Skip to main content
CybersecuritySocial Engineering

Lapsus$ Hunters Pose Dangerous, Exclusive Threat to Zendesk

Lapsus$ Hunters Pose Dangerous, Exclusive Threat to Zendesk

What happens when a patchable misstep meets a novel form of crowd-powered coercion? “We will never stop,” vowed members of the loose collective known as Scattered Lapsus$ Hunters after a recent takedown, a refrain that speaks less to permanence than to persistence—and it is persistence that now appears to threaten Zendesk through a fresh phishing campaign, according to reporting that traces new malicious domains to the group’s activity.

Security researchers have identified a cluster of phishing domains and related infrastructure that point to a campaign tied to the Scattered Lapsus$ Hunters collective, a derivative of the original Lapsus$ phenomenon known for credential theft, data leaks and extortion. Analysts say the new activity leans heavily on social‑engineering and credential-capture techniques aimed at support platforms and enterprise help‑desks—precisely the type of surface a company like Zendesk exposes by design as a customer‑service backbone for thousands of organizations .

Background matters. Lapsus$ first drew widespread attention in 2021–2022 for high‑profile breaches that combined social engineering with brute‑force credential access and public shaming. Scattered Lapsus$ Hunters, a looser, younger and oft‑renamed spin on that model, has experimented with new tactics: crowd‑sourced harassment incentivized by micropayments, rapid rebranding after enforcement actions, and campaigns that shift attention away from heavy‑payload ransomware toward scalable nuisance and leak pressure. Those shifts complicate detection and response because the actors prize notoriety, operate in ephemeral channels, and can rapidly fragment across platforms when visible infrastructure is seized .

At issue now is exclusivity and access. Zendesk, like other SaaS support platforms, acts as an operational pivot: agents often access customer accounts, reset passwords, and handle sensitive requests. A targeted phishing campaign that compromises support credentials can provide an adversary with privileged routes into corporate and customer data without needing to break hardened perimeter defenses. Researchers say the newly observed phishing domains mimic legitimate Zendesk workflows and branding—an effective lure for overworked or inattentive staff and for reused or weak credentials that the collective has exploited before .

Why this threatens more than a single vendor:

  • Attack surface: Support platforms are trusted intermediaries. Compromise yields outsized access to customer records, internal tickets, or password resets that ripple across many organizations.
  • Operational advantage for attackers: Social engineering and credential theft require less infrastructure and are harder to attribute than large, centralized breach operations; Scattered Lapsus$ Hunters has repeatedly demonstrated agility—announcing retirements, reappearing under new names, and leveraging public spectacle to pressure targets .
  • Scale via crowdsourcing: Micropayment-driven harassment expands the pool of actors willing to participate in coercive campaigns, turning reputational nuisance into a low-cost lever that can force hurried or costly responses from victims .

Different observers see different priorities. Technologists warn that reliance on single‑factor processes and lax internal workflows make help‑desk compromise a persistent problem; they urge stronger multifactor authentication, tighter session controls, and explicit limits on agent access. Policy experts point out the legal and enforcement gaps: statutes tailored for organized, hierarchical criminal enterprises struggle to address decentralized, incentive‑driven mobs that fragment attribution and diffuse culpability. For users and customers, the threat is immediate and practical—exposure of personal data, fraudulent account changes, or the downstream fallout of leaked corporate secrets. And for the adversaries themselves, the calculus is straightforward: low setup costs, plausible deniability, fast attention, and a history of resurfacing when pressure eases .

Practical mitigation steps recommended by security practitioners include:

  • Enforce strong, phishing‑resistant multifactor authentication for help‑desk and agent accounts, including hardware tokens or FIDO2 where possible.
  • Segment and minimize the privileges of support roles; log and regularly review agent actions for anomalies.
  • Adopt robust phishing detection and domain‑monitoring programs to catch look‑alike sites quickly and coordinate takedowns with registrars and hosting providers.
  • Train staff on social‑engineering tactics specifically targeted at support workflows and run realistic tabletop exercises simulating credential‑capture incidents.

There are tradeoffs. Vendors must balance usability for legitimate support agents against security controls that can slow response times. Regulators must weigh free‑speech and platform liability issues while crafting tools that can deter coordinated harassment bought with micropayments. And defenders must recognize that taking down a public site or naming actors rarely ends the threat; the social structures and skills persist, and participants often migrate to encrypted channels or rebrand, restarting the cycle later .

For Zendesk and organizations that depend on similar platforms, the choice is not binary: stop using cloud support software or accept a perpetual risk. Rather, it is a matter of hardening the interfaces attackers rely on, investing in detection and response, and collaborating across industry and government to close the policy and enforcement gaps exploited by distributed, incentive‑driven groups.

As investigators trace phishing domains and defenders patch exposed workflows, one question looms: will defenders treat this as a temporary nuisance to be patched away, or as a structural problem—one where fractured, attention‑seeking collectives and micropayment economies have rewritten the adversary playbook? The answer will determine whether Zendesk and its customers are merely bruised or permanently reshaped by this next chapter in digital coercion.

Source: https://www.infosecurity-magazine.com/news/scattered-lapsus-hunters-zendesk/