Cybersecurity firm CrowdStrike confirmed the termination of a “suspicious insider” who allegedly shared internal information with hackers. The move came after an internal investigation revealed that the individual had leaked images of his computer screen externally, potentially exposing sensitive company dashboards.
The hacker collective known as Scattered Lapsus$ Hunters later posted screenshots on a public Telegram channel, claiming insider access to CrowdStrike systems. The images reportedly included dashboards with links to internal resources, such as employees’ Okta dashboards, which are used to access company applications.
The CrowdStrike Insider Threat Incident
In a statement to The Cyber Express, a CrowdStrike spokesperson clarified the situation:
“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.”
The hackers alleged that they gained access to CrowdStrike through a recent breach at Gainsight, a customer relationship management platform used by Salesforce clients to manage customer data. According to their claims, the stolen information from from this was leveraged to breach the cybersecurity company’s internal systems. However, CrowdStrike rejected these as “false” claims.
Understanding Scattered Lapsus$ Hunters
The Scattered Lapsus$ Hunters collective operates as a “supergroup,” combining the capabilities of multiple cybercriminal organizations. Its members draw expertise from Scattered Spider, LAPSUS$, and ShinyHunters to conduct high-impact campaigns targeting high-value enterprise environments, particularly SaaS platforms, as well as companies in retail, aviation, fashion, and insurance.
Scattered Spider, also known under aliases such as UNC3944, 0ktapus, and Octo Tempest, focuses on IT help desks, telecommunications, and large enterprise environments. Its members, often aged 19–22, are known for advanced social engineering tactics including SMS phishing (smishing), phone-based help-desk impersonation, and SIM swapping.
LAPSUS$ first drew attention with a ransomware attack on the Brazilian Ministry of Health in December 2021, which compromised millions of COVID-19 vaccination records. Since then, it has targeted major technology companies.
ShinyHunters is a financially motivated group specializing in data theft and extortion rather than ransomware. Active from 2020, it primarily exploits SaaS and cloud platforms via social engineering, including vishing (voice phishing), followed by large-scale data exfiltration. The group has continued operations, introducing a ransomware variant called shinysp1d3r that targets VMware ESXi hosts.
This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on this insider threat incident or any additional information on Scattered Lapsus$ Hunters.
The CrowdStrike insider incident highlights the risk of suspicious insiders who break the organizations from the inside. Groups like Scattered Lapsus$ Hunters take advantage of such insiders to steal information from big organizations. While CrowdStrike confirmed no systems were compromised, the case denotes the importance of proactive threat intelligence and continuous monitoring.
Platforms like Cyble, with AI-powered threat detection and autonomous cybersecurity capabilities, demonstrate how organizations can identify exposed assets, track insider activity, and mitigate risks before they escalate.
