
In the shadowy world of cybercrime, alliances are rare — but when they happen, they can rewrite the rules of the game. That’s exactly what appears to be unfolding between two of the most notorious hacking groups of recent years: ShinyHunters and Scattered Spider. Once operating with vastly different styles and motives, new evidence suggests these threat actors are now aligning their tactics, pooling resources, and coordinating attacks on a scale that could make them far harder to detect or stop.
The Growing Alliance Between Two Cybercrime Giants
An in-depth analysis of recent cyberattacks against high-profile companies — including Google, Louis Vuitton, and Allianz — has uncovered patterns that hint at a strategic partnership between ShinyHunters and Scattered Spider. Security researchers at ReliaQuest point to shared attack infrastructure, overlapping victim lists, and synchronized timelines as strong indicators of cooperation.
Traditionally, ShinyHunters specialized in data theft for profit. Emerging in 2020, they targeted major global brands like AT&T, Santander, Ticketmaster, Adidas, Air France, and most recently Google, Allianz, and Louis Vuitton. Their method was straightforward: use stolen credentials to infiltrate networks, exfiltrate sensitive data, and sell it on underground markets.
Scattered Spider, on the other hand, burst onto the scene in 2022 as masters of social engineering and phishing schemes. Often composed of young, native English-speaking hackers, this group gained infamy for impersonating IT staff to trick employees into revealing credentials. Their track record includes high-profile breaches at MGM Resorts and Caesars Palace in 2023, which caused multimillion-dollar losses.
The new twist? ShinyHunters’ latest campaigns now bear a striking resemblance to Scattered Spider’s methods. Instead of sticking solely to credential misuse, they have adopted vishing (voice phishing) tactics, spoofed legitimate applications like Salesforce, and used VPN obfuscation tools such as Mullvad to hide their tracks.
Shared Infrastructure and Synchronized Attacks
ReliaQuest found multiple technical overlaps suggesting the collaboration is deliberate:
Domain naming conventions match Scattered Spider’s style, such as “SSO-company[.]com,” mirrored by ShinyHunters domains like “ticket-lvmh[.]com” and “ticket-dior[.]com.”
Domain registration through GMO Internet — a service previously favored by Scattered Spider — is now common to both groups.
Parallel targeting patterns have emerged. When Scattered Spider attacked retail giants like Marks & Spencer and Harrods earlier this year, ShinyHunters hit other brands in the same sector, such as Tiffany, Dior, and Adidas. Similarly, both groups pivoted to insurance companies within weeks of each other.
One Telegram user, going by the alias “Sp1d3rhunters”, even claimed publicly that the two gangs were working together — a rare instance of cybercriminals openly boasting about a partnership.
Why This Alliance is So Dangerous
By combining ShinyHunters’ skills in data theft and extortion with Scattered Spider’s expertise in social engineering and initial access, the groups gain a significant tactical advantage. Brandon Tirado, director of threat research at ReliaQuest, warns that this makes attribution much harder. Indicators of compromise once unique to a single group are now interchangeable, rendering traditional detection models less effective.
Defenders will need to pivot toward monitoring tactics, techniques, and procedures (TTPs) instead of simply linking attacks to known actors. This means proactively scanning for domains mimicking company brands, hardening SaaS applications, and investing heavily in employee training against phishing and vishing threats.
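As an added example (not from ReliaQuest or the original report), the brand-mimicking domain scan recommended above can be sketched as a filter over a newly-registered-domain or certificate-transparency feed, flagging names that pair a brand with a lure keyword in the "keyword-brand" style described earlier. The brand list, owned-domain allowlist, extra keywords and sample feed are assumptions to replace with your own.

```python
import re

# Assumed watchlist: replace with your own brand strings and owned domains.
BRANDS = {"lvmh", "dior", "examplecorp"}           # examplecorp is a placeholder
OWNED = {"lvmh.com", "dior.com", "examplecorp.com"}
# "sso" and "ticket" come from the article; "helpdesk" and "login" are assumed extras.
LURES = {"sso", "ticket", "helpdesk", "login"}


def refang(domain: str) -> str:
    """Normalise defanged feed entries such as ticket-dior[.]com."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(domain: str) -> str:
    # Simplification: last two labels. Use a Public Suffix List for co.uk etc.
    return ".".join(domain.split(".")[-2:])


def classify(domain: str):
    """Return (domain, severity) for a lookalike, or None if nothing matches."""
    d = refang(domain)
    if registrable(d) in OWNED:
        return None                      # our own zone, e.g. ticket.dior.com
    # Match whole hyphen/dot-delimited tokens so "ticketmaster" != "ticket".
    tokens = set(re.split(r"[-.]", d))
    if not tokens & BRANDS:
        return None
    return (d, "high" if tokens & LURES else "review")


def scan(feed):
    """Classify every entry of a newly-registered-domain or CT-log feed."""
    return [hit for hit in map(classify, feed) if hit]


# Constructed sample feed; the two ticket-* names are the ones quoted above.
SAMPLE_FEED = [
    "ticket-dior[.]com", "ticket-lvmh[.]com", "SSO-examplecorp[.]com",
    "ticket.dior.com", "ticketmaster.com", "dior-outlet.net",
]

if __name__ == "__main__":
    for name, severity in scan(SAMPLE_FEED):
        print(f"{severity:6} {name.replace('.', '[.]')}")
```

Token matching keeps false positives down but misses concatenated names with no delimiter between brand and keyword, so treat "review" hits and any substring-based second pass as analyst triage rather than automatic blocking.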
What Undercode Say:
The potential partnership between ShinyHunters and Scattered Spider represents a paradigm shift in cybercrime operations — one that could set the tone for the next wave of large-scale attacks. Here’s why it matters and what it means for the future:
1. Blended Threat Models Are Harder to Predict
When groups merge tactics, defenders lose the advantage of pattern recognition. If ShinyHunters suddenly adopts Scattered Spider’s vishing playbook, any predictive models trained on past behavior become obsolete.
2. Diversification of Attack Vectors
These two groups together can strike via multiple channels simultaneously — phishing, vishing, credential stuffing, and data exfiltration — making it more difficult for companies to mount a unified defense.
3. Sector-Specific Targeting
The synchronized targeting of industries (e.g., retail in April, insurance in June) suggests they may be coordinating to maximize market disruption while avoiding stepping on each other’s toes. This coordinated sequencing allows for sustained pressure on one sector at a time.
4. Increased Attack Frequency
With both groups operating in parallel, companies may face double the volume of attacks without realizing they stem from two cooperating entities.
5. Psychological Pressure on Victims
Businesses hit by one group might expect the assault to be over — only to find the second group following up with a new attack, creating the illusion of an endless siege.
6. Potential for Expanded Recruitment
A merged operational model could attract more cybercriminal talent, as new recruits might be drawn to a “supergroup” with proven success and global recognition.
7. Challenge for Law Enforcement
Multi-jurisdictional investigations are already complex, but shared infrastructure and overlapping targets make attribution and prosecution even more difficult.
8. Possible Evolution into a Cybercrime Cartel
If this collaboration proves profitable, it could encourage the formation of larger, more structured alliances, similar to organized crime cartels in the physical world.
In short, the partnership of ShinyHunters and Scattered Spider isn’t just a “two plus two” situation — it’s exponential. Their combined strengths could outpace many companies’ current cybersecurity readiness, particularly if those organizations are still relying on static threat intelligence and outdated detection strategies.
🔍 Fact Checker Results
✅ ReliaQuest’s analysis confirms strong overlaps in infrastructure and targeting patterns between the two groups.
✅ Historical records show both ShinyHunters and Scattered Spider have executed major attacks independently before these similarities emerged.
❌ There is no independent confirmation outside cybercriminal forums that “Sp1d3rhunters” is an authoritative source on the partnership.
📊 Prediction
If the ShinyHunters–Scattered Spider collaboration continues, we may see a new wave of multi-vector, sector-specific attacks targeting industries with both high-value data and a reliance on SaaS platforms, such as healthcare, fintech, and cloud-based service providers. Expect shorter attack cycles, more advanced brand impersonation campaigns, and increased use of vishing to bypass MFA protections. Within 12 months, the combined group could emerge as the single most disruptive cybercrime entity on record — unless security teams rapidly adapt their detection and defense strategies.
References:
Reported By: www.darkreading.com