The Scattered Lapsus$ Hunters group is blackmailing Red Hat. The attackers’ site has posted samples of customer engagement reports stolen from the company, and the hackers claim they demanded a ransom from Red Hat but have not yet received a response.
Last week, the extortion group Crimson Collective claimed it had stolen 570 GB of data from 28,000 internal Red Hat repositories. Company representatives confirmed that one of its GitLab instances had been compromised.
At the time, the attackers said that the stolen data included around 800 Customer Engagement Reports (CERs), which may contain confidential information about customers’ networks and platforms.
CERs are consulting documents prepared for clients and often contain infrastructure details, configuration data, authentication tokens, and other information that can be used for attacks.
As reported by BleepingComputer, shortly after the breach was disclosed, attackers from the Scattered Lapsus$ Hunters group (an alliance of members of the hacking groups Scattered Spider, LAPSUS$, and ShinyHunters) attempted to establish contact with Crimson Collective.
Ultimately, the group announced that it had teamed up with Scattered Lapsus$ Hunters, and samples of the data stolen from Red Hat were posted on the newly launched ShinyHunters leak site. The attackers threaten to publish the entire 570 GB of data on October 10, 2025, if the company does not pay the ransom.
“We plan to work with ShinyHunters on future attacks and releases,” the Crimson Collective threat actors told reporters.
Journalists note that ShinyHunters currently operates as an extortion-as-a-service (EaaS) operation: the group collaborates with other threat actors to extort money from companies in exchange for a share of the ransom.
This hypothesis was based on numerous attacks carried out by different threat actors, with extortion conducted in the name of ShinyHunters, including attacks against Oracle Cloud and PowerSchool. Conversations with representatives of ShinyHunters supported this theory: the group claimed it was not behind the specific breaches, but merely acted as a broker for the stolen data.
Recently, members of ShinyHunters told BleepingComputer that they do indeed operate under an EaaS model, taking a share of ransoms obtained from attacks carried out by other threat actors.
“Everyone I worked with in the past took 70–75%, and I got 25–30%,” one of the attackers told the publication.