From London: As Australians woke on Thursday morning, a fresh intelligence brief was circulating among corporate security teams in Europe and North America with implications that reach well beyond any single organisation. Scattered Lapsus$ Hunters, the cybercrime collective that has spent much of the past year assaulting enterprise networks from Salesforce to Drift, is now openly advertising on Telegram for women willing to pose as employees and deceive corporate IT helpdesks over the phone. The going rate, according to Dataminr, which gathered the posts: between $500 and $1,000 per call, depending on "success and hit rate."
The ads, posted on February 22, invite interested applicants to contact the group's "Support" account on Telegram. Candidates face an initial screening before being handed a script. The target, intelligence analysts confirm, is the IT helpdesk: that pressure-valve of corporate infrastructure where a confident voice and a plausible story can unlock credentials, password resets, and network access that would otherwise require months of technical exploitation to obtain.
The Register reported the recruitment drive on Thursday, citing Dataminr's intelligence brief as its primary source. Jeanette Miller-Osborn, field cyber intelligence officer at Dataminr, described the move as deliberate and calculated.
"By specifically seeking female voices, the group likely aims to bypass the 'traditional' profiles of attackers that IT helpdesk staff may be trained to identify, thereby increasing the effectiveness of their impersonation efforts."
The logic is straightforward, even if the implications are troubling. CISA and the FBI have warned for years that social engineering against helpdesks typically involves an attacker who already knows enough personal detail about a target employee to pass basic security questions. What SLSH appears to be refining now is the vocal profile itself, betting that a female caller will not match the mental image that a helpdesk operator has been conditioned to associate with a threat.
A supergroup with ambitions to match
Scattered Lapsus$ Hunters is not a standard criminal outfit. The group unites elements of three well-known cybercrime entities: Scattered Spider, LAPSUS$, and ShinyHunters. This supergroup blends advanced social engineering, data theft, and extortion tactics into coordinated, multi-stage attacks against high-value enterprise targets. The collective consists primarily of teenagers and twenty-somethings.
Between March and June 2025, the group compromised the GitHub repositories of Salesloft and later Drift, gaining unauthorised access to OAuth tokens and customer integration data. The attackers subsequently claimed to have stolen data from 91 organisations, with alleged victims including Adidas, Google, Qantas, Air France-KLM, Cisco, and Chanel. Those claims have not been fully independently verified, and some affected companies have disputed the scope of the breaches. But the pattern is consistent with a group that operates at scale and with a clear commercial motive.
Experts who have listened in on calls carried out by Scattered Spider, one of the component groups that form the collective, previously confirmed that its social engineering tactics are sophisticated and highly effective. Scattered Spider has conducted social engineering attacks by tricking IT helpdesk workers into handing over credentials or otherwise bypassing multifactor authentication, allowing it to gain direct access to targeted systems.
The current recruitment drive fits neatly into a pattern of crowdsourcing criminal labour. In October last year, as The Register reported, the group offered $10 in Bitcoin to anyone willing to "endlessly harass" executives at companies it was trying to extort. When the publication asked SLSH directly how much it had paid out after the campaign's first days, the group claimed to have distributed over $1,000, though that figure remains unverified.
Why this matters beyond the firewall
In Australia, Scattered Spider has already caught the attention of the authorities, who co-signed an advisory with the FBI, CISA, and British counterparts warning of the group's evolving methods. Scattered Lapsus$ Hunters has launched data extortion attacks against organisations including those using Salesforce, a platform embedded in the operations of thousands of Australian enterprises.
The broader concern, which security researchers have raised with increasing urgency, is that the group's model is essentially scalable. Some analysts predict that groups like this will eventually adopt deepfake AI voice technology to impersonate employees and leadership roles, reducing the need to recruit human social engineers at all. The current Telegram campaign may represent a transitional moment: human callers are still cheaper and more convincing than AI synthesis for now, but that window may not remain open for long.
There is also a structural issue that no technical control alone can fix. Helpdesk staff need training specifically to recognise social engineering tactics, especially urgent or emotional requests and spoofed internal numbers. Yet in organisations where helpdesk functions are outsourced or under-resourced, that training is often the first thing to erode under budget pressure. A group that specifically auditions callers for credibility is, in effect, running a quality-assurance operation against corporate security training. The asymmetry is uncomfortable.
What defenders can actually do
Miller-Osborn's recommendation is practical: organisations should make helpdesk teams aware that the caller profile is shifting, and that identity verification should not rely on voice characteristics alone. Video calls or secondary internal verification channels, she argues, should become standard practice rather than an exception reserved for high-risk requests.
Australia's cyber security authorities have echoed similar guidance in recent advisories, urging organisations to implement phishing-resistant multifactor authentication and to treat any request for a credential reset as a potential social engineering attempt, regardless of how convincing the caller sounds.
The tension here is real and worth acknowledging. Strict verification protocols add friction to helpdesk operations that are already stretched. Employees locked out of systems cost money. Security teams that demand video calls for every password reset will face complaints from frustrated colleagues and from managers anxious about productivity. Those are legitimate concerns, not excuses. The challenge is calibrating verification requirements to the genuine risk posed by a specific request, rather than applying either blanket leniency or blanket suspicion.
What SLSH's latest move confirms is that the social engineering threat is not static. Groups that treat cybercrime as a managed business, with recruitment campaigns, commission structures, and quality control, will keep finding the gap between a company's security policy and its actual human behaviour. Closing that gap requires investment in people and processes, not just in technology. That is an unglamorous truth, but the Telegram ads posted on February 22 make it harder to ignore.