A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat.

The new extortion website tied to ShinyHunters (UNC6040), which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
In May 2025, a prolific and amorphous English-speaking cybercrime group known as ShinyHunters launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal.
The first real details about the incident came in early June, when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters — tracked by Google as UNC6040 — was extorting victims over their stolen Salesforce data, and that the group was poised to launch a data leak site to publicly shame victim companies into paying a ransom to keep their records private. A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign.
Last week, a new victim-shaming blog dubbed “Scattered LAPSUS$ Hunters” began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.
“Contact us to negotiate this ransom or all your customers data will be leaked,” the website stated in a message to Salesforce. “If we come to a resolution all individual extortions against your customers will be withdrawn from. Nobody else will have to pay us, if you pay, Salesforce, Inc.”
Below that message were more than three dozen entries for companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS. The entries for each company specified the volume of stolen data available, as well as the date that the information was retrieved (the stated breach dates range between May and September 2025).

Image: Mandiant.
On October 5, the Scattered LAPSUS$ Hunters victim-shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat that contained more than 28,000 Git code repositories, including more than 5,000 Customer Engagement Reports (CERs).
“Alot of folders have their client’s secrets such as artifactory access tokens, git tokens, azure, docker (redhat docker, azure containers, dockerhub), their client’s infrastructure details in the CERs like the audits that were done for them, and a whole LOT more, etc.,” the hackers claimed.
Their claims came several days after a previously unknown hacker group calling itself the Crimson Collective took credit for the Red Hat intrusion on Telegram.
Red Hat disclosed on October 2 that attackers had compromised a company GitLab server, and said it was in the process of notifying affected customers.
“The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, internal communications about consulting services, and limited forms of business contact information,” Red Hat wrote.
Separately, Discord has started emailing users affected by another breach claimed by ShinyHunters. Discord said an incident on September 20 at a “third-party customer service provider” impacted a “limited number of users” who communicated with Discord customer support or Trust & Safety teams. The information included Discord usernames, email addresses, IP addresses, the last four digits of any stored payment cards, and government ID images submitted during age verification appeals.
The Scattered Lapsus$ Hunters claim they will publish data stolen from Salesforce and its customers if ransom demands aren’t paid by October 10. The group also claims it will soon begin extorting hundreds more organizations that lost data in August after a cybercrime group stole vast amounts of authentication tokens from Salesloft, whose AI chatbot is used by many corporate websites to convert customer interaction into Salesforce leads.
In a communication sent to customers today, Salesforce emphasized that any theft of third-party Salesloft data allegedly carried out by ShinyHunters did not originate from a vulnerability within the core Salesforce platform. The company also stressed that it has no plans to meet any extortion demands.
“Salesforce will not engage, negotiate with, or pay any extortion demand,” the message to customers read. “Our focus is, and remains, on defending our environment, conducting thorough forensic analysis, supporting our customers, and working with law enforcement and regulatory authorities.”
The GTIG tracked the group behind the Salesloft data thefts as UNC6395, and says the group has been observed harvesting the data for authentication tokens tied to a range of cloud services like Snowflake and Amazon’s AWS.
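The hackers' claim above that the leaked Red Hat folders hold "artifactory access tokens, git tokens, azure, docker" credentials, and GTIG's observation that the Salesloft group harvested stolen data for Snowflake and AWS tokens, point at the same defender's task: once you know a support-case or repository export has been exfiltrated, search it for credentials before the attacker does, and rotate what you find. The scanner below is an added example written for this page, not code from Krebs, Mandiant, Salesforce or Red Hat. It assumes the export has been flattened into a dictionary of record-id to field-name to text; the token formats are public, well-known prefixes, and every sample value is constructed (the AWS pair is the documented placeholder from AWS's own docs), not a real credential.

```python
"""Scan an exfiltrated data export for embedded credentials so they can be rotated.

Added example (not the article's or any vendor's code). Input shape is assumed:
{record_id: {field_name: text}}. Patterns cover public, well-known token formats;
the 'generic_assignment' rule is a coarse keyword heuristic that will have false
positives and is meant to be triaged by a human.
"""
import re
from dataclasses import dataclass

PATTERNS = {
    # AWS access key IDs (long-term AKIA..., temporary ASIA...) are 20 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # GitHub tokens: ghp_/gho_/ghu_/ghs_/ghr_ followed by 36 alphanumerics.
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    # Slack bot/app/user/refresh tokens.
    "slack_token": re.compile(r"\bxox[abpr]-[0-9A-Za-z-]{10,}\b"),
    # PEM private key material pasted into a ticket or repo.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # 'password = ...', 'aws_secret_access_key: ...', 'api-key="..."' and similar.
    # The lookbehind lets the keyword follow '_' (as in aws_secret_access_key) but
    # not letters, so 'mysecret' alone does not trigger. Group 1 is the value.
    "generic_assignment": re.compile(
        r"(?i)(?<![A-Za-z])(?:password|passwd|secret|api[_-]?key|token)\w*"
        r"\s*[:=]\s*['\"]?([^\s'\"]{8,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    record_id: str
    field: str
    kind: str
    preview: str  # redacted value; never log the full secret


def redact(value: str) -> str:
    """Keep just enough of a matched value to identify which secret to rotate."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "..." + value[-2:]


def scan_record(record_id: str, fields: dict[str, str]) -> list[Finding]:
    """Run every pattern over every text field of one record."""
    findings = []
    for field, text in fields.items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(text):
                # Prefer the captured value (group 1) when the pattern has one,
                # so the preview shows the secret rather than the keyword.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append(Finding(record_id, field, kind, redact(value)))
    return findings


def scan_records(records: dict[str, dict[str, str]]) -> list[Finding]:
    """Scan a whole export; returns findings in record/field/pattern order."""
    out: list[Finding] = []
    for record_id, fields in records.items():
        out.extend(scan_record(record_id, fields))
    return out


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per credential kind, for a rotation checklist."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample export: three support cases, two of which leak credentials.
SAMPLE_EXPORT = {
    "CASE-0001": {
        "Subject": "Terraform pipeline failing",
        "Description": (
            "Here is our config so you can reproduce:\n"
            "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"          # AWS docs placeholder
            "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        ),
    },
    "CASE-0002": {
        "Subject": "Integration token",
        "Description": "Use ghp_0123456789abcdef0123456789abcdef0123 for the sync job.",
    },
    "CASE-0003": {
        "Subject": "Slow login",
        "Description": "Users report the login page takes 30 seconds to load.",
    },
}

if __name__ == "__main__":
    results = scan_records(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.record_id} {f.field:12} {f.kind:20} {f.preview}")
    print(summarize(results))
```

The redacted preview is deliberate: the output of a scan like this tends to end up in a ticket, and a ticket full of live secrets recreates the problem you are cleaning up. Treat the generic rule's hits as leads, and the format-specific hits as credentials to rotate regardless of whether anyone believes the attacker "found" them.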
Google catalogs Scattered Lapsus$ Hunters by so many UNC names (throw in UNC6240 for good measure) because it is thought to be an amalgamation of three hacking groups — Scattered Spider, Lapsus$ and ShinyHunters. The members of these groups hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
The Scattered Lapsus$ Hunters darknet blog is currently offline. The outage appears to have coincided with the disappearance of the group’s new clearnet blog — breachforums[.]hn — which vanished after shifting its Domain Name System (DNS) servers from DDoS-Guard to Cloudflare.
But before they went dark, the websites disclosed that hackers were exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite software. Oracle has since confirmed that a security flaw tracked as CVE-2025-61882 allows attackers to perform unauthenticated remote code execution, and is urging customers to apply an emergency update to address the weakness.
Mandiant’s Charles Carmakal shared on LinkedIn that CVE-2025-61882 was initially exploited in August 2025 by the Clop ransomware gang to steal data from Oracle E-Business Suite servers. Bleeping Computer writes that news of the Oracle zero-day first surfaced on the Scattered Lapsus$ Hunters blog, which published a pair of scripts that were used to exploit vulnerable Oracle E-Business Suite instances.
On Monday evening, KrebsOnSecurity received a malware-laced message from a reader that threatened physical violence unless their unstated demands were met. The missive, titled “Shiny hunters,” contained the hashtag $LAPSU$$SCATEREDHUNTER, and urged me to visit a page on limewire[.]com to view their demands.

A screenshot of the phishing message linking to a malicious trojan disguised as a Windows screensaver file.
KrebsOnSecurity did not visit this link, but instead forwarded it to Mandiant, which confirmed that similar menacing missives were sent to employees at Mandiant and other security firms around the same time.
The link in the message fetches a malicious trojan disguised as a Windows screensaver file (Virustotal’s analysis on this malware is here). A Windows screensaver (.scr) file is an ordinary executable with a different extension, so opening the booby-trapped file on a Windows PC runs it like any other program and launches the bundled trojan in the background.
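Because a .scr file is a normal Windows PE image that only looks different by name, the reliable way to catch this lure (and its cousins such as .pif, .cpl and .com, or a "demands.pdf.scr" double extension hidden by Explorer) is to classify files by their header rather than their extension. The checker below is an added example for this page, not Mandiant's or KrebsOnSecurity's tooling; the sample "attachments" it scans are constructed in memory, and make_fake_pe builds only the DOS and PE signature bytes, not a runnable program.

```python
"""Flag files that are really Windows PE executables regardless of their extension.

Added example (not from the article or Mandiant). Checks the MZ/PE header that
Windows itself uses to load an image, so renaming an .exe to .scr or .pdf.scr
does not hide it. Sample files are constructed inline.
"""
import struct
from pathlib import Path
from typing import Optional

# Extensions Windows executes as native PE images but that users rarely read
# as "program" (.exe and .dll are PE too, but they are not disguises).
DISGUISE_EXTENSIONS = {".scr", ".pif", ".cpl", ".com"}

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF Machine field if data has a valid MZ/PE header, else None.

    Layout: 'MZ' at offset 0; uint32 e_lfanew at 0x3C points at 'PE\\0\\0',
    which is immediately followed by the COFF header whose first uint16 is Machine.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine


def classify(name: str, data: bytes) -> str:
    """Classify a file by its header, then compare with what the name claims.

    Returns one of:
      'not-pe'        header is not a Windows executable
      'pe'            PE with an honest executable extension (.exe/.dll)
      'pe-disguised'  PE carrying a low-suspicion executable extension (.scr, ...)
      'pe-wrong-ext'  PE whose extension is not executable at all (.pdf, .png, ...)
    """
    if pe_machine(data) is None:
        return "not-pe"
    suffix = Path(name).suffix.lower()      # only the LAST extension matters to Windows
    if suffix in DISGUISE_EXTENSIONS:
        return "pe-disguised"
    if suffix in {".exe", ".dll"}:
        return "pe"
    return "pe-wrong-ext"


def make_fake_pe(machine: int) -> bytes:
    """Constructed minimal MZ/PE header for the demo: signatures only, not a real program."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    return bytes(header) + b"PE\x00\x00" + struct.pack("<H", machine) + bytes(18)


def scan(files: dict[str, bytes]) -> dict[str, str]:
    """Return {filename: classification} for an in-memory set of files."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    samples = {                                   # constructed sample "attachments"
        "shiny_hunters_demands.pdf.scr": make_fake_pe(0x8664),
        "screenshot.png": b"\x89PNG\r\n\x1a\n" + bytes(64),
        "setup.exe": make_fake_pe(0x014C),
        "report.pdf": make_fake_pe(0x8664),
    }
    for name, verdict in scan(samples).items():
        machine = pe_machine(samples[name])
        arch = MACHINE_NAMES.get(machine, "n/a") if machine is not None else "n/a"
        print(f"{verdict:14} {arch:6} {name}")
```

Anything that comes back as pe-disguised or pe-wrong-ext from an email gateway, a download directory or a file share is worth quarantining before a user gets the chance to "view" it. The same header check is what makes a mail filter that merely blocks the .exe extension insufficient.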
Mandiant’s Austin Larsen said the trojan is a commercially available backdoor known as ASYNCRAT, a .NET-based backdoor that communicates using a custom binary protocol over TCP, and can execute shell commands and download plugins to extend its features.

A scan of the malicious screensaver file at Virustotal.com shows it is detected as bad by nearly a dozen security and antivirus tools.
“Downloaded plugins may be executed directly in memory or stored in the registry,” Larsen wrote in an analysis shared via email. “Capabilities added via plugins include screenshot capture, file transfer, keylogging, video capture, and cryptocurrency mining. ASYNCRAT also supports a plugin that targets credentials stored by Firefox and Chromium-based web browsers.”
Malware-laced targeted emails are not out of character for certain members of the Scattered Lapsus$ Hunters, who have previously harassed and threatened security researchers and even law enforcement officials who are investigating and warning about the extent of their attacks.
With so many big data breaches and ransom attacks now coming from cybercrime groups operating on the Com, law enforcement agencies on both sides of the pond are under increasing pressure to apprehend the criminal hackers involved. In late September, prosecutors in the U.K. charged two alleged Scattered Spider members aged 18 and 19 with extorting at least $115 million in ransom payments from companies victimized by data theft.
U.S. prosecutors heaped their own charges on the 19 year-old in that duo — U.K. resident Thalha Jubair — who is alleged to have been involved in data ransom attacks against Marks & Spencer and Harrods, the British food retailer Co-op Group, and the 2023 intrusions at MGM Resorts and Caesars Entertainment. Jubair also was allegedly a key member of LAPSUS$, a cybercrime group that broke into dozens of technology companies beginning in late 2021.

A Mastodon post by Kevin Beaumont, lamenting the prevalence of major companies paying millions to extortionist teen hackers, refers derisively to Thalha Jubair as a part of an APT threat known as “Advanced Persistent Teenagers.”
In August, convicted Scattered Spider member and 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and ordered to pay roughly $13 million in restitution to victims.
In April 2025, a 23-year-old Scottish man thought to be an early Scattered Spider member was extradited from Spain to the U.S., where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims.
Update, Oct. 8, 8:59 a.m. ET: A previous version of this story incorrectly referred to the malware sent by the reader as a Windows screenshot file. Rather, it is a Windows screensaver file.
It’s insulting to my intelligence that they thought they could hack you with a .scr file lmao
So like most Americans I have multiple ‘free ID theft’ services ‘protecting me’ from miscreants doing me financial harm…
All due to the never ending stream of data breaches happening daily, so while teenagers with $100s Millions isn’t the ideal scenario, at least they’re more apt to screw up and get caught than the seasoned pros with years of exp doing the breaches…
That said, isn’t the REAL ISSUE the fact that all these companies are lax on security to start with AND the fact clearly the products being hacked must be sub-par to start with?!?!
For example: Microsoft’s ongoing Patch Tuesday – been going on for how many YEARS now?!?!?
Billion $$ companies that can’t build safe, solid software for the life of them – sheesh what a joke.
And yeah, I’ve also been a victim of medical group breach so in addition to the potential financial harm all my med history is out there somewhere…thanks a lot corporate USA
AFAIK the only reason Microsoft instantiated ‘Patch Tuesday’ was to provide a reliable schedule for people in Information Technology departments to schedule their regular maintenance (one of the easiest days of the week in IT to schedule patches, as Mondays tend to be days to reply to email and do meetings, as well as fix any weird hardware glitches that might need tending right away in the beginning of the week, as well as setting up new hire workstations/laptops)… ‘Patch Tuesday’ isn’t only about security patches, anyway.
I am not one to defend Microsoft, but I’m confused — do you think you could write bug-free software, yourself, that’s millions or billions of lines of convoluted stuff that had been written by thousands of people, many of whom no longer even work there, over the course of decades?
There are arguments on both sides of what you’re each saying of course.
that’s nice, but I’m not buying it.
We all decide what we buy. If you stated your reasons that would be even more impressive than stating your position a la carte.
apparently fr00tl00ps (could be you) decided ‘we’ all went and bought two stale bagels.
I didn’t have any bagels and haven’t in a long time (and certainly they were fresh), so wonder what loop you’re on.
RE: Advanced Persistent Teenagers
What does that say about the entire cyber security industry or these billion dollar companies, getting owned by random skids… APT is APT. Makes you guys sound like old mad boomers lol.
Now it is already possible to track any person. The book “Psi Wars:West and East” opens up a bit about such methods.
scr files are actually screenSAVERS (remember those?) not screenshots. The attacker’s disguise worked even on you. They’re standard PE exes with a different extension, treated as such by Explorer, and can even show a custom icon.
Windows has plenty of these lesser-known legacy features, for example net1.exe
Yeah that’s a typo. .scr is famously screensaver executables weaponized for… decades now.
Microsoft has a funny way of inflicting new pain requirements while allowing legacy fails.
at least they got rid of Clippy.
Clippy was just a local instance of 2025 AI running on ancient hardware. Time traveling punks.
you sound like a remote instance of someone who read too much about ‘marble cake’ umpteen years ago. which is about the only sort of “time travel” that exists.
The physics says otherwise, my friend. A positron can be considered an electron traveling backwards in time. CPT symmetry says charge and parity don’t change, so…
The physics says nothing of the sort. Better talk to Turok.
The man hunts dinosaurs. Cmon.
When people claim to know the only type of time travel that “exists” I just have to smile and nod.
Of course, you’re right.
mealy, you should check out the week-long ‘Everything is Illuminated’ retreat. do not miss their seminar on ‘spotless mind’; it is a life-changing experience and goes into those sorts of things.
I really should.
You (and all of these articles and other journalists) need to stop referring to these people as members of “The Com”. “The Com” was a group of no more than 70-80 people who started Sim Swapping people for Bitcoin between 2015 and 2020. Most of them stopped after that, either because they got rich or they got arrested. The Com (the founding 3-5 members) invented the concept of using Sim Swapping to steal Bitcoin.
Now, all of these articles are referring to anybody who uses social engineering to hack people for Bitcoin as a member of “The Com”. There are literally thousands of cybercriminals doing that. They’re not members of “The Com”, they’re literally just random cyber-criminals using the most effective way to steal money on the internet, which is using social engineering to steal Bitcoin. Absolutely nothing to do with “The Com”.
real
Sounds like something someone from the Com would say. insert “nothing to see here” meme.
“The Com” means nothing. Even seeing so-called cybersecurity/infosecurity professionals talk about it as if it’s a entity or a few telegram channels at talks is facepalm-worthy.
It’s shorthand for community. That’s literally all there is to it. It’d be like calling every dealer on the planet a member of “the dealers”.
Nobody’s making group chats named “the com”, there are no “founding members”, nobody’s making people brick a house to join “the com”, it’s just built around places like OGUsers. Of course not everyone opted to use that forum or got banned, but that didn’t make them any less part of “the com”.
But thankfully because of press glorifying this kind of lifestyle and going on with the concept that there’s centralized telegram channels for this behavior, the younger “criminals” that so so so badly WANTED it to be a thing and WANTED to be a part of “something” after seeing all their friends talk about “the com”, made it a thing!! So now there’s “com”s aplenty.
When Noah Urban says things like ‘I got the most music in the com’… he’s of course not referring to sim swappers or telegram groups, it’s quite literally referring to “the community”. He wrote that message in an unreleased music / “grails” chat, which is… you’ll never guess: a community! hence “com”
It’s like watching that comedy skit of the fake police officer asking teens who the chinese hacker “lmao” is and if he’s working with “lmfao” and eggplant emoji.
Free the good men out of the federal system ✊
true. they belong in rikers where they can teach people how to play Dungeons & Dragons.
I suspect these nice folks spearfished Israel or Hamas into accepting an imaginary deal. I guarantee you there is no deal.
The Com has been around far longer than that lol, the com just refers to the western, mostly juvenile, cybercrime scene. Has roots from different directions but that term in particular gained traction around ~2013 from DOXBIN regular types.
krebs yo forehead so big we can fit the entire salesforce and salesloft databases on yo headdd
You missed an obvious diss there, Daniel: I believe you are referring to what the APTeens call my “fivehead,” which is indeed substantial.
let me know when the calendar catches up with you, fake tigger.
Hey Krebs, If I want to donate money to these nice folks, how would I go about it? I’d like to offer something to their legal fund.
Find a well and throw your wallet in. It makes exactly the same difference.
This is so awesome! I am so grateful AC/DC is still on tour! What’s it been, 9? 10? years? I get the replacement band/churchmembers were getting a bit rough around the edges but clearly you really f’ed up this time with the chorus.
“Those who live by the sword will die by the sword”. As easily as business software can be hacked…so can blogs, chat channels, and servers hosting Telegram and Discord. The odds indicate some of these ShinyHunters are going to get caught and sentenced to “make an example” of them. Enjoy PMITA prison, boys.
These pimply faced, still going through puberty children have no idea how they fucked up their entire lives (unless a 3 letter agency or private company hires them) and it will follow them forever. In the real world, not behind a keyboard, real life is not too funny when bubba and friends want you.
They are all destined to jail where they will be insecure white kids extorted by real n’ggas fr fr.
It’s telling that so many large enterprises still underestimate social engineering. The weakest link is often people, not code.
Hello,
may I ask why you defend the companies getting hacked?
In my humble opinion, while the teens hacking the companies are retarded due to their pathetic opsec mistakes, you must still recognize that hackers are useful to expose privacy law violations.
When a big company gets hacked, it’s the company that we should blame for the data leaks, not the hacking groups.
If dumb companies didn’t always store private customer information then never delete it, then the hackers wouldn’t be able to steal so much private information about people/customers/etc.
VERY OFTEN the dumb companies getting hacked are found to be illegally keeping IDcard picture scans, and keeping unnecessary private information (PII) on customers without consent.
Data breaches help reveal what data the dumb companies keep on their customers.
So, I say that if your company is hacked and we find illegally stored data in the leaks, then your company boss should be jailed too.
Not just the hackers.
Thanks for reading
Interesting read — cyber extortion cases like this are becoming more common lately. Thanks for sharing this update.
It’s interesting to see how bold groups like ShinyHunters could be and how they target massive companies like Salesforce and Red Hat. I am curious to learn more about the details of voice phishing and data leaks and how they truly cause that much damage. With all these articles I have been reading lately about cyber attacks and advanced hacking tools, it really shows how vulnerable companies could really be even with advanced security teams. I wonder if attackers are just a step ahead of up to date cyber security measures or if there are not enough resources to truly prevent the rising risk of cyber attacks. It’s important that this changes or companies will face a constant significant risk.