Alleged Telstra Data Breach: Scattered LAPSUS$ Hunters Claim 100GB Stolen

09 October 2025

Rivanorth investigates the alleged Telstra data breach: Scattered LAPSUS$ Hunters claims 100GB stolen.

This is an ongoing investigation. This article will be updated as more information becomes available.

The threat actor "Scattered LAPSUS$ Hunters" claims to have hacked Telstra and stolen 100GB of data. Rivanorth has reviewed the alleged hack, and so far only a small sample of data has been released. Telstra denies the cyber attack, according to the Australian Financial Review (AFR). Time will tell: the whole 100GB of data is to be released on the 13th (next Monday) if the ransom isn't paid.

Timeline of Events

8 October 2025 – According to the threat actor, the compromise of Telstra dates back to this date.

8 October 2025 – Breach was published on the dark web leak site.

9 October 2025 – Telstra denies the cyber attack claims.

13 October 2025 – If the ransom is not paid, all the data will be published on this date.

The Claims

The threat actor claims:

  • 100GB of data was stolen
  • In total, 19M+ Personally Identifiable Information (PII) records were compromised
  • Sample data reviewed by Rivanorth includes employee names, phone numbers, and addresses

Inconsistency: Rivanorth has detected an inconsistency in the claims. The date on the threat actor's site shows July 2023, which raises the question of whether this is a typo, an old breach being resurfaced, or simply a smear campaign.

Telstra's Response

According to the Australian Financial Review (AFR), Telstra has denied that its systems were breached. The telecommunications giant has not confirmed any compromise of its networks or customer data at this time.

Who Are Scattered LAPSUS$ Hunters?

Scattered LAPSUS$ Hunters is a cybercrime alliance that brings together three notorious hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters.

This alliance was first observed in August 2025 when a Telegram channel appeared uniting these three groups. It's an active collaboration where Scattered Spider provides initial access through social engineering, ShinyHunters specialises in data theft and publication, and LAPSUS$ members act as amplifiers and extortionists.

All three groups are tied to a broader underground ecosystem known as "The Com", a loosely organised network of English-speaking cybercriminals, often young adults and teenagers, who share tools, trade access, and collaborate on operations.

The group has also previously compromised global giants like Dell, Kuwait Airways, Lycamobile, Verizon, True Corporation & dtac, Red Hat, and Jaguar Land Rover.

Understanding Data Extortion Attacks

This type of attack is known as a data extortion attack, and is sometimes labelled "double extortion". Unlike traditional ransomware, which encrypts files and demands payment for decryption, data extortion works differently:

  1. Initial Access: The attackers gain entry to a company's systems, typically through social engineering techniques like phishing or vishing (voice phishing)
  2. Data Exfiltration: They steal sensitive data, in this case, allegedly 100GB of information
  3. Extortion Demand: The attackers threaten to publish the stolen data publicly unless a ransom is paid
  4. Public Pressure: By listing victims on dark web leak sites and setting deadlines, they create urgency and embarrassment to pressure organisations into paying

The term "double extortion" applies when data theft is combined with traditional ransomware encryption. In cases like this, where only data theft and the threat of publication are involved, it is simply data extortion or theft-based extortion.

The tactic is particularly effective because even if a company has good backups and can recover from encryption, it cannot "un-steal" data that has already been exfiltrated. The threat of reputational damage, regulatory fines, and eroded customer trust gives cybercriminals powerful leverage.

Supply Chain Impact Analysis

All third-party security implications will be available in Rivanorth Oko. Once the full 100GB drops on Monday, we'll have comprehensive third-party impact analysis available, helping you understand your supply chain exposure immediately.