A prominent cybercriminal collective, known as “Scattered LAPSUS$ Hunters,” has gained notoriety this year for its consistent data theft and widespread corporate extortion. However, the individual operating as “Rey,” the group’s technical lead and public representative, recently had their true identity revealed. Rey confirmed this identity and agreed to an interview after being located and after their father was contacted.
Scattered LAPSUS$ Hunters (SLSH) is believed to be a fusion of three distinct hacking entities: Scattered Spider, LAPSUS$, and ShinyHunters. Individuals associated with these groups frequently interact within shared chat channels on the Com, an English-speaking cybercriminal network spanning numerous Telegram and Discord servers.
In May 2025, SLSH initiated a social engineering operation. This campaign employed voice phishing tactics to deceive victims into linking a malicious application to their organization’s Salesforce portal. Subsequently, the group established a data leak portal, threatening to release the internal data of approximately three dozen companies, including Toyota, FedEx, Disney/Hulu, and UPS, which allegedly had Salesforce data compromised.

This image shows the extortion website linked to ShinyHunters, which threatens to publish stolen data unless Salesforce or individual victim companies agree to pay a ransom.
Recently, the SLSH Telegram channel posted an offer to recruit and compensate “insiders”—employees at major corporations willing to provide internal network access to their employers in exchange for a portion of any ransom paid by the victim company.
While SLSH had previously sought insider access, their most recent appeal for disaffected employees circulated on social media concurrently with reports that cybersecurity firm CrowdStrike had terminated an employee for allegedly sharing internal system screenshots with the hacker group. CrowdStrike stated that its systems remained uncompromised and that the issue had been referred to law enforcement.

The Telegram server for the Scattered LAPSUS$ Hunters has been attempting to recruit insiders at large companies.
Historically, SLSH members have utilized encryptors from other ransomware groups in their attacks, including malware from affiliate programs such as ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. However, last week, SLSH announced on its Telegram channel the launch of its proprietary ransomware-as-a-service operation, named ShinySp1d3r.
The person behind the ShinySp1d3r ransomware offering is a key SLSH member known as “Rey,” who serves as one of three administrators for the SLSH Telegram channel. Prior to this, Rey functioned as an administrator for the data leak website of Hellcat, a ransomware group that was active in late 2024 and targeted companies such as Schneider Electric, Telefonica, and Orange Romania.

A recent, slightly redacted screenshot of the Scattered LAPSUS$ Hunters Telegram channel description, showing Rey as one of three administrators.
In 2024, Rey also assumed the role of administrator for the latest version of BreachForums, an English-language cybercrime forum that has seen its domain names repeatedly seized by the FBI and international agencies. By April 2025, Rey had posted on Twitter/X regarding another FBI seizure of BreachForums.
On October 5, 2025, the FBI announced another seizure of domains linked to BreachForums. The agency characterized the forum as a significant criminal marketplace utilized by ShinyHunters and other actors to trade stolen data and enable extortion activities.
The FBI stated that this action “removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors.”
Remarkably, Rey committed several critical operational security errors last year, which provided numerous pathways to determine and verify his real-life identity and location. The following sections detail how Rey’s identity was uncovered.
Who is Rey?
Cyber intelligence firm Intel 471 reported that Rey was a frequent participant on various iterations of BreachForums over the past two years, contributing over 200 posts from February 2024 to July 2025. Intel 471 indicated that Rey previously operated under the handle “Hikki-Chan” on BreachForums, with an initial post that allegedly shared data stolen from the U.S. Centers for Disease Control and Prevention (CDC).
In the February 2024 post concerning the CDC, Hikki-Chan provided the Telegram username @wristmug for contact. In May 2024, @wristmug shared a screenshot in a Telegram group chat named “Pantifan,” displaying an extortion email that reportedly included their email address and password.
The message shared by @wristmug appeared to be part of an automated email scam. Such scams typically claim that a hacker has compromised the recipient’s computer, recorded them via webcam while viewing adult content, and threatens to release the video to their contacts unless a Bitcoin ransom is paid. These emails often include a real password previously used by the recipient.
The @wristmug account reacted to the scam message screenshot with feigned alarm, stating, “Noooooo,” and “I must be done guys.”

A message posted to Telegram by Rey/@wristmug.
When sharing the screenshot, @wristmug redacted the username segment of the email address within the scam message. However, the previously used password remained unredacted, and the domain portion of the email address (@proton.me) was visible in the screenshot.
O5TDEV
A search using @wristmug’s distinct 15-character password within the breach tracking service SpyCloud revealed its association with only one email address: [email protected]. SpyCloud indicated that these credentials were compromised at least twice in early 2024 due to an infostealer trojan infecting the user’s device, which extracted stored usernames, passwords, and authentication cookies. This discovery was first reported in March 2025 by cyber intelligence firm KELA.
Intel 471 identified the email address [email protected] as belonging to a BreachForums member using the username o5tdev. A Google search for this nickname revealed at least two website defacement archives indicating o5tdev’s prior involvement in defacing sites with pro-Palestinian messages. For instance, an accompanying image shows o5tdev as a member of the group Cyb3r Drag0nz Team.

Rey/o5tdev’s defacement pages. Image: archive.org.
A 2023 report by SentinelOne characterized Cyb3r Drag0nz Team as a hacktivist group known for conducting DDoS attacks, cyber defacements, and data leak operations.
SentinelOne reported that “Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks.” The report added, “To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel.”
Cyber intelligence firm Flashpoint observed that the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels such as “Ghost of Palestine.”
Irish Connections
Flashpoint data indicated that Rey’s Telegram account (ID 7047194296) was notably active in a cybercrime channel named Jacuzzi. In this channel, the user disclosed personal information, including that their father was an airline pilot. In 2024, Rey stated that he was 15 years old and had family ties to Ireland.
Rey specifically referenced Irish heritage in multiple Telegram chats, even sharing a graphic illustrating the prevalence of the surname “Ginty.”

Rey, on Telegram, claiming an association with the surname “Ginty.” Image: Flashpoint.
SpyCloud’s index of hundreds of credentials taken from [email protected] suggested that Rey’s computer was a shared Microsoft Windows device situated in Amman, Jordan. The credential data from early 2024 indicated multiple users on the compromised PC, all sharing the surname Khader and an address in Amman, Jordan.
Autofill data extracted from Rey’s family PC included an entry for 46-year-old Zaid Khader, noting his mother’s maiden name as Ginty. The infostealer data also revealed Zaid Khader’s frequent access to internal employee websites for Royal Jordanian Airlines.
Saif’s Identity Revealed
The infostealer data unequivocally identified Rey’s full name as Saif Al-Din Khader. Because Saif could not be contacted directly, an email was sent to his father, Zaid. The message invited Zaid to respond via email, phone, or Signal, explaining that his son appeared to be heavily involved in a significant cybercrime conspiracy.
Within two hours, a Signal message was received from Saif, who explained that his father had suspected the email was a scam and forwarded it to him.
Saif, who stated he would turn 16 the following month, responded, “I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email.’ So I decided to talk to you directly.”
Saif clarified that he had already been in contact with European law enforcement and was attempting to disengage from SLSH. When questioned about his involvement in releasing SLSH’s new ShinySp1d3r ransomware-as-a-service, Saif explained that he could not abruptly leave the group.
He stated, “Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on.”

The former Hellcat ransomware site. Image: Kelacyber.com
Saif also disclosed that ShinySp1d3r is essentially a revamped version of Hellcat ransomware, enhanced with AI tools. He mentioned, “I gave the source code of Hellcat ransomware out basically.”
Saif asserted that he recently contacted the Telegram account for Operation Endgame, the codename for an ongoing law enforcement initiative targeting cybercrime services, their vendors, and customers.
Saif claimed, “I’m already cooperating with law enforcement. In fact, I have been talking to them since at least June. I haven’t really done anything like breaching into a corp or extortion related since September.”
Saif indicated that publishing a story about him at this time could jeopardize any future cooperation he might offer. He also expressed uncertainty regarding whether U.S. or European authorities had contacted the Jordanian government about his involvement with the hacking group.
Saif stated, “A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate. I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them.”
Saif provided a screenshot suggesting he had contacted Europol authorities recently. However, he could not identify any specific law enforcement officials responding to his inquiries, and his claims remained unverified.
Saif concluded, “I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say.”

