Hackers Are Blackmailing Red Hat, Threatening to Publish Stolen Data

The Scattered Lapsus$ Hunters group is attempting to blackmail Red Hat, claiming possession of sensitive internal data.
Samples of customer interaction reports allegedly stolen from the company have appeared on the group’s leak site. The hackers say they demanded a ransom from Red Hat but have not yet received a response.
Background: The Crimson Collective Breach
Last week, another extortion group known as Crimson Collective claimed responsibility for stealing 570 GB of data from 28,000 internal Red Hat repositories.
Company representatives later confirmed that one of their GitLab instances had been compromised.
According to the attackers, the stolen files included roughly 800 Customer Engagement Reports (CERs) — consulting documents prepared for clients that often contain network topologies, infrastructure configurations, authentication tokens, and other sensitive operational details that could be leveraged in future attacks.
The Alliance Between Hacker Groups
Shortly after the breach became public, members of the Scattered Lapsus$ Hunters group (an alliance of actors affiliated with Scattered Spider, LAPSUS$, and ShinyHunters) reportedly contacted Crimson Collective to collaborate.
The two groups soon announced a partnership, and samples of the stolen Red Hat data were published on the ShinyHunters leak site, which went live recently.
The hackers are threatening to release the entire 570 GB archive on October 10, 2025, if the ransom is not paid.
“We are going to collaborate with ShinyHunters for future attacks and publications,” the Crimson Collective told journalists.
ShinyHunters and the Rise of “Extortion-as-a-Service”
Security analysts note that ShinyHunters now operates as an extortion-as-a-service (EaaS) platform — effectively acting as a broker between data thieves and victims. Under this model, the group provides infrastructure, publicity, and negotiation support in exchange for a share of the ransom.
This structure explains a recent wave of attacks attributed to ShinyHunters, including incidents involving Oracle Cloud and PowerSchool, where investigations showed the group itself did not perform the intrusions but handled the ransom and data publication phases.
In conversations with BleepingComputer, ShinyHunters members confirmed the revenue-sharing model:
“Everyone I’ve worked with in the past took 70–75%, and I got 25–30%,” one participant told the publication.
What’s Next
As of now, Red Hat has not issued a public statement regarding the ransom demand or the authenticity of the leaked materials.
If the hackers follow through on their threats, the release of internal consulting reports could expose sensitive information about enterprise clients’ systems and security configurations, posing both reputational and operational risks.