They call themselves the Trinity of Chaos. A Telegram channel. A BreachForums account. And, according to the group’s own claims, a membership drawn from three of the most destructive cybercriminal outfits in recent memory: Scattered Spider, Lapsus$, and ShinyHunters.
Scattered Lapsus$ Hunters first surfaced in August 2025. By the time most security researchers had finished typing up their initial alerts, the group had already claimed the theft of more than 1 billion customer records from Salesforce. One billion. That number is the single most important fact in this story, and it deserves a hard stare.
One billion records is not a rounding error. It is not a data spill. It is the wholesale removal of a database that, if the claim holds, would rank among the largest single data thefts in history. Salesforce has not confirmed the number. The group has not provided proof beyond its own Telegram posts. But the claim alone shifts the conversation.
The group’s campaigns carry designations from threat intelligence firms: UNC6040 and UNC6395. Those codenames track a trail that includes breaches at Red Hat and the doxxing of ICE officials. Each incident fits a pattern. The group hits, it steals, and it posts. It uses its own website, BreachForums, to publicize the exploits and apply extortion pressure. The brazenness is the point.
This is not a group that hides in the shadows. It operates in the open. Telegram is its bullhorn. BreachForums is its gallery. The group posts the stolen data, names the victim, and waits. That approach has already worked against Salesforce. It worked against Red Hat. It worked when the group published personal information of ICE employees.
The claimed origins matter because they explain the group’s apparent competence. Scattered Spider specialized in social engineering and SIM-swapping. Lapsus$ hit Microsoft, Nvidia, and Okta with a mix of insider access and MFA fatigue. ShinyHunters built a reputation for mass credential theft and database sales. Combine those skill sets and you get a group that knows how to get in, how to stay in, and how to monetize the exit.
But the claims are just claims. Telegram channels are easy to start. Names are easy to borrow. There is no independent verification that any member of Lapsus$ or Scattered Spider actually joined this new group. The Trinity of Chaos could be a handful of people with a good story and a stolen dataset. Or it could be exactly what it says it is. Either way, the result is the same: stolen records, extorted companies, exposed officials.
The international scope of the group adds another layer. These are not state-sponsored actors with a political agenda. They are extortionists. They steal for money. They leak for leverage. And they operate across borders in a way that makes law enforcement response slow and fragmented. A group that can hit a U.S. cloud giant and a European open-source company in the same month is a group that understands jurisdictional friction.
Security researchers are watching. Law enforcement agencies are likely watching too. But watching is not the same as stopping. Scattered Lapsus$ Hunters has been active since August. It has already claimed multiple major breaches. It shows no signs of slowing down.
The group’s methods are not novel. Telegram, BreachForums, extortion notes — these are standard tools in the modern cybercrime kit. What is novel is the branding. The merger. The claim that three infamous crews have pooled their talent into one operation. Whether that claim is true or not, the group has already achieved something that matters: it has gotten the attention of the entire cybersecurity industry. And it has done so by pointing at a billion stolen records and daring anyone to prove it wrong.
























