Scattered Lapsus$ Hunters Demand Google Fire Security Experts or Face Data Leak

On Monday, September 1st 2025, a message appeared on a Telegram channel linked to several of the most talked-about cybercrime groups of the past few years. The message, addressed directly to Google CEO Sundar Pichai, demanded that two members of the company’s security team be fired. If Google refused, the hackers threatened to leak what they claimed to be internal databases.

The group behind the threat calls itself “Scattered Lapsus$ Hunters,” a coalition that combines the tactics and branding of Scattered Spider, Lapsu$, and ShinyHunters. In their statement, they singled out Austin Larsen, a principal threat analyst at Google’s Threat Intelligence Group, and Charles Carmakal, a well-known cybersecurity leader who joined Google following its acquisition of Mandiant.

The hackers also “ordered” Google’s security teams to drop their ongoing investigations into several UNC-numbered groups, which are tracked clusters of malicious activity identified by incident response experts.

The Telegram message was explicit in tone. It warned that unless Larsen and Carmakal were terminated and Google Threat Intelligence Group and Mandiant stopped investigating activity attributed to UNC3944, UNC5537, UNC6040, UNC6240, and UNC6395, the group would leak data they claim to have obtained from Google.

So far, they have offered no proof of direct access to Google’s internal systems. However, what adds weight to the situation is the August 2025 activity of ShinyHunters, which previously targeted a Salesforce system used by Google for business communications.

That breach exposed contact information and created opportunities for phishing campaigns, but it did not compromise Gmail accounts or consumer-facing services. Security experts believe the latest demands are more about intimidation and disruption of ongoing investigations than about any confirmed access to Google’s core infrastructure.

The inclusion of individual names in the threat is unusual, even for high-profile cybercrime groups. Typically, hackers focus on financial extortion or stealing sensitive data, but calling for the firing of specific analysts points to a calculated attempt to weaken Google’s ability to track and counter their operations.

Both Larsen and Carmakal have backgrounds in responding to sophisticated incidents and coordinating defence strategies against governments and state-linked and financially motivated groups.

Google has not issued a public response to the Telegram ultimatum. As the screenshots above show, the group has continued to repeat its demands, warning that unless the named employees are dismissed, they will leak what they claim to be stolen Google data.