Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

Recorded: Nov. 29, 2025, 9:02 a.m.

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’ – Krebs on Security

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

November 26, 2025

A prolific cybercriminal group that calls itself “Scattered LAPSUS$ Hunters” has dominated headlines this year by regularly stealing data from and publicly mass extorting dozens of major corporations. But the tables seem to have turned somewhat for “Rey,” the moniker chosen by the technical operator and public face of the hacker group: Earlier this week, Rey confirmed his real life identity and agreed to an interview after KrebsOnSecurity tracked him down and contacted his father.
Scattered LAPSUS$ Hunters (SLSH) is thought to be an amalgamation of three hacking groups — Scattered Spider, LAPSUS$ and ShinyHunters. Members of these gangs hail from many of the same chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.
In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization’s Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.
The new extortion website tied to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
Last week, the SLSH Telegram channel featured an offer to recruit and reward “insiders,” employees at large companies who agree to share internal access to their employer’s network for a share of whatever ransom payment is ultimately paid by the victim company.
SLSH has solicited insider access previously, but their latest call for disgruntled employees started making the rounds on social media at the same time news broke that the cybersecurity firm CrowdStrike had fired an employee for allegedly sharing screenshots of internal systems with the hacker group (CrowdStrike said its systems were never compromised and that it has turned the matter over to law enforcement agencies).
The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.
Members of SLSH have traditionally used other ransomware gangs’ encryptors in attacks, including malware from ransomware affiliate programs like ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. But last week, SLSH announced on its Telegram channel the release of their own ransomware-as-a-service operation called ShinySp1d3r.
The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle “Rey” and who is currently one of just three administrators of the SLSH Telegram channel. Previously, Rey was an administrator of the data leak website for Hellcat, a ransomware group that surfaced in late 2024 and was involved in attacks on companies including Schneider Electric, Telefonica, and Orange Romania.
A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.
Also in 2024, Rey would take over as administrator of the most recent incarnation of BreachForums, an English-language cybercrime forum whose domain names have been seized on multiple occasions by the FBI and/or by international authorities. In April 2025, Rey posted on Twitter/X about another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced it had once again seized the domains associated with BreachForums, which it described as a major criminal marketplace used by ShinyHunters and others to traffic in stolen data and facilitate extortion.
“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” the FBI said.
Incredibly, Rey would make a series of critical operational security mistakes last year that provided multiple avenues to ascertain and confirm his real-life identity and location. Read on to learn how it all unraveled for Rey.
WHO IS REY?
According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle “Hikki-Chan” on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called “Pantifan” a copy of an extortion email they said they received that included their email address and password.
The message that @wristmug cut and pasted appears to have been part of an automated email scam that claims it was sent by a hacker who has compromised your computer and used your webcam to record a video of you while you were watching porn. These missives threaten to release the video to all your contacts unless you pay a Bitcoin ransom, and they typically reference a real password the recipient has used previously.
“Noooooo,” the @wristmug account wrote in mock horror after posting a screenshot of the scam message. “I must be done guys.”
A message posted to Telegram by Rey/@wristmug.
In posting their screenshot, @wristmug redacted the username portion of the email address referenced in the body of the scam message. However, they did not redact their previously-used password, and they left the domain portion of their email address (@proton.me) visible in the screenshot.
O5TDEV
Searching on @wristmug’s rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: cybero5tdev@proton.me. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user’s device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords and authentication cookies (a finding that was initially revealed in March 2025 by the cyber intelligence firm KELA).
Intel 471 shows the email address cybero5tdev@proton.me belonged to a BreachForums member who went by the username o5tdev. Searching on this nickname in Google brings up at least two website defacement archives showing that a user named o5tdev was previously involved in defacing sites with pro-Palestinian messages. The screenshot below, for example, shows that 05tdev was part of a group called Cyb3r Drag0nz Team.
Rey/o5tdev’s defacement pages. Image: archive.org.
A 2023 report from SentinelOne described Cyb3r Drag0nz Team as a hacktivist group with a history of launching DDoS attacks and cyber defacements as well as engaging in data leak activity.
“Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks,” SentinelOne reported. “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”
The cyber intelligence firm Flashpoint finds the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels like “Ghost of Palestine” [full disclosure: Flashpoint is currently an advertiser on this blog].
‘I’M A GINTY’
Flashpoint shows that Rey’s Telegram account (ID 7047194296) was particularly active in a cybercrime-focused channel called Jacuzzi, where this user shared several personal details, including that their father was an airline pilot. Rey claimed in 2024 to be 15 years old, and to have family connections to Ireland.
Specifically, Rey mentioned in several Telegram chats that he had Irish heritage, even posting a graphic that shows the prevalence of the surname “Ginty.”
Rey, on Telegram claiming to have association to the surname “Ginty.” Image: Flashpoint.
Spycloud indexed hundreds of credentials stolen from cybero5tdev@proton.me, and those details indicate that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 show there are multiple users of the infected PC, but that all shared the same last name of Khader and an address in Amman, Jordan.
The “autofill” data lifted from Rey’s family PC contains an entry for a 46-year-old Zaid Khader that says his mother’s maiden name was Ginty. The infostealer data also shows Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.
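The chain the article walks through (a redacted screenshot that still leaks a password and a mail domain, a breach-data lookup that maps the password to a single mailbox, forum registrations that map the mailbox to a handle, and stealer logs that tie the mailbox to a shared machine and its autofill entries) is a general correlation procedure, and it is worth seeing as code. The block below is an added example, not code from the article or from SpyCloud, Intel 471, Flashpoint or KELA; every record, host, name and handle in it is constructed, and the lookups run over in-memory lists rather than any vendor API. The caveat a practitioner needs is built in: a password is only a usable pivot when it is distinctive, so the code refuses to name anyone from a password shared by more than a couple of accounts, and it makes that decision over the whole dataset before narrowing by mail domain, because filtering a common password down to one domain would manufacture a false match.

```python
from collections import Counter

# Constructed stealer-log style credential records. Every value here is invented
# for the example; none of it is real breach data or a real person.
CRED_RECORDS = [
    # the pivot target: a long, distinctive password seen on one mailbox, captured twice
    {"email": "hikari-x@proton.me", "password": "Qx7#Lw9vR2mK!pZ", "host": "HOST-A", "source": "stealer-2024-01"},
    {"email": "hikari-x@proton.me", "password": "Qx7#Lw9vR2mK!pZ", "host": "HOST-A", "source": "stealer-2024-02"},
    # other browser profiles on the same infected (shared) machine
    {"email": "j.doe@example.org", "password": "Summer2023!", "host": "HOST-A", "source": "stealer-2024-01"},
    {"email": "m.doe@example.org", "password": "letmein123", "host": "HOST-A", "source": "stealer-2024-02"},
    # noise: a common password reused by unrelated people on unrelated hosts
    {"email": "alice@example.net", "password": "letmein123", "host": "HOST-B", "source": "combo-2023"},
    {"email": "bob@example.com", "password": "letmein123", "host": "HOST-C", "source": "combo-2023"},
    {"email": "carol@proton.me", "password": "letmein123", "host": "HOST-D", "source": "combo-2022"},
]

# Constructed browser autofill entries, keyed by the infected host they were lifted from.
AUTOFILL_RECORDS = [
    {"host": "HOST-A", "field": "name", "value": "Jonas Doe"},
    {"host": "HOST-A", "field": "name", "value": "Mara Doe"},
    {"host": "HOST-A", "field": "address", "value": "12 Example Street, Sample City"},
    {"host": "HOST-A", "field": "mother_maiden_name", "value": "Roe"},
    {"host": "HOST-B", "field": "name", "value": "Alice Example"},
]

# Constructed forum-registration data (mailbox -> handle), standing in for a vendor's forum index.
HANDLE_RECORDS = [
    {"email": "hikari-x@proton.me", "handle": "h1kari", "forum": "example-forum"},
    {"email": "alice@example.net", "handle": "al1ce", "forum": "example-forum"},
]


def pivot_on_password(records, password, email_domain=None, max_accounts=2):
    """Map a leaked password to the mailbox(es) that used it.

    Returns None when the password is shared by more than `max_accounts`
    distinct mailboxes: a common password identifies nobody. That check runs
    over the whole dataset before any domain filter, because filtering a
    common password down to one domain would manufacture a false match.
    """
    all_emails = {r["email"].lower() for r in records if r["password"] == password}
    if not all_emails or len(all_emails) > max_accounts:
        return None
    if email_domain:
        all_emails = {e for e in all_emails if e.rsplit("@", 1)[-1] == email_domain.lower()}
    return sorted(all_emails) or None


def hosts_for_email(records, email):
    """Infected machines whose stealer logs contained credentials for this mailbox."""
    return sorted({r["host"] for r in records if r["email"].lower() == email.lower()})


def host_cohort(records, autofill, host):
    """Everything the logs tie to one machine: co-users, autofill, and whether the names share a surname."""
    emails = sorted({r["email"] for r in records if r["host"] == host})
    entries = [a for a in autofill if a["host"] == host]
    surnames = Counter(a["value"].split()[-1] for a in entries if a["field"] == "name")
    return {
        "emails": emails,
        "autofill": entries,
        # a single surname across every name field is what makes a "family PC" reading defensible
        "shared_surname": next(iter(surnames)) if len(surnames) == 1 else None,
    }


def attribute(records, autofill, handles, password, email_domain=None):
    """Run the full chain: password -> mailbox -> forum handles -> hosts -> host cohort."""
    emails = pivot_on_password(records, password, email_domain)
    if emails is None:
        return None
    return {
        e: {
            "handles": sorted(h["handle"] for h in handles if h["email"].lower() == e),
            "hosts": {h: host_cohort(records, autofill, h) for h in hosts_for_email(records, e)},
        }
        for e in emails
    }


if __name__ == "__main__":
    import json
    # the two things a redacted screenshot still leaves behind: the password and the mail domain
    print(json.dumps(attribute(CRED_RECORDS, AUTOFILL_RECORDS, HANDLE_RECORDS, "Qx7#Lw9vR2mK!pZ", "proton.me"), indent=2))
    # a common password, even restricted to one domain, yields no attribution
    print(attribute(CRED_RECORDS, AUTOFILL_RECORDS, HANDLE_RECORDS, "letmein123", "proton.me"))
```

The `max_accounts` threshold is the knob that separates a pivot from a coincidence; in real breach corpora a 15-character random-looking string that appears on exactly one mailbox across multiple independent dumps is strong, while anything in the top few thousand passwords is worthless no matter how well the domain matches. The same code, run from the defender's side over your own organization's exposed-credential feed, flags which employees share a machine with someone else's stolen profile.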
MEET SAIF
The infostealer data makes clear that Rey’s full name is Saif Al-Din Khader. Having no luck contacting Saif directly, KrebsOnSecurity sent an email to his father Zaid. The message invited the father to respond via email, phone or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy.
Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.
“I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,’” said Saif, who told me he turns 16 years old next month. “So I decided to talk to you directly.”
Saif explained that he’d already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why then he was involved in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn’t just suddenly quit the group.
“Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on,” he said.
The former Hellcat ransomware site. Image: Kelacyber.com
He also shared that ShinySp1d3r is just a rehash of Hellcat ransomware, except modified with AI tools. “I gave the source code of Hellcat ransomware out basically.”
Saif claims he reached out on his own recently to the Telegram account for Operation Endgame, the codename for an ongoing law enforcement operation targeting cybercrime services, vendors and their customers.
“I’m already cooperating with law enforcement,” Saif said. “In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September.”
Saif suggested that a story about him right now could endanger any further cooperation he may be able to provide. He also said he wasn’t sure if the U.S. or European authorities had been in contact with the Jordanian government about his involvement with the hacking group.
“A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate,” Saif said. “I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”
Saif shared a screenshot that indicated he’d contacted Europol authorities late last month. But he couldn’t name any law enforcement officials he said were responding to his inquiries, and KrebsOnSecurity was unable to verify his claims.
“I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say,” Saif said.

This entry was posted on Wednesday 26th of November 2025 12:22 PM

Categories: A Little Sunshine, Breadcrumbs, Ne'er-Do-Well News, Ransomware
Tags: BreachForums, CrowdStrike, Cyb3r Drag0nz Team, cybero5tdev@proton.me, Disney/Hulu, FedEx, Flashpoint, Hellcat, Hikki-Chan, KELA, LAPSUS$, o5tdev, Orange Romania, Saif Al-Din Khader, Scattered LAPSUS$ Hunters, Scattered Spider, Schneider Electric, SentinelOne, ShinyHunters, ShinySp1d3r, SpyCloud, Telefonica, Toyota, U.S. Centers for Disease Control and Prevention, UPS, wristmug, Zaid Khader

24 thoughts on “Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’”

Jim November 26, 2025

It’s a shame about Rey.

gone in n seconds November 28, 2025

it’s a shame about your game.

mealy November 26, 2025

Oof, death by a thousand breadcrumbs! Great investigating and reporting BK, as always.
Gotta love a ransom-attempt selfie that trips up a ransomware op’s opsec.
Broker, break thyself!

Fr00tL00ps November 26, 2025

Couldn’t agree more. Gotta love Brian’s OSINT skills. He is like a bloodhound.

chichicarones November 27, 2025

And to do such work right around Thanksgiving. Proves his dedication to eradicating the world of such pestilence upon mankind.

David Michael Dorbish Jr November 26, 2025

Rest in piss.
You won’t be missed.

RedrumOfCrows Bluesky November 26, 2025

You Rock, Brian. The story had me bouncing monikers and titles against my now ‘bigdatawarehouse’ of domains and related info all the way down while thinking I was reading what was more ‘cyber-info-alert’ a la CISA until the end where you find the fellow ! I’m ready for your first fiction thriller novel because you surely have the knowledge and chops for it.

Michael Sean November 26, 2025

Rey, You’re just the latest to learn… “They sow the wind, and they shall reap the whirlwind”

r0th3r November 26, 2025

now dox one of the big bOys… oh wAit, u cant since yr a fkin sKid
d1sc0rd? p0pp3d…
your f0r3h34d? b1g as h3ll…

top floor cuck November 27, 2025

very accurate big man

kimbot November 27, 2025

You ever get the feeling like the wrong people get punished, sometimes?

Gotham City Resident November 27, 2025

Brian, you’ve outdone yourself this time. Truly wonderful and very accurate reporting. You doxxed him! Scattered Spider will never be the same again.
Keep up the good work Batman.

Dennis November 27, 2025

He is lying. He got caught and now he is scared like a little bitch that he is. It must be great for his dad to find his name on a site like this one. I’m sure it will help with his pilot license renewal.

fran blanc November 27, 2025

Europol are the least of Rey’s problems. Now he has caught the attention of Tel Aviv. Pack a toothbrush, pal. You should have listened to your Irish grandmother when she told you it is wrong to steal.

mealy November 27, 2025

Mention of Israel being ‘against stealing’ is doubly ironic though. Ask Vanunu.

Sad WOPR fan. November 27, 2025

Rest in peace, swift programmers. We conquered the BK in 2023.

gone in n seconds November 27, 2025

conquered the best Chelsea Chinese place for soup in the beginning of COVID. What can a man go back to, now?
MMORPG not so great.

mark November 27, 2025

Fascinating. One thing I note – they actually had some ethics: “companies over $500M, and no health”. So they don’t want to kill anyone by accident, just hit up companies that can afford anything (and can afford to fight back).

John Deux November 27, 2025

IMHO, some of it is complete BS. For instance, they don’t mention the entire CIS, meaning they are LARP-ing as Russians and/or being Kremlin-connected.
No hospitals also strikes me as BS.

gone in n seconds November 27, 2025

maybe it’s a moldovan subgroup.

gone in n seconds November 27, 2025

Are we sure sweet baby ray isn’t a Romanian?

xdxdxd November 27, 2025

as always, you’re a moron krebs.
