Rey, the technical operator and public face of the cybercriminal group Scattered LAPSUS$ Hunters (SLSH), has confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father. SLSH is thought to be an amalgamation of three hacking groups—Scattered Spider, LAPSUS$, and ShinyHunters.
The Rise of ShinySp1d3r Ransomware
Last week, SLSH announced the release of their own ransomware-as-a-service operation called ShinySp1d3r. The individual responsible for releasing the offering is Rey and currently one of just three administrators of the SLSH Telegram channel.
Operational Security Mistakes
Rey made several critical operational security mistakes that provided multiple avenues to ascertain and confirm his real-life identity and location. These included posting a screenshot of an extortion email he received on a Telegram group chat, using a unique but exposed password, and sharing personal details online.
The Case Against Rey
Intel 471 traced Rey’s activities back to the username Hikki-Chan, which they say shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention. The screenshot of the extortion email posted by Rey on Telegram included his father’s email address and password, which were exposed in early 2024.
The Real Identity: Saif Al-Din Khader
Rey turned out to be Saif Al-Din Khader, a 16-year-old from Jordan. He had already reached out to law enforcement and was cooperating with them, although he expressed concern about the potential consequences of being exposed to the public.
Conclusion
The case of Rey highlights the risks associated with using compromised credentials and the importance of taking responsibility for one’s actions. Saif’s decision to cooperate with law enforcement shows that it is possible to move on from cybercrime, but it requires courage and a willingness to confront the consequences of past mistakes.