Global Cyber Heist: 39 Major Corporations in Massive Salesforce-Linked Data Leak

The Trinity of Chaos Unleashes Massive Data Leak Site Targeting 39 Global Giants

The420 Web Desk

A new wave of cyber-extortion has sent shockwaves across global industries. A ransomware collective known as The Trinity of Chaos, allegedly linked to Lapsus$, Scattered Spider, and ShinyHunters, has launched a Data Leak Site (DLS) on the TOR network, exposing 39 multinational corporations from sectors including automotive, technology, aviation, retail, and luxury brands.

The revelation follows investigations by cybersecurity firm Resecurity, which reports that the group has shifted from data theft to a full-scale ransomware-for-extortion model.

A Coordinated Campaign of Chaos

According to Resecurity’s analysis, The Trinity of Chaos has not announced fresh attacks but has instead published previously unreleased data from earlier breaches. The move, experts say, is a calculated attempt to pressure companies into negotiations before the group publishes the full data trove.

The ransomware trio appears to have pivoted from opportunistic breaches to a more structured ransomware business model, mirroring notorious groups such as Conti and BlackCat.

Following reports of Salesforce instance exploitation, the threat actors released a message threatening to leak a “massive number of records” unless their demands were met. Salesforce publicly denied any new vulnerabilities but acknowledged that previously compromised customer instances could have contributed to the leaks.

Read Full Investigation: ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims

Negotiations, Threats, and Regulatory Pressure

The group claims it attempted to contact Salesforce to “negotiate terms” before disclosure but failed to reach an agreement. In a twist reminiscent of ransomware diplomacy, the attackers threatened to report the data breach to European Union regulators, alleging “criminal negligence” under GDPR provisions—an approach designed to amplify pressure on victims.

Their latest statement, issued under the alias “Scattered LAPSUS & Hunters”, reads like a corporate brochure:

“Specializing in high-value corporate data acquisition and strategic breach operations. Our expertise spans across automotive, financial, insurance, technological, telecommunications, ISPs, and numerous other sectors worldwide. We help you regain control.”

Resecurity suggests that the group’s operations date back to at least 2019, signaling a long-standing, sophisticated campaign that has evolved alongside major cybercrime syndicates.

Fortune 100 Firms Among Victims

The leaked DLS listing reads like a “Who’s Who” of global corporations. Among the 39 listed victims are:

Toyota, FedEx, Disney/Hulu, UPS, Home Depot, Marriott, Walgreens, McDonald’s, KFC, Adidas, Cartier, Chanel, Google AdSense, Cisco, Air France-KLM, Qantas Airways, and IKEA.

Other notable inclusions are Republic Services, Aeroméxico, Stellantis, ASICS, GAP, Fujifilm, Instacart, Petco, Kering (Gucci, Balenciaga, Alexander McQueen, Brioni), and TransUnion.

All affected companies have reportedly been given until October 10, 2025, to negotiate or risk public exposure of their complete datasets.

How the Breach Happened: Salesforce Exploitation Suspected

The ongoing investigation points to Salesloft’s Drift AI chat integration within Salesforce environments as a probable root cause. The attackers allegedly used stolen OAuth tokens and vishing campaigns to gain access to corporate systems and exfiltrate sensitive information.

Leaked samples reviewed by Resecurity reveal extensive Personally Identifiable Information (PII) but no passwords, supporting the theory of Salesforce instance compromise rather than direct database hacks.

The FBI has since issued a flash alert, advising organizations to inspect their Salesforce configurations for unusual activity tied to UNC6040 and UNC6395, both known cybercrime clusters linked to this campaign.

From Airlines to Tech Titans: Global Fallout

The breach’s impact already spans continents and industries.

Airlines: A Persistent Target

Airlines including Air France-KLM, Qantas Airways, and Aeroméxico have surfaced as major victims. The leaked data reportedly contains passenger PII, loyalty program records, internal communications, and booking details.

  • Vietnam Airlines, attacked as early as 2023, is confirmed to have been under surveillance for nearly three years before detection.
  • The group, once operating under the alias “1973cn,” may have also compromised airport systems at Noi Bai and Tan Son Nhat in Vietnam.

Tech Giants: Cisco and Google

The publication also references data from Cisco and Google AdWords, suggesting the compromise of corporate Salesforce instances.
In June 2025, Google confirmed that its Salesforce environment had been affected by UNC6040, prompting a global security review.

The leaked data includes advertiser records, digital media partners, and agency communications—pointing to a breach of Google AdWords customer ecosystems.

For Cisco, the data set includes records referencing law enforcement and defense agencies in the U.S., India, and Australia. Sensitive details belonging to employees from the FBI, NASA, DHS, DISA, and India’s Ministry of Defence have reportedly been exposed.

A Perfect Storm: Cybercrime Meets Geopolitics

Cybersecurity experts note that the DLS launch coincided with the U.S. government shutdown, raising concerns that national cyber defenses could be hampered during the crisis.
The leak also risks triggering regulatory and legal backlash worldwide, especially under data protection laws like GDPR and India’s DPDP Act.

Industry observers warn that even a small fraction of this stolen data could fuel mass phishing campaigns, identity theft, and AI-driven fraud—as attackers use the leaked context to build synthetic identities and social engineering scripts.

Inside the Numbers: What the Trio Claims to Hold

According to the group, the next wave of leaks—if negotiations fail by October 10—could include:

  • 56 billion records
  • 760 companies
  • 254 million accounts
  • 579 million contacts
  • 458 million case records

The scale and precision of these claims underscore a meticulously organized cyber-extortion network, capable of breaching cloud-based CRM platforms at enterprise scale.

What Comes Next

Resecurity’s HUNTER team has observed DDoS attacks targeting the newly launched DLS, possibly an effort by impacted firms to take it offline or delay publication. However, given the group’s resilience—it has already re-launched its Telegram channel as “SLSH 6.0 Part 3”—experts warn that further disclosures are imminent.

If the attackers follow through, corporate legal and cybersecurity teams worldwide could face weeks of crisis management, regulatory inquiries, and class-action lawsuits.

The Trinity of Chaos attack reaffirms a critical lesson: cloud security misconfigurations and third-party app integrations remain prime attack vectors. As businesses increasingly depend on SaaS ecosystems like Salesforce, even one compromised integration can cascade into multi-billion-rupee data breaches across industries and continents.

For now, the world watches as the October 10 deadline looms—and the cyber underworld’s newest “trinity” tests the limits of global corporate resilience.
