The Targeted Employees and Security Stakes: A New Era of Cyber Warfare
TL;DR: Cybercriminals have escalated beyond data theft to directly targeting cybersecurity professionals, demanding their termination and threatening their safety—marking a dangerous new phase where human capital becomes a weapon in cyber warfare.
Breached Company
The Human Targets in Google's Crosshairs
In an unprecedented escalation of cyber warfare tactics, a coalition of hackers calling themselves "Scattered LapSus Hunters" has issued an extraordinary ultimatum to Google: fire two prominent cybersecurity professionals or face the leak of alleged internal databases. The targets are not random employees—they are Austin Larsen, a Principal Threat Analyst with Google's Threat Intelligence Group who leads rapid response and investigation coordination for major global cyber events, and Charles Carmakal, Senior Vice President and CTO of Mandiant Consulting, who has helped over a thousand organizations respond to complex security breaches orchestrated by foreign governments, organized criminals, and political hacktivists.
Both men have built distinguished careers exposing cybercriminal networks. Larsen previously served as a Senior Incident Response Consultant at Mandiant, specializing in helping organizations navigate attacks from nation-state actors and advanced threat groups. Carmakal has testified before Congress on multiple cybersecurity topics and is regularly interviewed by mainstream media organizations. Their expertise and public visibility have made them symbols of resistance against cybercrime—and now, ironically, targets themselves.
The Catalyst: A Supply Chain Breach with Far-Reaching Consequences
The threats against Larsen and Carmakal stem directly from their investigative work into a widespread data theft campaign carried out by the actor tracked as UNC6395, which beginning as early as Aug. 8, 2025 through at least Aug. 18, 2025, targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application.
The actor systematically exported large volumes of data from numerous corporate Salesforce instances, with GTIG assessing the primary intent was to harvest credentials including Amazon Web Services (AWS) access keys, passwords, and Snowflake-related access tokens. This wasn't just another data breach—it was a strategic operation designed to gather the keys to countless other systems.
The scope was staggering. Austin Larsen told Recorded Future News the current campaign has targeted about 20 organizations across hospitality, retail, education and other sectors across the Americas and Europe. In some instances, extortion demands weren't made until several months after the initial intrusion activity, suggesting UNC6040 has partnered with a second threat actor that monetizes access to the stolen data.
The Alliance of Adversaries
The group making threats against Google represents something new and deeply concerning: a convergence of three powerful cybercrime collectives—Scattered Spider, ShinyHunters, and Lapsus$—working together under the umbrella of a broader network called "The Com".
Each group brings distinct capabilities to this alliance:
Scattered Spider has established itself as one of the most dangerous financially motivated hacker collectives currently active, with many operators believed to be 19- to 22-year-old native English speakers. The group has built a reputation since 2022 for conducting advanced social engineering campaigns, including phishing and vishing attacks targeting IT help desks.
ShinyHunters gained notoriety in 2020 through a series of large-scale data breaches and extortion campaigns targeting major global brands, with operations revolving around monetizing stolen data via underground forums. Members acted as administrators of the popular cybercriminal platform "BreachForums".
Lapsus$ emerged as a threat collective that has been active since at least mid-2021 and has specialized in large-scale social engineering and extortion campaigns. In March 2022, London police arrested seven people, aged 16 to 21, for their alleged roles in the digital intrusions and extortion attempts.
The Com is suspected to include both Scattered Spider and ShinyHunters members—a sprawling network of disparate sub-groups and cliques that engage in account takeover activity, SIM-swapping, cryptocurrency theft, swotting, and sextortion. Most alarmingly, some sub-groups have even engaged in more extreme activities like "violence for hire" and coercing individuals into self-harm.
Breached Company
Beyond Data: Weaponizing Fear and Influence
What makes this threat unique is its departure from traditional cybercrime motivations. The incident underscores a troubling evolution: hacker groups leveraging media exposure to weaponize fear, rather than just stolen data. Analysts suggest that the groups are now driven by a desire for power, influence, and the thrill of disruption, turning their attacks into public performances of dominance.
The strategic targeting of threat intelligence professionals represents a calculated attempt to cripple organizational defenses from within. The threats show a shift in hacker tactics—from stealing data to targeting people and influence. By demanding the removal of key security personnel, these groups seek to:
- Undermine institutional knowledge: Larsen and Carmakal possess years of expertise in tracking and countering cybercriminal networks
- Create internal discord: Forcing organizations to choose between employee safety and capitulating to criminal demands
- Set dangerous precedents: For Google, firing employees under hacker pressure would set a dangerous precedent
- Generate media attention: Public ultimatums create fear and demonstrate power to other potential victims
The Broader Human Cost of Cybersecurity
This targeting of individual cybersecurity professionals reflects a broader trend that extends far beyond high-profile cases. More than 90% of web users are concerned about doxxing today, and 73% have limited what they share online to avoid being doxxed. One-quarter of Americans know someone who has been doxxed.
For cybersecurity professionals specifically, the risks are escalating. As cybercriminals become more advanced and better resourced, cyber threats targeting executives have emerged as one of the most concerning trends for Chief Information Security Officers. Executives are a lucrative target for cybercriminals because they typically operate with elevated access levels, often bypassing multi-factor authentication or strict access controls due to "trust".
The psychological toll is severe. The most common consequences of victims included financial losses, mental health impacts, damage to professional reputations, and physical safety risks. As one FBI official noted regarding Scattered Spider operations, there have been "direct threats against family members, specifically children, delivered to CEOs or chief officers. The mental and emotional toll of that is very significant and obviously done to apply direct pressure from an extortion perspective".
The Evolving Threat Landscape
The cybersecurity industry is facing multiple converging pressures that make professionals increasingly vulnerable:
Skills Shortage Creates Visibility
There is a shortage of four million cybersecurity professionals in 2024, which could reach eighty-five million by 2030 if not addressed. This scarcity means that skilled professionals like Larsen and Carmakal become high-visibility targets whose removal could significantly impact organizational defenses.
AI Amplification of Threats
In 2024, social engineering, cloud intrusions, and malware-free techniques surged, and nation-state actors intensified cyber espionage and added AI to their arsenal. Agentic AI has been weaponized, with AI models now being used to perform sophisticated cyberattacks, not just advise on how to carry them out.
Financial Motivation Intensifies
Worldwide cybercrime costs are estimated to hit $10.5 trillion annually by 2025. Ransomware costs are projected to reach around $265 billion USD annually by 2031, significantly up from $20 billion in 2021. These massive financial incentives drive increasingly aggressive tactics.
The Strategic Implications
The targeting of Larsen and Carmakal represents more than an isolated incident—it signals a fundamental shift in how cybercriminals view the cybersecurity industry itself. When threat groups join forces, it complicates things for defenders in several ways. The collaboration enables highly effective, multi-stage cyber extortion operations that integrate Scattered Spider's human-centric access vector tactics with ShinyHunters' monetization of stolen data.
This evolution poses several critical challenges:
Attribution Complexity
The convergence of capabilities suggests a disturbing evolution in the cyber threat landscape, as cybercrime collectives evolve into structured coalitions. To what extent individuals cross over between the groups remains an open question, making it difficult for law enforcement and security teams to track and counter these threats.
Escalation of Tactics
The new coalition has already claimed credit for a series of high-profile intrusions, with luxury brands like Gucci and retail giant Victoria's Secret among their recent targets. In an even more alarming development, the groups have also alleged successful breaches of government agencies in several countries.
Operational Security Evolution
Criminals with few technical skills are using AI to conduct complex operations, such as developing ransomware, that would previously have required years of training. This democratization of sophisticated attack capabilities means the threat landscape will only expand.
Defending the Defenders
The cybersecurity industry must now grapple with protecting not just organizational assets, but the professionals who defend them. This requires a multi-layered approach:
Institutional Resilience
Organizations must resist demands to terminate employees under threat. Most cybersecurity experts believe Google will—and must—resist, as firing employees under hacker pressure would set a dangerous precedent.
Personal Security Protocols
For CEOs, cybersecurity pros, and public figures, the risks are exponentially higher. Use virtual private networks (VPNs), separate personal and professional online profiles, and review and tighten privacy settings on all social media accounts to limit the visibility of personal information.
Industry-Wide Support
Information-sharing communities are forums, professional associations and other communities where analysts share firsthand experiences, insights, threat data and other intelligence with one another. The industry must strengthen these networks to provide mutual support and protection.
The Stakes Moving Forward
The targeting of Austin Larsen and Charles Carmakal represents a watershed moment in cybersecurity. Whether the group is bluffing or not, the real cost is trust in platforms, in providers, and in the people tasked with defending them.
As billionaire businessman and philanthropist Warren Buffet calls cybercrime the number one problem with mankind, and cyberattacks a bigger threat to humanity than nuclear weapons, the industry faces a sobering reality: the defenders themselves have become the targets.
The success or failure of these threats against Google's cybersecurity professionals will likely influence whether such tactics become more widespread. If successful, such tactics might become more prevalent, pushing cybercriminals beyond financial gain to exert influence over corporate human resources and strategic decisions.
The cybersecurity community now stands at a crossroads. The very professionals who have dedicated their careers to protecting others are finding themselves in the crosshairs. How the industry responds to this escalation will determine not just the fate of two individuals, but the future of cybersecurity defense itself.
Bottom Line: The targeting of cybersecurity professionals marks a dangerous evolution in cyber warfare, where criminals seek to eliminate defensive capabilities by threatening the humans who operate them. This represents a shift from data-focused attacks to influence operations that could fundamentally alter how cybersecurity is practiced, making personal protection of security professionals as critical as technical defenses.
