Alliances between hacker groups are nothing new, but when two of the most active and dangerous decide to join forces, the impact can be devastating. That’s exactly what’s happening now with ShinyHunters and Scattered Spider, who have begun coordinating extortion and data theft attacks, mainly targeting Salesforce customers, with their sights set on sectors such as finance and technology.
According to a report from ReliaQuest, ShinyHunters is moving away from its usual strategy of credential theft and database exploitation to adopt more aggressive and sophisticated methods, very similar to those of Scattered Spider. These include:
Active since 2020, ShinyHunters is known for leaking corporate data from major companies on cybercrime forums such as RaidForums and BreachForums, where they even acted as administrators. After several forum closures and reopenings, the group has focused its activity on attacking Salesforce instances worldwide.
ShinyHunters: active since 2020, involved in massive leaks from multinational companies, selling stolen data on forums like RaidForums and BreachForums, where they once served as admins.
Scattered Spider: known for their infiltration skills via social engineering and attacks on authentication systems, as well as ties to groups like LAPSUS$ and The Com.
In recent months, the activity of both groups has overlapped noticeably in attacks on sectors such as retail, insurance, and aviation, with a recent 12% increase in domain registrations targeting banking and financial services.
The connection between these groups is no coincidence. Scattered Spider and LAPSUS$ are part of a larger collective known as The Com, a network of seasoned cybercriminals who combine online attacks with physical crimes, including SIM swapping and direct extortion.
On August 8, a Telegram channel called scattered lapsu$ hunters appeared, linking ShinyHunters, Scattered Spider, and LAPSUS$. They even claimed to be working on a ransomware-as-a-service project called ShinySp1d3r, aiming to compete with groups like LockBit. However, the channel disappeared three days later.
ReliaQuest has detected a clear pattern: themed phishing pages and domains designed to steal Salesforce credentials, aimed at large companies in retail, insurance, and aviation. More than 700 domains matching Scattered Spider’s attack style have been registered in 2025, with a 12% increase in interest in financial firms since July, while the focus on tech companies has dropped by 5%.
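A defender can screen a feed of newly registered or newly observed domains for the Salesforce-themed pattern described above. The following is an added example, not code from ReliaQuest or this article; the theme words, scoring weights, similarity threshold, the `examplecorp` brand and the sample feed are all assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumptions (not from the report): zone allowlist, theme words, weights, threshold.
OFFICIAL_ZONES = ("salesforce.com", "force.com")
THEME_WORDS = {"sso", "login", "helpdesk", "support", "vpn"}

def _near(token, term, threshold=0.85):
    """True for an embedded exact hit or a close misspelling such as 'salesf0rce'."""
    return term in token or SequenceMatcher(None, token, term).ratio() >= threshold

def score_domain(domain, brands, own_zones=()):
    """Return (score, reasons) for one domain name; 0 means nothing suspicious."""
    name = domain.strip().lower().rstrip(".")
    for zone in OFFICIAL_ZONES + tuple(own_zones):
        if name == zone or name.endswith("." + zone):
            return 0, ["official zone"]
    # Drop the TLD (no public-suffix handling), then split labels on separators.
    tokens = [t for t in re.split(r"[^a-z0-9]+", name.rsplit(".", 1)[0]) if t]
    reasons = []
    if any(_near(t, "salesforce") for t in tokens):
        reasons.append(("salesforce term", 2))
    for brand in brands:
        if any(_near(t, brand.lower()) for t in tokens):
            reasons.append((f"brand:{brand}", 2))
    themed = THEME_WORDS.intersection(tokens)
    if themed:
        reasons.append(("theme:" + ",".join(sorted(themed)), 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]

def triage(domains, brands, own_zones=(), min_score=3):
    """Keep domains that combine at least two signals, highest score first."""
    scored = [(d, *score_domain(d, brands, own_zones)) for d in domains]
    return sorted((h for h in scored if h[1] >= min_score), key=lambda h: -h[1])

# Constructed sample feed; .example is a reserved TLD, these are not real indicators.
SAMPLE_FEED = [
    "examplecorp-salesforce.example",
    "salesf0rce-sso.example",
    "login.salesforce.com",
    "examplecorp.my.salesforce.com",
    "examplecorp-helpdesk.example",
    "garden-supplies.example",
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED, ["examplecorp"], ["examplecorp.example"]):
        print(score, domain, reasons)
```

Hits from a screen like this are leads for review (registration date, hosting, page content), not verdicts, since legitimate partners and resellers also register brand-plus-product names.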
The overlap in victim types, infrastructure used, and even forum aliases supports the theory that this collaboration has been in the works for over a year. They are believed to be preparing new campaigns against high-profile companies, particularly in critical sectors. If this long-term cooperation is confirmed, we could see a coordinated offensive combining Scattered Spider’s social engineering expertise with ShinyHunters’ data exfiltration and monetization capabilities.
The union of ShinyHunters and Scattered Spider is no ordinary threat; it’s a clear sign that cybercrime groups are joining forces to become more effective and dangerous. Strengthening access verification, tightening policies on apps connected to critical platforms like Salesforce, and training teams to detect social engineering attempts, especially via phone calls or fake applications, are no longer optional; they’re essential.
At TecnetOne, as cybersecurity specialists, we can help you implement protection strategies that include phishing simulations, access monitoring, and proactive measures to ensure your business isn’t the next headline.