A prolific and audacious cybercriminal collective known as "Scattered LAPSUS$ Hunters" (SLSH) has significantly impacted the cybersecurity landscape throughout the year, consistently targeting and extorting major corporations. However, the tables appear to be turning for "Rey," the individual widely recognized as the technical operator and public face of this formidable hacking group. In a significant development, Rey has confirmed his real-life identity and agreed to an interview following an investigation by KrebsOnSecurity, which successfully tracked him down and contacted his father.

The SLSH group is understood to be a formidable alliance, formed from the amalgamation of three distinct hacking entities: Scattered Spider, LAPSUS$, and ShinyHunters. The operatives behind these gangs frequently congregate in shared digital spaces, primarily across a vast network of Telegram and Discord servers, forming a cohesive, albeit clandestine, cybercriminal community.

In May of 2025, SLSH orchestrated a sophisticated social engineering campaign. This operation involved the strategic use of voice phishing, commonly known as vishing, to manipulate targets into connecting a malicious application to their organization’s Salesforce portal. Following this initial breach, the group launched a dedicated data leak portal, threatening to publicly expose the sensitive internal data of over three dozen companies that had allegedly fallen victim to the Salesforce data theft. Prominent corporations like Toyota, FedEx, Disney/Hulu, and UPS were among those named as targets.

More recently, the SLSH Telegram channel has been actively recruiting "insiders" – employees within large corporations who are willing to provide internal network access in exchange for a share of any ransom payments ultimately collected from their employers. This solicitation for insider access comes at a particularly sensitive time, coinciding with news that the cybersecurity firm Crowdstrike had terminated an employee for allegedly sharing screenshots of internal systems with a hacking group. While Crowdstrike maintained that its systems were never compromised and has handed the matter over to law enforcement, the incident highlights the persistent threat of insider collaboration.

Traditionally, SLSH members have leveraged the encryption tools of other ransomware syndicates, participating in affiliate programs with groups such as ALPHV/BlackCat, Qilin, RansomHub, and DragonForce. However, a significant shift occurred last week when SLSH announced the launch of its own ransomware-as-a-service (RaaS) operation, branded as ShinySp1d3r. The individual credited with releasing this new RaaS offering is a core SLSH member known by the handle "Rey." Rey holds a prominent position as one of only three administrators for the SLSH Telegram channel. His prior experience in the cybercrime underground includes serving as an administrator for the data leak website of Hellcat, a ransomware group active in late 2024 that was implicated in attacks against major corporations like Schneider Electric, Telefonica, and Orange Romania.

Furthermore, in 2024, Rey assumed administrative duties for the most recent iteration of BreachForums, a notorious English-language cybercrime forum whose domains have been repeatedly seized by international law enforcement agencies, including the FBI. Rey publicly commented on these seizures, posting on Twitter/X about another FBI takedown of BreachForums in April 2025. The FBI’s announcement on October 5, 2025, regarding the seizure of BreachForums domains, described it as a crucial criminal marketplace utilized by ShinyHunters and other threat actors for trafficking stolen data and facilitating extortion.

Remarkably, Rey’s operational security (OpSec) faltered significantly over the past year, providing multiple avenues for investigators to ascertain and confirm his real-life identity and location.

WHO IS REY?

According to cyber intelligence firm Intel 471, Rey has been an active participant on various reincarnations of BreachForums for the past two years, contributing over 200 posts between February 2024 and July 2025. Intel 471 also reports that Rey previously operated under the alias "Hikki-Chan" on BreachForums. His inaugural post on the platform detailed the alleged exfiltration of data from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post concerning the CDC data, Hikki-Chan provided a Telegram username, @wristmug, as a contact method. In May 2024, the @wristmug account posted within a Telegram group chat named "Pantifan," sharing a screenshot of an extortion email they claimed to have received. This email contained their email address and password. The message shared by @wristmug appeared to be part of an automated sextortion scam, falsely asserting that a hacker had compromised the recipient’s computer and recorded them engaging in illicit activities, threatening to release the fabricated video unless a Bitcoin ransom was paid. The scam messages typically reference a previously used, legitimate password to lend an air of credibility.

In a message posted to Telegram, the @wristmug account expressed mock horror: "Noooooo, I must be done guys." While redacting the username portion of the email address in the screenshot, @wristmug inadvertently left their previously used password visible and revealed the domain of their email address as @proton.me.

O5TDEV

A search for the distinctive 15-character password used by @wristmug within the breach tracking service Spycloud revealed that this password was associated with only one email address: [email protected]. Spycloud data indicates that these credentials were compromised at least twice in early 2024 when the user’s device was infected with an infostealer trojan. This malware siphoned stored usernames, passwords, and authentication cookies – a finding initially brought to light in March 2025 by the cyber intelligence firm KELA.

Intel 471 data links the email address [email protected] to a BreachForums member who used the moniker "o5tdev." A Google search for this nickname unearths at least two website defacement archives, indicating that "o5tdev" was involved in defacing websites with pro-Palestinian messages. One screenshot shows "o5tdev" as part of a group named "Cyb3r Drag0nz Team."

A 2023 report from SentinelOne characterized the Cyb3r Drag0nz Team as a hacktivist group known for launching Distributed Denial of Service (DDoS) attacks, performing website defacements, and engaging in data leak activities. SentinelOne reported that the group claimed to have leaked data on over a million Israeli citizens, releasing multiple .RAR archives containing purported personal information.

Cyber intelligence firm Flashpoint notes that the Telegram user @05tdev was active in 2023 and early 2024, posting in Arabic on anti-Israel channels such as "Ghost of Palestine."

"I’M A GINTY"

Flashpoint data reveals that Rey’s Telegram account (ID7047194296) was particularly active in a cybercrime-focused channel called "Jacuzzi." Within this channel, Rey shared several personal details, including that his father was an airline pilot. In 2024, Rey claimed to be 15 years old and indicated family connections to Ireland, even posting a graphic illustrating the prevalence of the surname "Ginty."

Spycloud indexed hundreds of credentials stolen from [email protected]. This data suggests that Rey’s computer is a shared Microsoft Windows device located in Amman, Jordan. The credential data stolen from Rey in early 2024 indicates multiple users of the infected PC, all sharing the same last name, Khader, and an address in Amman, Jordan. Autofill data extracted from Rey’s family PC includes an entry for a 46-year-old individual named Zaid Khader, whose mother’s maiden name is listed as Ginty. The infostealer data also shows that Zaid Khader frequently accessed internal websites for employees of Royal Jordanian Airlines.

MEET SAIF

The infostealer data conclusively identifies Rey’s full name as Saif Al-Din Khader. After failing to establish direct contact with Saif, KrebsOnSecurity emailed his father, Zaid. The email explained that his son appeared to be deeply involved in a serious cybercrime conspiracy and invited a response via email, phone, or Signal.

Less than two hours later, a Signal message was received from Saif, who stated that his father had suspected the email was a scam and had forwarded it to him. "I saw your email, unfortunately I don’t think my dad would respond to this because they think its some ‘scam email,’" Saif wrote, adding, "So I decided to talk to you directly."

Saif, who stated he would turn 16 the following month, explained that he had already been contacted by European law enforcement officials and was attempting to extricate himself from SLSH. When questioned about his involvement in releasing SLSH’s new ShinySp1d3r RaaS offering, Saif claimed he could not simply abandon the group. "Well I cant just dip like that, I’m trying to clean up everything I’m associated with and move on," he stated.

He further shared that ShinySp1d3r is essentially a modified version of the Hellcat ransomware, enhanced with AI tools, and that he had essentially "gave the source code of Hellcat ransomware out." Saif claims he recently initiated contact with the Telegram account for "Operation Endgame," the ongoing law enforcement initiative targeting cybercrime services, vendors, and their customers.

"I’m already cooperating with law enforcement," Saif asserted. "In fact, I have been talking to them since at least June. I have told them nearly everything. I haven’t really done anything like breaching into a corp or extortion related since September."

Saif suggested that a public story about him at this time could jeopardize his ongoing cooperation. He also expressed uncertainty about whether U.S. or European authorities had engaged with the Jordanian government regarding his involvement with the hacking group. "A story would bring so much unwanted heat and would make things very difficult if I’m going to cooperate," Saif stated. "I’m unsure whats going to happen they said they’re in contact with multiple countries regarding my request but its been like an entire week and I got no updates from them."

Saif provided a screenshot indicating he had contacted Europol authorities late the previous month, but he could not name any specific law enforcement officials responding to his inquiries, and KrebsOnSecurity was unable to independently verify his claims. "I don’t really care I just want to move on from all this stuff even if its going to be prison time or whatever they gonna say," Saif concluded.