Three Hacking Groups Just Merged Into One Super-Threat

According to Infosecurity Magazine, Scattered Spider, ShinyHunters and LAPSUS$ have officially merged into a unified criminal collective called Scattered LAPSUS$ Hunters. Trustwave SpiderLabs confirmed today that this isn’t just loose collaboration but a coordinated alliance with a shared operational banner. The group has fewer than five core operators behind roughly 30 personas, with ShinyHunters-linked identities appearing to lead the structure. Since early August, they’ve cycled through at least 16 public Telegram channels, rebuilding them within hours of each takedown. This development moves beyond earlier tactical experimentation noted in October by Palo Alto Networks’ Unit 42 and represents a deliberate merger of three high-profile criminal brands.

Sponsored content — provided for informational and promotional purposes.

<h2 id="business-strategy”>This Isn’t Just Rebranding

Here’s the thing about this merger – it’s not just criminals changing their Twitter handles. They’re creating what Trustwave calls a “federated collective” with a centralized narrative, operational marketing model, and even a named “Operations Centre.” Basically, they’re treating cybercrime like a proper business now. And the timing is everything – this alliance emerged right as BreachForums collapsed, creating a vacuum in the underground ecosystem. They’re strategically positioning themselves to scoop up all the displaced operators and affiliates who lost their home base.

Telegram Isn’t Just for Chat Anymore

Remember when Telegram was just another messaging app? Well, SLH has turned it into their permanent command hub and brand engine. We’re not talking about occasional chatter here – Trustwave found they’re using it as their primary operational center. The fact that they’ve rebuilt 16 channels since August shows incredible resilience. They get taken down and pop right back up like digital whack-a-mole. This public presence strategy feels almost like hacktivist theater, but don’t be fooled – Trustwave emphasizes these guys remain strictly financially motivated.

<h2 id="real-threat“>Why This Actually Matters

So is this just cybercriminals playing dress-up? Apparently not. Trustwave mapped key personas including “shinycorp” as the primary coordinator and “yuka” who’s tied to zero-day brokerage and tooling linked to advanced malware like BlackLotus. That zero-day exploit development capability represents a serious step up from the unconfirmed ransomware claims we heard back in October. They’re not just recycling old tricks – they’re building actual technical capabilities. And with fewer than five core operators managing 30 personas, they’re running a tight ship despite the multiple brand names.

The New Normal for Cybercrime

What’s really concerning is that Trustwave sees this as the first cohesive alliance inside The Com’s traditionally fluid network. They’re using brand unification as a force multiplier for extortion, recruitment, and audience control. Think about it – instead of three separate groups competing for attention, they’re pooling their reputational capital. The advisory warns this “hybrid ecosystem” with its “identity fluidity, social amplification, and growing tailored exploitation development capabilities” will likely shape data-extortion activity into 2026. Basically, we’re looking at the future of organized cybercrime, and it’s wearing multiple masks at once.