Scattered LAPSUS$ Hunters Posts Defence-Database Sale Sweep

Events tracked: 164
Critical exposure: 86

Summary

The day's headline pattern is concentration: a single actor cluster posted a sale sweep spanning more than twenty defence and government databases across a dozen countries, while a separate scraping-style operator dumped national-database lists for 16 unrelated countries. Defenders should treat both as catalogues to validate against their own footprint rather than as confirmed compromises -- the forum economics reward the size of the claim more than the proof, and false catalogues are a measurable share of the day's volume.

Today's developments

Scattered LAPSUS$ Hunters dominated the forum board with a single coordinated sale sweep covering more than twenty separate victims. On the Western defence side the listing claimed databases from the UK Government and the NATO Research and Technology Agency, the United States Navy and Naval Air Systems Command, NASA's Glenn Research Center, and the defence ministries of Spain, Italy, the Netherlands, Latvia and France. The actor also listed the Polish Space Agency and Singapore's Defence Science and Technology Agency, the Australian Department of Defence and the Canadian Armed Forces, and -- across the Atlantic -- Mexico's Secretariat of the Navy.

Outside the defence stack the same actor claimed the Turkish Government wholesale, Georgia's Ministry of Foreign Affairs, Egypt's Ministry of Education and Technical Education, and four corporate or platform victims: Canadian apparel firm Canada Goose, US fintech Abrigo, education-software vendor Canvas LMS and file-host KrakenFiles. A sweep this wide -- 22 government, defence, aerospace, retail, fintech and software targets posted as one bundle -- typically signals either an aggregator reselling other actors' material or a single offensive operation that has been sitting unseen for some time; defenders in these verticals should treat each entry as a hypothesis worth disproving with their own access logs.

Other forum activity was bilateral. NormalLeVrai posted claimed breaches of design tool Canva, headquartered in Australia, and of Meta-owned messaging service WhatsApp -- two of the most consequential consumer-brand claims of the day, neither yet corroborated. Nauan listed a database sale of US fintech LendingTree. Mexico-focused operator Z3r00 claimed a breach of the Instituto Nacional Electoral (INE) in Sinaloa, a politically sensitive electoral-roll target. Whale Market claimed Serbia's Ministry of Internal Affairs. KYCMyASS posted what it called Belgium passport documents and Netherlands driving licences. JAX7 listed Indonesia's Directorate General of Civil Aviation. EXADOS listed Thailand's Royal Irrigation Department. Keymous listed Morocco's Ministry of Foreign Affairs, African Cooperation and Moroccan Expatriates. The Israeli-targeted cluster 404 CREW CYBER TEAM posted three Israeli victims (O.M.C Computers, the Israel Pharmacists Association and the Israeli Endocrinology Society).

Operator hackerxyx ran a tight Uzbekistan cluster of at least seven listings -- Ipoteka Bank, the RAQAMLI TA'LIM educational platform, MinIO, Najot Ta'lim, qtepa Lavash and TIFTO -- plus EGaz Pharma in Egypt and MedClinics in Turkey. The BlackH4t MD-Ghost posted 16 nation-level "database leaks" against Brazil, Canada, Chile, Germany, Iran, Iraq, Israel, Monaco, Morocco, Myanmar, New Zealand (Mega), Norway, Oman, Serbia and Sweden -- a volume and uniformity that typically marks a scraping-style aggregator rather than a discrete intrusion.

Threat landscape signals

The day produced 164 events -- a heavy volume by any week's standard -- of which 86 were categorised as Data Breach or Data Leak. Scattered LAPSUS$ Hunters alone accounted for 23 events, roughly 14 percent of the day, with a payload that concentrates structurally on defence and government rather than on the financial and IT verticals the actor cluster has historically favoured. The top three actors -- Scattered LAPSUS$ Hunters, The BlackH4t MD-Ghost and Nyxera.vx -- held about 30 percent of the day's volume; the actor tail is otherwise long and unrelated. By victim country, France (16), the United States (15), India (13) and Indonesia (13) topped the list, with the United Kingdom, Uzbekistan and Israel forming a second tier. In that frame, the week's forum traffic reads less like a fresh wave of intrusions than like a splinter network monetising older footholds against Western military procurement and aerospace research stacks; treat any forum claim against your verticals as an indicator to investigate, not as an attestation that you have been breached.

All incidents are reported as alleged claims by threat actors and have not been independently verified by GrayscaleInsight.

Threat intelligence is reported for security awareness purposes only and does not constitute endorsement of any actor, group, or activity.
