Trinity of Chaos: Cybercrime Alliance Targeting Global Businesses

Written by Eduardo Morales | Oct 1, 2025 1:00:02 PM

You may have heard that hacker groups like LAPSUS$, ShinyHunters, or Scattered Spider had gone quiet. The reality is very different. According to a recent report from cybersecurity firm Resecurity, these groups are not only still active but have joined forces in what they call the “Trinity of Chaos.” Their target: leading companies in technology, finance, retail, aviation, and automotive sectors.

At TecnetOne, we want to explain how this alliance operates, which attacks have already been recorded, and—most importantly—what you can do to protect your organization against an increasingly sophisticated enemy.

 

Who Makes Up the Trinity of Chaos?

 

The “Trinity of Chaos” isn’t a movie title, though it sounds like one. It’s the union of three of the most notorious cybercriminal groups of recent years:

 

  1. LAPSUS$, known for high-impact social engineering and data leaks

  2. ShinyHunters, specialists in selling stolen databases on underground forums

  3. Scattered Spider, a relatively young collective already infamous for attacks on large companies, including Las Vegas casinos and tech providers

Working together multiplies their reach and resources—meaning the risk to companies like yours rises exponentially.

 

What the New Report Reveals

 

The Resecurity report highlights a troubling reality: there are more attacks than the public ever hears about. Many companies, faced with blackmail and leak threats, negotiate privately with attackers to keep details under wraps.

This means the incidents you read about in the press—such as those affecting Qantas, Jaguar Land Rover (JLR), AT&T, or Salesforce—are just the tip of the iceberg. Behind them lies an unknown number of companies quietly grappling with the aftermath of attacks.

The report also warns of a surge in private extortion, underscoring that the true impact of these groups is much larger than it appears.

 

The Jaguar Land Rover Case and the Domino Effect

 

One recent example was the attack on Jaguar Land Rover (JLR). The incident was so severe that the UK government announced a £1.5 billion loan to help the company recover.

Interestingly, JLR had outsourced its cybersecurity and IT services to Tata Consultancy Services (TCS). The same company also works with Marks & Spencer and Co-op, which—according to the report—have also been in Scattered Spider’s sights.

This reflects a reality we can’t ignore: cybercriminals no longer target just one company—they attack entire supply chains. If a service provider is compromised, every client relying on it becomes exposed.

 

How These Groups Operate

 

The Trinity of Chaos combines various techniques, leveraging each group’s strengths. Common tactics include:

 

  1. Advanced social engineering—tricking employees or vendors into handing over access without realizing it

  2. Exploitation of known (unpatched) vulnerabilities—especially in widely used critical apps

  3. Private extortion—stealing sensitive data and threatening to leak it unless paid

  4. Supply chain attacks—compromising a provider to hit multiple customers simultaneously

Their speed after gaining access is another critical factor. They often move inside a network and prepare data exfiltration within hours.

 

The True Cost of an Attack

 

The UK’s Cyber Monitoring Centre (CMC) has classified some of these attacks as “Category 2 Events”, with estimated losses between £270 million and £440 million.

But beyond the money, consider the impact:

 

  1. Disruption of critical operations

  2. Long-term reputational damage

  3. Loss of customer and partner trust

  4. Legal risk for data protection noncompliance

Most troubling of all: the uncertainty of not knowing whether your systems—or your suppliers’ systems—have already been compromised.

 

Why You Should Care Even If You’re Not a Giant Corporation

 

You might think these attacks only hit giants like AT&T or Salesforce, but SMEs are also on the radar. Cybercriminals know smaller businesses lack the same cybersecurity resources and are easier to breach.

And if your company serves as a vendor to a larger client, you could be the weak link that opens the door to an attack.

 

How to Protect Yourself

 

At TecnetOne, we believe prevention is always cheaper—and more effective—than reaction. Against threats like the “Trinity of Chaos,” these steps are key:

 

  1. Strengthen authentication

    Implement robust MFA, but go further: use physical tokens or secure apps, as SMS can be intercepted.

  2. Disciplined vulnerability management

    Audit frequently and patch promptly. Many intrusions start with known flaws left unaddressed.

  3. Proactive monitoring

    Don’t wait for an attack to leave traces. Deploy Threat Hunting and 24/7 monitoring to detect abnormal behavior.

  4. Secure your supply chain

    Review your vendors and demand security assurances. A third-party failure can be very costly.

  5. Have an incident response plan

    Know exactly what to do if something happens—who to call, how to contain it, and how to communicate to minimize impact.

 

The Role of Awareness

 

Technical tools are essential, but remember the human factor remains the biggest risk. Train your team to spot suspicious emails, malicious links, and unusual requests.

It takes only one wrong click to open the door to a massive attack.

 

Conclusion

 

The “Trinity of Chaos” proves that cybercriminal groups don’t retire—they evolve. By joining forces, LAPSUS$, ShinyHunters, and Scattered Spider have unleashed a wave of attacks whose full scope is only beginning to surface.

You can’t control what these groups do, but you can control how you protect your organization. At TecnetOne, we’re ready to help you fortify your infrastructure, monitor threats in real time, and build a security culture that minimizes risk.

Because in cybersecurity, true strength lies not in fear, but in preparation.