Google confirmed that miscreants created a fraudulent account in its Law Enforcement Request System (LERS) portal, which police and other government agencies use to ask for data about Google users.
“We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account,” a Google spokesperson told The Register on Tuesday. “No requests were made with this fraudulent account, and no data was accessed.”
Google’s admission follows BreachForums posts by Scattered Lapsus$ Hunters, a gang allegedly made up of members from three other notorious cybercrime crews: Scattered Spider, ShinyHunters, and Lapsus$. Shortly after announcing their retirement from the ransomware biz, they indicated via screenshots that they had access to Google LERS, as well as the FBI’s National Instant Criminal Background Check System (NICS), a federal system that provides background checks on would-be gun buyers to ensure they aren’t prohibited from owning a firearm. The FBI declined to comment on the extortionists’ claims.
All this is on point for Scattered Spider, ShinyHunters, and Lapsus$, who seem to enjoy the attention as much as the ill-gotten gains, especially when it comes to trolling law enforcement and Google-owned Mandiant’s threat hunters.
After claiming responsibility for the recent Jaguar attack, plus those on M&S, Co-op, and Harrods over the summer, Scattered Lapsus$ Hunters late last week said they are exiting the cybercrime rat race.
In a goodbye post on BreachForums, the ransomware-slingers said they have “decided to go dark” and praised the eight Scattered Spider and ShinyHunters members who have been arrested since April 2024 as “collateral victims of our war on power.”
“If you worry about us, don’t … [we] will enjoy our golden parachutes with the millions the group accumulated,” their diatribe continued. “Others will keep on studying and improving systems you use in your daily lives. In silence.” They also posted screenshots of what appeared to be Google’s LERS and the FBI’s NICS with “Scattered Lapsus$ Hunters” scrawled over the portal images.
Most infosec analysts took the retirement announcement with a healthy heaping spoonful of salt.
“Rather than a true disbanding, this announcement likely signals a strategic move to distance the group from increasing law enforcement pressure,” Trustwave SpiderLabs security research manager Karl Sigler told The Register.
“It’s plausible that something within the group’s operational infrastructure has been compromised,” such as a breached system or communication channel, he added. “Groups like Scattered Spider don’t disappear. They adapt.” ®