According to Infosecurity Magazine, Scattered Spider, ShinyHunters and LAPSUS$ have officially merged into a coordinated alliance called Scattered LAPSUS$ Hunters. Trustwave SpiderLabs confirmed this isn’t just loose collaboration but a deliberate federation under a shared operational banner. The group has fewer than five core operators managing about 30 personas, with ShinyHunters-linked identities apparently leading the structure. Since early August, they’ve cycled through at least 16 public Telegram channels, rebuilding them within hours of each takedown. The alliance is positioning itself with a centralized narrative, an operational marketing model and a named “Operations Centre,” moving beyond earlier tactical experimentation observed in October by Palo Alto Networks’ Unit 42.
Why This Changes Everything
Here’s the thing – this isn’t just rebranding. They’re actually merging their reputational capital from three high-profile criminal operations into one unified threat identity. Basically, they’re creating a super-brand that combines Scattered Spider’s corporate intrusion skills, ShinyHunters’ data theft expertise, and LAPSUS$’s flair for dramatic public exposure.
And the timing isn’t accidental. This alliance emerged right as BreachForums collapsed, creating a vacuum in the underground ecosystem. They’re strategically filling that void by recycling notoriety from all three groups and formalizing an affiliate-driven extortion model. It’s a smart play to attract operators who got displaced when their usual hangouts got shut down.
Telegram as Command Center
What’s really interesting is how they’re using Telegram. It’s not just a broadcast channel anymore – it’s become their permanent command hub and brand engine. The fact they can rebuild channels within hours of takedowns shows serious operational resilience. They’re treating their public presence like a business, complete with theatrical tactics that feel more like hacktivism than traditional cybercrime.
But don’t get it twisted – Trustwave emphasizes these guys remain financially motivated. The performance art is just part of their intimidation strategy. They want you to see how quickly they can bounce back, how organized they are, how untouchable they seem.
What Comes Next
This verification of skilled exploit development represents a major step up from earlier unconfirmed ransomware claims. We’re talking about personas like “yuka” who are tied to zero-day brokerage and tooling linked to advanced malware like BlackLotus. That’s not script kiddie stuff – that’s serious capability.
Trustwave warns this hybrid ecosystem could shape data-extortion activity into 2026. They’re using identity fluidity, social amplification, and adaptive collaboration in ways we haven’t seen before. The big question is whether this becomes the new model for cybercrime collectives or if it collapses under its own complexity.
Either way, security teams need to understand that the rules just changed. This isn’t about tracking individual groups anymore – it’s about understanding how performance, persistence, and perception work together in this new threat landscape. And honestly, that’s a much harder problem to solve.
