Red Hat, Walmart, Pentagon: Hackers Form Alliance to "Destroy Corporations"
Previous incidents involving these criminals have already led to the compromise of millions of users.
Against the backdrop of growing cybercriminal activity, a new phenomenon has emerged: alliances that unite different hacker teams for a single goal. Recent events surrounding Red Hat have shown how attackers are turning isolated attacks into large-scale extortion campaigns, acting in a coordinated manner under a common brand.
The breach was initially reported by the group Crimson Collective, which claimed to have gained access to 28,000 internal Red Hat Consulting repositories. According to its representatives, about 570 gigabytes of data were exfiltrated from the GitLab system, including around 800 Customer Engagement Reports (CERs) containing information about clients' network diagrams, infrastructure, and platforms used. The hackers claimed they tried to contact the company to ransom the stolen data but received no response.
A few days later, Crimson Collective announced a partnership with other players in the ransomware market—the group Scattered Lapsus$ Hunters and the operator of a new leak site, ShinyHunters, where stolen materials are published and demands are made to victims. Their joint statement presented the idea of creating an "alliance against corporations"—a symbolic union intended to be an analogue of a military bloc, but aimed at destroying the corporate world.
A page with Red Hat's name and an ultimatum has already appeared on the ShinyHunters website: if an agreement is not reached by October 10, all stolen information will be published. As proof of the threat, samples of reports related to clients from various countries were posted, including Walmart, HSBC, Bank of Canada, Atos Group, American Express, and the US Department of Defense. Red Hat has not yet commented on the situation.
ShinyHunters is already known for a number of data theft incidents involving PowerSchool, Oracle Cloud, and Snowflake. For several months, experts have suspected that the group operates on a "ransomware-as-a-service" model—providing other criminals with the infrastructure for blackmail and taking a cut of the ransom. ShinyHunters representatives confirmed that they indeed take a percentage of their partners' revenue—usually 25-30%, while the attack perpetrators get the rest.
Despite arrests linked to ShinyHunters and the Breached v2 forum, new attacks continue, and extortion letters are still signed with their name. The creation of a public leak platform shows that the group has not only retained its influence but has also expanded its capabilities, turning into an intermediary between hackers and victims.
Another target of extortion is the company S&P Global, which another group allegedly hacked in February 2025. At the time, the company denied the incident, but now its data has appeared on the same ShinyHunters resource, and it has also been given a deadline—October 10. When asked about the situation, S&P Global representatives stated that they do not comment on such claims, noting only that as a public company, they are obligated to disclose significant incidents if they actually occur.
The emerging network of cooperation between extortion groups shows that cybercrime is evolving from chaotic attacks to a structured model where each party plays its role—from hacking and leakage to negotiations and publication. This new coalition, which has declared its intention to "destroy entire corporations," is turning data theft into a tool of politicized pressure and economic blackmail. Combating it now requires not only technical but also strategic solutions.
