The notorious threat actor Scattered Spider has radically transformed its operations, moving from high-visibility hacks and dramatic data leaks to a far more lucrative and covert business model built around insider collaboration and access brokerage. Security researchers warn that the group, associated with LAPSUS$, ShinyHunters, and the broader Scattered LAPSUS$ Hunters collective, is now functioning as a hybrid Ransomware-as-a-Service (RaaS) and insider threat operation targeting some of the world's largest technology companies.
This evolution marks a dangerous shift in the threat landscape: rather than stealing data for short-lived publicity, Scattered Spider is working to secure long-term, privileged access inside corporate environments—and paying employees to help them do it. The group's professionalized approach represents one of the most sophisticated criminal business models to emerge from the dark web in recent years, blending traditional cybercrime with corporate-style recruitment and profit-sharing structures.
Scattered Spider's earlier operations were chaotic, noisy, and designed for notoriety. That era is over. The group has now adopted a professionalized, revenue-driven model focused on buying and selling insider access to corporate networks, recruiting employees across telecom, cloud, gaming, and IT outsourcing sectors, selling stolen access to ransomware affiliates, and leasing footholds in Active Directory, Okta, Azure, and AWS environments.
Old model: High-visibility hacks, data leaks, publicity-driven operations
New model: Insider access marketplace, ransomware affiliate networks, quiet persistence
Companies named in recruitment posts: Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, Salesloft, Salesforce
Companies explicitly mentioned in their recruitment campaigns include Microsoft, Apple, IBM, EA, Claro, Telefónica, OVH, Salesloft, Salesforce, and several others in the U.S., U.K., Canada, France, and Australia. In a dark web post advertising profit-sharing deals, the group stated: "We already have the data. We need access." This signals a deliberate pivot toward persistent access operations, allowing affiliates to exploit networks repeatedly for ransomware and extortion campaigns.
Scattered Spider is now offering 25% of profits for insiders providing Active Directory access and 10% for identity platform access (Okta, Azure AD, AWS IAM root keys). They are also buying VPN credentials, Citrix sessions, AnyDesk or remote-access installations, SSH keys, and OpenLDAP logs.
25% of profits: for Active Directory access provision
10% of profits: for Okta, Azure AD, AWS IAM root access
Bought outright: VPN creds, Citrix sessions, SSH keys, OpenLDAP logs
This structured framework reflects a mature, scalable criminal business model that has moved far beyond the opportunistic hacking of Scattered Spider's earlier days. The group now functions more like a corporate recruitment agency, carefully vetting potential insiders and establishing clear contractual terms for their criminal partnerships.
The Scattered LAPSUS$ Hunters recently launched a revamped extortion leak site, claiming breaches at Salesloft, Salesforce, and nearly 40 other companies. They threatened full data releases if ransoms are not paid by October 10, 2025.
Salesforce denies platform compromise: In a public statement on October 2, Salesforce said: "There is no indication that the Salesforce platform has been compromised... these attempts relate to past or unsubstantiated incidents." Scattered Spider dismisses that explanation, alleging theft of nearly one billion PII records, and threatening lawsuits—naming the data-privacy law firm Berger Montague as a potential partner.
They also warned that they may expose violations of GDPR, CCPA, and HIPAA. The group said it would publish an audit describing how companies "failed as data controllers" to prevent intrusions, positioning themselves not just as criminals but as vigilante auditors of corporate security failures.
In comments to The Cyber Express, Scattered Spider blasted the shared-responsibility model used by cloud providers: "Salesforce is saying 'you can use our services, but you handle most of the security yourself.'" They argued that companies could have blocked their intrusion attempts by simply filtering known threat indicators such as Mullvad VPN and Tor exit nodes—which they claim were not restricted.
The leak site lists a staggering array of global brands, including Microsoft, Apple, Google AdSense, Cisco, Toyota, FedEx, Disney/Hulu, UPS, McDonald's, KFC, Instacart, Chanel, Adidas, and Air France/KLM. This showcases the group's ambition and the scale of its claimed victim list, which reads like a who's who of global corporate giants.
Scattered Spider's shift from headline-making breaches to quiet, insider-powered access markets represents a significant evolution in modern cybercrime. This model lowers operational risk for attackers, increases long-term profitability, gives ransomware affiliates a constant supply of fresh network footholds, and transforms ordinary employees into high-value assets.
Revenue streams: insider access recruitment and profit-sharing (25% for AD, 10% for IAM); access brokerage to ransomware affiliates (subscription/lease model); extortion payments from victim companies
Target sectors: telecom, cloud hosting, enterprise software, gaming, IT outsourcing
Target geographies: U.S., U.K., Canada, France, Australia (avoiding Russia/China/North Korea)
Victim selection: only companies worth over $500M market capitalization
Organizations are urged to strengthen identity and access management, insider threat monitoring, privileged account controls, VPN and remote-access auditing, and behavioral analytics for suspicious authentication attempts. Specific recommendations include:
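To make the indicator filtering the group describes and the behavioral authentication checks recommended here concrete, the following is an added example written for this article, not code from the report or any vendor: it reviews constructed sign-in records against placeholder Tor/VPN ranges, flags interactive use of an AWS root principal, and flags a user's first sign-in from a network never seen in that user's baseline. The log format, denylist CIDRs and baseline are all constructed assumptions.

```python
import ipaddress
import json

# Constructed denylist standing in for Tor exit-node and commercial-VPN feeds.
# The CIDRs are documentation ranges (placeholders), not real indicator data.
DENYLIST = {
    "tor-exit": ["198.51.100.0/24"],
    "mullvad-vpn": ["203.0.113.0/24"],
}
NETWORKS = [(ipaddress.ip_network(c), label)
            for label, cidrs in DENYLIST.items() for c in cidrs]

# Constructed sign-in log (JSON lines); the field names are hypothetical.
SAMPLE_LOG = """\
{"user":"alice","src_ip":"192.0.2.10","result":"success","principal":"alice"}
{"user":"alice","src_ip":"198.51.100.7","result":"success","principal":"alice"}
{"user":"bob","src_ip":"203.0.113.22","result":"failure","principal":"bob"}
{"user":"bob","src_ip":"192.0.2.55","result":"success","principal":"root"}
{"user":"carol","src_ip":"192.0.2.80","result":"success","principal":"carol"}
"""

# Constructed per-user baseline: /24 networks each user has signed in from before.
BASELINE = {"alice": {"192.0.2.0/24"}, "bob": {"192.0.2.0/24"}}


def source_label(ip):
    """Return the feed label whose range contains ip, or None if not listed."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in NETWORKS if addr in net), None)


def review_sign_ins(log_text, baseline):
    """Return (user, reason) findings worth a responder's attention: any sign-in
    from a denylisted range, interactive use of the root principal, and a
    successful sign-in from a /24 absent from the user's baseline."""
    findings = []
    for line in log_text.splitlines():
        e = json.loads(line)
        label = source_label(e["src_ip"])
        if label:
            findings.append((e["user"], f"{e['result']} sign-in from {label} range"))
        if e["principal"] == "root":
            findings.append((e["user"], "AWS root principal used interactively"))
        if e["result"] == "success":
            net = str(ipaddress.ip_network(f"{e['src_ip']}/24", strict=False))
            if net not in baseline.get(e["user"], set()):
                findings.append((e["user"], f"first sign-in from {net}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_sign_ins(SAMPLE_LOG, BASELINE):
        print(f"{user}: {reason}")
```

The denylist lookup is the "filter known threat indicators" control the group says was missing; the baseline check is the kind of behavioral signal that catches a purchased credential used from an unfamiliar network even when no feed lists the source.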
The Scattered Spider model represents a fundamental shift in the economics of cybercrime. By creating a structured marketplace for insider access, the group has effectively commoditized corporate intrusion, making it easier for less-skilled attackers to launch sophisticated campaigns while distributing risk across multiple participants in their criminal ecosystem.
The success of Scattered Spider's insider marketplace model is likely to inspire imitation across the cybercrime ecosystem. Security experts predict that within the next 12-18 months, similar marketplaces will emerge, potentially specializing in specific industries or geographic regions. This could lead to:
Specialized marketplaces for healthcare, finance, energy sectors
Reduced prices for access as more groups enter the market
Reputation systems for insiders and access quality
Third-party services to ensure payment after successful access
Education for insiders on how to maintain access undetected
Increased law enforcement focus on insider recruitment networks
As organizations grapple with this new threat landscape, the need for comprehensive insider threat programs has never been more urgent. Companies that fail to adapt their security postures to address the insider threat vector risk becoming easy targets for Scattered Spider and the copycat groups that will inevitably follow.