The “digital ghosts” of Lapsus$ are back, more sophisticated and with a clear target: the digital supply chain. A new threat intelligence report from ZenoX, a cybersecurity startup of the Dfense Group, reveals that an offshoot of the infamous collective, self-identified as “Scattered Lapsus$ Hunters”, is behind one of the largest documented supply chain attacks to date, compromising between 989 million and 1.5 billion corporate records by exploiting integrations of the Salesforce platform.
The study, titled “Digital Ghosts: The Metamorphosis of Lapsus$ into Scattered Hunters”, details how the group evolved from the chaotic tactics that paralyzed giants like Microsoft, Nvidia, and the Ministry of Health between 2021 and 2022 into a financially motivated, strategically articulated criminal operation. The ZenoX investigation indicates that the recent campaign exploited a vulnerability in the integration between Salesforce and the sales engagement platform Salesloft Drift.
By exploiting gaps in the digital supply chain, the criminals compromised Salesloft and obtained access tokens (OAuth) capable of bypassing multi-factor authentication (MFA), paving the way to infiltrate Salesforce instances used by hundreds of corporations. The victim list includes technology giants (Google AdSense, Cisco), aviation (Qantas, Air France, KLM, FedEx), retail (Home Depot, IKEA), luxury (Louis Vuitton, Chanel, Dior, Cartier), automotive (Toyota, Stellantis), food & beverage (McDonald's, KFC), media & entertainment (Disney/Hulu, HBO Max) and finance (Allianz Life, TransUnion), among others.
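As an added illustration (not from the ZenoX report, Salesforce or Salesloft), a defender-side check for the token theft described above: it scans constructed, simplified connected-app login records for a vendor integration's OAuth sessions that arrive from outside the vendor's published egress ranges or in unusually tight bursts, the two cheapest signals that a legitimately issued token is being replayed by someone else. The app name, egress range and record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the vendor of the connected app publishes the egress ranges it
# calls Salesforce from; a valid app token arriving from elsewhere suggests
# the token itself has been taken and replayed (MFA is never re-prompted).
KNOWN_EGRESS = {"DriftSync (hypothetical)": [ip_network("203.0.113.0/24")]}

# Constructed, simplified login records modelled on a LoginHistory export:
# (login_time, application, source_ip, login_type, status)
SAMPLE_LOGINS = [
    ("2025-08-08T01:00:00", "DriftSync (hypothetical)", "203.0.113.7", "Remote Access 2.0", "Success"),
    ("2025-08-08T01:15:00", "DriftSync (hypothetical)", "203.0.113.9", "Remote Access 2.0", "Success"),
    ("2025-08-08T02:00:00", "DriftSync (hypothetical)", "198.51.100.23", "Remote Access 2.0", "Success"),
    ("2025-08-08T02:01:00", "DriftSync (hypothetical)", "198.51.100.23", "Remote Access 2.0", "Success"),
    ("2025-08-08T02:02:00", "DriftSync (hypothetical)", "198.51.100.23", "Remote Access 2.0", "Success"),
    ("2025-08-08T02:03:00", "DriftSync (hypothetical)", "198.51.100.23", "Remote Access 2.0", "Success"),
    ("2025-08-08T09:00:00", "Browser", "192.0.2.10", "Application", "Success"),
]


def flag_oauth_anomalies(records, known_egress, burst=3, window=timedelta(minutes=10)):
    """Return (kind, app, source_ip, time) findings for suspect OAuth sessions."""
    findings = []
    per_app = defaultdict(list)
    for login_time, app, ip, login_type, status in records:
        # Only successful OAuth (connected-app) sessions for a known integration matter here;
        # interactive browser logins are covered by other controls.
        if status != "Success" or login_type != "Remote Access 2.0" or app not in known_egress:
            continue
        ts = datetime.fromisoformat(login_time)
        if not any(ip_address(ip) in net for net in known_egress[app]):
            findings.append(("unexpected_source", app, ip, login_time))
        per_app[app].append(ts)
    for app, times in per_app.items():
        times.sort()
        for i in range(len(times) - burst + 1):
            # The token is being exercised far faster than the integration's normal sync cadence.
            if times[i + burst - 1] - times[i] <= window:
                findings.append(("burst", app, None, times[i].isoformat()))
                break
    return findings


if __name__ == "__main__":
    for finding in flag_oauth_anomalies(SAMPLE_LOGINS, KNOWN_EGRESS):
        print(finding)
```

Either finding is a cue to revoke the connected app's refresh and access tokens and rotate the integration's credentials before triaging what data the sessions touched.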
“What we are witnessing is the maturation of a ghost. The original Lapsus$, formed by teenagers, proved that well-executed social engineering was more devastating than any complex malware. Now, their successors, the Scattered Lapsus$ Hunters, have learned the lesson, joined forces with other experienced groups like Scattered Spider and ShinyHunters, and industrialized the method,” analyzes Ana Cerqueira, CRO of ZenoX. “They demonstrated that the weakest link is no longer just an inattentive employee, but the trust we place in interconnected software ecosystems. Attacking a SaaS platform like Salesloft was like finding a master key to enter hundreds of companies at once.”
The ZenoX report details that the exposed data is highly sensitive and includes full names, Social Security numbers (SSNs), dates of birth, driver's license information, emails, phone numbers, purchase history, support ticket content, API keys, access tokens, and other corporate credentials.
The group's motivation became clear in an ultimatum: the cybercriminals demanded a payment of 20 bitcoins (approximately $1.3 million) directly from Salesforce, setting a final deadline for October 10, 2025. If the payment is not made, the group threatens not only to publicly release the billion records but also to cooperate with law firms in litigation against Salesforce and report the company to data protection regulators in Europe and the US (GDPR, CCPA).
“The double extortion tactic has evolved into triple or quadruple extortion: they threaten the main company, the client companies, and even promise to arm regulators with evidence. It is a show of force that puts the entire SaaS industry on alert,” adds Cerqueira. “Traditional defenses are insufficient against adversaries who exploit trust as the primary attack vector. The only effective response is proactive intelligence, monitoring the partner ecosystem and the criminal underworld to anticipate these moves before they materialize into a crisis of global proportions.”

