Scattered Spider’s New Telegram Channel: A Rapid Fire of Leaks, Claims and the Return of Cloud-era Data Thefts
Posted on: 13 August 2025 | Author: Foresiet
Summary
In early August 2025 a new Telegram channel emerged presenting itself as an amalgam of three well-known cybercriminal labels: Scattered Spider, ShinyHunters and LAPSUS$. Within 24 hours the channel published a steady stream of claims, partial data dumps and screenshots tied to a wide range of incidents, including retail and luxury brands, government entities, and cloud-platform-related breaches. The channel’s activity revived public attention on several overlapping trends: identity-focused social-engineering intrusions, the continued fallout from Snowflake- and Salesforce-linked compromises, and the messy, sometimes performative business model of modern extortion-oriented cybercrime. This report compiles what has been posted and publicly confirmed so far, examines linkages and likely motivations, and offers defensive recommendations for organizations that may be affected.
The account of events below is drawn from contemporaneous reporting and archived public posts; where possible each assertion is tied to an open-source citation.
What appeared on Telegram (what the channel posted)
The channel’s early posts were eclectic: memes and taunts sat alongside screenshots of files, partial database samples, and “HMU” (hit-me-up) solicitations for buyers. Rather than a single, neat leak post announcing a full data dump, the feed read like a marketplace teaser plus a bragging log — partial proofs of access, pieces of litigation paperwork, and screenshots from victim consoles.


Within hours the channel posted material it attributed to a number of high-profile victims and previously reported incidents:
- Court filings and legal documents connected to Qantas and a U.K. Legal Aid Agency injunction, items that appeared intended to support the channel’s claims.
- A sample dataset claimed as Gucci customer records (100 rows of personally identifying fields).
- A screenshot of file listings and a sales post claiming a full Neiman Marcus database for 1 BTC, a claim that echoes the Snowflake-era data thefts of 2024.
- Screenshots and threads indicating Chanel data were being marketed; reporting suggests Chanel first detected the breach on July 25 and linked it to a Salesforce-related compromise.
- Material tied to Coca-Cola Europacific Partners, and a Google notification email previously disclosed by Google on Aug 5; the channel also claimed to hold files tied to other major names (Disney, S&P Global, T-Mobile, Nvidia, Coinbase, Adidas, Cisco) and to several government entities.

At the time of writing the channel had paused activity, but the initial flurry was enough to prompt fresh public and vendor responses. Multiple security observers posted screenshots and commentary on Telegram.

A closer look at tactics: identity abuse and MFA bypass
Across multiple investigations in 2024–2025, researchers observed a consistent TTP set for these mid- to high-profile intrusions: direct targeting of helpdesk and support staff, abuse of legitimate remote support tools, SIM-swap or MFA-fatigue techniques to defeat multi-factor authentication, and exploitation of cloud misconfigurations or service accounts. Scattered Spider in particular has specialized in identity-centric intrusions: convincing a time-pressed helpdesk or a distracted employee to approve access or click a malicious link, which produces a high yield for a low technical investment.
When these routes are combined with bulk cloud stores (Snowflake) or tenant-style systems (Salesforce), the payoff can be immediate: multi-million record exports, sensitive case files, or CRM customer lists. The Telegram channel’s mix of legal documents and console screenshots is consistent with proof-of-access tactics used by extortionists who need to demonstrate possession to command a price.
Monetization and the marketplace dynamics
The channel’s “HMU” and “for sale” posts reflect the multiple lanes of monetization in modern cybercrime:
- Direct extortion — threatening publication or further data release in exchange for ransom or other concessions.
- Wholesale sale — offering full datasets to other criminals or marketplaces (the Neiman Marcus 1 BTC post is an example).
- Retailing of samples — partial leaks and screenshots function as adverts; they validate claims and grow bidder interest.
- Reputational warfare and performative threat — posting legal filings or court notices amplifies fear and public pressure on victims and regulators.
Operators also exploit information asymmetry: victims and affected users rarely know the full scope of an intrusion until regulators or vendors publish formal notices. Opportunistic channels therefore capture attention and buyer interest rapidly in the early post-compromise window.
How trustworthy are the posted samples?
Not all Telegram channel posts are equally valuable as forensic indicators. Good-quality proofs include full file hashes, verifiable documents (court filings with dates and seals), and data samples that can be validated against known victim disclosures (e.g., overlap with data a company later acknowledges).


A screenshot shared in Scattered Spider’s channel allegedly shows access to a Subaru partner system, displaying internal hostnames, kernel details, and user/group information. Authenticity remains unverified.
In the recent channel’s case, some posted items have corroborating signals: Google’s own post, published notices from Neiman Marcus (Snowflake linkbacks), and independent reporting by security outlets aligned with the channel’s timeline. Where corroboration exists, the risk to exposed individuals and organizations is materially higher.
What victims and responders should do now
For organizations and security teams, the immediate priorities are triage, verification, containment and notification. Specific practical steps include:
- Validate claimed artifacts: compare leaked samples/hashes to internal telemetry and backups; identify the data types involved (PII, credentials, internal documents). If the channel posts legal filings or subpoenas, treat those artifacts as authentic until proven otherwise and prioritize affected case lists.
- Identify access vectors: review helpdesk session logs, privileged support tool usage, service account activity, and recent MFA challenge logs. Pay particular attention to administrative sessions from unexpected IPs or session tokens used outside normal business hours.
- Contain and rotate: revoke or rotate exposed credentials, terminate suspicious sessions, and enforce immediate password and token rotation for service accounts tied to cloud data stores. Where Snowflake or Salesforce tenants are implicated, work with vendor support to enumerate access and restore tenant-level logging.
- Notify regulators and affected individuals: assess legal notification obligations under applicable data protection regimes (GDPR, local breach laws) and prepare notifications with concrete remediation advice to affected users. Legal counsel should evaluate injunctions or court artifacts posted publicly.
- Public communications: prepare coordinated messaging that avoids speculation but provides clear action steps for affected customers (monitor for phishing, change passwords, enroll in credit monitoring where appropriate). Timely public disclosures reduce the leverage attackers hold.
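As an added illustration of the access-vector review above (example code written for this post, not Foresiet’s tooling), the script below runs two of the checks on constructed identity-provider events: administrative sessions from outside an assumed corporate range (10.20.0.0/16) or outside an assumed 08:00–19:00 window, and the MFA-fatigue pattern of repeated push denials followed by an approval. The event format, network range and hours are assumptions; replace them with your own telemetry.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-08-05T03:12:00", "user": "svc-cloud-export", "ip": "203.0.113.7", "event": "admin_session"},
    {"ts": "2025-08-05T10:05:00", "user": "j.doe", "ip": "10.20.1.15", "event": "admin_session"},
    {"ts": "2025-08-05T11:40:00", "user": "a.lee", "ip": "10.20.1.40", "event": "mfa_push", "result": "denied"},
    {"ts": "2025-08-05T11:41:00", "user": "a.lee", "ip": "10.20.1.40", "event": "mfa_push", "result": "denied"},
    {"ts": "2025-08-05T11:42:00", "user": "a.lee", "ip": "10.20.1.40", "event": "mfa_push", "result": "denied"},
    {"ts": "2025-08-05T11:43:00", "user": "a.lee", "ip": "10.20.1.40", "event": "mfa_push", "result": "approved"},
]

CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # assumed internal range
BUSINESS_HOURS = (8, 19)                                  # assumed window, 08:00-19:00 local

def flag_admin_sessions(events, nets=CORPORATE_NETS, hours=BUSINESS_HOURS):
    """Admin sessions from outside the corporate ranges or outside business hours."""
    findings = []
    for e in events:
        if e["event"] != "admin_session":
            continue
        ip = ipaddress.ip_address(e["ip"])
        reasons = []
        if not any(ip in net for net in nets):
            reasons.append("external_ip")
        if not hours[0] <= datetime.fromisoformat(e["ts"]).hour < hours[1]:
            reasons.append("off_hours")
        if reasons:
            findings.append((e["user"], e["ip"], reasons))
    return findings

def flag_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Users whose push approval was preceded by >= min_denials denials within `window`."""
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "mfa_push":
            pushes[e["user"]].append((datetime.fromisoformat(e["ts"]), e["result"]))
    flagged = []
    for user, seq in pushes.items():
        for i, (t, result) in enumerate(seq):
            if result != "approved":
                continue
            recent_denials = [d for d in seq[:i] if d[1] == "denied" and t - d[0] <= window]
            if len(recent_denials) >= min_denials:
                flagged.append(user)
                break
    return flagged
```

Run the two functions over your own exported session and MFA events; each finding is a lead for the containment step, not a verdict on its own.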
Detection and longer-term recommendations
On a programmatic level, defenders should assume the adversary will continue to exploit identity, social engineering and misconfigured cloud resources. Practical priorities include:
- Strengthen helpdesk controls: implement step-up authentication for helpdesk actions (not just logins), enforce strict change-control for sensitive support actions, and use “just-in-time” admin access patterns.
- Harden cloud tenant posture: enable tenant-level logging, restrict external integrations that can export bulk data, apply least privilege to service accounts, and deploy continuous configuration monitoring for Snowflake, Salesforce and other high-value SaaS platforms.
- Anti-fraud measures for customer data: implement fraud detection, transaction anomaly detection, and increase verification thresholds for high-risk transactions tied to exposed accounts.
- Crisis playbooks and legal readiness: modern intrusions often create cross-jurisdictional legal issues; organizations must have an incident response legal playbook to quickly coordinate subpoenas, injunctions and communications with law enforcement and affected jurisdictions. The Qantas court action illustrates the novel legal mechanics organizations may need to employ.
Wider implications: the data market and geopolitical flashpoints
The new Telegram channel’s inclusion of government and law-enforcement related claims is the most worrying macro-trend. Unlike purely commercial data that mostly drives fraud and resale, data tied to court systems, police, or national administrations can enable state-level embarrassment, targeted intimidation, and judicial interference. Public disclosure of such datasets raises sensitive questions about how governments secure citizen data and whether current cross-border law-enforcement mechanisms suffice to detain or deter prolific operators.
Finally, the reuse and rebranding of group names signal that attributive claims must be treated cautiously. Even if the channel later proves to be operated by unaffiliated actors, the practical harms (monetization, phishing, targeted extortion) are identical. The cybercrime market is modular; names are a marketing tactic more than an organizational disclosure.
Conclusion
The August 2025 Telegram channel that folded together the labels Scattered Spider, ShinyHunters and LAPSUS$ is less a tidy organizational announcement than a reminder of the present cybercrime economy: rapid publicization, hybrid monetization (sale plus extortion), and a continued ability to exploit identity and cloud platform weaknesses. Open-source evidence suggests a mix of new, previously disclosed, and corroborated items were presented — enough to make the claims operationally meaningful for victims and dangerous for exposed individuals.
For defenders, the lessons are familiar but urgent: harden identity flows and helpdesk procedures, lock down cloud tenant access, and prepare legal and communications playbooks for the inevitability that data will surface in public forums. For the public and regulators, the episode underlines the need for rapid, coordinated disclosure mechanisms and better incentives for vendors and cloud service operators to prevent mass-exfiltration.