A prolific cybercriminal group, known as ‘Scattered LAPSUS$ Hunters’ (SLSH), has recently dominated headlines for its aggressive data theft and extortion tactics against numerous major corporations. However, the narrative has taken a significant turn for "Rey," the technical operator and public face of this notorious group. In a remarkable development, Rey has confirmed his real-life identity and agreed to an interview after KrebsOnSecurity successfully tracked him down and contacted his father. This investigation uncovers the intricate web of SLSH’s operations, Rey’s ascent through the cybercrime ranks, and the series of operational security blunders that led to his unmasking.

SLSH is understood to be a formidable alliance of three distinct hacking collectives: Scattered Spider, LAPSUS$, and ShinyHunters. The members of these groups originate from a shared ecosystem of online chat channels, predominantly on platforms like Telegram and Discord, forming a largely English-speaking cybercriminal community. This interconnectedness allows for rapid dissemination of information and coordination of attacks.

In May 2025, SLSH launched a sophisticated social engineering campaign. Employing voice phishing tactics, they successfully tricked targets into connecting a malicious application to their organization’s Salesforce portal. This breach paved the way for the group to establish a data leak portal, threatening to publish the internal data of over three dozen companies from whom Salesforce data had allegedly been stolen. Prominent victims in this campaign included industry giants like Toyota, FedEx, Disney/Hulu, and UPS, highlighting the broad reach and impact of SLSH’s operations. The associated extortion website explicitly warned victims that their stolen data would be publicly released unless ransom demands were met.

Meet Rey, the Admin of ‘Scattered Lapsus$ Hunters’

More recently, the SLSH Telegram channel has been actively recruiting "insiders" – employees within large corporations willing to provide internal network access in exchange for a share of any ransom payments. This recruitment drive gained particular attention as it coincided with news that the cybersecurity firm CrowdStrike had fired an employee suspected of sharing internal system screenshots with a hacker group. While CrowdStrike maintained its systems were not compromised and reported the incident to law enforcement, the timing underscored SLSH's persistent strategy of leveraging disgruntled employees as informants and facilitators.

Historically, SLSH members have relied on the ransomware encryptors of other cybercriminal entities, participating in affiliate programs with ransomware gangs such as ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. However, this reliance shifted dramatically last week with SLSH’s announcement of their own ransomware-as-a-service (RaaS) operation, named ShinySp1d3r. The individual credited with launching this new RaaS offering is "Rey," a core SLSH member and one of the three administrators of the group’s Telegram channel. Rey’s cybercriminal journey predates SLSH; he previously served as an administrator for the data leak website of Hellcat, a ransomware group active in late 2024, which was implicated in attacks against companies like Schneider Electric, Telefonica, and Orange Romania.

Further underscoring Rey’s prominence in the underground, in 2024, he took over as administrator of the most recent iteration of BreachForums. This English-language cybercrime forum has been a recurring target of law enforcement, with its domain names repeatedly seized by the FBI and international authorities. Rey himself publicly acknowledged these seizures, posting on Twitter/X about another FBI takedown of BreachForums in April 2025. The FBI’s repeated actions against BreachForums, which they described as a critical hub for illicit data trafficking and extortion, highlight the significant disruption caused by these law enforcement operations. The FBI stated that these takedowns "remove access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors."

The unraveling of Rey’s anonymity began with a series of critical operational security mistakes made in the past year. These errors provided multiple avenues for investigators to ascertain and confirm his real-life identity and location, ultimately leading to his unmasking.


WHO IS REY?

Cyber intelligence firm Intel 471 reports that Rey has been an active participant on various incarnations of BreachForums for the past two years, contributing over 200 posts between February 2024 and July 2025. Intel 471 also notes that Rey previously used the alias "Hikki-Chan" on BreachForums. His very first post on the platform allegedly shared data stolen from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post concerning the CDC data, Hikki-Chan provided a Telegram username, @wristmug, as a contact method. In May 2024, the @wristmug account posted a screenshot in a Telegram group chat called "Pantifan." This screenshot contained a copy of an extortion email they claimed to have received, which included their email address and password. The message shared by @wristmug appeared to be part of an automated sextortion scam. These scams typically allege that the recipient’s computer has been compromised, a video of them watching pornography has been recorded, and threaten to release this video to their contacts unless a Bitcoin ransom is paid. Crucially, these emails often reference a real password previously used by the recipient.

In a display of mock horror, the @wristmug account posted, "Noooooo, I must be done guys," after sharing the screenshot of the scam message. While @wristmug redacted the username portion of the email address within the scam message, they failed to obscure their previously used password. Furthermore, the domain portion of their email address, "@proton.me," remained visible in the screenshot.


O5TDEV

A search of @wristmug’s distinctive 15-character password within the breach tracking service Spycloud revealed that it had been used by only one email address: [email protected]. According to Spycloud, these credentials were compromised at least twice in early 2024. This occurred when the user’s device was infected with an infostealer trojan, which siphoned stored usernames, passwords, and authentication cookies. This finding was initially reported in March 2025 by the cyber intelligence firm KELA.

Intel 471 data indicates that the email address [email protected] belonged to a BreachForums member who used the username "o5tdev." A Google search for this nickname surfaces at least two website defacement archives, indicating that o5tdev was involved in defacing websites with pro-Palestinian messages. One such screenshot shows o5tdev as part of a group called Cyb3r Drag0nz Team.

A 2023 report from SentinelOne described the Cyb3r Drag0nz Team as a hacktivist group known for launching DDoS attacks, conducting website defacements, and engaging in data leak activities. SentinelOne reported, "Cyb3r Drag0nz Team claims to have leaked data on over a million of Israeli citizens spread across multiple leaks. To date, the group has released multiple .RAR archives of purported personal information on citizens across Israel." The cyber intelligence firm Flashpoint has identified the Telegram user @05tdev as active in 2023 and early 2024, posting in Arabic on anti-Israel channels like "Ghost of Palestine."


"I’M A GINTY"

Flashpoint’s analysis of Rey’s Telegram account (ID 7047194296) shows significant activity in a cybercrime-focused channel called "Jacuzzi." In this channel, Rey shared several personal details, including that his father was an airline pilot. In 2024, Rey claimed to be 15 years old and mentioned having family ties to Ireland. Specifically, Rey repeatedly stated his Irish heritage in Telegram chats and even posted a graphic illustrating the prevalence of the surname "Ginty."

Spycloud indexed hundreds of credentials stolen from [email protected]. This data indicates that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 reveals multiple users of the infected PC, all sharing the same last name, Khader, and an address in Amman, Jordan. Autofill data extracted from Rey’s family PC includes an entry for Zaid Khader, aged 46, stating that his mother’s maiden name was Ginty. The infostealer data also shows that Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.

MEET SAIF


The infostealer data unequivocally establishes Rey’s full name as Saif Al-Din Khader. After failing to establish direct contact with Saif, KrebsOnSecurity sent an email to his father, Zaid. The email explained that his son appeared to be deeply involved in a serious cybercrime conspiracy and invited Zaid to respond via email, phone, or Signal. Less than two hours later, a Signal message was received from Saif himself. He explained that his father had suspected the email was a scam and had forwarded it to him.

"I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email’," Saif stated, adding that he turns 16 next month. "So I decided to talk to you directly." Saif revealed that he had already been contacted by European law enforcement officials and was attempting to distance himself from SLSH. When questioned about his involvement in releasing SLSH’s new ShinySp1d3r RaaS offering, Saif explained that he couldn’t simply abandon the group abruptly. "Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on," he said.

He also shared that ShinySp1d3r is essentially a reworked version of the Hellcat ransomware, enhanced with AI tools. "I gave the source code of Hellcat ransomware out basically," he admitted. Saif claims to have recently reached out to the Telegram account for Operation Endgame, the ongoing law enforcement operation targeting cybercrime services, vendors, and their customers. "I’m already cooperating with law enforcement," Saif stated. "In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September."

Saif suggested that a public story about him at this juncture could jeopardize his ongoing cooperation with authorities. He also expressed uncertainty about whether U.S. or European authorities had contacted the Jordanian government regarding his involvement with the hacking group. "A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate," Saif explained. "I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them." Saif provided a screenshot indicating he had contacted Europol authorities late last month, but he could not name specific law enforcement officials he was in contact with. KrebsOnSecurity was unable to independently verify his claims. "I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say," Saif concluded.