under the codename UNC6240—have emerged, sharing common extortion indicators.

Almost concurrently with the forum’s disappearance, French authorities arrested four individuals suspected of managing BreachForums, allegedly including ShinyHunters. However, in a statement to DataBreaches.net, the actor claimed that “France rushed the arrests,” suggesting that only an associate may have been apprehended.

Shortly thereafter, on August 8, a new Telegram channel called scattered lapsu$ hunters appeared, prominently featuring the names ShinyHunters, Scattered Spider, and LAPSUS$. Members announced plans for their own ransomware-as-a-service (RaaS) offering—dubbed ShinySp1d3r—which they claimed could rival LockBit and DragonForce. Yet, within three days, Telegram administrators had blocked and removed the channel.

Both Scattered Spider and LAPSUS$ are tied to a broader cybercriminal network known as The Com—an English-speaking collective infamous for SIM-swapping, extortion, and even real-world crimes. According to FalconFeeds, the rebranding under Scattered LAPSUS$ Hunters marks a transition into a new phase of digital racketeering, where influence and notoriety matter as much as financial gain.

ReliaQuest also identified a series of ticket-themed phishing domains deploying counterfeit Salesforce login pages—signs of an impending new wave of attacks on major corporations. These domains are typically hosted on phishing-kit infrastructure that mimics SSO platforms, particularly Okta—a favored method of Scattered Spider.

An analysis of more than 700 domains registered in 2025 that match Scattered Spider’s attack patterns revealed an increased focus on the financial sector: phishing infrastructure targeting banks and insurers rose by 12% since July, while interest in tech companies fell by 5%.

The investigation highlights shared targets (retail, insurance, aviation) and overlaps in infrastructure—notably in domain templates. Investigators also discovered a BreachForums user named Sp1d3rHunters, previously linked to a ShinyHunters breach. The account, created in May 2024, suggests the groups may have been collaborating for at least a year.

In a recent announcement, ShinyHunters declared that BreachForums is now fully under the control of international law enforcement. The actor claimed, “The platform is now operated by French police BL2C in coordination with the U.S. Department of Justice and the FBI,” and warned that the accounts “Hollow” and “ShinyHunters” have been compromised, while the “N/A” profile is controlled by an agent.

In closing, they cautioned that if BreachForums ever comes back online, it should be regarded as a honeypot run by global intelligence agencies—and avoided at all costs.