The Shiny Spider’s Web: BreachForums and the Making of Scattered Lapsus$ Hunters

In early August 2025, a new collective calling itself Scattered LAPSUS$ Hunters appeared on Telegram. At first glance it looked like another channel lost in the chaos of the cyber underground. But its choice of name was deliberate: a fusion of three of the most notorious groups of recent years, Scattered Spider, ShinyHunters, and LAPSUS$, and its arrival was quickly echoed across spaces tied to BreachForums, RaidForums, and ALPHV/BlackCat.

Its launch coincided with renewed turmoil around BreachForums, where mounting law enforcement pressure and rumors of compromised administrators were fracturing the community. Against this backdrop, Scattered LAPSUS$ Hunters positioned itself alongside legacy brands, amplifying its presence through theatrical claims and recycled reputations.

What followed was not a straightforward story of a new group, but a complicated web of identity disputes, impersonation claims, and recycled infrastructure. Some in the security industry dismissed the Hunters as opportunistic imposters. Others saw traces of continuity linking them back to familiar operators. This report follows that trail from the group’s first Telegram appearances to its evolving network of aliases, uncovering how spectacle, impersonation, and persistence intersect in today’s underground.

Incident Trigger and Initial Investigation

In August 2025, a new Telegram presence emerged under the name Scattered Lapsus$ Hunters, using the channel handle t.me/s*****************s. On the surface, it appeared to be just another addition to the crowded ecosystem of short-lived cybercrime channels. What made it stand out, however, was its deliberate choice of branding. The name itself combined three of the most recognizable threat actor groups of recent years - Scattered Spider, ShinyHunters, and Lapsus$ - while styling itself with dramatic titles like “The Com HQ” and “SCATTERED SP1D3R HUNTERS.” This was not the behavior of an unknown vendor testing the waters but a group attempting to stake a claim in the underground through theatrical presentation.

StealthMole’s Dark Web Tracker provided one of the first pivotal clues when the handle, s***************s, was identified in a post on a BreachForums thread, where the group introduced itself as “the Google googley hackers” and invited others to join its Telegram channel. The decision to announce their presence on a forum like BreachForums was significant: BreachForums has long been a successor to the shuttered Raid Forums, positioning itself as a hub for data leaks and underground recruitment. By associating itself directly with that ecosystem, the Hunters signaled an intent to be seen alongside more established criminal brands rather than emerging quietly.

Inside the Telegram channel, the group’s early messages leaned into provocation and performance. Posts claimed that “feds are watching…”, mixed with vague references accusing the Chinese Communist Party (CCP) of stealing exploits. The rhetoric was chaotic, alternating between conspiratorial statements and hints of access to stolen material. While at first these could be dismissed as noise, the repetition of such messages across connected channels suggested a deliberate strategy of amplification rather than a one-off stunt.

The channel itself did not exist in isolation. Using StealthMole’s indexing and pivoting through the Telegram tracker, I quickly found overlap with other notable spaces. Mentions of the new group appeared in promotion threads that also highlighted legacy names such as BabukLocker and Raid Forums, putting Scattered Lapsus$ Hunters in the same promotional circuits as recognized brands. The circulation of its messages, rather than remaining confined to a single chat, was one of the early indications that this was not an isolated newcomer but part of a broader network.

At this stage, the group’s identity remained unclear, but the combination of deliberate branding, cross-channel promotion, and ties to existing ecosystems was enough to justify closer monitoring. The initial findings suggested a pattern worth tracing further: a group presenting itself as new, but behaving in ways consistent with actors who already had access to established infrastructure and reputational channels. The investigation from here focused on following those overlaps, across emails, usernames, deleted Telegram channels, and forum traces, to determine who is really behind the Scattered Lapsus$ Hunters identity.

BreachForums Turmoil and the Rise of SHINYSP1D3R

The timing of Scattered Lapsus$ Hunters’ appearance was no coincidence. By mid-2025, BreachForums was once again in crisis. The site had gone through multiple iterations, each more short-lived than the last. Version 3 (V3) had mysteriously disappeared in April, while Version 4 (V4) flickered online briefly before collapsing in June. Whispers across underground spaces pointed to mounting law enforcement pressure, with rumors of compromised accounts and backend access under surveillance. For a forum that prided itself on being the marketplace of choice for data leaks, the instability left a vacuum in which opportunistic actors could reinvent themselves.

It was against this backdrop that the SHINYSP1D3R brand began surfacing. Promoted as a “superior alternative” to established ransomware-as-a-service (RaaS) outfits like LockBit or DragonForce, the name combined the reputational weight of ShinyHunters and Scattered Spider while cloaking itself in the same loud, chaotic style that defined Lapsus$. Messages circulating in connected Telegram spaces proclaimed: “DRAGONFORCE AND LOCKBIT IS NOTHING COMPARED TO SHINYSP1D3R UPCOMING RAAS!!!!” The exaggeration was typical underground marketing, half brag, half bait, but its intent was clear: to position the new alliance not as a niche crew, but as the natural successor in a post-LockBit ecosystem.

For observers, the overlap was striking. On one hand, BreachForums was disintegrating under pressure, dragging with it the credibility of long-standing actors who had relied on its infrastructure. On the other, this new alliance was loudly insisting it could outshine groups that had spent years building reputations. Whether or not SHINYSP1D3R ever intended to launch a functional RaaS, the messaging itself served a purpose: to capture attention, recycle legacy brands, and insert itself into conversations already happening across the underground.

What became increasingly clear was that this was not a case of new actors filling the void left by BreachForums. Instead, the same operators who had run BreachForums and its predecessors were staging their own pivot. By amplifying Scattered Lapsus$ Hunters and SHINYSP1D3R in the very same channels where BF’s troubles were being dissected, they transformed collapse into continuity. The shift to Telegram, with louder branding and theatrical claims, was less about reinvention than about reasserting dominance under a different mask.

Operators Behind the Mask: The Continuity of BreachForums, BlackCat, and ShinyHunters

If SHINYSP1D3R’s arrival was about noise and branding, the deeper investigation showed something far more deliberate. The same fingerprints that shaped BreachForums continued to appear behind the curtain of Scattered Lapsus$ Hunters. Using StealthMole’s ability to track session IDs, deleted channels, and recycled contact points, a picture began to emerge: this was not a splinter collective but a rebranded face of the same operators who had cycled through RaidForums, BreachForums, ShinyHunters, and ALPHV/BlackCat. However, the question of identity behind these operators remains open and unresolved.

One of the pivotal clues came from the Telegram channel t.me/s********p. Running it through the Telegram tracker revealed an associated session ID (05********************e) along with two linked emails: s*******p@tuta.com and s********ps@tutamail.com. The same session ID later tied back to a deleted channel that briefly bore the username @is*******aa. That handle is notable, since “Is******a” has repeatedly appeared as owner in ALPHV/BlackCat spaces, including ALPHV’s D**a W****d A*l Telegram channel.

The overlap did not stop there. Messages circulated across RaidForums, Hunger Strike, Babuk Locker, and BreachForums channels often ended with mentions like @sp*******s and @i********a, essentially binding Shiny’s infrastructure to Dedale’s ALPHV presence. StealthMole’s indexing showed that identical messages were echoed as many as twenty times across separate channels, reinforcing the impression that this was a coordinated amplification effort, not random cross-posting.

Even older traces supported the same conclusion. Omnipotent, the founder of RaidForums, had long been suspected of continuing influence within BreachForums. The fact that the same constellation of aliases - Shiny, Deep, Dedale, Omnipotent, Hollow - now appears behind Scattered Lapsus$ Hunters strengthens the case for continuity rather than coincidence. Instead of separate silos, what we see is a network of operators rotating through masks, platforms, and aliases while keeping their grip on the same audiences.

Taken together, the overlap suggested that Mia Dedale (alias @is*********a) and ShinyHunters were not merely collaborators but co-managers of infrastructure stretching across BreachForums, ALPHV, and the new Scattered Lapsus$ Hunters venture. At the same time, it remains unclear whether these accounts reflect the real Dedale and Shiny themselves or successors borrowing their names to maintain continuity.

If BreachForums has stumbled under law enforcement pressure, these channels have provided a parallel stage. They are not an alternative to the forum, nor a replacement for its market role. Rather, they function as a temporary theater: a place to keep attention, brand presence, and community cohesion alive until BreachForums inevitably resurfaces under yet another version.

Fragmented Branding, Shared Playbook

With the operator links established, the next layer of the investigation shifts from “who” to “how.” The pattern that emerged around Scattered Lapsus$ Hunters was not simply a case of recycled aliases, but of recycled tactics. Across Telegram, forums, and affiliate spaces, the group demonstrated a playbook designed to amplify noise, control narrative, and maintain visibility even as specific platforms collapsed.

One example came from the group’s constant invocation of legacy brands. References to RaidForums, BabukLocker, Hunger Strike, and even LockBit were threaded through messages as if to anchor the Hunters within an already-recognized lineage of underground actors. By co-opting those names, the group didn’t just market itself; it effectively borrowed credibility from reputations built over years, allowing new channels to be treated as “authentic” by audiences already primed to trust those labels. Yet this same pattern raises a deeper question: do these invocations point to genuine ties with legacy crews, or are we watching a single operator (or small cluster of operators) impersonating multiple brands to inflate their reach and legitimacy?

At the same time, the Hunters leaned on cross-channel amplification. A single ransom-related announcement (for example, the Cartier leak message) was echoed more than a dozen times across separate Telegram channels tied to different “brands.” To an outside observer, this created the illusion of momentum, as if multiple crews were validating the same operation. In reality, the identical wording and synchronized timing suggest something far more controlled: the same operators recycling their own content across façades they managed, where little independent support existed.
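The identical-wording and synchronized-timing signal described here, and in the earlier passage on messages echoed across separate channels, can be checked mechanically. The following is an added example, not StealthMole’s tooling or code from this report: it groups near-identical posts under a normalised fingerprint and flags bursts that reach several channels inside a short window. The channel names, message text, thresholds and function names are constructed assumptions.

```python
import hashlib
import re
import unicodedata
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: (channel, ISO timestamp, message text).
# Channel names and text are placeholders, not data from the report.
SAMPLE = [
    ("channel_a", "2025-08-10T12:00:00", "BIG LEAK incoming!!! contact @example_handle"),
    ("channel_b", "2025-08-10T12:02:10", "Big leak incoming – contact @example_handle"),
    ("channel_c", "2025-08-10T12:03:45", "big leak  incoming... contact @example_handle"),
    ("channel_d", "2025-08-10T12:09:30", "BIG LEAK INCOMING! Contact @example_handle"),
    ("channel_a", "2025-08-10T12:15:00", "big leak incoming contact @example_handle"),
    # Same text, but re-shared days apart: reuse without synchronized timing.
    ("channel_a", "2025-08-01T09:00:00", "mirror list updated"),
    ("channel_c", "2025-08-05T18:30:00", "Mirror list updated"),
    ("channel_d", "2025-08-12T07:45:00", "mirror list updated."),
    ("channel_b", "2025-08-10T12:05:00", "unrelated chatter"),
]


def fingerprint(text):
    """Hash a message after removing case, punctuation and spacing differences."""
    text = unicodedata.normalize("NFKC", text).casefold()
    text = re.sub(r"[^\w@\s]", " ", text)  # keep words and @mentions only
    return hashlib.sha256(" ".join(text.split()).encode("utf-8")).hexdigest()[:16]


def find_amplification(records, min_channels=3, window=timedelta(minutes=30)):
    """Return bursts where one fingerprint hits >= min_channels within `window`."""
    groups = defaultdict(list)
    for channel, ts, text in records:
        groups[fingerprint(text)].append((datetime.fromisoformat(ts), channel))

    findings = []
    for fp, posts in groups.items():
        posts.sort()
        best, start = None, 0
        for end in range(len(posts)):
            # Slide the left edge forward until the burst fits the time limit.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            burst = posts[start:end + 1]
            channels = sorted({c for _, c in burst})
            # Rank by distinct channels first, then by number of posts.
            score = (len(channels), len(burst))
            if len(channels) >= min_channels and (best is None or score > best["score"]):
                best = {
                    "fingerprint": fp,
                    "channels": channels,
                    "posts": len(burst),
                    "first_seen": burst[0][0],
                    "spread": burst[-1][0] - burst[0][0],
                    "score": score,
                }
        if best:
            findings.append(best)
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in find_amplification(SAMPLE):
        print(f["fingerprint"], f["channels"], f["posts"], "posts in", f["spread"])
```

Repeats inside one channel raise the post count but not the channel count, so a single noisy room does not trigger a finding by itself.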

Finally, the branding itself carried a deliberate chaotic aesthetic. Names like “SCATTERED SP1D3R HUNTERS” or “The Com HQ” echoed the meme-driven bravado of Lapsus$, where confusion and flamboyance were not weaknesses but tools. Theatrical claims, such as dismissing LockBit or DragonForce as inferior, were less about genuine rivalry than about ensuring the new brand could dominate conversation.

In this sense, Scattered Lapsus$ Hunters was never just a channel. It was a stage-managed spectacle, crafted to hold the spotlight during a moment when BreachForums was faltering, while leaving open the possibility that the loudest voices may themselves be imposters wearing the masks of better-known names.

Alliances, Rivalries, and Network Positioning

If branding was one part of the strategy, the other was how Scattered Lapsus$ Hunters placed itself within the wider underground network. Unlike forums, where hierarchy is enforced through administrators and moderators, Telegram thrives on cross-promotion and theatrics. The Hunters used this to their advantage, making sure their name was echoed across channels already associated with major ransomware and leak crews.

Inside the “official” Scattered Lapsus$ Hunters spaces, nearly every post carried a familiar signature: “Hi, it’s shiny again…” or some variation that made no effort to disguise who was speaking. This wasn’t subtle infiltration. It was Shiny planting a flag, claiming authorship of the new brand while tying it directly to earlier reputations built under ShinyHunters and BreachForums.

The amplification strategy went further. Announcements from either the official Scattered Lapsus$ Hunters channel or the ShinyHunters Corp group were forwarded into spaces tied to crews like Babuk Locker and Hunger Strike. To a casual observer, it looked as if rival groups were amplifying or endorsing the Hunters. In reality, these were not organic signals of support but deliberate self-promotion. By pushing the same messages across multiple façades, the operators inflated their visibility, giving the impression of broad underground recognition when it was simply their own content recycled through parallel channels.

Even their visual choices reinforced the blend of identities. A Corvette photo with a “LAPSUS” license plate and Kentucky tag surfaced in channel imagery, echoing Lapsus$’s meme-driven persona while signaling ties to Scattered Spider/UNC3944 through naming conventions. By layering Shiny’s voice on top of Lapsus$’s symbols and Spider’s lineage, the Hunters positioned themselves as a hybrid force, borrowing credibility from every corner of the underground.

The result was a managed illusion. To casual observers, Scattered Lapsus$ Hunters looked embedded in a broad coalition, endorsed by Babuk, BlackCat, and others. In reality, it was the same small circle of operators, amplifying themselves under different masks to dominate the conversation and to capitalize on BreachForums’ collapse.

Forum Theater: Ownership Claims, Arrest Rumors, and Rebrands

Once the branding push was in motion, the story shifted from channels to narrative control. BreachForums became the stage. One set of posts insisted the forum was compromised and effectively under law-enforcement watch, while another denied that any real administrators had been arrested and dismissed the names circulating in rumor threads as decoys. In the same breath, staff statements asserted that IntelBroker was never the true owner, describing that persona as a public face rather than the operator who controlled infrastructure. The effect was confusion by design, a moving target that let the same people speak with multiple voices while keeping followers inside their orbit.

At the center of these announcements was Shiny. Messages circulated across the network with the familiar greeting, “Hi, it’s Shiny again,” followed by instructions to treat BreachForums as unsafe and to use Shiny directly for escrow while the forum was offline. Shortly after, a new message advertised a transfer of BreachForums ownership for a fixed fee, complete with access to backend services, proxy layers and registrar handling, and boasting of a six-figure user base. Whether that offer was a cash-out, a loyalty test, or a way to keep the story moving, it signaled that the forum was being handled as a tradable asset rather than a community. None of this replaced BreachForums. It kept the audience together while the operators prepared the next iteration.

The same pattern played out around The Jacuzzi. That channel was blocked and immediately replaced with a list of “official” and “backup” spaces, including the Shiny groups, the Scattered Lapsus$ Hunters channel, and an Aegis announcements feed. The handoff was presented as resilience in the face of takedowns, but the choreography was the point. New rooms, same voice, same links, same instruction to follow along.

Historical snapshots tied the persona work back to the operators we have already identified. The now-deleted Telegram profile that used the username @i*******a rotated display names through ShinyHunters, Deep, and Hollow, then reappeared in channel bios connected to ALPHV’s Data World as owner. That continuity matters here because it explains why the BreachForums and Scattered Lapsus$ Hunters narratives move in lockstep. The voice that tells people the forum is unsafe is the same voice that tells them where to go next.

Rebrand talk inside the ecosystem added another layer. One thread framed DragonForce as a rebrand of RansomHub, and RansomHub as a rebrand of ALPHV/BlackCat, complete with accusations of affiliate money gone missing. These were not neutral assessments. They positioned rivals as unstable and untrustworthy while elevating the new banner as the reliable successor. In practice, the Hunters kept repeating that SHINYSP1D3R would be faster and stronger than its competitors, but they never treated it as a substitute for BreachForums. The forum remains the core marketplace and broadcast platform in their narrative. The Telegram constellation is a holding pattern, a way to keep the crowd warm and the brand loud until BreachForums is brought back in another version.

From Collapse to Rebrand: The Second Channel

The takedown of the first Scattered Lapsus$ Hunters channel on 8 August did little to slow the operators. Within a week, on 14 August 2025, a new incarnation appeared under the same name but with sharper theatrics. This second channel framed itself not as a fresh start, but as the continuation of a disrupted performance. Its pinned introduction made that explicit: “Hey, it’s me Shiny again, tonight I’m here to share some really bad news I found out while being banned.”

By stamping the relaunch with Shiny’s voice, the operators reinforced what had already become obvious: despite presenting as a plural “Hunters,” the core identity remained tied to Shiny and his extended network. The new channel also expanded its promotional reach, embedding links to @shinyspiders and mirror groups, alongside a Pastebin note signed “~ Staff BreachForums.” These cross-signals served two purposes. First, they blurred the line between the Hunters’ Telegram presence and the enduring BreachForums brand. Second, they allowed the operators to remind audiences that even if forums were unstable, the same “staff” were still active and reachable.

The content mix in this rebrand revealed the strategy at work. Alongside underground posturing were crude scams promising to double Bitcoin deposits or turn $10k into $50k “in just one hour.” These were not meant as serious revenue streams but as part of the performance—bait for newcomers and a signal to veterans that the group remained willing to flood the ecosystem with noise to stay relevant. The combination of scams, conspiratorial messages, and constant cross-promotion underscored a familiar playbook: channels may be banned, but the narrative survives through rebranding.

Far from weakening their influence, the August 14 rebrand demonstrated resilience. Every channel collapse was reframed as censorship, every relaunch as proof of persistence. For the operators, this cycle of deletion and reappearance was not a setback but a stage trick, one that kept audiences engaged and reinforced the myth of continuity.

Identity Wars: The Real Shiny vs. the Impersonators

From the moment Scattered LAPSUS$ Hunters surfaced, one of the loudest questions surrounding it has been: who is really behind the mask? The branding alone, fusing ShinyHunters, Scattered Spider, and LAPSUS$, was enough to spark debate, and the timing coincided with widespread reports of arrests linked to ShinyHunters in France. Security vendors such as ReliaQuest, FalconFeeds, ZeroFox, and S-RM quickly concluded that the new channel was an impersonation or rebrand rather than a legitimate continuation of the original crew. To many observers, Scattered’s theatrical style and opportunistic timing looked like a play for attention in the chaos of BreachForums’ collapse, not the return of a veteran actor.

The channel lineage tells a more complicated story. Using StealthMole’s Telegram tracker, which preserves snapshots of deleted rooms and captures username changes, we tried to reconstruct the first ten days with precision. The first Scattered LAPSUS$ Hunters channel was created on 8 August under the handle t.me/s****************s. Four days later, on 12 August, the channel was banned, and a replacement channel appeared, using the handle @sp***********s. Shiny himself posted an update on this new channel declaring that BreachForums had been compromised by law enforcement and that they were now in “literal war.” By 14 August, in what looked like a defensive maneuver to avoid further takedowns, the handle @sp************s was switched to @l*********i. Taken together, we can treat all three handles as one continuous channel rather than three unrelated rooms.

What happened next is where the identity dispute ignited. The voice most active across the Scattered ecosystem during these days used the display name ShinyHunters with the username @s*********s. That account drove daily posts, cross‑promotions and claims of access. On 19 August, a different persona stepped in: @s*****8 with the name s******p. In a post on @l***********i, shinycorp warned that multiple parties were impersonating “Shiny,” stated that his only Telegram was @s******8, and urged anyone engaging him to demand PGP verification against the archived RaidForums key. He also shared a one‑to‑one chat screenshot where @s**********s acknowledged copying the brand “to make money.” The timing matters. Shinycorp had posted at launch and then went quiet while @s********s filled the channel. He returned only after impersonator accounts proliferated and confusion peaked.

Using StealthMole’s historical snapshots, we were able to separate rumor from traceable facts. The records show the first channel (8–12 August), the second channel created on the 12th, and the handle change to @l**********i on the 14th. They also captured shinycorp’s profile state on 12 August, which used the same avatar as his other social profiles and included a bio string referencing @s***********s. Taken together, these artifacts directly link @s*****8 to the Scattered operation and indicate that he acted as an administrator or operator for the first and second Scattered channels, even if the broader debate over whether he is the “real” Shiny remains unresolved.

There is older context that further supports this reading. In late August 2024, a notice circulated to BreachForums users stating that the @s**p Telegram account and the Jacuzzi 2.0 group had been banned and blacklisted. That message predates the Scattered launch by a year, but it establishes a pattern in which the same operator claims control of Shiny‑branded channels, loses them to takedowns, and reappears under adjacent infrastructure. The Scattered sequence in August 2025 mirrors that pattern almost exactly.

The impersonation issue was not limited to brand confusion. During the week of 18–20 August 2025 several handles closely mimicking the new @l*************i channel appeared, including variants that used inflammatory wording. StealthMole captured posts from @s*******8 on the main channel calling these variants out as fake and advising users not to transact unless PGP validation matched the historical key. Around the same time a separate chat screenshot emerged in which an actor using the handle Sky attempted to extort payment to stop the impersonation campaign and referenced @s*******s by name. This is consistent with what we saw on‑platform: a scramble by opportunists to monetize the confusion as the Scattered brand gained attention.

There are also operational claims tying shinycorp to activity attributed to Scattered. In the days surrounding the first channel, screenshots circulated of shinycorp engaged in a ransom conversation with Australian officials and asserting responsibility for the Qantas incident that Scattered channels had been promoting. We cannot treat a chat screenshot as proof on its own, but taken with the profile linkage and the early‑channel posts, it reinforces the view that @s*******8 was not an outside commentator. He was involved in the campaign’s messaging and in its administration.

Where does this leave the question most people care about: is @s*******8 the “real” ShinyHunters? The answer is still uncertain. What the telemetry allows us to say with confidence is narrower and more useful. The Scattered LAPSUS$ Hunters channel lineage that begins on 8 August and stabilizes under @l**********i was operated by someone with access to @s******8, and that user publicly disavowed @s*******s as an impostor while providing the only consistent verification path through the archived PGP key. Whether @s******8 is the original Shiny or an inner‑circle operator matters less to the attribution of this campaign than the fact that he is the administrator whose fingerprints persist across the channel moves, the handle changes and the cross‑posted announcements.

Conclusion

The emergence of Scattered LAPSUS$ Hunters illustrates how underground ecosystems evolve less through the sudden rise of entirely new actors and more through the strategic recycling of existing ones. What looked like fragmentation was, in practice, continuity masked by new handles and shifting identities. The snapshots we traced, from the first channel on 8 August, through the ban and recreation on the 12th, to the handle change on the 14th, point to a single through-line of administration tied to @s*****8. Even without resolving the broader question of whether this account represents the “real” Shiny, the available evidence places him at the center of Scattered’s operations in its earliest phase.

By staging their presence on Telegram under banners like Scattered LAPSUS$ Hunters and SHINYSP1D3R, the operators preserved their audience while cloaking persistence behind layers of noise. Forums are treated not as fixed strongholds but as disposable stages: when one collapses, the same figures re-emerge in parallel spaces, carrying over their user base, their credibility markers, and even their avatars. The adoption of chaotic branding, theatrical rivalries, and scam callouts is less a collapse of credibility than a deliberate tactic to keep attention in an ecosystem where visibility is currency.

This case underscores that disruption rarely delivers closure. The takedowns of RaidForums and the repeated blows against BreachForums fractured continuity on the surface, but behind it, a resilient operator core adapts, redirects, and reassembles. By steering both the narrative and the infrastructure, these actors maintain loyalty and influence even as individual platforms vanish. Scattered is not an outlier; it is simply the latest mask in a cycle of adaptation that ensures the ecosystem’s gravitational pull never truly dissipates.

Editorial Note

As with all dark web investigations, cyber attribution is inherently probabilistic. The deliberate use of noise, recycled brands, and overlapping identities makes disentangling one actor from another difficult by design. Yet, as this case demonstrates, patterns of continuity persist. Session IDs, recycled usernames, forwarded posts, and deleted channel traces leave artifacts that resist obfuscation.

This investigation, using StealthMole’s indexing of deleted Telegram channels, correlation of session-level artifacts, and ability to track historical infrastructure reuse, shows how apparent chaos can be methodically unpacked. What emerges is a portrait not of fragmentation but of persistence: a core operator set leveraging masks, rebrands, and theatrics to preserve its centrality within the cybercrime underground.

The story of Scattered Lapsus$ Hunters, therefore, is not the birth of a new collective, but the reassertion of continuity under conditions of instability.

To access the unmasked report or full details, please reach out to us separately.
Contact us: support@stealthmole.com
