Teen Declares Himself Leader of Cybercrime Group Scattered Lapsus$
TL;DR
A 15-year-old from Jordan, identified as Saif Al-Din Khader, claims to be a key figure in the cybercrime group Scattered Lapsus$ Hunters (SLSH), one of the most active in the world.
A 15-year-old from Jordan, identified as Saif Al-Din Khader, claims to be a leading figure in the cybercrime group Scattered Lapsus$ Hunters (SLSH), one of the most active in the world. This revelation came after investigations conducted by security expert Brian Krebs, founder of the blog KrebsOnSecurity.
The story began with the launch of ShinySp1d3r, a ransomware service developed by SLSH. The group announced its new technology in a Telegram channel, where one of the administrators, known as "Rey", made the official announcement.
Rey and His History in Cybercrime Groups
Rey had a strong presence in other cybercrime organizations. He was linked to the ransomware group Hellcat, which gained notoriety for its attacks on companies such as Telefonica and Schneider Electric.
In a previous operation, the group BreachForums, where Rey served as an administrator, was targeted by the FBI. This connection to the forum network is significant as authorities believe that data from this forum was used to facilitate extortions carried out by SLSH.
Identity Revealed by Oversights
Despite his prominent role, Rey did not have his identity revealed willingly, but rather due to vulnerabilities in his digital security. Personal information shared on forums made his location and identity accessible to cybersecurity experts.
Intel 471, a cyber intelligence company, identified Rey as an active user across various BreachForums, with over 200 posts between February 2024 and July 2025.
Multiple Aliases, One Individual
Before assuming the identity of Rey, he was known as Hikki-Chan, and his first post included leaked data from a government institution. In a post also made under the name @wristmug, he inadvertently revealed his email address and other credentials, making it easier to trace his identity.
This data was confirmed through the service SpyCloud, which helped identify that his credentials had been leaked multiple times, leading investigators to link him to specific devices in his hometown.
Experiences in Activist Cybercrime Groups
Rey was also associated with the Cyb3r Drag0nz Team, an activist group known for targeted attacks and leaks related to groups they deemed unjust. This team gained notoriety for leaking data of Israeli citizens during politically charged conflicts.
Identity Confirmed and Intentions to Change
With the collected information, Rey's true identity was confirmed to be Saif Al-Din Khader. Krebs contacted his father, recognizing the severity of the situation, although initially, he did not believe the seriousness of the allegations.
However, in a conversation with Krebs, Saif stated that he wishes to leave the criminal environment and is willing to cooperate with authorities, including the Endgame operation.
"I have been cooperating with authorities since June. I have not committed any illegal activity since September,"
Saif's stance has generated repercussions, and his independence within SLSH was questioned by the group, which claimed that his statements could be attempts to destabilize their structure.
The Scattered Lapsus$ Hunters, in response, challenged the validity of Krebs's investigations, claiming that the allegations were unfounded and that there were distortions in reports about their operations.
This case highlights how the combination of digital oversights and cybersecurity surveillance can lead to the exposure of individuals involved in fraudulent activities. Furthermore, it illustrates the complexity of digital relationships and the role of digital identities in the information age.
The future implications of Saif's testimony and collaboration may reverberate in how cybercrime cases are handled, increasing pressure on online criminal activities.
Content selected and edited with AI assistance. Original sources referenced above.


