Telstra 2025 Breach Claims Withdrawn: Extortion Tactics Exposed

Read Time 4 mins | 09 October 2025

UPDATE: 13 October 2025 – Threat Actor Withdraws Claims

After monitoring the threat actor's dark web leak site today, Rivanorth observed that Scattered LAPSUS$ Hunters has removed Telstra from its victim list. No data was published, contrary to the group's initial threat to release 100GB of data if the ransom was not paid.

This is an interesting turn of events, and there is a lot to be learned from it about how these threats are changing. Initial breach claims attract plenty of headline coverage, but the outcome of alleged hacks rarely gets the same follow-up.

Credit where credit is due, Telstra did well in standing firm and communicating clearly throughout this incident.

This situation highlights the panic these threats can create, even when they never materialise. Defenders cannot disregard such alerts, but it is crucial to balance early warning against unnecessary overreaction.

Timeline of Events

  1. 8 October 2025 – According to the threat actor, the compromise of Telstra occurred on this date, with the data due to be published on 13 October 2025.
  2. 8 October 2025 – Claim of breach was published on the dark web leak site.
  3. 9 October 2025 – Telstra denied the cyber attack claims.
  4. 13 October 2025 – Threat actor removes Telstra from their leak site. No data was published.

Background

The threat actor "Scattered LAPSUS$ Hunters" claims to have hacked Telstra and stolen 100GB of data. Rivanorth has reviewed the alleged hack; so far only a small sample of data has been released. According to the Australian Financial Review (AFR), Telstra denies the cyber attack. Time will tell, as the full 100GB is due to be released on the 13th (next Monday) if the ransom is not paid.

The Claims

The threat actor claims:

  • 100GB of data was stolen
  • Over 19 million Personally Identifiable Information (PII) records were compromised in total
  • Sample data reviewed by Rivanorth includes employee names, phone numbers, and addresses

Inconsistency: Rivanorth has detected an inconsistency in the claims. The date on the threat actor's site shows July 2023, which raises the question of whether this is a typo, an old breach being resurfaced, or simply a smear campaign.

Telstra's Response

According to the Australian Financial Review (AFR), Telstra has denied that its systems were breached. The telecommunications giant has not confirmed any compromise of their networks or customer data at this time.

Who Are Scattered LAPSUS$ Hunters?

Scattered LAPSUS$ Hunters is a cybercrime alliance that brings together three notorious hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters.

This alliance was first observed in August 2025 when a Telegram channel appeared uniting these three groups. It's an active collaboration where Scattered Spider provides initial access through social engineering, ShinyHunters specialises in data theft and publication, and LAPSUS$ members act as amplifiers and extortionists.

All three groups are tied to a broader underground ecosystem known as "The Com", a loosely organised network of English-speaking cybercriminals, often young adults and teenagers, who share tools, trade access, and collaborate on operations.

The group has also previously compromised global giants like Dell, Kuwait Airways, Lycamobile, Verizon, True Corporation & dtac, Red Hat, and Jaguar Land Rover.

Understanding Data Extortion Attacks

This type of attack is known as data extortion. Unlike traditional ransomware, which encrypts files and demands payment for decryption, data extortion works as follows:

  1. Initial Access: The attackers gain entry to a company's systems, typically through social engineering techniques like phishing or vishing (voice phishing)
  2. Data Exfiltration: They steal sensitive data, in this case, allegedly 100GB of information
  3. Extortion Demand: The attackers threaten to publish the stolen data publicly unless a ransom is paid
  4. Public Pressure: By listing victims on dark web leak sites and setting deadlines, they create urgency and embarrassment to pressure organisations into paying

The term "double extortion" applies when data theft is combined with traditional ransomware encryption. In cases like this one, where only data theft and the threat of publication are involved, it is simply data extortion or theft-based extortion.

The tactic is particularly effective because even if a company has good backups and can recover from encryption, it cannot "un-steal" data that has already been exfiltrated. The threat of reputational damage, regulatory fines, and erosion of customer trust gives cybercriminals a powerful point of leverage.

The Importance of Accurate Third-Party Risk Intelligence

This incident underscores why accurate, trusted data on your third parties is critical to correctly understanding your risk exposure. In the initial stages of this threat, organisations needed to assess quickly whether Telstra was part of their supply chain and what their potential exposure could be.

Rivanorth Oko provides real-time dark web and third-party security monitoring in which an initial alert that is not backed by confirmed findings is listed as low risk. The risk is adjusted upward only once the claim is confirmed, according to what is actually found. This approach helps organisations avoid unnecessary panic while remaining vigilant to genuine threats.
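The triage rule described above, applied to this incident's own timeline, as an added illustration. This is not Rivanorth Oko code: the event names, the four risk levels, the "listing removed closes the claim unless it was already confirmed" rule and the one-year staleness threshold are all assumptions made for the example. The dates are those given on this page; the site date is shown on the page only as "July 2023", so the day of month is assumed.

```python
"""Leak-site claim triage: an unverified listing starts at low risk and moves
only on evidence.  Added example modelling the approach described in the
article; not Rivanorth Oko code.  Event names, levels and thresholds are
assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

LEVELS = ("informational", "low", "medium", "high")  # ordered, lowest first


@dataclass
class Claim:
    victim: str
    actor: str
    listed_on: date                      # date the claim appeared on the leak site
    site_date: Optional[date]            # breach date shown on the actor's site
    deadline: Optional[date]             # threatened publication date
    level: str = "low"                   # unverified listing starts low, never high
    flags: List[str] = field(default_factory=list)
    closed: bool = False


def raise_to(claim: Claim, level: str) -> None:
    """Risk only ever moves upward on evidence; a later denial does not undo it."""
    if LEVELS.index(level) > LEVELS.index(claim.level):
        claim.level = level


def apply_event(claim: Claim, event: str, on: date) -> Claim:
    """Adjust the claim for one observation.  A victim denial is recorded as
    context but changes nothing: a statement is not proof either way."""
    if claim.closed:
        return claim
    if event == "sample_consistent":        # analyst matched sample data to the victim
        raise_to(claim, "medium")
    elif event in ("victim_confirmed", "data_published"):
        raise_to(claim, "high")
    elif event == "victim_denied":
        claim.flags.append(f"{on.isoformat()}: victim denies breach")
    elif event == "listing_removed":
        claim.flags.append(f"{on.isoformat()}: removed from leak site, no data published")
        if claim.level != "high":           # a confirmed breach stays high even if delisted
            claim.level = "informational"
        claim.closed = True
    else:
        raise ValueError(f"unknown event {event!r}")
    return claim


def check_deadline(claim: Claim, today: date, data_published: bool) -> Claim:
    """Once the threatened deadline has passed, either escalate or close."""
    if claim.closed or claim.deadline is None or today <= claim.deadline:
        return claim                         # deadline day itself is still live
    if data_published:
        return apply_event(claim, "data_published", today)
    claim.flags.append(f"{today.isoformat()}: deadline passed, nothing published")
    claim.level = "informational"
    claim.closed = True
    return claim


def stale_date(claim: Claim, max_age_days: int = 365) -> bool:
    """Flag a site date far older than the listing: typo, resurfaced old breach
    or smear.  The threshold is an assumption."""
    if claim.site_date is None:
        return False
    return (claim.listed_on - claim.site_date).days > max_age_days


def triage_telstra() -> Claim:
    """Walk the timeline from the article (day of month for 'July 2023' assumed)."""
    claim = Claim("Telstra", "Scattered LAPSUS$ Hunters",
                  listed_on=date(2025, 10, 8), site_date=date(2023, 7, 1),
                  deadline=date(2025, 10, 13))
    if stale_date(claim):
        claim.flags.append("site date predates listing by more than a year")
    apply_event(claim, "victim_denied", date(2025, 10, 9))
    apply_event(claim, "listing_removed", date(2025, 10, 13))
    check_deadline(claim, date(2025, 10, 14), data_published=False)
    return claim


if __name__ == "__main__":
    result = triage_telstra()
    print(result.victim, result.level, "closed" if result.closed else "open")
    for flag in result.flags:
        print(" -", flag)
```

The claim never rises above low because no event on the page confirms it: the sample data was never matched to Telstra, Telstra denied the breach, and the listing was withdrawn before the deadline. Only an analyst-confirmed sample, a victim confirmation or actual publication escalates the level, which is the property that keeps unverified listings from triggering a full incident response.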

As threats continue to evolve, it is crucial to balance early warnings with accurate intelligence so that decisions about your cybersecurity posture are informed rather than reactive.