Red Hot Cyber


Scattered Lapsus$ Hunters: “We’re paying those who bombard corporate executives with emails.”

Redazione RHC : 8 October 2025 10:29

Renewing their strategy, the Scattered Lapsus$ Hunters group has returned to the forefront with a new and surprising tactic to put pressure on victims.

Cybercriminals have promised a $10 cryptocurrency reward to anyone willing to participate in a mass email bombardment targeting company executives who were victims of a ransomware attack.

The aim is to persuade the managers to cooperate with the extortionists, that is, to pay the demanded ransom.

On its Telegram channel, the group distributed detailed instructions with a list of recipients, including executives from 39 companies whose data had allegedly been compromised. They emphasized that emails sent from personal email accounts would be more valuable, with higher rewards for particularly diligent attempts.

The essence of the plan is to delegate extortion to a loyal audience, while simultaneously increasing pressure on the targeted companies. The organizers themselves specify that the “volunteers” must stop immediately once they receive the order to cease the attacks. This approach is explained by the scale of the leak: the list of victims proved too long for the group to manage manually.

The hackers claim the data was obtained through a compromise of the Salesforce platform, and if payment isn’t received by October 10th, they will begin applying targeted pressure on each customer individually. Participants are advised not to rely on the SaaS provider’s protection and to contact the cybercriminals directly.

Google confirmed that the attack did indeed occur and that it was carried out via Salesloft Drift, a Salesforce integration in which OAuth tokens were compromised. This flaw allowed attackers to access customers’ CRM environments. Potentially affected companies were notified of the potential breach before the data publication website was launched.

Therefore, despite the closure of the Scattered Lapsus$ Hunters Telegram channels and the arrest of alleged members in the UK and US, the group remains active.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
