Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies
Scattered LAPSUS$ Hunters admin “Rey,” allegedly a 15-year-old named Saif Khader from Jordan, has been named in a report linking him to the group. He denies the claim.
A 15‑year‑old in Jordan who goes by the handle “Rey” online has allegedly been identified as a key figure in the hacking crew Scattered Lapsus$ Hunters (SLH/SLSH), a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters. The supposed unmasking and the agreement to speak came earlier this week, after Rey allegedly contacted the reporter directly.
The claim surfaced after cybersecurity reporter KrebsOnSecurity allegedly traced Rey’s real‑world family details and reached out to someone believed to be his father, Zaid Khader, an airline pilot thought to work for Royal Jordanian Airlines. After that message was sent, the teen, whose name is allegedly Saif Al‑Din Khader and who turns 16 next month, got in touch. Saif is allegedly one of three administrators running the SLSH Telegram channel.
**The Clues that Pointed to Rey**
The hacker, who also used the name Hikki‑Chan in the past, allegedly made several simple mistakes that exposed identifying information. He was allegedly an administrator at BreachForums, a criminal marketplace taken down more than once by the FBI.
According to the report by Brian Krebs, Rey allegedly posted a screenshot that revealed his own password while using the Telegram name @wristmug. He also allegedly shared personal hints in a cybercrime channel called Jacuzzi, including that his father was a pilot.
A Telegram message by Rey (Source: KrebsOnSecurity)
Krebs’ investigation allegedly connected this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname Khader and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.
The SLSH group, a mix of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also allegedly tried to recruit company insiders, with one CrowdStrike employee fired after allegedly sending internal screenshots to SLSH.
The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.
Rey confirming the association with the surname (Source: KrebsOnSecurity)
**SLSH Dismisses Findings**
According to KrebsOnSecurity, Saif claimed he’s been trying to quit the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be prison time or whatever they’re gonna say,” the teen said.
In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to damage” their reputation.
The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different techniques.” They also accused the journalist of twisting Saif’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.
“We both know how badly this obsession is hurting you :).”
The post concluded with a stunning challenge: “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”
**Check out their full response:**
"From what I can tell, Mr. Krebs, your “research” is nothing more than a desperate attempt to damage my reputation and a cheap way for you to show off.
We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into an entire article.
Congratulations, Krebs! You finally learned how to use Google.
1. The individual in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as “o5tdev” (using completely different techniques) long after I began operating as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.
2. When we spoke, you deliberately fired off questions without ever disclosing it was an “interview.” You falsely implied I was connected to ShinySpider ransomware. Out of nowhere you asked, “Why are you still going with SLSH?” I answered that it’s hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.
3. You also asked if ShinySpider was AI-generated… I said I didn’t know and that the only thing I have done was simply sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are now completely different ransomware variants. Everyone knows you’re just someone who recycles old garbage for a bit of attention.
4. You structured your article to make it appear as though you contacted “the father” first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying “Hi, it’s Saif!”
You’re probably wondering how I knew you were planning to “expose” me. Simple. It’s the same way I know that person is not me, yet still related. Don’t worry, Krebs, I know exactly who that Saif is.
5. You’re so intellectually dishonest that you’re still trying to pin the “Sp1d3rHunters” persona from last year’s SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in five seconds that it wasn’t me. So either you’re incompetent and can’t read your own evidence, or you knowingly pushed a lie. That IS called projection.
6. You went out of your way to paint me as the “core” of SLSH when you know that’s nonsense. Why didn’t you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?
7. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, etc. You explicitly claimed the person “Saif” was operating under the alias “o5tdev,” defacing websites, probably via WordPress vulns. Does it make any sense that someone would turn from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?
We both know how badly this obsession is hurting you :)
It’s time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (he’s retarded, anyways) and actually contributed to his arrest.
So here’s my offer, Brian:
I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.
I’ll pay you 15 BTC if, thanks to your article, I ever get a knock on the door from local law enforcement for the things you accused me of."
**Infostealer Connection**
Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity. According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.
Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an Infostealer infection that exposed previously used aliases on hacking forums.
That infection was linked to a Jordanian individual named Saif Khader. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.
Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey may have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level didn’t match the persona that went on to run ransomware and extortion operations. That contrast, he said, still surprises him.
Still, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:
- Rey continued operating publicly after being exposed, even mocking the original KELA research online, before his account was banned.
- The infection dates back to January 2024, meaning law enforcement likely had months to act, but didn’t, despite Rey being one of the most active threat actors in recent memory.
- The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.
Despite this denial, William Wright, CEO of Closed Door Security, shared his views with Hackread.com, stating that this investigation is a “brilliant piece of investigative journalism.” He noted that while positive, “there will be a lot of concern among the general public around how a 15-year-old could cause so much damage to some of the biggest organisations in the UK.”
Wright cautioned that the reality is “not so simple,” adding: “Rey was collaborating with Russian threat actors, using their infrastructure to execute highly sophisticated attacks.” He concluded, “Rey claims to be working with law enforcement now, which is causing trouble across the Scattered Lapsus$ Hunter Telegram channel. This could lead to other members of the gang being identified, but Rey may get off lightly if he supports law enforcement enough.”