DISCORD BREACHED VIA VENDOR, HIGH-RISK GOVERNMENT IDs STOLEN

The “Scattered Lapsus$ Hunters” collective exploited a third-party vendor to breach Discord’s systems, stealing high-risk data including government IDs and internal network details like ‘SLHM’. This sophisticated attack bypassed MFA, highlighting a critical supply chain vulnerability and the group’s use of targeted extortion.

SLHM is the alleged internal network name exposed by the “Scattered Lapsus$ Hunters” group, serving as an Indicator of Compromise that confirmed their deep access within Discord’s environment.

Discord confirmed the security incident on October 3, 2025, but was quick to note that its core systems were not directly breached. The attack leveraged a supply chain vulnerability, successfully compromising a third-party customer service provider (T1199).

The Hackers’ Goal: Financial Extortion

The objective of the unauthorized party was purely financial, focused on demanding a significant ransom payment from Discord. Discord’s immediate response was to revoke the vendor’s access to the ticketing system.

The Data Haul: High-Risk PII

The breach exposed PII, including names, emails, Discord usernames, and limited billing fragments, such as the last four credit card digits. Crucially, the hackers obtained a small number of government-issued IDs submitted for age verification appeals.

Criticality of Exposed Data

Stealing these high-fidelity documents—passports or driver’s licenses—vastly increases the risk of severe identity theft for users. These documents are often the master key needed for high-security account takeovers and credential resets.

Table: Exposed Data Classification and Risk Profile

| Data Type | Risk Profile and Identity Impact |
|---|---|
| Names, Usernames, Email Addresses | Medium – Enables targeted phishing and initial reconnaissance. |
| Support Chats/Messages | Medium/High – Provides conversational context for future social engineering. |
| Limited Billing Details (Last 4 Digits) | High – Useful for payment platform correlation and fraud confirmation attempts. |
| Government-Issued ID Images (Passports, Licenses) | CRITICAL – Enables synthetic identity fraud, high-security account takeover, and deep vetting bypass. |

The Threat Group: Scattered Lapsus$ Hunters

The collective known as Scattered Lapsus$ Hunters (SLH) publicly claimed responsibility for the cyber attack. This is an alliance combining the expertise of Scattered Spider, LAPSUS$, and ShinyHunters, uniting for maximum impact.

SLH Strategy: Unified Chaos

SLH’s model is efficient: Scattered Spider handles initial access (TA0001), ShinyHunters manages bulk data theft (TA0010), and LAPSUS$ drives the public extortion (T1491). This team operates as a sophisticated ecosystem, often linked through the criminal community “The Com”.

TTPs: Initial Access and Evasion

TTP: Identity-Centric Intrusion

SLH’s core TTP is “log in, not hack in,” focusing on compromising a legitimate user identity rather than exploiting network vulnerabilities. This strategy circumvents traditional network perimeter defenses, disguising malicious activity as authorized traffic.

TTP: Vishing and Phishing (T1566)

Initial access was gained by compromising a single support agent account at the vendor through social engineering tactics. The Scattered Spider faction specializes in sophisticated Vishing (voice phishing) calls to impersonate IT helpdesk staff (T1566.004).

Credential Harvesting and Brokerage (T1552)

They use advanced phishing kits like Evilginx to steal both credentials and active session cookies, which are essential for bypassing MFA. The LAPSUS$ component is known for purchasing pre-stolen corporate credentials or paying malicious insiders for access (T1552).

TTP: MFA Bypass and Okta Exploitation (T1621)

SLH publicly mocked Discord’s defense efforts, specifically stating that disabling Okta and Kolide logins would not prevent their intrusion. This points to the exploitation of a known vulnerability in Okta’s Classic sign-on policy (T1621).

Technical Evasion: The User-Agent Artifact

The exploitation required the attackers to use a valid username/password while submitting the login request with an “unknown” user-agent string (like a custom script). This TTP allowed them to bypass application-specific policies requiring MFA or device checks.

IOCs: Reconnaissance and Lateral Movement

IOC: Internal Network Artifact

A critical Indicator of Compromise (IOC) was the group revealing the alleged internal Discord network identifier “SLHM” in their public posts. This artifact confirms successful internal reconnaissance (TA0007) beyond the initial third-party entry point.

Targeting Administrative Resources

Screenshots shared by the group confirmed access to Discord’s internal administrative tools, including data privacy dashboards. Targeting these dashboards confirms deliberate lateral movement to locate the most damaging, highly regulated information, like the government photo IDs.

Table: Observed Indicators of Compromise (IOCs) and Artifacts

| IOC Type | Indicator/Artifact | Context and Significance |
|---|---|---|
| Threat Actor Alias | Scattered Lapsus$ Hunters | Name of the collective behind the high-profile operation. |
| Network Artifact | “SLHM” | Alleged internal network name revealed by attackers, confirming internal reconnaissance. |
| Communication/Extortion | Telegram Channel | Primary public platform for taunting, extortion, and data leaks (Signature LAPSUS$ TTP). |
| Technical Artifact | Unknown User-Agent Strings | Specific payload used to exploit the Okta Classic sign-on policy bypass vulnerability. |
| Targeted Resource | Data Privacy Dashboards | Administrative access point targeted for high-value data identification. |

TTPs: Extortion and Impact

TTP: Data Exfiltration (TA0010) and Theft

The ShinyHunters faction is primarily responsible for the bulk data theft and monetization, stealing chat logs, PII, payment fragments, and high-risk IDs. The sheer volume indicates a large-scale, rapid exfiltration event.

TTP: Double Extortion via DLS (T1486)

The attackers used their Telegram channel as a Command and Control (C2) platform to broadcast their success and demand a financial ransom (T1491). They explicitly threatened to publish additional stolen material on their Dedicated Leak Site (DLS) (T1486).

Leveraging Shame

Threatening to leak sensitive government IDs on a DLS maximizes the regulatory exposure and reputational damage to Discord. This tactic replaces file encryption, establishing double extortion as the primary coercion mechanism.

Mitigation and Defense Recommendations

To defeat credential harvesting, companies must mandate phishing-resistant MFA, like FIDO2 tokens, for all support staff (T1562.001). Also, organizations must actively log and block login attempts using “unknown” user-agent strings to counter the Okta bypass technique.
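The user-agent check recommended above, and the “unknown” user-agent artifact described in the evasion section, can be turned into a concrete detection rule over identity-provider sign-in logs. The following is an added example written for this article; it is not code from Discord, Okta, or the original page. It assumes Okta System Log field names (eventType, outcome.result, client.userAgent.rawUserAgent, client.userAgent.browser, client.device, authenticationContext.externalSessionId); the log records themselves are constructed. A successful session start from a client with an empty or unrecognised user-agent is flagged, and the finding is rated high when no MFA event completed for the same session, which is the combination the bypass in the text relies on.

```python
import json

# Constructed sample log lines shaped like Okta System Log events (JSON Lines).
# Field names are assumed from Okta's public System Log schema; every value
# (users, sessions, timestamps, user-agents) is invented for this example.
SAMPLE_LOG = r"""
{"published":"2025-10-01T08:00:01Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"agent1@vendor.example"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0","browser":"CHROME","os":"Windows 10"},"device":"Computer"},"authenticationContext":{"externalSessionId":"sess-0001"}}
{"published":"2025-10-01T08:00:04Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"agent1@vendor.example"},"client":{"userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0","browser":"CHROME","os":"Windows 10"},"device":"Computer"},"authenticationContext":{"externalSessionId":"sess-0001"}}
{"published":"2025-10-01T09:12:30Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"agent2@vendor.example"},"client":{"userAgent":{"rawUserAgent":"","browser":"UNKNOWN","os":"Unknown"},"device":"Unknown"},"authenticationContext":{"externalSessionId":"sess-0002"}}
{"published":"2025-10-01T10:30:00Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"agent2@vendor.example"},"client":{"userAgent":{"rawUserAgent":"","browser":"UNKNOWN","os":"Unknown"},"device":"Unknown"},"authenticationContext":{"externalSessionId":"sess-0003"}}
{"published":"2025-10-01T11:00:00Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"agent3@vendor.example"},"client":{"userAgent":{"rawUserAgent":"python-requests/2.32","browser":"UNKNOWN","os":"Unknown"},"device":"Unknown"},"authenticationContext":{"externalSessionId":"sess-0004"}}
{"published":"2025-10-01T11:00:02Z","eventType":"user.authentication.auth_via_mfa","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"agent3@vendor.example"},"client":{"userAgent":{"rawUserAgent":"python-requests/2.32","browser":"UNKNOWN","os":"Unknown"},"device":"Unknown"},"authenticationContext":{"externalSessionId":"sess-0004"}}
"""


def parse_log(text):
    """Parse JSON Lines into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def is_unknown_client(event):
    """True when the identity provider could not recognise the client:
    empty raw user-agent, browser reported as UNKNOWN, or device type Unknown.
    Any one of these is enough to treat the login as coming from a script or
    a hand-crafted request rather than a managed browser."""
    client = event.get("client") or {}
    ua = client.get("userAgent") or {}
    raw = (ua.get("rawUserAgent") or "").strip()
    browser = (ua.get("browser") or "UNKNOWN").upper()
    device = (client.get("device") or "Unknown").lower()
    return not raw or browser == "UNKNOWN" or device == "unknown"


def find_suspicious_logins(events):
    """Return findings for successful session starts from unknown clients.

    Severity is 'high' when no MFA event succeeded for the same session
    (unknown user-agent plus no second factor), 'medium' when MFA did
    complete but the unknown-client policy was still violated."""
    mfa_sessions = {
        (e.get("authenticationContext") or {}).get("externalSessionId")
        for e in events
        if e.get("eventType") == "user.authentication.auth_via_mfa"
        and (e.get("outcome") or {}).get("result") == "SUCCESS"
    }
    findings = []
    for e in events:
        if e.get("eventType") != "user.session.start":
            continue
        if (e.get("outcome") or {}).get("result") != "SUCCESS":
            continue  # failed attempts are worth counting, but not alerting on here
        if not is_unknown_client(e):
            continue
        session = (e.get("authenticationContext") or {}).get("externalSessionId")
        raw_ua = ((e.get("client") or {}).get("userAgent") or {}).get("rawUserAgent") or ""
        findings.append({
            "time": e.get("published"),
            "user": (e.get("actor") or {}).get("alternateId"),
            "session": session,
            "user_agent": raw_ua.strip() or "<empty>",
            "severity": "medium" if session in mfa_sessions else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity'].upper()}] {f['time']} {f['user']} "
              f"session={f['session']} ua={f['user_agent']!r}")
```

Run against the constructed log, the rule reports two findings: the empty-user-agent login for agent2 with no MFA event (high) and the python-requests login for agent3 that did complete MFA (medium); the failed attempt is ignored. In production the same logic would run as a scheduled query against the SIEM or the identity provider's log export, and the high-severity case should feed an automatic session revocation rather than just a ticket.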

To counter social engineering, security teams must implement strict challenge-response protocols for help desk staff processing account reset requests. Furthermore, monitoring internal channels is crucial to detect malicious insider recruitment, a documented LAPSUS$ TTP (T1547.001).

Crucially, organizations must strictly prohibit third-party systems from storing high-risk PII like scanned government ID images. All vendor access must adhere to a Zero Trust architecture, strictly limiting access and monitoring all vendor activity.

Table: SLH Tactics, Techniques, and Procedures (TTPs) Mapping

| MITRE ATT&CK Tactic | SLH Technique Used (T-ID) | Discord 2025 Incident Application |
|---|---|---|
| Initial Access (TA0001) | Phishing/Vishing (T1566) | Compromising third-party support agent credentials via social engineering. |
| Initial Access (TA0001) | Trusted Relationship (T1199) | Targeting third-party customer service vendor systems for initial entry. |
| Defense Evasion (TA0005) | Multi-Factor Authentication Bypass (T1621) | Exploiting the Okta Classic sign-on policy bypass via unknown user-agents. |
| Credential Access (TA0006) | Credentials from Password Stores (T1552) | Acquiring session tokens or passwords via stealer malware or dark web markets. |
| Collection (TA0009) | Data from Information Repositories (T1213) | Accessing support ticket queues to retrieve PII and government ID images. |
| Impact (TA0040) | Extortion (T1491) | Demanding financial ransom and threatening to publish data on Telegram/DLS. |