
Meet Rey, the Admin of 'Scattered Lapsus$ Hunters'

November 29, 2025
By ZadeNor AI Team

The Unraveling of Rey: A Cybercrime Conspiracy

In a stunning turn of events, the real-life identity of Rey, the technical operator and public face of the prolific cybercriminal group Scattered LAPSUS$ Hunters (SLSH), has been confirmed. KrebsOnSecurity tracked down and contacted Rey's father, leading to a series of revelations that shed light on the group's inner workings and the individual behind the moniker.

A Brief History of SLSH

SLSH is a cybercriminal group thought to be an amalgamation of three hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters. Members of these gangs hail from various chat channels on the Com, a mostly English-language cybercriminal community that operates across an ocean of Telegram and Discord servers.

In May 2025, SLSH members launched a social engineering campaign that used voice phishing to trick targets into connecting a malicious app to their organization's Salesforce portal. The group later launched a data leak portal that threatened to publish the internal data of three dozen companies that allegedly had Salesforce data stolen, including Toyota, FedEx, Disney/Hulu, and UPS.

The Rise of ShinySp1d3r

Last week, SLSH announced on its Telegram channel the release of its own ransomware-as-a-service operation called ShinySp1d3r. The individual responsible for releasing the ShinySp1d3r ransomware offering is a core SLSH member who goes by the handle "Rey" and who is currently one of just three administrators of the SLSH Telegram channel.

The Unraveling of Rey's Identity

According to the cyber intelligence firm Intel 471, Rey was an active user on various BreachForums reincarnations over the past two years, authoring more than 200 posts between February 2024 and July 2025. Intel 471 says Rey previously used the handle "Hikki-Chan" on BreachForums, where their first post shared data allegedly stolen from the U.S. Centers for Disease Control and Prevention (CDC).

In that February 2024 post about the CDC, Hikki-Chan says they could be reached at the Telegram username @wristmug. In May 2024, @wristmug posted in a Telegram group chat called "Pantifan" a copy of an extortion email they said they received that included their email address and password.

The Infostealer Data

Searching on @wristmug's rather unique 15-character password in the breach tracking service Spycloud finds it is known to have been used by just one email address: [email protected]. According to Spycloud, those credentials were exposed at least twice in early 2024 when this user's device was infected with an infostealer trojan that siphoned all of its stored usernames, passwords, and authentication cookies.

The Connection to Saif

The infostealer data makes clear that Rey's full name is Saif Al-Din Khader. The infostealer data also shows that Saif's family PC contains an entry for a 46-year-old Zaid Khader that says his mother's maiden name was Ginty.

The Interview with Saif

KrebsOnSecurity sent an email to Saif's father Zaid, inviting him to respond via email, phone, or Signal, explaining that his son appeared to be deeply enmeshed in a serious cybercrime conspiracy. Less than two hours later, I received a Signal message from Saif, who said his dad suspected the email was a scam and had forwarded it to him.

Saif explained that he'd already heard from European law enforcement officials, and had been trying to extricate himself from SLSH. When asked why, then, he was involved in releasing SLSH's new ShinySp1d3r ransomware-as-a-service offering, Saif said he couldn't just suddenly quit the group.

The Implications

The revelation of Rey's identity and the connection to Saif have several implications. First, they highlight the importance of cybersecurity and the need for individuals and organizations to take measures to protect themselves from cyber threats. Second, they demonstrate the effectiveness of law enforcement and cybersecurity firms in tracking down and disrupting cybercriminal groups.

Forward-Looking Thoughts

The case of Rey and SLSH serves as a reminder of the ever-evolving nature of cyber threats and the need for continued vigilance and cooperation between law enforcement, cybersecurity firms, and individuals. As the threat landscape changes, it is essential to remain proactive and adapt in order to stay ahead of the threats.

Conclusion

The unraveling of Rey's identity and the connection to Saif shed light on the inner workings of the Scattered LAPSUS$ Hunters cybercriminal group and highlight the importance of cybersecurity and the need for continued vigilance and cooperation between law enforcement, cybersecurity firms, and individuals.


Source: https://krebsonsecurity.com/2025/11/meet-rey-the-admin-of-scattered-lapsus-hunters/
