The Crimson Collective: Inside the Alliance That Created Cybercrime's Most Dangerous Supergroup

Breached Company

23 Nov 2025 — 10 min read

Executive Summary

The emergence of Crimson Collective and its subsequent merger into the Scattered Lapsus$ Hunters alliance represents a watershed moment in cybercrime evolution. What began as disparate groups of teenage hackers has transformed into a sophisticated criminal enterprise that has compromised over 1,000 organizations, stolen billions of records, and caused an estimated $10+ billion in damages globally. This analysis examines how three notorious cybercrime groups—Scattered Spider, Lapsus$, and ShinyHunters—joined forces with the newly emerged Crimson Collective to create what security experts now call the most dangerous English-speaking cybercrime syndicate in operation.

The Birth of Crimson Collective

Timeline of Emergence

Crimson Collective burst onto the cybercrime scene in September 2025 with a series of calculated, high-profile attacks designed to establish credibility within the underground community:

September 24, 2025: Group creates Telegram channel, immediately claims Nintendo website defacement
September 25, 2025: Announces breach of Claro Colombia, claiming 50 million client invoices stolen
October 1, 2025: Public disclosure of Red Hat breach, claiming 570GB of data from 28,000+ repositories
October 5, 2025: Joins forces with Scattered Spider and Lapsus$ to form Scattered Lapsus$ Hunters

Initial Operations

Unlike established groups that operated in shadows for months before surfacing, Crimson Collective adopted a shock-and-awe approach. Their first week of operations demonstrated:

Rapid target acquisition: Three major breaches in seven days
Cross-industry targeting: Gaming (Nintendo), telecommunications (Claro), enterprise IT (Red Hat)
Immediate extortion attempts: Public data dumps and ransom demands within hours of compromise
Media manipulation: Strategic leaks to journalists to maximize pressure

The Players: Understanding the Alliance

Scattered Spider, also known as UNC3944, Octo Tempest, and Muddled Libra, represents the social engineering backbone of the alliance. Active since May 2022, the group gained notoriety through:

MGM and Caesars attacks (2023): Caused $100+ million in damages to Las Vegas casinos, with MGM refusing to pay ransom while Caesars paid $15 million
Vishing expertise: Perfected help desk impersonation techniques, famously compromising MGM in just 10 minutes
SIM swapping operations: Compromised telecom systems to bypass MFA
English fluency: Native speakers capable of convincing social engineering

The group's criminal evolution includes Noah Urban's conviction - the first Scattered Spider member sentenced to 10 years for cryptocurrency theft. Their attacks expanded beyond casinos to include:

UK Retail devastation (2025): Targeting Harrods, Marks & Spencer, and Co-op
Transport for London attack: £39 million in damages, compromising 5,000 customers' banking information
Aviation sector targeting: Hawaiian Airlines, WestJet, and European airports

As documented in our Jaguar Land Rover breach analysis, Scattered Spider's techniques have evolved to include insider recruitment and advanced persistence mechanisms.

Lapsus$: The Chaos Agents

Lapsus$ brought notoriety and a flair for theatrical extortion to the alliance:

High-profile victims (2021-2022): Microsoft, Nvidia, Samsung, Okta
Teenage leadership: Several arrested members were minors at time of crimes
Public spectacle: Live-streamed attacks on Telegram
Source code theft: Specialized in stealing intellectual property

The group's approach, detailed in our coverage of their retirement announcement, emphasized psychological warfare alongside technical attacks.

ShinyHunters: The Data Brokers

ShinyHunters emerged in 2020 with a focus on massive data theft and underground marketplace operations:

91 victims claimed: Including Tokopedia (91M records), AT&T (73M records), Ticketmaster (560M records)
Forum administration: Operated BreachForums through multiple iterations
Supply chain expertise: Pioneered attacks on cloud platforms like Snowflake and Salesforce
Monetization focus: Specialized in selling stolen data on dark web markets

The group's evolution from Pokémon-inspired hackers to sophisticated operators was documented in our comprehensive ShinyHunters profile, which tracks their transformation from selling databases for profit to conducting voice phishing campaigns that compromised 2.5 billion Gmail users.

Crimson Collective: The New Blood

Crimson Collective's rapid rise suggests either:

Rebranding of existing actors: Possibly former Lapsus$ members avoiding law enforcement
New generation criminals: Young hackers inspired by predecessors' success
State-sponsored facade: Some researchers suspect nation-state involvement given sophistication

Evidence points to connections with arrested Lapsus$ members, particularly through the use of handles like "Miku" associated with UK teenager Thalha Jubair, currently facing charges for the MGM attacks.

The Alliance Forms: Scattered Lapsus$ Hunters

The Merger

On August 8, 2025, a Telegram channel emerged combining all three group names: "scattered lapsu$ hunters." This wasn't just a rebranding—it represented an operational merger combining:

Scattered Spider's access: Social engineering and initial compromise capabilities
Lapsus$'s chaos: Extortion tactics and media manipulation
ShinyHunters' infrastructure: Underground forums and monetization channels
Crimson Collective's momentum: Fresh targets and law enforcement evasion

Organizational Structure

The alliance operates as a loose confederation rather than a hierarchical organization:

Core Leadership:

"Shiny": Alleged ShinyHunters leader (possibly arrested in France, disputed)
"Miku": Connected to UK prosecutions, possibly operating despite custody
"Rey": Spokesperson for major attacks including JLR
"Cvsp/Yukari": Technical lead and exploit developer

Operational Divisions:

Access Team: Scattered Spider veterans handling initial compromise
Exfiltration Team: ShinyHunters operatives managing data theft
Extortion Team: Lapsus$ members orchestrating ransom negotiations
Infrastructure Team: Maintaining forums, leak sites, and communication channels

The Com: The Broader Ecosystem

The alliance operates within "The Com" (short for "The Community"), a sprawling English-speaking cybercrime ecosystem. As detailed in our comprehensive breach analysis, The Com provides:

Talent pool: Thousands of young hackers across US, UK, Canada
Knowledge sharing: Techniques, tools, and target intelligence
Operational support: Money laundering, cryptocurrency exchange
Social validation: Status and reputation within the community

Attack Methodology: The Playbook

Stage 1: Initial Access

The alliance employs multiple vectors for initial compromise:

Vishing (Voice Phishing):

Impersonate IT help desk staff
Use LinkedIn for employee reconnaissance
Deploy AI voice cloning for authenticity
Target new employees or contractors

Insider Recruitment:

Post job offers on Telegram: "Looking for insiders at Fortune 500"
Offer $10,000-100,000 for credentials
Compromise through financial pressure or ideological alignment
As seen in the CrowdStrike insider incident

Supply Chain Compromise:

Target SaaS integrations (Salesforce, Okta, Microsoft)
Exploit OAuth tokens and API keys
Compromise managed service providers
Attack documented in our Drift supply chain analysis

Stage 2: Persistence and Expansion

Once inside, the group establishes multiple persistence mechanisms:

Credential harvesting: Deploy tools like TruffleHog to find secrets in code
Token generation: Create long-lived OAuth tokens for continued access
Backdoor installation: Plant webshells and remote access tools
Lateral movement: Pivot through connected systems and cloud environments

Stage 3: Data Exfiltration

The alliance has perfected large-scale data theft:

Automated extraction: Scripts to dump entire databases
Cloud storage abuse: Use victim's own infrastructure for staging
Distributed exfiltration: Multiple exit points to avoid detection
Selective targeting: Focus on high-value data (PII, source code, credentials)

Stage 4: Monetization

The group employs multiple revenue streams:

Extortion-as-a-Service (EaaS):

Franchise model allowing affiliates to use brand
20-30% commission structure
Centralized negotiation support
Reputation lending for credibility

Data Sales:

Tiered pricing based on data sensitivity
Bulk discounts for complete databases
Exclusive sales to prevent market flooding
Underground auction systems

Ransomware Deployment:

Custom "Sh1nySp1d3r" ransomware development
Partnership with established RaaS operations
Double/triple extortion tactics
Targeted ransoms based on victim financials

Major Campaigns and Impact

The Salesforce Holocaust (2025)

The alliance's most devastating campaign targeted Salesforce customers globally:

1+ billion records stolen: Largest data theft operation in history
760+ organizations compromised: Including Google, Cisco, Palo Alto Networks
Attack vector: Malicious OAuth apps and social engineering
Impact: $2+ billion in damages and remediation costs

Details covered in our Salesforce-Gainsight breach analysis and the earlier Palo Alto Networks and Zscaler supply chain attack. The campaign also targeted insurance companies, as documented in our Allianz Life breach coverage.

The Automotive Apocalypse

The group's attacks on automotive manufacturers demonstrated their ability to disrupt physical infrastructure:

Jaguar Land Rover:

£196 million direct losses
5-week production shutdown
£1.9 billion economic impact
5,000+ businesses affected

Other Automotive Targets:

Toyota: Supply chain disruption
Stellantis: Engineering data stolen
Volkswagen: Customer databases compromised

The Red Hat Revelation

The Red Hat GitLab breach showcased Crimson Collective's capabilities:

28,000 repositories compromised: Containing customer infrastructure details
800 Customer Engagement Reports: Blueprints for enterprise networks
Government exposure: NSA, DoD, Department of Energy affected
Downstream risks: Potential access to hundreds of customer environments

Financial Sector Devastation

Banks and financial institutions faced unprecedented attacks:

TransUnion: Credit data of millions exposed
Multiple banks targeted: Including Citigroup, HSBC, Bank of America
Cryptocurrency exchanges: Focused attacks on crypto infrastructure
Insurance companies: Scattered Spider's pivot to insurance sector

Luxury Brand Campaigns

ShinyHunters specifically targeted high-end retail throughout 2025:

Louis Vuitton and Dior breaches: Customer data including passport details compromised
Kering portfolio attack: 7.4 million records from Gucci, Balenciaga, Alexander McQueen
Chanel, Cartier, Tiffany & Co.: Part of coordinated luxury retail targeting
Attack methodology: Focus on high-net-worth customer databases for maximum extortion value

The Technical Evolution

AI-Powered Operations

The alliance has integrated artificial intelligence into their operations:

Voice cloning: Deepfake audio for vishing attacks
Automated reconnaissance: AI-driven target identification
Code analysis: Machine learning for vulnerability discovery
Chatbot impersonation: AI-powered social engineering

Cloud-Native Attacks

Focus has shifted to cloud infrastructure exploitation:

AWS targeting: Stealing IAM credentials and assuming roles
Azure compromise: Exploiting Microsoft's cloud services
GCP infiltration: Google Cloud Platform attacks
Multi-cloud pivoting: Moving between cloud providers

Zero-Day Development

Investment in proprietary exploits:

Custom malware: Sh1nySp1d3r ransomware family
0-day exploits: Undisclosed vulnerabilities in enterprise software
Tool development: Custom frameworks for automation
Evasion techniques: Advanced anti-forensics and detection bypass

Law Enforcement Response

Arrests and Prosecutions

Despite the alliance's success, law enforcement has made progress:

UK Actions:

Thalha Jubair (19): Charged for MGM attacks and 120+ intrusions, remanded in custody
Owen Flowers (18): Charged in Transport for London attack
Multiple teenagers arrested in connection with Lapsus$
Teen surrenders in Las Vegas (September 2025)

US Response:

Noah Urban sentenced: First Scattered Spider member to face justice, 10 years for $13M theft
Teen charged in $100M casino heist
FBI's Operation Cronos targeting infrastructure
$10 million bounties offered for information
Seizure of BreachForums domains (October 2025)

International Cooperation:

Europol coordination across 23 countries
French arrests of suspected ShinyHunters members
Canadian arrest of Connor Moucka (Snowflake attacks)
Tyler Buchanan detained in Spain

As detailed in our FBI BreachForums takedown analysis, the seizure disrupted the primary marketplace used by ShinyHunters, Baphomet, and IntelBroker, though the decentralized nature of these groups makes complete disruption challenging.

Challenges in Prosecution

Law enforcement faces significant obstacles:

Jurisdiction issues: Criminals operate across borders
Age of perpetrators: Many are minors, complicating prosecution
Technical sophistication: Advanced operational security
Rapid evolution: Groups rebrand faster than investigations progress

The Current State: November 2025

Operational Status

Despite claims of retirement in September 2025, the alliance remains active:

Ongoing attacks: CrowdStrike insider breach (November 2025)
New campaigns: Gainsight/Salesforce attacks continuing
Rebranding efforts: Members operating under new aliases
Infrastructure evolution: New forums and communication channels

As documented in our late 2025 cyberattack overview, ShinyHunters and affiliated groups have maintained operational tempo despite law enforcement pressure, with attacks on TransUnion, Air France-KLM, and dozens of other organizations continuing through October 2025.

Threat Assessment

Security experts consider the alliance among the most dangerous threats:

Microsoft assessment: "One of the most dangerous financially motivated threat groups"
CISA warnings: Multiple advisories issued on their TTPs
Industry impact: $10+ billion in global damages attributed
Victim count: 1,000+ organizations confirmed compromised

Defensive Strategies

Technical Controls

Organizations must implement comprehensive defenses:

Identity and Access Management:

Phishing-resistant MFA (FIDO2/WebAuthn)
Privileged access management
Regular credential rotation
Zero-trust architecture

Monitoring and Detection:

Behavioral analytics for insider threats
OAuth app auditing
Cloud security posture management
Extended detection and response (XDR)

Incident Response:

Vendor-specific playbooks
Tabletop exercises including social engineering
Rapid containment procedures
Forensic readiness

Human Factors

Technology alone cannot stop this alliance:

Security Awareness:

Vishing simulation training
Social engineering education
Insider threat awareness
Regular security updates

Operational Security:

Limited social media presence
Information classification
Vendor risk management
Supply chain security

The Future Landscape

Predicted Evolution

The alliance is likely to:

Increase automation: More AI-driven attacks
Target critical infrastructure: Focus on maximum impact
Develop new monetization: Novel extortion methods
Recruit globally: Expand beyond English-speaking members
Fragment and reform: Constant rebranding to evade law enforcement

Industry Response

The cybersecurity industry must adapt:

Collaborative defense: Information sharing between organizations
Regulatory evolution: New laws targeting cybercrime groups
Technology advancement: Better detection and prevention tools
International cooperation: Enhanced law enforcement coordination

Conclusion

The Crimson Collective's emergence and rapid integration into the Scattered Lapsus$ Hunters alliance represents the natural evolution of cybercrime—from individual actors to organized syndicates capable of causing billions in damages. Their success stems not from revolutionary techniques but from perfecting the convergence of social engineering, insider threats, and supply chain exploitation at unprecedented scale.

As documented across our extensive coverage from the GitHub battlefield to cloud infrastructure attacks, these groups have exposed fundamental weaknesses in our digital ecosystem. The alliance's ability to compromise security vendors themselves—from Palo Alto Networks to CrowdStrike—demonstrates that no organization is immune.

The question facing the industry is not whether another Crimson Collective will emerge, but how quickly we can evolve our defenses to match the pace of criminal innovation. As the alliance itself noted in their retirement message: "The truth is, we were never the problem. We were just the symptom."

Organizations must recognize that in the age of Scattered Lapsus$ Hunters, cybersecurity is no longer just an IT issue—it's an existential business risk that requires board-level attention, unlimited vigilance, and the uncomfortable acknowledgment that sometimes, the hackers are already inside.