Red Hat Targeted in Massive Data Leak After Scattered LAPSUS$ Hunters Joins Forces with Crimson Collective
Posted on: 07 October 2025 | Author: Foresiet
Introduction
Researchers at Foresiet are actively investigating a major data leak targeting Red Hat, following claims made by Scattered LAPSUS$ Hunters, who have reportedly joined forces with the Crimson Collective.
The newly formed alliance has officially listed Red Hat on their ransom website, signaling what appears to be a coordinated campaign combining tactics, tools, and resources of both threat groups.

Preliminary findings suggest that the data exposed in this incident includes highly confidential Red Hat project deliverables, client engagement reports, internal repositories, and installation frameworks associated with global enterprises and government organizations.
The breach represents one of the most comprehensive disclosures of internal Red Hat ecosystem artifacts ever observed in the cyber underground.
Leaked Threat Actor Message
“This message serves as the formal notification that Red Hat, Inc. was breached and faced a major information security and intellectual property security breach.
Over 28,000 git repositories were compromised and exfiltrated…
It also includes the following: clients’ CERs, consulting files made by Red Hat’s consultants, a lot of folders have their client’s secrets such as artifactory access tokens, git tokens, Azure, Docker, infrastructure details, and much more.”
The statement goes on to allege that thousands of Confidentiality Declarations (CONFIDENTIALITY.md) were found across affected repositories — over 5,700 directories explicitly marked as confidential, referencing major enterprises and financial institutions such as Citigroup, JPMorgan Chase, HSBC, Siemens, Bosch, Verizon, Telefónica, Telstra, and even U.S. Senate-related references.
The Emergence of the Scattered LAPSUS$ x Crimson Collective Alliance
Both Scattered LAPSUS$ Hunters and Crimson Collective have been active actors in the ransomware and data extortion landscape. The former is known for opportunistic data thefts and public leaks to gain notoriety, while the latter focuses on sustained campaigns, data indexing, and underground resale operations.
The merger of these two groups marks a potential shift toward more structured and multi-vector extortion operations, leveraging both brand visibility and intelligence-backed targeting.
According to dark web chatter and leak site indicators, Red Hat was added to the “Shiny Hunters portal,” suggesting data has been exfiltrated and staged for public release. This aligns with the growing trend of data auctions and sample-sharing between ransomware affiliates.
What Was Leaked
Upon analyzing multiple files believed to originate from the leak, Foresiet researchers identified a collection of Confidential Engagement Reports (CERs), internal documentation trees, and repository metadata consistent with Red Hat customer engagements.
These files — spanning from 2020 to 2025 — include documentation for enterprise and defense-sector clients such as:
- HSBC
- Walmart
- Atos Group
- AMEX GBT
- SFR
- Bank of China, and others
- Department of Defense–related implementation templates and OpenShift deployment materials
- Internal architecture references, Ansible automation playbooks, and certification deliverables

Each document contained markers of authenticity: project references, internal Confluence/GitHub URLs, and named Red Hat engineers, confirming the material’s legitimacy.
Key Findings from the Leak
Foresiet’s investigation identified multiple categories of sensitive information embedded within the leaked archives and documentation sets:
- Internal Operational Data
  - Configuration files, agent manifests, and install-config.yaml entries containing internal domain names, IP addressing schemes, and load-balancer VIPs.
  - Network topology details and VLAN configurations from production and pre-production OpenShift clusters.
- Credential and Access Artifacts
  - Exposed pull secrets, registry authentication tokens, and certificate bundles (PEM files).
  - SSH public keys and deployment automation snippets referencing root or service accounts.
  - Evidence of API integrations and internal registry FQDNs (e.g., vel1-nfv12-repo01.nfv.private.com).
- Personally Identifiable Information (PII)
  - Names, corporate emails, and contact details of Red Hat staff, partner engineers, and client project managers (e.g., HSBC, AMEX GBT).
  - These can be leveraged in spear-phishing or social-engineering campaigns aimed at enterprise targets.
- Enterprise and Government Engagement Data
  - Detailed project outlines, deployment diagrams, and scope summaries from corporate and government engagements.
  - References to defense-sector deployments (notably DoD-linked materials within the AIR3503 tree).
Collectively, the evidence indicates a high-impact data exposure affecting multiple high-profile clients and Red Hat internal operations.
Investigative Observations
The leaked structure — comprising over 370,000 directories and 3.4 million files indexed in redhatcertree.txt — appears to originate from an internal documentation or certification repository used for client delivery and QA processes.
Foresiet’s team confirmed that many of these files were stored in structured .adoc formats consistent with Red Hat’s documentation standards, lending further credibility to the material’s authenticity.
Many subfolders contain structured AsciiDoc (.adoc) documentation, legal approvals, and training modules, implying the breach affected not only operational systems but also intellectual property and proprietary educational content.

Initial directory mapping points to multiple project trees (e.g., 38919-Bell-Hank-Luo) containing:
- Technical architecture write-ups (130_architecture.adoc)
- Implementation guides (140_implementation.adoc)
- Post-install configurations and training content (do447-advanced-automation-ansible-best-practices.adoc, rh362-red-hat-security-identity-management.adoc)
This variety of material demonstrates that the attackers likely gained access to a broad internal repository rather than isolated engagement folders, implying either a compromised Git repository, shared documentation server, or internal content management system.
Potential Impact
If authentic, the leaked material could have far-reaching consequences:
- Intellectual Property Exposure: Internal training, documentation, and proprietary frameworks used for client delivery are now potentially public.
- Supply-Chain Risk: Clients whose infrastructure details appear in these files may face downstream exploitation.
- Credential Leakage: Tokens and pull-secrets could permit unauthorized access to Red Hat container registries or client cloud environments.
- Reputational Damage: The exposure undermines trust in Red Hat’s secure delivery chain, especially within regulated sectors.
Current Status and Ongoing Investigation
Foresiet’s research team is continuing to analyze the broader 300 MB dataset to assess the full scope of exposed information.
Due to the scale — encompassing millions of files — automated secret-scanning and IOC extraction are underway to identify:
- Any remaining private keys or credentials in plaintext.
- Cross-referenced hostnames, IPs, and domains that could link the breach to client production environments.
- Overlaps between Red Hat internal repositories and public-facing systems.
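As an added illustration of the automated secret-scanning and IOC extraction described above (example code written for this article, not Foresiet's tooling), the following Python scans a constructed in-memory file tree for the artifact classes the report names (a pull secret and SSH key in install-config.yaml, a PEM private key, an access token) and separately extracts hostnames and IPv4 addresses for cross-referencing; every file content, hostname and address below is constructed.

```python
import re
from typing import Dict, List

# Constructed sample files standing in for entries of a leaked repository tree
# (not real Red Hat or client data; hostnames use a made-up .example domain).
SAMPLE_FILES: Dict[str, str] = {
    "cluster/install-config.yaml": (
        "apiVersion: v1\n"
        "baseDomain: nfv.private.example\n"
        "pullSecret: '{\"auths\":{\"registry.nfv.private.example\":{\"auth\":\"dXNlcjpwYXNz\"}}}'\n"
        "sshKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ== root@bastion\n"
        "platform:\n  baremetal:\n    apiVIP: 10.20.30.5\n    ingressVIP: 10.20.30.6\n"
    ),
    "certs/bundle.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIEow(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "ci/vars.env": "ARTIFACTORY_TOKEN=AKCp8constructedTokenValue00\n",
    "docs/130_architecture.adoc": "= Architecture\nIngress is fronted by lb01.nfv.private.example (10.20.30.7).\n",
}

# One pattern per artifact class named in the report.
SECRET_PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "pull_secret": re.compile(r"\"auths\"\s*:\s*\{"),
    "ssh_key": re.compile(r"\bssh-(?:rsa|ed25519) AAAA[0-9A-Za-z+/=]+"),
    "access_token": re.compile(r"(?i)\b[a-z_]*(?:token|secret|password)\s*[:=]\s*['\"]?[^\s'\"]{8,}"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+){2,}\b")

def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Report (path, kind, line) for each hit; the matched value itself is never
    stored, so the findings report does not re-leak the credential."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append({"path": path, "kind": kind, "line": lineno})
    return findings

def extract_iocs(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Collect hostnames and IPv4 addresses to cross-reference against client
    production environments (dotted IPs are excluded from the hostname list)."""
    ips, hosts = set(), set()
    for text in files.values():
        ips.update(IPV4.findall(text))
        hosts.update(h for h in HOSTNAME.findall(text) if not IPV4.fullmatch(h))
    return {"ips": sorted(ips), "hostnames": sorted(hosts)}
```

To run it over a real tree, build the dict by walking the directory with `os.walk` and reading each file as text; findings carry only the location and class of the hit, never the secret value.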
The team is also monitoring dark-web channels for re-uploads, sample-sharing, or auction attempts related to this dataset. As of this writing, the investigation remains active.
Conclusion
The Red Hat incident underscores the escalating sophistication of data-extortion groups who now merge technical proficiency with collective branding power.
The collaboration between Scattered LAPSUS$ Hunters and Crimson Collective illustrates a growing trend: threat actors consolidating expertise to enhance operational scale, visibility, and monetization.
While the full extent of this breach is still under investigation, preliminary evidence confirms the leak contains highly sensitive operational and customer information from Red Hat’s internal documentation ecosystem.
Foresiet continues to work alongside trusted partners and industry peers to verify additional samples, map exposure paths, and ensure any potentially affected organizations are informed promptly.
About us!
Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.