CrowdStrike Terminates ‘Suspicious Insider’ Linked to Scattered Lapsus$ Hunters

24 November 2025 at 04:41

CrowdStrike Insider Threat

Cybersecurity firm CrowdStrike confirmed the termination of a “suspicious insider” who allegedly shared internal information with hackers. The move came after an internal investigation revealed that the individual had leaked images of his computer screen externally, potentially exposing sensitive company dashboards.  The hacker collective known as Scattered Lapsus$ Hunters later posted screenshots on a public Telegram channel, claiming insider access to CrowdStrike systems. The images reportedly included dashboards with links to internal resources, such as employees’ Okta dashboards, which are used to access company applications. 

The CrowdStrike Insider Threat Incident 

In a statement to The Cyber Express, a CrowdStrike spokesperson clarified the situation:
“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.” 
The hackers alleged that they gained access to CrowdStrike through a recent breach at Gainsight, a customer relationship management platform used by Salesforce clients to manage customer data. According to their claims, the information stolen in that breach was leveraged to break into the cybersecurity company's internal systems. CrowdStrike, however, rejected these claims as “false.”

Understanding Scattered Lapsus$ Hunters 

The Scattered Lapsus$ Hunters collective operates as a “supergroup,” combining the capabilities of multiple cybercriminal organizations. Its members draw expertise from Scattered Spider, LAPSUS$, and ShinyHunters to conduct high-impact campaigns against high-value enterprise environments, particularly SaaS platforms, as well as companies in retail, aviation, fashion, and insurance.

Scattered Spider, also known under aliases such as UNC3944, 0ktapus, and Octo Tempest, focuses on IT help desks, telecommunications, and large enterprise environments. Its members, often aged 19–22, are known for advanced social engineering tactics including SMS phishing (smishing), phone-based help-desk impersonation, and SIM swapping.

LAPSUS$ first drew attention with a ransomware attack on the Brazilian Ministry of Health in December 2021, which compromised millions of COVID-19 vaccination records. Since then, it has targeted major technology companies.

ShinyHunters is a financially motivated group specializing in data theft and extortion rather than ransomware. Active since 2020, it primarily exploits SaaS and cloud platforms via social engineering, including vishing (voice phishing), followed by large-scale data exfiltration. The group has continued operations, introducing a ransomware variant called shinysp1d3r that targets VMware ESXi hosts.

This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on this insider threat incident or any additional information on Scattered Lapsus$ Hunters.

The CrowdStrike insider incident highlights the risk posed by insiders who undermine an organization from within. Groups like Scattered Lapsus$ Hunters take advantage of such insiders to steal information from large organizations. While CrowdStrike confirmed that no systems were compromised, the case underscores the importance of proactive threat intelligence and continuous monitoring.
Platforms like Cyble, with AI-powered threat detection and autonomous cybersecurity capabilities, demonstrate how organizations can identify exposed assets, track insider activity, and mitigate risks before they escalate.  
Experience Cyble firsthand—book a free demo to uncover vulnerabilities and detect suspicious insiders right now. 

Scattered Spider Teens Plead Not Guilty in UK Court

21 November 2025 at 13:52

Two alleged members of the Scattered Spider threat group pleaded not guilty today to charges related to a cyberattack on Transport for London in August 2024. Thalha Jubair, 19, of east London, and Owen Flowers, 18, from Walsall in the West Midlands, were arrested in the UK in September. They appeared before Southwark Crown Court today and entered not guilty pleas to charges of conspiring to commit unauthorized acts against computer systems belonging to Transport for London (TfL), according to news reports. Sky News reported that the two “stood in the dock together and spoke only to confirm their names and enter not guilty pleas.” The charge states in part that the two are accused of "causing, or creating a significant risk of, serious damage to human welfare and intending to cause such damage or being reckless as to whether such damage was caused." Flowers is also accused of unauthorized acts against computer systems belonging to SSM Health, and of attempting to commit unauthorized acts against computer systems belonging to Sutter Health. Jubair is also accused of failing to disclose the PIN or passwords for devices seized from him in March 2025, and he also faces substantial charges in the U.S. Both men continue to be held on remand, the BBC reported.

Scattered Spider Trial Date Set

A provisional trial date has been set for June 8, 2026, at Southwark Crown Court, with a pre-trial hearing scheduled for February 13. The cyberattack allegedly caused £39m of damage and disrupted TfL services for three months. While transport itself was unaffected, many TfL online services and information boards were knocked offline as part of the attack. Traffic cameras and "dial a ride" bookings were some of the affected services, and some payment systems were also affected. Personal data including names, emails and home addresses were accessed, and TfL was forced to inform thousands of customers that there may have been unauthorized access to personal information that may have included bank account numbers and sort codes.

Jubair Faces U.S. Charges Too

Jubair has also been charged by the U.S. Department of Justice (DoJ) with conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extortion involving 47 U.S. entities. The unsealed U.S. complaint alleged that Jubair’s victims paid at least $115 million in ransom payments. The U.S. claims Jubair could face up to 95 years in prison on the charges. Scattered Spider recently joined with ShinyHunters and LAPSUS$ to form the Scattered LAPSUS$ Hunters threat collective, which remains active. Recent attacks by the group have targeted Salesforce data, including one involving the Gainsight customer success platform this week. Scattered LAPSUS$ Hunters also claims to have been behind an insider attack at security vendor CrowdStrike, according to Bleeping Computer, although CrowdStrike says its systems and customer data were not affected by the incident.

Salesforce Warns that Customer Data May Have Been Accessed Through Gainsight App

20 November 2025 at 15:09

Salesforce is investigating potential unauthorized access to customers’ Salesforce data that may have occurred through the Gainsight customer success platform. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” Salesforce said in an advisory today. The Salesforce advisory was short on detail, but the incident appears to share similarities with a recent OAuth-based breach of the Salesloft Drift platform that compromised the Salesforce environments of dozens, if not hundreds, of organizations. That breach was linked to the Scattered LAPSUS$ Hunters threat group. In an email exchange with The Cyber Express, Scattered LAPSUS$ Hunters also claimed responsibility for the current Gainsight incident. “Yes, we are responsible for it,” the group told The Cyber Express. “Nearly 300 organisations are affected by it.” The group named four large organizations allegedly hit in the latest incident, but it is The Cyber Express’ policy not to name unconfirmed cyberattack victims.

Salesforce Detects ‘Unusual Activity’ Involving Gainsight App

Salesforce said in the advisory that it has identified “unusual activity involving Gainsight-published applications connected to Salesforce.” Those apps are installed and managed directly by customers. “Our investigation indicates this activity may have enabled unauthorized access to certain customers’ Salesforce data through the app’s connection,” the CRM vendor said. “Upon detecting the activity, Salesforce revoked all active access and refresh tokens associated with Gainsight-published applications connected to Salesforce and temporarily removed those applications from the AppExchange while our investigation continues.” Salesforce said there is “no indication” that the incident resulted from a vulnerability in the Salesforce platform. “The activity appears to be related to the app’s external connection to Salesforce,” the company said. Salesforce said it has notified known affected customers directly and will continue to provide updates. The CRM vendor said customers who need assistance can reach the company through Salesforce Help.

Salesloft Drift Breach Affected Gainsight Too

It will be some time before the extent of the current incident is known, but the Salesloft Drift incident affected the CRM environments of scores of well-known companies, among them Google, Cloudflare, Palo Alto Networks, and many more prominent names. The Scattered LAPSUS$ threat group launched social engineering attacks on Salesforce environments too. Scattered LAPSUS$ Hunters claims 760 organizations were hit in the Salesloft Drift incident, one of which was Gainsight’s own Salesforce environment. The Cyber Express has reached out to Gainsight for comment and will update this story as new information emerges.