‘Trinity of Chaos’ ransomware collective launches data leak site

Includes sensitive data from Google and Cisco, among others

A new collective of ransomware groups known as Trinity of Chaos has emerged with the launch of a website featuring sensitive data purloined from 39 major organisations, including Google and Cisco.

The alliance comprises three of the most notorious and high-profile English-speaking threat groups: Lapsus$, Scattered Spider and ShinyHunters. The newly launched data leak site is hosted on, and accessible via, the TOR network.

Adopting the language of an advertising agency, the group claims to specialise in “high-value corporate data acquisition and strategic breach operations.”

It continues, “Our expertise spans across automotive, financial, insurance, technological, telecommunications, ISPs, and numerous other sectors worldwide. We help you regain control.”

They also say they began their separate ransomware operations as long ago as 2019.

In addition to Cisco and Google, the group claims to have compromised car giants Stellantis and Toyota, as well as FedEx, Disney, Marriott, McDonald’s, Qantas, Pandora and Air France, among others. The group also took responsibility for the alleged theft of one billion Salesforce records earlier this month.

The collective emerged in August 2025 with a Telegram channel combining the brands and membership of the three groups, which was used to coordinate threats, tease data leaks, and market a new ransomware-as-a-service (RaaS) offering dubbed “shinysp1d3r”, according to researchers at Resecurity. That Telegram channel was subsequently banned.

“ShinyHunters confirmed that Scattered Spider provided initial access to targets, while the former handled data exfiltration and dumps. Lapsus$ members were also active participants in this alliance, with all three groups working together on high-profile campaigns, such as the Salesforce and Snowflake breaches,” according to Resecurity.

Members of the group were among a number of ransomware gangs that claimed they would be retiring in October to enjoy their ill-gotten gains before law enforcement agencies closed in. A number of ransomware gang members have already been arrested this year in the US, UK and France.

The emergence of Trinity of Chaos indicates that they may not be retiring, after all.

“Such ‘exits’ have occurred before, providing hacker collectives time to regroup and re-emerge later under different names. The notorious Russian ransomware gang Conti is a prime example of this exit cover,” notes Resecurity.

The groups use a combination of tactics to compromise targeted organisations.

These include, first, social engineering and phishing expeditions, with voice phishing and impersonation used to trick employees into granting them access or installing malware.

“Both Lapsus$ and Scattered Spider are known for help-desk impersonation and credential theft, while ShinyHunters has recently adopted similar vishing [voice phishing] tactics, especially in attacks on Salesforce environments.”

Lapsus$ has also resorted to SIM swapping – persuading mobile operators’ customer service staff to switch a mobile number from one SIM to another in order to take over someone else’s phone line – and, failing that, using multi-factor authentication (MFA) bombing to bypass this security measure.

MFA bombing involves using already compromised usernames and passwords to repeatedly generate two-factor authentication messages to the account holder’s device. To make them stop – in the belief that the messages are being generated by a system flaw – the account holder need only approve one of the messages and the attackers are inadvertently let in.
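
A defender's view of the pattern described above, as an added example that is not part of the original article: a sliding-window check over MFA push results that flags a burst of denied or timed-out prompts and, with higher severity, an approval that follows one. The log format, field names, window and threshold are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log: "timestamp user result" (not from a real system).
SAMPLE_LOG = """\
2025-10-06T02:14:05 alice denied
2025-10-06T02:14:40 alice timeout
2025-10-06T02:15:10 alice denied
2025-10-06T02:15:55 alice timeout
2025-10-06T02:16:30 alice denied
2025-10-06T02:17:02 alice approved
2025-10-06T09:00:11 bob approved
2025-10-06T09:30:00 carol denied
2025-10-06T13:05:00 carol approved
"""

def detect_mfa_bombing(log_text, window=timedelta(minutes=10), threshold=5):
    """Return alerts for bursts of unapproved push prompts per user.

    An alert is raised once `threshold` prompts are denied or time out inside
    `window`; an approval that follows such a burst is flagged separately as
    "approved_after_burst", the case where the account holder gave in.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed prompts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_raw, user, result = line.split()
        ts = datetime.fromisoformat(ts_raw)
        failures = recent[user]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result == "approved":
            if len(failures) >= threshold:
                alerts.append((user, "approved_after_burst", ts_raw, len(failures)))
            failures.clear()
        else:
            failures.append(ts)
            if len(failures) == threshold:
                alerts.append((user, "prompt_burst", ts_raw, len(failures)))
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_bombing(SAMPLE_LOG):
        print(alert)
```

A single denied prompt followed hours later by a normal approval, as in the constructed "carol" lines, does not trigger an alert because the earlier failure has aged out of the window.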

“The groups have jointly targeted organisations in the financial services, technology, retail, and airline sectors… Their campaigns are characterised by rapid adaptation and creative use of cloud service vulnerabilities, especially in VMware hypervisor environments, like VMware ESXi, and software-as-a-service platforms, like Salesforce and Snowflake,” warns Resecurity.
