
Cybercrime Collective Claims Insider-Assisted Access Attempt at CrowdStrike

Himani Verma Content Contributor

25 Nov 2025, 0:44 pm GMT


CrowdStrike confirms that an insider shared screenshots of internal systems, which were later posted by the Scattered Lapsus$ Hunters collective. The company says its systems and customer data remain secure and that the insider's access has been terminated. The threat actors claim they tried to buy network access, and a separate wave of Salesforce-related data-theft claims now names hundreds of companies. DocuSign reports no evidence of compromise.

American cybersecurity firm CrowdStrike confirms that an insider shared screenshots of internal systems with external parties, after the images appeared on Telegram channels linked to the "Scattered Lapsus$ Hunters" cybercrime collective. The company states that, despite the leak, its systems remain secure and customer data is not affected.

CrowdStrike says the incident stems from an individual within the organisation who captured and shared pictures of their computer screen. According to the company, no breach of CrowdStrike’s infrastructure took place, and the insider’s access was cut off prior to further misuse.

A CrowdStrike spokesperson tells BleepingComputer:

"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally.

Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."

The firm does not name the threat group involved or identify the motivations behind the insider’s actions.

Threat actors claim attempted access purchase

The screenshots appear on Telegram channels operated by ShinyHunters, Scattered Spider, and Lapsus$, who are currently operating collectively under the name “Scattered Lapsus$ Hunters.”

ShinyHunters tell BleepingComputer that they agreed to pay the insider $25,000 for access to CrowdStrike's network. They assert that they obtained SSO authentication cookies from the insider, but that CrowdStrike had already detected suspicious activity and terminated the account before further access could be gained. They also allege an unsuccessful attempt to purchase internal CrowdStrike reports about ShinyHunters and Scattered Spider. If the cookie claim is accurate, it matters because a copied SSO session cookie lets whoever holds it resume an already-authenticated session without the user's password or MFA prompt, until that session is revoked.

CrowdStrike has not publicly confirmed these details and says it will provide further information if available.

Scattered Lapsus$ Hunters expand operations across global enterprises

The threat collective continues to conduct widespread cyber extortion campaigns targeting large organisations. They previously launched a data-leak site to pressure companies affected by a wave of Salesforce-related breaches.

Since early this year, the group has targeted Salesforce customers using voice-phishing attacks. Organisations affected include Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, Workday, and several LVMH subsidiaries such as Dior, Louis Vuitton, and Tiffany & Co.

Their extortion attempts extend to a wide range of high-profile companies, including Toyota, Instacart, Cartier, Saks Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO Max, UPS, Chanel, and IKEA.

The group also claims responsibility for the Jaguar Land Rover (JLR) incident, where sensitive data theft and operational disruption resulted in losses of more than £196 million ($220 million) in the last quarter.

Shift to new ransomware-as-a-service model

ShinyHunters and Scattered Spider are now transitioning to a new platform they call ShinySp1d3r, moving away from encryptors previously provided by ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.

This week, ShinyHunters also claim a new set of data-theft attacks allegedly affecting Salesforce instances at over 280 companies. Names mentioned in Telegram posts include LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.

The threat actors state that these breaches follow their compromise of Gainsight, carried out using secrets obtained in the earlier Salesloft Drift breach.

DocuSign responds to claims

DocuSign provides a statement to BleepingComputer after being named among the alleged victims:

"We are aware of ShinyHunters’ claim. Following a comprehensive log analysis and internal investigation, we have no indication of a Docusign data compromise at this time.

Out of an abundance of caution, we have taken a number of measures including terminating all Gainsight integrations and containing related data flows. We continue to actively monitor for any suspicious activity and are partnering closely with Salesforce should additional information become available."

Industry perspective: Managing insider risk

Commenting on the incident, Chris Linnell, Associate Director of Data Privacy at Bridewell, outlines the wider challenge organisations face from insider activity.

He explains that insider risks range from accidental errors to intentional acts, including coercion or infiltration. According to Linnell, the difficulty lies in the insider’s legitimate access to systems, which enables them to bypass typical security controls.

"Malicious insider activity represents one of the most costly and challenging cybersecurity threats for organisations. Unlike external attacks, these incidents exploit trust and authorised access, making detection and remediation far more complex. Insiders already have legitimate credentials and knowledge of internal systems, which means their actions can bypass many traditional security controls and cause significant damage before being discovered.

Insider risk exists on a spectrum, from inadvertent mistakes to deliberate acts of sabotage or data theft. While accidental breaches are common, malicious behaviour, such as coercion by external actors or infiltration through fake job applicants, poses a severe risk. Recent cases highlight how motivated insiders can compromise sensitive data or systems, sometimes under pressure from organised crime or state-sponsored groups. Despite this growing threat, many organisations still lack formal insider threat programmes and only identify issues after harm has occurred.

To mitigate these risks, a layered approach combining people, process, and technology is essential. Technical measures such as User and Entity Behaviour Analytics (UEBA) can establish baselines of normal activity and flag anomalies using AI and machine learning. Data Loss Prevention (DLP) tools help monitor and control sensitive data movement, while continuous monitoring of network activity and access logs enables early detection of suspicious behaviour. Preventative controls are equally critical: thorough background checks during recruitment, periodic re-screening for high-risk roles, and clear policies on data handling and consequences for violations.

Finally, organisations should enforce strong access controls, including the Principle of Least Privilege, Multi-Factor Authentication, and regular access reviews. Advanced measures like dynamic watermarking and screen capture blocking can deter and trace leaks, while adaptive protection technologies can automatically revoke access when abnormal behaviour is detected. Insider risk is not a problem that can be solved with a single tool - it requires a holistic, proactive strategy to protect sensitive data and maintain trust."
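The two detection ideas above that bear directly on this incident are monitoring of access logs for abnormal session use and automatic revocation of access once abnormal behaviour is seen. The following is an added example written for this page; it is not code from CrowdStrike, BleepingComputer or Bridewell. It runs two checks over a constructed SSO sign-in log whose format and field names are assumptions: a session-binding check that flags a session cookie appearing from a different source address or client than the one it was issued to (what a replayed stolen cookie looks like, though legitimate roaming can trigger it too, so it is an alert to correlate rather than a block), and a revocation-gap check that flags any activity on a user's session after that user's access was revoked, which means terminating the account did not invalidate the session it had already been issued.

```python
"""Detect replay of SSO session cookies in a constructed sign-in log.

Added example, not CrowdStrike, BleepingComputer or Bridewell code.
Log format and field names are assumptions for this example:
  <ISO-8601 time> <user> <session-id> <source-ip> "<user-agent>" <action>
A "-" stands for a field that does not apply to the event.
"""
import shlex
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: alice works normally from the corporate network,
# her access is revoked, and the same cookie is then replayed from an
# outside address with a non-browser client.
CONSTRUCTED_LOG = """\
2025-10-03T08:01:10Z alice sess-7f3a 10.20.1.14   "Corp-Browser/118" login
2025-10-03T08:05:42Z alice sess-7f3a 10.20.1.14   "Corp-Browser/118" view_dashboard
2025-10-03T09:12:05Z bob   sess-c21e 10.20.1.55   "Corp-Browser/118" login
2025-10-03T09:30:00Z alice sess-7f3a 10.20.1.14   "Corp-Browser/118" view_reports
2025-10-03T11:00:00Z alice -         -            -                  access_revoked
2025-10-03T11:41:37Z alice sess-7f3a 203.0.113.77 "curl/8.4.0"       view_reports
2025-10-03T11:42:02Z alice sess-7f3a 203.0.113.77 "curl/8.4.0"       download_report
2025-10-03T12:10:00Z bob   sess-c21e 10.20.1.55   "Corp-Browser/118" view_dashboard
"""


@dataclass
class Event:
    ts: datetime
    user: str
    session: str
    src_ip: str
    user_agent: str
    action: str


@dataclass
class Finding:
    kind: str
    user: str
    session: str
    ts: datetime
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; shlex keeps quoted user agents intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, session, ip, ua, action = shlex.split(line)
        # fromisoformat() on older Pythons does not accept a trailing Z.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, user, session, ip, ua, action))
    return events


def detect(events: list[Event]) -> list[Finding]:
    """Run the session-binding and revocation-gap checks in time order."""
    issued: dict[str, tuple[str, str]] = {}   # session -> (ip, ua) at first sight
    revoked_at: dict[str, datetime] = {}      # user -> time access was revoked
    findings: list[Finding] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action == "access_revoked":
            revoked_at[e.user] = e.ts
            continue
        # Bind the session to the client that first presented it.
        binding = issued.setdefault(e.session, (e.src_ip, e.user_agent))
        if (e.src_ip, e.user_agent) != binding:
            findings.append(Finding(
                "session_binding_mismatch", e.user, e.session, e.ts,
                f"issued to {binding[0]} {binding[1]!r}, "
                f"now presented from {e.src_ip} {e.user_agent!r}"))
        # Any use of the session after revocation means the cookie outlived
        # the account: revocation must invalidate sessions, not just logins.
        if e.user in revoked_at and e.ts > revoked_at[e.user]:
            findings.append(Finding(
                "activity_after_revocation", e.user, e.session, e.ts,
                f"{e.action} after access revoked at {revoked_at[e.user]:%H:%M:%SZ}"))
    return findings


def sessions_to_revoke(findings: list[Finding]) -> set[str]:
    """Sessions that should be invalidated server-side, not merely alerted on."""
    return {f.session for f in findings}


if __name__ == "__main__":
    for f in detect(parse_log(CONSTRUCTED_LOG)):
        print(f"{f.ts:%H:%M:%SZ} {f.kind:26} {f.user} {f.session}: {f.detail}")
    print("revoke:", sorted(sessions_to_revoke(detect(parse_log(CONSTRUCTED_LOG)))))
```

On the constructed log the two post-revocation events each raise both findings, and sess-7f3a is the only session to revoke; bob's unchanged session raises nothing. In a real deployment the binding would compare coarser attributes (ASN or device identity rather than exact IP) to avoid noise from roaming clients, but the revocation-gap check should stay strict: a session that is still accepted after its user was disabled is exactly the window a buyer of stolen cookies is paying for.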

A growing focus on internal security resilience

The CrowdStrike incident highlights a broader shift in the threat landscape, where criminal groups increasingly seek insiders to help bypass corporate defences. As the Scattered Lapsus$ Hunters continue expanding their operations, security teams across sectors face rising pressure to strengthen internal controls, monitor for unusual behaviour, and maintain rapid incident response processes.

CrowdStrike states it continues to cooperate with law enforcement as the investigation proceeds.
