Discord breach may be connected: The Zendesk campaign may not be an isolated incident. Discord said on October 9 that attackers breached its customer service provider, 5CA, exposing data from about 70,000 users who had submitted government IDs for age verification. The breach also exposed support ticket data for users who had contacted Discord’s customer support or trust and safety teams.

The Zendesk campaign likely was one of several attacks Scattered Lapsus$ Hunters promised in early November Telegram posts, ReliaQuest said.

Scattered Lapsus$ Hunters initially denied involvement in the Discord attack but later posted on Telegram that they knew who was responsible, according to the researchers.

“Wait for 2026, we are running 3-4 campaigns atm [at the moment],” the researchers wrote, quoting the group’s message. “all the IR [incident response] people should be at work watching their logs during the upcoming holidays till January 2026 bcuz #ShinyHuntazz is coming to collect your customer databases.”

The group also claimed it compromised the customer success platform Gainsight earlier this month. “It’s realistically possible that Zendesk is the second of these campaign targets promised on Telegram,” ReliaQuest said.

Possibility of copycats: While the infrastructure patterns pointed to Scattered Lapsus$ Hunters, ReliaQuest said in the blog post that copycats inspired by the group’s success couldn’t be ruled out.

“It’s also a realistic possibility that the success of Zendesk targeting and similar supply-chain attacks has inspired copycat actors or splinter groups from Scattered Lapsus$ Hunters,” the researchers wrote. “We’ve seen this kind of pattern before, like with Black Basta, where successor groups kept using the same playbook even after law enforcement disrupted the original operation.”

Customer support platforms make good targets because companies often don’t monitor them as closely as email, yet they give attackers access to credentials and customer data across many organizations, the researchers said.

Despite announcing in September that the group was “going dark” and shutting down operations, Scattered Lapsus$ Hunters later promised to return in 2026 with a new subscription-based “extortion-as-a-service” platform, according to Telegram posts attributed to the group.

ReliaQuest said it shared its findings with Zendesk. Zendesk did not immediately respond to CSO’s request for comment.

First seen on csoonline.com
Jump to article: www.csoonline.com/article/4097846/scattered-lapsus-hunters-target-zendesk-users-with-fake-domains.html

