Criticality: 8/10

From Cybercriminal to Testimony: Meet Rey, the Ex-Member of ‘Scattered LAPSUS$ Hunters’

Source: Krebs on Security

The notorious hacker group known as ‘Scattered LAPSUS$ Hunters’ (SLSH) has seen a shift in leadership, with the real identity of its technical operator and public face, Rey, recently confirmed. This development marks a significant turn in the cybercrime landscape as SLSH continues to evolve.

The Rise of Scattered LAPSUS$ Hunters

SLSH is believed to be an amalgamation of three hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters. Their activities have dominated headlines this year, with frequent data thefts and mass extortions targeting major corporations. In May 2025, they launched a social engineering campaign using voice phishing to steal data from Salesforce portals.

The New Threat: ShinySp1d3r Ransomware

Recently, SLSH announced the release of its own ransomware-as-a-service (RaaS) operation called ShinySp1d3r. This move underscores the group's growing sophistication and ambition. Rey, a key figure in SLSH, previously managed data leak websites for other ransomware groups like Hellcat.

The Unmasking of Rey

KrebsOnSecurity tracked down Rey through his Telegram account, which featured an offer to recruit insiders from large companies. Rey’s real identity and location were revealed through a series of operational security mistakes he made last year. His username @wristmug was linked to an email address that had been breached, revealing personal details including his family connections.

Family Connections and Legal Issues

Rey claimed Irish heritage and mentioned his father is an airline pilot. He shared a graphic showing the prevalence of the surname ‘Ginty.’ Rey’s computer was traced back to Amman, Jordan, revealing multiple users with similar identities. Law enforcement was already involved in the case, as Saif Al-Din Khader (Rey’s real name) had been communicating with European authorities.

Future Implications

With Rey now cooperating with law enforcement, there are hopes for a resolution to this cybercrime saga. However, Saif expressed concerns about potential repercussions if the story is publicized. The case highlights the challenges in dismantling sophisticated cybercrime operations and the importance of international cooperation in addressing these threats.

The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.

Keywords

cybercriminal Rey Scattered LAPSUS$ Hunters ShinySp1d3r ransomware Operation Endgame

Threat Type

Ransomware, Phishing
