The Scattered LAPSUS$ Hunters cybercrime group has now claimed responsibility for a series of major security incidents that occurred earlier this year, including the previously undisclosed breach of Red Hat in September and two large-scale data thefts from S&P Global and the Credit Institute of Vietnam (CIC) dating back to February 2025.
The group made the claims on Monday, October 6, via an update to its extortion website. This move officially links them to incidents that were either unconfirmed or unattributed at the time they occurred.
The claim regarding Red Hat appears to be connected to a security event the company was investigating in mid-September 2025. While Red Hat had not publicly confirmed a data breach, the details supplied by the threat actor, including the exfiltration of 28,000 git repositories and sensitive client data, offer the first public insight into the potential scale of that event.
Similarly, the claims against S&P Global and CIC Vietnam may solve the mystery of two massive financial and PII datasets that briefly circulated on dark web forums in February. The authenticity of that data was debated at the time, but Scattered LAPSUS$ Hunters are now asserting they were behind the original breaches.
The list of victims added to the group’s site includes:
- Red Hat, Inc. (🇺🇸): A leading provider of enterprise open-source software solutions, owned by IBM.
- Credit Institute of Vietnam (CIC) (🇻🇳): Vietnam’s national credit information center, a public service entity under the State Bank of Vietnam.
- S&P Global (🇺🇸): A major American corporation specializing in financial information and analytics.
The threat actor has provided detailed claims about the data exfiltrated from each organization, setting a ransom deadline of October 10, 2025, for all three.
For Red Hat, the group describes the incident as a major intellectual property breach, with the allegedly compromised data including:
- Over 28,000 git repositories.
- Client Consulting Engagement Records (CERs).
- Client secrets, including Artifactory access tokens, git tokens, and credentials for Azure and Docker.
- Confidential data from over 5,000 Red Hat customers, including Citigroup, JPMorgan Chase, HSBC, Siemens, and Verizon.
- Personal data that falls under GDPR and CCPA regulations.

From the Credit Institute of Vietnam, the group claims to have stolen over 160 million records of sensitive personal information, including:
- Full Names
- Email Addresses
- Phone Numbers
- Dates of Birth
- Citizen, National, Passport, Military, and Student ID numbers
- Credit cards
- Customer account identifiers tied to financial data

Regarding S&P Global, the compromised data is described as “multiple billions” of records, including:
- Personally Identifiable Information (PII).
- Data on small, medium, and large companies.
- Extensive stock and financial data.
