
The Phish Bowl Explores How Identity is Under Attack, Scattered LAPSUS$ Hunters, and Cybercrime Trends

Stephanie Schneider, Published January 29, 2026

It’s the start of a new year, which means it’s time for two things: 1) People are (hopefully) sticking to their New Year’s resolutions; and 2) We’re heading into Data Privacy Week, an international effort led by the National Cybersecurity Alliance to help individuals and businesses take control of their data. In 2026, controlling your data increasingly comes down to controlling identity. Stolen credentials, password reuse, MFA fatigue, and social engineering are now the primary ways attackers get in: not by breaking systems, but by persuading people. That shift is also changing how cybercriminal groups operate. One of the clearest examples is a loose ecosystem known as Scattered Lapsus$ Hunters. This group targets a wide range of organizations and relies on compromised identities, help desk manipulation, and speed.

In the latest episode of The Phish Bowl, moderated by Jordan Sher, cyber threat intelligence experts Mike Kosak and Stephanie Schneider connect these dots. We talk about data privacy, why identity sits at the center of it, and what groups like Scattered Lapsus$ Hunters tell us about the evolution of social engineering. And with special guest Nate Howard from Flashpoint, we look at how threat intelligence, including visibility into the deep and dark web, helps defenders spot attacks before they land.

Whether your New Year’s resolution was to get smarter on cybersecurity, or you’re responsible for protecting users, systems, and data without a massive security team, we’re glad you’re starting off 2026 on the right foot with us. Let’s get into it.

Trinity of Chaos: Scattered Lapsus$ Hunters

Social engineering is about manipulating the human element of security. It preys on basic human behavior, which is what makes it so effective: it’s easier to hack people than it is to hack machines. Common tactics include phishing, vishing and smishing, baiting and tailgating, and pretexting. Social engineering will almost certainly remain a threat to all organizations, big and small, in 2026.

Scattered Lapsus$ Hunters is one of the most effective cybercriminal groups excelling at social engineering to gain access to accounts or networks. They were behind several attacks last year, including the attack on Jaguar Land Rover, which disrupted the larger automotive supply chain for months with a reported loss of £485 million to £559 million ($637M - $736M) for Q3 2025. The attack was estimated to have a broader impact on the UK economy, potentially reaching over $2 billion.

It’s an amalgamation of three different groups that have been kicking around (Scattered Spider, Lapsus$, and ShinyHunters) and are part of a community called The Com, where they share social engineering techniques. We can follow some of the conversations they’re having on the deep and dark web (DDW) to monitor the group’s interests and capabilities, and to infer where (which organizations or sectors) and how (with what tactics) they might strike next.

Interview with Nate from Flashpoint

Our special guest is Nate Howard, Flashpoint’s Senior Manager on the Customer Success Team, joining us to talk about his perspectives on the deep and dark web (DDW), how artificial intelligence (AI) will shape cyber threats, and real-world examples of how having access to intelligence can allow organizations to take proactive measures against threats.

With roots in network engineering and a career that grew into security intelligence and digital offensive security, Nate has spent years countering threats from both sides of the wire. His deep experience across the deep and dark web provides a firsthand understanding of adversary ecosystems, emerging attack techniques, and how defenders can stay ahead. At Flashpoint, he supports efforts that can be broken down into three pillars: 1) collecting data from across the DDW, 2) creating quality, finished intelligence products, and 3) providing services that make intelligence actionable, so customers can be proactive and drive success in their own organizations.

People see the DDW as a mysterious place, but Nate explains that it’s actually closer to where we normally operate than you might think. It’s essentially made up of forums, blogs, and chat services that are relatively easy to find and access over Tor. Threat actors like Scattered Lapsus$ Hunters operate somewhat out in the open on the DDW, which gives defenders an advantage: we can monitor them (their personalities, TTPs, and so on), understand the context around leaked data, and respond proactively.

Talking about the types of threats organizations should be most concerned with, Nate explained why agentic AI will continue to pose a significant threat: it lets threat actors who previously lacked the capability for certain attacks carry them out, and it commodifies those attacks. AI will affect various attack types, particularly phishing and other social engineering tactics, and will allow attackers to broaden the scale and scope of their campaigns. Infostealers and CVE volatility are other threats organizations should pay attention to, according to Nate.

Actioning intelligence in real life: mitigating exposed employee credentials

To really drive home how valuable technical data and real-time visibility into the human side of security can be, and what you can do when you have access to it, Nate talked about a real-world example he says Flashpoint frequently delivers: mitigating exposed credentials. Because of Flashpoint’s broad access to stealer logs, forums, and chat services, they’re able to find employee credentials that are circulating and have the ability to monitor and alert an affected organization when employee credentials are compromised. This rapid alerting enables companies to act quickly to prevent data loss.

Infostealers are frequently behind breaches, silently grabbing credentials and other sensitive information and selling or posting them online to be used in other attacks. For instance, an infostealer was behind the Snowflake breach in 2024, allowing attackers to take leaked credentials and log in to accounts not protected with multi-factor authentication (MFA).
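The two paragraphs above describe the defender's side of the stealer-log problem: find records that belong to your organization, alert on them, and prioritize the accounts that have no MFA to fall back on. The following Python script is an added example of that triage logic and is not Flashpoint's or LastPass's code. The pipe-separated log format, the sample records, the monitored domain `example.com`, and the `MFA_STATUS` identity-provider export are all constructed for the example; real stealer logs come in many layouts, so the parser is the part you would adapt.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in a simple "url|username|password" layout.
# This is not a real stealer log and the format is an assumption for the example.
SAMPLE_STEALER_LOG = """\
# machine: DESKTOP-A1 (constructed sample)
https://sso.example.com/login|alice@example.com|Winter2025!
https://mail.example.com/|bob@example.com|hunter2
https://shop.unrelated.test/account|alice@gmail.com|Winter2025!
https://sso.example.com/login|alice@example.com|Winter2025!
https://vpn.partner.example.org/|carol@partner.example.org|Pa55word
"""

# Domains the organization owns; both the service host and the account's
# email domain are matched against this set.
MONITORED_DOMAINS = {"example.com"}

# Constructed identity-provider export: which monitored accounts have MFA enrolled.
MFA_STATUS = {"alice@example.com": True, "bob@example.com": False}


@dataclass(frozen=True)
class Credential:
    url: str
    username: str
    password: str


def parse_stealer_log(text):
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    creds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        url, user, pw = (p.strip() for p in parts)
        creds.append(Credential(url, user.lower(), pw))
    return creds


def _host_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def is_monitored(cred, domains=MONITORED_DOMAINS):
    """True if the record touches a monitored service or a monitored email domain."""
    host = (urlsplit(cred.url).hostname or "").lower()
    user_domain = cred.username.rsplit("@", 1)[-1] if "@" in cred.username else ""
    return any(_host_matches(host, d) or user_domain == d for d in domains)


def password_fingerprint(pw):
    # Truncated SHA-256 lets the organization correlate the alert with its own
    # directory without the alert carrying the plaintext password.
    return hashlib.sha256(pw.encode()).hexdigest()[:12]


def build_alerts(text, domains=MONITORED_DOMAINS, mfa_status=MFA_STATUS):
    """Deduplicate monitored exposures and rank accounts without MFA first."""
    seen = set()
    alerts = []
    for cred in parse_stealer_log(text):
        if not is_monitored(cred, domains):
            continue
        key = (cred.username, cred.url, password_fingerprint(cred.password))
        if key in seen:
            continue
        seen.add(key)
        # Unknown MFA state is treated as not enrolled: a conservative default.
        has_mfa = bool(mfa_status.get(cred.username))
        alerts.append({
            "username": cred.username,
            "url": cred.url,
            "mfa_enrolled": has_mfa,
            "severity": "medium" if has_mfa else "high",
            "password_fingerprint": password_fingerprint(cred.password),
        })
    alerts.sort(key=lambda a: (a["severity"] != "high", a["username"]))
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_STEALER_LOG):
        print(alert)
```

On the sample input the script produces two alerts: the duplicate `alice@example.com` record collapses to one medium-severity alert because that account has MFA enrolled, while `bob@example.com` is ranked high because it does not, which is exactly the kind of account the Snowflake intrusions went after. The gmail and partner-domain records are ignored because neither the host nor the email domain is one the organization monitors.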

Listen to the full episode

Catch the full episode and additional resources for more cyber threat insights from the LastPass Threat Intelligence, Mitigations, and Escalations (TIME) Team.

  • Listen to the full episode of The Phish Bowl wherever you get your podcasts.
  • Subscribe for monthly threat intel deep dives.
  • Access LastPass's Regional Report for detailed analysis of recent APAC trends and activity.
  • Check out the LastPass Labs blog for more insights.

See you back in February to talk about European cyber threats!
