Red Hat GitLab Breach Spurs Extortion Threats and Raises CER Report Risks

CyberSecureFox 🦊

The cyber extortion landscape continues to consolidate as criminal crews specialize and collaborate. Scattered Lapsus$ Hunters has claimed responsibility for an extortion campaign targeting Red Hat, publishing alleged samples of stolen materials and threatening a full release if negotiations fail, according to BleepingComputer. Red Hat has acknowledged a compromise of one of its GitLab instances but has not disclosed the scale of data exfiltration.

Red Hat GitLab compromise and claims of 570 GB exfiltration

Last week, a group calling itself Crimson Collective asserted it stole 570 GB from roughly 28,000 internal Red Hat repositories, including customer-facing documentation. While Red Hat confirmed the GitLab incident, details about the scope and specific datasets remain undisclosed. Per reporting by BleepingComputer, Scattered Lapsus$ Hunters surfaced shortly after the claims, shared sample files, and demanded payment to prevent wider publication.

Customer Engagement Reports (CER): why they matter to attackers

Some of the leaked samples reportedly include Customer Engagement Reports (CER)—consulting deliverables that often capture architecture diagrams, configuration details, network topology, integrations, and in some cases sensitive artifacts such as tokens or keys. In adversary hands, CERs can dramatically shorten the attack preparation cycle, enabling faster lateral movement and privilege escalation by pinpointing misconfigurations, exposed secrets, and high-value systems.

Scattered Lapsus$ Hunters and the rise of extortion-as-a-service (EaaS)

Scattered Lapsus$ Hunters is described as a collaboration among members or affiliates of Scattered Spider, LAPSUS$, and ShinyHunters. Samples were posted on ShinyHunters’ newly launched leak site, with a threat to release the full dataset on October 10, 2025 absent a settlement. BleepingComputer notes that ShinyHunters operates an extortion-as-a-service (EaaS) model, acting as a broker for negotiations, infrastructure, and publicity in exchange for a revenue share—reportedly leaving initial intruders with 70–75% and taking 25–30% as a fee.

This “platformization” mirrors broader trends: LAPSUS$ previously targeted major firms including Okta and Microsoft in 2022, while Scattered Spider was linked to social engineering-led intrusions at MGM Resorts in 2023. Such division of labor lowers barriers to entry, accelerates operations, and increases the likelihood of repeat targeting via different affiliates.

Customer and supply chain exposure: plausible attack paths

If the trove indeed contains CERs and related engineering artifacts, the risk profile extends beyond Red Hat to customers and downstream partners. Probable attack vectors include spear-phishing using accurate environment details, exploitation of misconfigured services, reuse of exposed tokens or keys, and compromise of CI/CD pipelines and build artifacts. In previous supply-chain incidents—from Codecov’s 2021 script compromise to the SolarWinds build-system breach—attackers leveraged developer tooling to amplify impact across ecosystems.

Immediate defensive actions for Red Hat customers and partners

Organizations that have engaged Red Hat consulting or shared artifacts referenced in CERs should take immediate steps:

Rotate secrets at scale: Inventory and rotate keys, tokens, and passwords cited in CERs. Adopt short-lived tokens and enforce IP/context-aware restrictions.
Harden GitLab/SCM: Enable secret detection, mandatory 2FA/SSO, branch protection rules, and signed commits (Sigstore or Git signing). Restrict personal access tokens and audit project-level permissions.
Tighten network controls: Review ACLs and segmentation. Apply least-privilege to service accounts and disable unused credentials.
Enhance monitoring: Alert on anomalous logins, sudden repo permission changes, bulk clones/exports, and unusual API access. Baseline normal developer activity to reduce false positives.
Reduce data exposure: Encrypt and partition client artifacts, apply DLP and data classification, and minimize sensitive details in consulting reports going forward.
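As an added example (not code from the article, Red Hat or GitLab), a small Python detector for the bulk clone/export pattern in the "Enhance monitoring" step above: it reads a constructed, simplified audit log, counts the distinct projects each identity cloned inside a sliding one-hour window, and compares that against a constructed per-user baseline so a CI runner's routine volume does not raise a false positive. The log shape, user names and baseline figures are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample SCM audit log (simplified JSON lines, not GitLab's real format)
SAMPLE_LOG = "\n".join(
    ['{"ts":"2025-10-01T09:00:00Z","user":"alice","action":"repository_clone","project":"infra/ansible"}',
     '{"ts":"2025-10-01T09:05:00Z","user":"alice","action":"repository_clone","project":"infra/terraform"}',
     '{"ts":"2025-10-01T09:30:00Z","user":"alice","action":"push","project":"infra/ansible"}']
    # svc-build clones 20 distinct projects in 40 minutes, far above its norm
    + [f'{{"ts":"2025-10-01T02:{m:02d}:00Z","user":"svc-build","action":"repository_clone","project":"apps/svc-{m}"}}'
       for m in range(0, 40, 2)]
    # ci-runner does the same volume, but that is its normal workload
    + [f'{{"ts":"2025-10-01T03:{m:02d}:00Z","user":"ci-runner","action":"repository_clone","project":"apps/svc-{m}"}}'
       for m in range(0, 40, 2)]
)
# Constructed per-user baseline: typical distinct projects cloned per hour in a quiet period
BASELINE = {"alice": 2, "svc-build": 3, "ci-runner": 6}


def parse_events(text):
    """Parse JSON lines into dicts whose 'ts' is a timezone-aware datetime."""
    events = []
    for line in filter(None, text.splitlines()):
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def detect_bulk_clones(events, baseline, window=timedelta(hours=1), min_abs=10, multiplier=5):
    """Return {user: peak} where peak distinct projects cloned/exported inside any
    sliding `window` exceeds max(min_abs, multiplier * that user's baseline)."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] in ("repository_clone", "export"):
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        threshold = max(min_abs, multiplier * baseline.get(user, 1))
        peak, j = 0, 0
        for i, cur in enumerate(evs):
            while cur["ts"] - evs[j]["ts"] > window:  # drop events older than the window
                j += 1
            peak = max(peak, len({e["project"] for e in evs[j:i + 1]}))
        if peak > threshold:
            alerts[user] = peak
    return alerts


print(detect_bulk_clones(parse_events(SAMPLE_LOG), BASELINE))  # {'svc-build': 20}
```

Without a baseline every identity falls back to the absolute floor, which is why the same run flags ci-runner as well; feeding real per-user history is what keeps the alert volume manageable.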

What this signals about the industrialization of extortion

The reported coordination between Crimson Collective and Scattered Lapsus$ Hunters underscores the industrialization of digital extortion. Roles now span initial access, data theft, negotiations, PR, and leak operations—turning extortion into a service economy. As EaaS lowers operational friction, developer platforms like GitLab should be treated as critical infrastructure: segregated from general IT, protected with strong MFA, continuously scanned for secrets, and backed by rapid key rotation processes.

Organizations should assume that any environment details exposed in CERs can be operationalized by adversaries within days. Sustained readiness—visibility into developer tooling, automated secret hygiene, and incident response drills for CI/CD pipelines—will determine the difference between a contained breach and a cascading supply-chain event.
