👤 INTEGRITYFOX
🗓️ 07 Sep 2025  

Under Siege: Hackers Demand Google Fire Its Own or Face a Data Bomb

Cybercrime coalition "Scattered Lapsus$ Hunters" threatens Google with a data leak unless two security analysts are fired and investigations into hacker groups are dropped.

Fast Facts

  • On September 1, 2025, a Telegram ultimatum threatened Google with a data leak unless two security experts were fired.
  • The threat comes from "Scattered Lapsus$ Hunters," a coalition blending tactics of Scattered Spider, Lapsus$, and ShinyHunters.
  • Targets include a Google Threat Intelligence Group analyst and a former Mandiant researcher.
  • Demands also include halting investigations into several known cybercrime groups tracked by Google and Mandiant.
  • No direct evidence of a breach has been provided, but a related August 2025 attack exposed business contact data.

A Brazen Ultimatum in the Cyber Shadows

Picture Silicon Valley in late summer: while most of the tech world is prepping for autumn launches, Google’s security team is blindsided by a message out of the digital underworld. On a Telegram channel infamous for cyber extortion, “Scattered Lapsus$ Hunters” issued an unprecedented demand: fire two of your own, or we’ll spill your secrets.

This wasn’t the usual ransom note. The hackers, drawing their name and style from notorious groups like Scattered Spider, Lapsus$, and ShinyHunters, focused their attack on people - not just data. Their message to CEO Sundar Pichai specifically named two high-profile security experts, one from Google’s Threat Intelligence Group and another recently acquired through Google’s purchase of Mandiant, a major incident response firm.

More Than Money: Targeting the Defenders

Typically, cybercriminals chase financial gain or sensitive information. But this threat is personal. By demanding the firing of analysts who track cybercrime groups - known as “UNC” clusters - Scattered Lapsus$ Hunters are trying a new tactic: weaken the opposition by removing the hunters. According to the original Telegram post (as reported in the Netcrook cluster), the group also wants Google to stop investigating several UNC-numbered groups, which are labels for active hacking collectives tracked by industry experts.

Such a demand is rare. “Threatening to expose data as leverage for firing specific defenders is a calculated move to disrupt investigations,” says a recent report from Recorded Future, which tracks cybercrime trends. Publicly naming individuals puts a human face on the cyber war, escalating the stakes and potentially endangering personal safety.

The Data Dilemma: Real Breach or Bluff?

Despite the dramatic threats, the group has yet to provide evidence of deep access to Google’s internal systems. The only recent breach with a proven link was in August 2025, when ShinyHunters compromised a Salesforce system used by Google for business communications. That incident leaked contact info and opened the door for phishing - fraudulent emails aiming to trick employees - but did not touch core user data or Google’s crown jewels.

Security experts, including those at Mandiant (now part of Google), believe these new threats are less about actual data theft and more about intimidation. By sowing fear and uncertainty, the hackers hope to slow or stop ongoing investigations into their own activities. As seen in past high-profile attacks - such as the 2022 Lapsus$ breaches of Microsoft and Okta - public extortion campaigns are often as much about psychological warfare as technical prowess (see coverage by KrebsOnSecurity and The Record).

Why This Matters: The Market and the Message

Google’s security teams are on the front lines of a global cyber conflict. When attackers target defenders, it’s more than an internal drama - it’s an attempt to tip the scales in a much larger battle. Analysts warn that if such threats succeed, it could encourage “headhunting” tactics across the industry, putting skilled professionals at risk and undermining corporate resilience.

As of publication, Google has not responded publicly to the ultimatum. But the world is watching: the outcome may set the tone for how tech giants - and their staff - handle the next wave of cyber blackmail.

WIKICROOK

  • Threat Intelligence Group: A Threat Intelligence Group is a team that investigates, tracks, and analyzes cyber threats and attackers to help protect an organization’s digital assets.
  • Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
  • UNC (Unknown Numbered Cluster): UNC refers to unidentified hacker groups tracked by cybersecurity experts before their identities or sponsors are confirmed.
  • Data Leak: A data leak is the unauthorized release of confidential information, often exposing sensitive data to the public or malicious actors.
  • Extortionware: Extortionware is a cyberattack where criminals threaten to leak stolen data unless the victim pays a ransom or meets their demands.

INTEGRITYFOX
Data Trust & Manipulation Analyst