After monitoring the threat actor's dark web leak site today, Rivanorth observed that Scattered LAPSUS$ Hunters has removed Telstra as a victim. No data was published, contrary to their initial claim that 100GB of data would be released if the ransom wasn't paid.
This is an interesting turn of events, and we think there is a lot to be learned from it about how threats are changing. There is often a lot of coverage of the initial headline news but not much follow-up on the outcome of alleged hacks.
Credit where credit is due, Telstra did well in standing firm and communicating clearly throughout this incident.
This situation highlights the panic these threats can create, even when they don't materialise. Those who have to defend against these threats cannot disregard such alerts, but it's crucial to balance early warnings against unnecessary overreactions.
The threat actor "Scattered LAPSUS$ Hunters" claims to have hacked Telstra and stolen 100GB of data. Rivanorth has reviewed the alleged hack, and so far only a small sample of data has been released. Telstra is denying the cyber attack, according to the Australian Financial Review (AFR). Time will tell, as the full 100GB of data is to be released on the 13th (next Monday) if the ransom isn't paid.
The threat actor claims:
Inconsistency: Rivanorth has detected an inconsistency in the claims. The date on the threat actor's site shows July 2023, which raises the question of whether this is a typo, an old breach being resurfaced, or simply a smear campaign.
According to the Australian Financial Review (AFR), Telstra has denied that its systems were breached. The telecommunications giant has not confirmed any compromise of its networks or customer data at this time.
Scattered LAPSUS$ Hunters is a cybercrime alliance that brings together three notorious hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters.
This alliance was first observed in August 2025 when a Telegram channel appeared uniting these three groups. It's an active collaboration where Scattered Spider provides initial access through social engineering, ShinyHunters specialises in data theft and publication, and LAPSUS$ members act as amplifiers and extortionists.
All three groups are tied to a broader underground ecosystem known as "The Com", a loosely organised network of English-speaking cybercriminals, often young adults and teenagers, who share tools, trade access, and collaborate on operations.
The group has also previously compromised global giants like Dell, Kuwait Airways, Lycamobile, Verizon, True Corporation & dtac, Red Hat, and Jaguar Land Rover.
This type of attack is known as a data extortion or "double extortion" attack. Unlike traditional ransomware that encrypts files and demands payment for decryption, data extortion works differently:
This is sometimes called "double extortion" when combined with traditional ransomware, but in cases like this where only data theft and the threat of publication are involved, it's simply data extortion or theft-based extortion.
The tactic is particularly effective because even if a company has good backups and can recover from encryption, they cannot "un-steal" data that's already been exfiltrated. The threat of reputational damage, regulatory fines, and customer trust erosion makes this a powerful leverage point for cybercriminals.
This incident underscores why having accurate and trusted data on your third parties is critical to correctly understanding your risk exposure. In the initial stages of this threat, organisations needed to quickly assess whether Telstra was part of their supply chain and what their potential exposure could be.
Rivanorth Oko provides real-time dark web and third-party security monitoring, where initial alerts that are not backed by actual findings are listed as low risk first. Only if confirmed does the risk get adjusted depending on what is found. This approach helps organisations avoid unnecessary panic while remaining vigilant to genuine threats.
While threats continue to evolve, it's crucial to balance early warnings with accurate intelligence to make informed decisions about your cybersecurity posture.