
Bitdefender Threat Debrief | August 2025


ScatteredSpider Teams Up with LAPSUS$ and ShinyHunters: More Growth, More Bragging?

This edition of the Bitdefender Threat Debrief highlights major ransomware developments, including ScatteredSpider’s activities and collaborations; updates concerning Qilin and Akira; charges involving Ryuk’s former operator; and a new group that activated after Operation Checkmate.

Ransomware is a moving target, and our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT), such as news reports and research, with data we gather by analyzing Data Leak Sites (DLSs), websites where ransomware groups post details about their victims. It is important to remember that we can't independently verify all threat actor claims, but we are confident in the trends we see over time.

For this month's report, we analyzed data from July 1 to July 31 and recorded a total of 512 claimed ransomware victims. 

Featured Story: ScatteredSpider Teams Up with LAPSUS$ and ShinyHunters

What Happened? 

After the first week of August, reports circulated about a Telegram channel named Scattered Lapsus$ Hunters. This indication of ScatteredSpider’s collaboration with both LAPSUS$ and ShinyHunters was intentional and was followed by an update on their mutual aim to play a greater role in the ransomware economy.  

A user in the Scattered Lapsus$ Hunters channel mentioned an upcoming RaaS platform, ShinySp1d3r. The user stated that this platform would be on par with similar offerings by LockBit and DragonForce. The group previously posted images of a red Chevrolet Corvette sports car on their Telegram. The car sported a Kentucky license plate labeled LAPSUS.

Image: A Corvette with a license plate from the U.S. state of Kentucky appears in the Scattered Lapsus$ Hunters channel, briefly, before being deleted.

While the Telegram channel and a secondary channel were taken down just three days later, its existence highlights two important aspects that shape organized crime: collaboration and showing off.

Why Team Up? 

ScatteredSpider is known for clever social engineering tactics, leveraging VPN obfuscation to transfer victim data, and flexing their wealth. In their campaigns from early summer 2025, it was revealed that they executed DragonForce ransomware once initial access to a victim was established. This was one indication of a budding partnership between DragonForce and ScatteredSpider. However, that partnership was short-lived. ScatteredSpider has shifted its focus from targeting high-value retail organizations to targeting other industries, including transportation and aviation.

ScatteredSpider is likely teaming up with LAPSUS$ and ShinyHunters to cast a far-reaching net, growing their collective influence and appealing to more potential recruits within their demographic of Western males aged 16 to 25. 

The LAPSUS$ Connection

While many of the LAPSUS$ members who received media attention from 2022 to 2023 were teens, and some were even convicted in the years that followed, they should not be underestimated due to their age or past decisions.  

LAPSUS$ has conducted high-profile attacks and also leaked data from victim organizations in several industries, including technology and logistics. LAPSUS$ has also evolved to incorporate SIM swapping in their operations. The decision by LAPSUS$ to consider a team-up with ScatteredSpider may have stemmed from shared contacts within a criminal network. LAPSUS$ has established connections to the Com, a larger criminal syndicate that engages in both extortion and physical crime.

LAPSUS$ would also greatly benefit from the aid that comes with combining forces, after losing many of its members. Moreover, the recurring emphasis on teenagers with a common goal, committing crimes and showing off, would resonate with a similar community found in ScatteredSpider’s group of male youth, located throughout the United Kingdom and parts of the United States.

New Pursuits with ShinyHunters 

ScatteredSpider’s alliance with ShinyHunters may also boost their standing and influence based on ShinyHunters’ former roles in the underground. Security researchers trace ShinyHunters’ operations back to early 2020. The group is known for maintaining the BreachForums platform in 2021, launching further iterations of BreachForums, and participating in activities on RaidForums.

ShinyHunters’ connection to ScatteredSpider may go back to the spring of 2024. One marker of this collaboration between the two groups is the creation of a Sp1d3rHunters BreachForums account in May 2024. However, the account and others associated with ShinyHunters were compromised. A newer iteration of the BreachForum site was also seized by law enforcement.  

ShinyHunters’ TTPs, including their unique use of data exfiltration via known, legitimate cloud services and credential harvesting techniques, paired with ScatteredSpider's social engineering and authentication-type attacks, form a far more formidable threat. The combination of tactics used by the two groups has already been observed in campaigns targeting the Salesforce platform that feature malicious lures (fake SSO pages) used to harvest credentials.

What’s Performative? 

Now that ScatteredSpider has shifted gears and formed an alliance with LAPSUS$ and ShinyHunters, the united group faces greater scrutiny from law enforcement agencies and threat intelligence firms seeking insights into their operations.  

The alliance likely wants to be perceived as a highly capable and wealthy threat. Performative acts of showing off, such as posting an image of the red Chevrolet Corvette, appear impressive. However, upon closer examination, it becomes clear that the image is cropped to obscure a wider view.  

The vehicle’s model is six years old with the Stingray Premium 3LT trim. This trim makes the particular Corvette comparable in cost to a 2025 Honda Pilot, which has a price range of $45,000 to $60,000. Nice, yes, but it doesn’t convey the image of a ransomware group bringing in millions of dollars to purchase imported accessories and luxury sports cars. 

And, just like the fleeting nature of the Scattered Lapsus$ Hunters Telegram channel, the promoted collaboration may be a temporary glimpse into a moment that is not followed up with decisive action.

What’s Next? 

Whether ScatteredSpider can truly surpass LockBit and rival the ransomware cartel that DragonForce has built remains unknown. No further connections have been drawn between ScatteredSpider and DragonForce. Their partnership, like others, was not sustainable as ScatteredSpider's team-up with LAPSUS$ and ShinyHunters became public. At the time of this post, no data leak site has been linked to the ScatteredSpider-LAPSUS$-ShinyHunters collaboration. No release date for their RaaS has been publicized, and there are no mentions of specific platform features.

Bitdefender has observed a phenomenon year after year: competition in the RaaS space remains fierce and chaotic. The fight against time (until detection), innovation to stand out among competition, and prowess to maneuver away from law enforcement, positions many cybercriminal groups to join other criminal enterprises or fail and cease their operations entirely. Fewer ransomware groups, excluding rebranded entities, are persisting beyond two to three years. 

Ransomware Awareness and Defense 

Ransomware threats, ranging from small and insular extortion groups to large, interconnected networks, continue to pose significant challenges for organizations seeking to protect their assets and reputation. As the threat landscape undergoes frequent changes, understanding the elements that influence ransomware operations, and a successful or unsuccessful compromise, is vital to implement timely and relevant threat-informed countermeasures.  

For a comprehensive analysis of the ransomware playbook, including attack execution paths and defense strategies, please refer to our updated Bitdefender Ransomware Whitepaper. 

Other Notable Ransomware News 

Now, let’s explore the notable news and findings since the last Threat Debrief release. 

  • Qilin claims the greatest number of victims again: Qilin continues to place in the top ransomware position. Qilin has now claimed nearly 410 victims in 2025. However, Akira narrowly exceeded Qilin’s total victims, claiming 419 victims in 2025. With the emergence of new ransomware groups and alliances among threat actors like ScatteredSpider, Qilin’s ranking may become more variable over time.
  • Akira exploits SonicWall VPN flaw: A pattern of activity in Akira campaigns during July 2025 highlighted the compromise of VPN accounts followed by encryption. It is important to note that Akira did not use a zero-day vulnerability in these attacks and instead leveraged CVE-2024-40766. While this pattern was identified in campaigns last month, a string of similar activity has been ongoing since October 2024. Organizations using SonicWall VPNs are advised to update the firmware to version 7.3.0 and implement other practices to harden their systems, such as enabling Botnet Protection and enforcing MFA.
  • Chaos emerges in the wake of BlackSuit’s fall: Bitdefender assisted in Operation Checkmate, which resulted in the seizure of BlackSuit infrastructure. Chaos, a ransomware group which is not associated with the ransomware builder of the same name, has emerged in their stead. The group uses vishing and impersonation tactics to gain access to target systems. There is speculation surrounding their origin and one theory establishes that Chaos is a rebrand of BlackSuit due to their common encryption parameters and TTPs, including the abuse of authorized programs and RMMs like AnyDesk.
  • AiLock ransomware incidents grow: AiLock emerged in March 2025. Notably, the ransomware is equipped to perform encryption, locking the contents of files and metadata, using the ChaCha20 and NTRUEncrypt algorithms alongside a two-thread encryption routine. Its defense evasion properties include string obfuscation, process termination, and Recycle Bin cleaning.   
  • Ryuk operator indicted on charges of ransomware conspiracy: Karen Serobovich Vardanyan, an Armenian national, faces a sentence of five years for his involvement in Ryuk’s ransomware campaigns, which generated $15 million from March 2019 to fall 2020. Searches for the individuals who collaborated with him, Oleg Nikolayevich Lyulyava and Andrii Leonydovich Prykhodchenko, remain underway. Penalties of $250,000 were also filed by U.S. federal authorities.
  • DragonForce seeks out more talent: The ransomware cartel added a post on their data leak site, requesting partnerships with those versed in C++, Rust, and Go, and reverse engineering skillsets. DragonForce announced the expansion of their affiliate force in late spring; few updates were released thereafter.
  • FunkSec decryptor is available: FunkSec made a name for itself as a ransomware group that emerged with the help of AI and ambitious script kiddies. The decryptor for the ransomware is publicly available and FunkSec is now considered a dormant group. They could be re-strategizing to start anew. We’ve examined several events involving AI and ransomware in recent months, such as Global’s use of AI to support ransom negotiations. As developments occur, we’ll continue to assess changes in the ways threat groups utilize AI. 

Top 10 Ransomware Families 

Bitdefender's Threat Debrief analyzes data from ransomware data leak sites, where groups publicize their claimed number of compromised organizations. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and may be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks. 

Top 10 Countries 

Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. This often means focusing on developed countries. Now, let’s see the top 10 countries that took the biggest hit from these attacks. 

Ransomware Victims: Top 10 Industries 

Ransomware gangs may target organizations in the critical infrastructure ecosystem, select other organizations that offer services tailored to the consumer marketplace, or attack both. Here are the Top 10 industries that have been targeted by ransomware groups.
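The Top 10 Families, Countries, and Industries views above all come from the same input: claimed victims scraped from data leak sites. The following is an added example, not Bitdefender's own tooling, showing how such postings can be tallied for a reporting window while handling the caveat the methodology section raises: claims are self-reported, so the same victim is sometimes posted more than once (or by more than one group) and should not be counted twice. The groups, victim names, countries, and dates in `SAMPLE_POSTS` are constructed for illustration and do not represent real victims.

```python
"""Tally claimed ransomware victims from data leak site (DLS) postings.

Added example; not Bitdefender's own code. All postings below are constructed.
"""
from collections import Counter
from datetime import date
import re

# Constructed sample DLS postings (hypothetical victims; groups named as on the page
# for illustration only). One victim is re-claimed by a second group, and one post
# falls outside the July reporting window.
SAMPLE_POSTS = [
    {"group": "Qilin", "victim": "Acme Logistics Ltd", "country": "US", "industry": "Transportation", "posted": "2025-07-03"},
    {"group": "Akira", "victim": "ACME Logistics, Ltd.", "country": "US", "industry": "Transportation", "posted": "2025-07-09"},
    {"group": "Akira", "victim": "Northwind Clinic", "country": "US", "industry": "Healthcare", "posted": "2025-07-12"},
    {"group": "Akira", "victim": "Fabrikam GmbH", "country": "DE", "industry": "Manufacturing", "posted": "2025-07-15"},
    {"group": "Qilin", "victim": "Contoso Retail Inc", "country": "GB", "industry": "Retail", "posted": "2025-07-20"},
    {"group": "INC Ransom", "victim": "Tailspin Aviation", "country": "CA", "industry": "Transportation", "posted": "2025-07-25"},
    {"group": "Chaos", "victim": "Litware Manufacturing", "country": "US", "industry": "Manufacturing", "posted": "2025-07-30"},
    {"group": "Qilin", "victim": "Woodgrove Bank", "country": "US", "industry": "Finance", "posted": "2025-08-01"},
]

# Suffixes that vary between postings of the same organisation and carry no identity.
CORPORATE_SUFFIXES = {"ltd", "inc", "llc", "corp", "co", "gmbh", "plc", "sa", "the"}


def normalize_victim(name: str) -> str:
    """Collapse case, punctuation and corporate suffixes so re-posts of one victim match."""
    lowered = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    tokens = [t for t in lowered.split() if t not in CORPORATE_SUFFIXES]
    return " ".join(tokens)


def posts_in_window(posts, start: str, end: str):
    """Return posts whose posted date lies in [start, end] (ISO dates), oldest first."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    window = [p for p in posts if lo <= date.fromisoformat(p["posted"]) <= hi]
    return sorted(window, key=lambda p: p["posted"])


def dedupe_victims(posts):
    """Keep only the earliest post per normalized victim name.

    Credit for a victim claimed by two groups goes to whichever posted first; the
    later claim is treated as a duplicate rather than a second compromise.
    """
    seen, kept = set(), []
    for p in sorted(posts, key=lambda p: p["posted"]):
        key = normalize_victim(p["victim"])
        if key in seen:
            continue
        seen.add(key)
        kept.append(p)
    return kept


def top_n(posts, field: str, n: int = 10, dedupe: bool = True):
    """Top-N values of `field` ("group", "country" or "industry") by victim count."""
    subset = dedupe_victims(posts) if dedupe else list(posts)
    return Counter(p[field] for p in subset).most_common(n)


def monthly_summary(posts, start: str, end: str) -> dict:
    """Build the figures a monthly debrief reports, with raw and deduplicated counts."""
    window = posts_in_window(posts, start, end)
    unique = dedupe_victims(window)
    return {
        "raw_claims": len(window),
        "unique_victims": len(unique),
        "duplicate_claims": len(window) - len(unique),
        "top_families": top_n(window, "group"),
        "top_countries": top_n(window, "country"),
        "top_industries": top_n(window, "industry"),
    }


if __name__ == "__main__":
    summary = monthly_summary(SAMPLE_POSTS, "2025-07-01", "2025-07-31")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Reporting both `raw_claims` and `unique_victims` keeps the trade-off visible: the raw figure is what the groups assert, the deduplicated one is the closer estimate of distinct compromised organisations. Neither says anything about financial impact, which DLS data cannot provide.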

About Bitdefender Threat Debrief

The Bitdefender Threat Debrief (BDTD) is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next BDTD release: subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.

Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements the telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discovers 400+ new threats each minute and validates 30 billion threat queries daily. This provides us with one of the industry’s most comprehensive real-time views of the evolving threat landscape. 

We would like to thank Bitdefenders Vlad Craciun, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Rares Radu (sorted alphabetically) for their help with putting this report together.