Scattered Lapsus$ Hunters: Post-Lapsus Fragmentation and the Russian Connection
- forosaheleuropa
- Dec 11, 2025
- 11 min read
A Cyber Intelligence assessment - Robert Maxwell, Observatorio de Ciberdefensa, Universidad Francisco de Vitoria
1. Executive Summary
• Why this matters now. SLH has evolved into a high impact hybrid extortion group during 2023 and 2024, combining social engineering, structured intrusions and aggressive information operations. Its current trajectory makes it a material threat to organisations across Europe and North America. Claims of its demise are premature.
• A three-actor convergence. SLH is the product of Scattered Spider’s identity exploitation skills, Lapsus$’s high visibility extortion model and ShinyHunters’ commercial discipline. It did not emerge from a single group but from the coming together of complementary capabilities.
• A clear Russian imprint. SLH’s tradecraft, infrastructure and behavioural patterns align with known Russian speaking cyber-criminal ecosystems, particularly the post-Conti diaspora. The timing and nature of its capability uplift strongly reinforce the assessment that existing Russian expertise has shaped SLH’s evolution.
• The teenage narrative does not hold. The operations attributed to Lapsus$ and SLH required insider handling, multi-stage intrusion, operational security and negotiation on criminal markets. These are functions that demand maturity and experience, indicating the presence of concealed adult coordinators directing younger front-end actors.
• Psychological pressure as a method. SLH uses timed leaks, staged disclosures and targeted public messaging to destabilise victim organisations. This is a structured extortion methodology rather than impulsive publicity seeking, and it significantly shortens corporate decision-making cycles.
• A costly dilemma exposed. The recent Jaguar Land Rover attack shows how a ransom worth millions can trigger operational losses measured in billions, revealing the structural leverage SLH now holds over tightly coupled industrial supply chains.
• Intelligence gaps remain. Key uncertainties persist around SLH’s internal leadership, recruitment pathways, infrastructure supply chain and financial intermediaries. Progress on attribution will depend on accessing internal leaks, observing operational misconfigurations or tracing financial flows linked to known Russian broker networks.
2. Origins and Evolution
2.1 Component Lineages
2.1.1 Scattered Spider
Scattered Spider is a loosely defined intrusion group that emerged around 2022 with a focus on high quality social engineering, identity providers and telecoms infrastructure. The group has demonstrated consistent success in compromising outsourced support desks, identity systems and single sign on flows by exploiting human rather than technical vulnerabilities. Although often portrayed as a youthful collective, Scattered Spider has conducted multi-stage intrusions, handled privileged corporate systems and engaged with access brokers in ways that suggest support from more experienced operators.
2.1.2 Lapsus$
Lapsus$ gained international visibility in late 2021 through a series of extortion-based breaches against major technology, telecommunications and identity service providers. The group distinguished itself by using stolen credentials, insider recruitment and public pressure through Telegram rather than relying on encryption. The group’s internal structure was unpredictable, but its access to criminal markets and insider networks was inconsistent with the idea of a purely adolescent team. Following arrests in 2022, the group fractured into smaller clusters that attempted to continue the Lapsus model with varying levels of success.
2.1.3 ShinyHunters
ShinyHunters, active since approximately 2020, is a data breach and credential theft group known for large scale compromises of online platforms and the subsequent sale of databases on underground markets. Unlike Lapsus$, ShinyHunters operates with commercial discipline and long-term positioning within illicit data markets. Its principal contributions to SLH include an understanding of data brokerage, established relationships with marketplace operators and experience in monetising large data sets.
2.2 Convergence into Scattered Lapsus$ Hunters
SLH represents the functional convergence of the three lineages described above. From Scattered Spider, SLH inherits advanced social engineering and a focus on identity systems. From Lapsus$, it draws the high visibility extortion model and the use of public pressure through Telegram. From ShinyHunters, it gains commercial discipline and access to data brokerage networks.
This convergence does not indicate a formal merger but rather reflects the way in which modern cyber-criminal ecosystems evolve when multiple groups operate within overlapping markets, share access to infrastructure and, in some cases, exchange personnel. SLH should therefore be understood as a composite actor rather than a direct successor to any one group.
2.3 The Implausibility of the Teenager Narrative
The public narrative that Lapsus$ and its successor entities were driven solely by teenagers has always been analytically weak. While some younger operatives were clearly involved, the campaigns attributed to Lapsus$ required insider acquisition, operational security, multi-vector intrusion capability and negotiation with criminal marketplaces. These activities typically demand maturity, experience and established relationships within the underground economy. The arrests in 2022 removed visible individuals but did not address the structural enablers who provided direction, infrastructure and commercial coherence. SLH exhibits the same pattern of apparently youthful front ends and concealed adult leadership, which is consistent with historic precedents in groups such as Wizard Spider, FIN7 and the wider TrickBot and Conti ecosystems.
2.4 ContiLeaks and the Fracture of the Russian Ransomware Landscape
The single most significant structural shift in the global cyber-criminal ecosystem occurred in March 2022 following Russia’s invasion of Ukraine. The publication of the ContiLeaks exposed the internal communications, hierarchy and operational processes of the Conti ransomware syndicate. Contrary to initial interpretations, Conti did not disappear. It fractured. Developers, negotiators, access brokers and infrastructure specialists dispersed into the wider underground economy and reappeared under multiple new identities. This diaspora exported Conti’s mature tradecraft into the market and enabled an uplift in capability among emerging or hybrid groups.
SLH’s emergence coincides with this period of fragmentation. The group’s technical evolution, particularly its rapid progression from opportunistic to structured intrusions, is consistent with the presence of former Conti linked operators offering freelance expertise or training.
2.5 Positioning of SLH in the Post Lapsus and Post Conti Landscape
SLH occupies a unique position created by the near simultaneous collapse of Lapsus$ and the fragmentation of Conti. The disappearance of the visible Lapsus figures created a strategic vacuum in the high-visibility extortion space, while the Conti diaspora introduced a large pool of highly skilled Russian speaking operators into the broader market. SLH should therefore be viewed as a hybrid outcome of these two collapses, combining the public facing aggression of Lapsus with the operational discipline that characterises Russian cyber-criminal groups.
The attack on Jaguar Land Rover highlights the core dilemma facing modern enterprises. Paying a ransom of a few million pounds is unacceptable, yet refusing to pay has already generated losses in the billions through cascading supply chain disruption. This imbalance is the exact leverage SLH has learned to exploit.
Jaguar Land Rover now faces the dilemma that defines modern extortion operations. On the one hand, paying a ransom of a few million pounds would be politically toxic, reputationally damaging and potentially unlawful depending on the beneficiaries. On the other hand, refusing to pay has already resulted in billions in losses through production disruption, stalled supply chains and long-term operational instability. This is the structural asymmetry exploited by SLH. The financial leverage of these groups does not lie in the ransom sum itself, which is trivial when compared to the turnover of a global automotive manufacturer, but in the disproportionate economic shock caused by interrupting tightly coupled industrial systems. In practical terms, the question is no longer whether an organisation can afford to pay a ransom, but whether it can afford the consequences of not paying.
3. Tactics, Techniques and Procedures (TTPs)
3.1 Social Engineering Core
SLH relies heavily on the social engineering techniques characteristic of both Lapsus$ and Scattered Spider. These include SIM swapping, targeted vishing, and the manipulation of helpdesk authentication procedures to bypass multi factor authentication. The group focuses on identity systems and human decision making as primary attack vectors.
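The helpdesk-driven MFA bypass described above leaves a correlatable trace: a reset performed by a support agent, followed shortly by a factor enrolment or sign-in from an address or device the account has never used. The following is an added example of that correlation logic, not part of the original assessment; the event schema, field names and log lines are constructed for the example and do not correspond to any identity provider's real format.

```python
"""Correlate helpdesk-assisted MFA resets with what the account does next.

Added defensive example: flag a reset that is followed, within a short window,
by an MFA enrolment or sign-in from an IP address or device the user had never
used before the reset. Event schema and sample data are constructed for this
example and do not correspond to any vendor's real log format.
"""
from datetime import datetime, timedelta

# Constructed identity-provider style events (assumed field names).
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T08:30:00Z", "event": "login", "user": "a.smith",
     "src_ip": "10.20.1.40", "device_id": "corp-lt-0099"},
    {"ts": "2025-11-03T09:02:11Z", "event": "login", "user": "j.doe",
     "src_ip": "10.20.1.15", "device_id": "corp-lt-0412"},
    # Helpdesk agent resets j.doe's MFA after a phone call.
    {"ts": "2025-11-03T09:40:05Z", "event": "mfa_reset", "user": "j.doe",
     "actor": "helpdesk.agent7", "src_ip": "-", "device_id": "-"},
    # A never-seen device enrols a new factor from an external address.
    {"ts": "2025-11-03T09:47:30Z", "event": "mfa_enroll", "user": "j.doe",
     "src_ip": "203.0.113.77", "device_id": "unknown-android-91"},
    {"ts": "2025-11-03T09:49:02Z", "event": "login", "user": "j.doe",
     "src_ip": "203.0.113.77", "device_id": "unknown-android-91"},
    # Benign reset: a.smith signs in again from the known laptop.
    {"ts": "2025-11-03T10:15:00Z", "event": "mfa_reset", "user": "a.smith",
     "actor": "helpdesk.agent2", "src_ip": "-", "device_id": "-"},
    {"ts": "2025-11-03T10:20:00Z", "event": "login", "user": "a.smith",
     "src_ip": "10.20.1.40", "device_id": "corp-lt-0099"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_resets(events, window_minutes=60):
    """Return one alert per MFA reset followed by activity from an unknown IP or device.

    'Known' IPs and devices are learned only from logins that precede the
    reset, so a device enrolled after the reset cannot whitelist itself.
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["event"] != "mfa_reset":
            continue
        user = ev["user"]
        earlier_logins = [e for e in events[:i]
                          if e["user"] == user and e["event"] == "login"]
        known_ips = {e["src_ip"] for e in earlier_logins}
        known_devices = {e["device_id"] for e in earlier_logins}
        deadline = parse_ts(ev["ts"]) + timedelta(minutes=window_minutes)
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) > deadline:
                break
            if later["user"] != user or later["event"] not in ("mfa_enroll", "login"):
                continue
            new_ip = later["src_ip"] not in known_ips
            new_device = later["device_id"] not in known_devices
            if new_ip or new_device:
                alerts.append({
                    "user": user,
                    "actor": ev.get("actor", "?"),
                    "reset_ts": ev["ts"],
                    "followed_by": later["event"],
                    "activity_ts": later["ts"],
                    "src_ip": later["src_ip"],
                    "device_id": later["device_id"],
                    "new_ip": new_ip,
                    "new_device": new_device,
                })
                break  # one alert per reset is enough for triage
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT {a['user']}: reset by {a['actor']} at {a['reset_ts']} "
              f"then {a['followed_by']} from {a['src_ip']} / {a['device_id']}")
```

The alert carries the helpdesk agent's identity as well as the user's, which is the detail an incident responder needs to review the verification steps the agent followed; in production the known-device and known-IP sets would come from a longer history than a single day's events.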
3.2 Use of Legitimate Tools
Consistent with Lapsus$ and Russian groups such as Wizard Spider, SLH employs living off the land techniques in order to blend intrusion activity with legitimate administrative actions. The use of remote administration tools, cloud management consoles and internal corporate telephony systems has become central to the group’s operational model.
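Because the tools involved are legitimate, signature-based detection of this living-off-the-land activity is weak; what a defender can check is whether a remote administration tool is running on a host where IT never deployed it, or from a location a sanctioned install would not use. The block below is an added example of that inventory comparison, not the assessment's own material; the process-event schema, hostnames, inventory and sample events are constructed, and the two executable names in the watchlist are illustrations to be replaced with the organisation's own list.

```python
"""Spot remote-administration tools running where they have not been sanctioned.

Added defensive example: compare process-creation events against an approved
deployment inventory and flag launches from outside the usual install
directories. Event schema, hostnames, inventory and sample events are
constructed for this example; the watchlist entries are illustrations only.
"""
import ntpath

# Illustrative watchlist of remote-access executables (lower-case basenames).
RMM_WATCHLIST = {"anydesk.exe", "teamviewer.exe"}

# Constructed inventory: (host, executable) pairs IT has deliberately deployed.
APPROVED_RMM = {
    ("srv-it-01", "teamviewer.exe"),
}

# Directories from which a sanctioned install would normally run.
SANCTIONED_DIR_PREFIXES = ("c:\\program files", "c:\\windows")

# Constructed process-creation events (assumed field names).
SAMPLE_PROCESS_EVENTS = [
    {"host": "ws-0142", "user": "CORP\\j.doe", "parent": "chrome.exe",
     "image": "C:\\Users\\j.doe\\Downloads\\AnyDesk.exe"},
    {"host": "srv-it-01", "user": "CORP\\it.admin", "parent": "services.exe",
     "image": "C:\\Program Files (x86)\\TeamViewer\\TeamViewer.exe"},
    {"host": "ws-0200", "user": "CORP\\m.lee", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def flag_unsanctioned_rmm(events, watchlist=RMM_WATCHLIST, approved=APPROVED_RMM):
    """Return one alert per watched tool launch that is not in the approved
    inventory for its host or runs from outside the sanctioned directories."""
    alerts = []
    for ev in events:
        image = ev["image"]
        # ntpath handles Windows-style paths regardless of the analysis host's OS.
        tool = ntpath.basename(image).lower()
        if tool not in watchlist:
            continue
        reasons = []
        if (ev["host"], tool) not in approved:
            reasons.append("not in approved RMM inventory for this host")
        if not image.lower().startswith(SANCTIONED_DIR_PREFIXES):
            reasons.append("launched from outside sanctioned install directories")
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                           "parent": ev["parent"], "image": image,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in flag_unsanctioned_rmm(SAMPLE_PROCESS_EVENTS):
        print(f"ALERT {a['host']} {a['user']} ran {a['tool']} "
              f"({a['parent']} -> {a['image']}): " + "; ".join(a["reasons"]))
```

The parent process is kept in the alert because a remote-access binary spawned by a browser or mail client points to a user-initiated download rather than a managed deployment, which is the distinction an analyst will want first.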
3.3 Public Bragging as Operational Pressure
SLH mirrors Lapsus$ in its enthusiasm for public communication during intrusions. Telegram channels are used to pressure victims, announce breaches and undermine corporate crisis management. This behaviour creates the appearance of immaturity, although the structured timing of these announcements indicates a deliberate psychological pressure strategy rather than simple boastfulness.
3.4 Indicators of External Mentorship
SLH exhibits a noticeable uplift in technical capability compared to early Lapsus activity. This includes improved lateral movement, better privilege escalation, and more sophisticated infrastructure management. Several campaigns show tooling overlap with Russian speaking markets, particularly in the areas of obfuscation, payload deployment and access brokerage. The cumulative evidence suggests that SLH benefits from mentorship or assistance from operators with significant experience.
4. The Russian Nexus: Tradecraft, Tooling and Influence
4.1 Convergence of Tradecraft
SLH displays behavioural traits that align with Russian cyber-criminal groups. These include systematic reconnaissance, structured lateral movement, careful privilege escalation and the integration of access broker services. Groups such as Wizard Spider, FIN7, TrickBot and the early Ryuk operators used similar methods.
4.2 Tooling Correlation
SLH campaigns have demonstrated access to tooling, crypters and underground services commonly traded on Russian language forums. Some of the group’s infrastructure has been linked to bulletproof hosting services historically associated with Russian criminal operators. While none of these indicators are conclusive on their own, the combined pattern is consistent with Russian influence or participation.
4.3 Post Conti Diaspora Effects
After the ContiLeaks, a large number of experienced operators became freelancers. Many provided access, training and technical support to emerging groups. SLH’s rapid development is consistent with the involvement of one or more post Conti specialists offering services or acting as coordinators.
5. Information Operations and Psychological Pressure
SLH has adopted and refined the public communication strategies first popularised by Lapsus$, treating information operations as an integral component of the intrusion lifecycle rather than a post compromise embellishment. The group routinely engages in rapid publication of victim data, staged leak previews and timed announcements intended to complicate or overwhelm internal crisis management processes. These disclosures are often accompanied by high visibility taunting of targets on Telegram, which creates reputational shock and forces senior leadership into reactive rather than strategic decision making.
Although the tone of these communications frequently appears juvenile, the sequencing is deliberate. Messaging is often released at points calculated to maximise operational disruption, such as immediately after initial detection or during the early phases of containment. This pattern reflects a coherent psychological pressure methodology that is closer to the structured extortion playbooks used by Russian ransomware groups than to the impulsive style often associated with youth led collectives. By combining reputational threat, operational pressure and escalating public disclosure, SLH increases panic within victim organisations and compresses the timeline in which senior leadership must decide whether to negotiate. This blend of visibility and calculated timing gives SLH a disproportionate impact relative to its size and reinforces its role as a hybrid extortion group that exploits both technical access and information dominance.
6. Attribution and Analytic Judgement
Attribution in the context of SLH remains a complex and evolving analytical problem. The group presents a hybrid signature that draws from multiple operational cultures, geographical spheres and criminal ecosystems. This section offers an expanded assessment of the three principal hypotheses, along with associated confidence levels and intelligence gaps that constrain definitive attribution.
6.1 Russian Influence or Mentorship (High Confidence)
The strongest analytic position is that SLH incorporates direct influence from Russian speaking cyber-criminal ecosystems. This does not necessarily imply full organisational alignment with any single Russian group, but the behavioural and technical overlap is difficult to dismiss. SLH exhibits tradecraft familiar from the TrickBot, Wizard Spider and Conti lineages, including structured lateral movement, careful privilege escalation, and the disciplined management of persistence mechanisms. These are hallmarks of mature operators who have undergone sustained exposure to Russian style methodologies.
SLH demonstrates the hallmark techniques of TrickBot, Wizard Spider and Conti, from structured lateral movement to disciplined persistence. These patterns point to operators shaped by mature Russian tradecraft.
Infrastructure patterns strengthen this view. Several SLH linked intrusion clusters have used bulletproof hosting providers historically associated with Russian criminal actors. The group has also employed crypters, infostealers and obfuscation frameworks that are typically traded in Russian language underground markets rather than global ones. The presence of these tools does not prove nationality, but it indicates access to vendors and service providers with a distinctly Russian operational profile.
The post Conti diaspora is particularly relevant. After the March 2022 leak event, numerous experienced Conti operators became freelance specialists. Many turned to contract work, providing support to emerging or hybrid groups. SLH’s rapid uplift in capability after mid-2022, especially in areas that require technical maturity, is consistent with the presence of one or more Conti-trained individuals offering direct mentorship or infrastructure support. This does not point to a full Russian command relationship, but it does support the assessment that Russian influence is embedded within SLH’s operational development.
The overall evidence points towards Russian expertise as the primary shaping force behind SLH’s evolution, even if the group itself includes members of mixed nationalities.
6.2 Hybrid Composition with Adopted Russian Methods (Moderate Confidence)
A second hypothesis is that SLH is a hybrid group that consists of operators from multiple geographical regions who have adopted Russian style TTPs through exposure to underground markets rather than through direct collaboration. This hypothesis acknowledges the globalisation of cyber-criminal tradecraft. Russian ransomware groups have shaped the modern intrusion landscape to such an extent that many operational practices that were once unique to them have become widely imitated.
Through criminal forums, Telegram channels, cracked tooling repositories and access broker markets, less experienced actors can learn Russian style intrusion sequencing without ever interacting with Russian operators directly. The same logic applies to infrastructure. Bulletproof hosting services can be rented anonymously and without vetting, making it possible for non-Russian actors to deploy infrastructure that resembles Russian clusters.
This hypothesis fits with the fact that SLH draws on multiple lineages. The Lapsus$ model was culturally distinct from Russian organised cybercrime, yet SLH blends both. The group’s mid campaign reorganisation patterns, as well as its reliance on youthful front-end operators for public interaction, suggest that SLH may incorporate non-Russian members who have simply adopted the most effective methods available.
The limitation of this hypothesis is that it does not adequately explain the consistency and depth of SLH’s technical evolution. Russian tradecraft is not merely a matter of using similar tools. It is a matter of sequencing, prioritisation and operational discipline, which typically requires significant mentorship. For SLH to reproduce the more mature aspects of Russian style methodology through observation alone would be unusual, though not impossible. Hence the moderate confidence level.
6.3 Mimicry or False Flag Elements (Low Confidence)
The possibility that SLH deliberately imitates Russian style tradecraft to mislead analysts remains a low confidence hypothesis. False flag activity does occur within cyber operations, particularly where state operators seek to disguise national origin. However, SLH presents as a criminally motivated group rather than a nation state proxy, and deliberate mimicry is uncommon in purely criminal contexts because it adds unnecessary complexity.
Furthermore, the mimicry hypothesis struggles to explain the coherence of SLH’s technical profile. False flag operations usually leave inconsistencies or mismatches in tradecraft, such as the use of Russian style tools without corresponding sequencing or behavioural alignment. SLH, by contrast, exhibits both. Its tooling, infrastructure and operational behaviour are aligned in a way that suggests learned or inherited methods rather than superficial imitation.
SLH also retains elements of Lapsus$ and Scattered Spider behaviour that would undermine a false flag attempt. Public bragging, chaotic victim communication and the involvement of very young operatives are not typical in structured false flag activities. These behavioural traits suggest that SLH is not attempting to obscure a national identity but is instead integrating Russian influenced techniques into an otherwise hybrid organisational culture.
For these reasons, mimicry remains the least convincing hypothesis and is held at low confidence.
6.4 Intelligence Gaps
Although the Russian influence hypothesis is strong, several intelligence gaps prevent definitive attribution. There is limited visibility into SLH’s internal communications, recruitment pathways and the identities of its senior coordinators. Forensic insight into the supply chains supporting its infrastructure remains incomplete, and the ownership structure of its Telegram channels and leak sites is still unclear. Greater confidence would require observables such as operator time zone leakage, credential reuse linked to known post Conti individuals, financial tracing intersecting with Russian broker networks or the emergence of internal chat leaks similar to the ContiLeaks. Until such evidence becomes available, attribution must remain probabilistic rather than conclusive.
7. Future Outlook
SLH is likely to continue evolving into a more capable hybrid extortion group. Expected developments include:
• Closer alignment with access broker markets
• Increasing sophistication in identity exploitation
• Continued reliance on psychological pressure operations
• Targeting of telecoms, identity providers, financial services and retail sectors
The group is structurally positioned to become a significant actor in the 2025 to 2027 threat landscape.
8. Conclusions
SLH represents a new hybrid model in cyber extortion. It is shaped by the collapse of Lapsus$, the fragmentation of Conti and the convergence of tradecraft from Scattered Spider and ShinyHunters. The group blends the visible aggression of youth-led intrusion with the operational discipline of Russian criminal ecosystems. Its emergence reflects a broader trend in which high visibility extortion, identity exploitation and inherited Russian tradecraft combine to create highly disruptive adversaries.
Organisations should treat SLH style intrusion as a mainstream threat and prepare accordingly through layered identity controls, improved internal authentication processes and enhanced incident response planning.