CrowdStrike fires insider linked to Scattered Lapsus$ Hunters as hackers boast of paid access
CrowdStrike has fired an employee it says shared internal screenshots and single sign-on (SSO) cookies with the Scattered Lapsus$ Hunters alliance, which includes ShinyHunters and Scattered Spider. The company says core systems were not breached and customers stayed protected, and it has referred the matter to law enforcement. As of early January 2026, there is still no public record of criminal charges tied to the case.
- Hackers claimed they paid the insider and received SSO cookies used for internal access.
- No public criminal charges have surfaced, raising concerns about deterrence for insider threats.
- The same threat alliance is linked to Gainsight and Salesforce supply chain attacks affecting 200-plus companies, according to Google’s threat team.
What happened inside CrowdStrike
In October 2025, cybersecurity heavyweight CrowdStrike discovered an insider problem. Instead of a perimeter breach, investigators traced the leaks to a camera pointed at a workstation. Soon after, Scattered Lapsus$ Hunters posted what looked like internal CrowdStrike dashboards in a public Telegram channel and mocked the company.
CrowdStrike spokesperson Kevin Benacci told TechCrunch the company “identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.” Read the company’s broader public statements in its official press releases.

On paper, that sounds contained. No core system breach. No customer data loss. Still, when a staffer allegedly takes money from professional hackers in exchange for internal access, a termination is not the end of the story. It is the beginning of a bigger one about accountability and deterrence.
What did the insider allegedly do
Based on screenshots shared in Telegram channels tracked by researchers, the insider exposed internal CrowdStrike views and Okta dashboards that staff use to reach internal apps. Even that can be gold for attackers. Layouts, app names and shortcuts help map how a company actually operates.
According to reporting by Breached, members of the ShinyHunters crew said they paid the insider 25,000 dollars for help and pushed for deeper access and configuration details. Breached details its findings in coverage of the CrowdStrike insider threat linked to Scattered Lapsus$ Hunters.
Researchers quoted ShinyHunters claiming they ultimately received SSO authentication cookies, essentially session tokens that can grant access without a password. CrowdStrike’s monitoring flagged suspicious behavior and cut the employee’s access, which likely prevented a cascade into something on the scale of the recent Gainsight and Salesloft incidents.

To see how this playbook extends across the ecosystem, look at the earlier Salesloft and Drift campaign and the follow-on Gainsight breach. Our deep dive on the 2025 Salesloft Drift hack shows how the same crews chain stolen tokens and integrations across cloud tools.
Why are there no public charges yet
CrowdStrike says it referred the matter to “relevant law enforcement agencies.” Yet, as of November 21, 2025, and still as of this writing, there has been no public record of charges against the insider alleged to have accepted money and handed over SSO cookies.
That gap between firing and prosecution raises hard questions. Are investigators still building a case? Did prosecutors conclude that intent or damage was not provable? Or are insider cases sliding down the priority list, even when they involve major security vendors?
Legal experts note that passing access tokens or credentials to known hacking crews can be charged under computer fraud statutes if it can be tied to unauthorized access or downstream damage. In plain English, this is not just “violating policy.” It can be a crime. Without visible prosecutions, would-be insiders may conclude that the worst case is losing a job and pocketing a five-figure payout, which is a weak deterrent.
Why this matters far beyond CrowdStrike
CrowdStrike maintains that its systems were not breached and customers stayed safe. That is important. It is also true that one verified insider was allegedly willing to sell access. Every security provider and SaaS platform depends on trust in its people, and that trust is exactly what adversaries are trying to buy.
Scattered Lapsus$ Hunters is not a one-off crew. It is a loose alliance of ShinyHunters, Scattered Spider and Lapsus$, and it has leaned hard into insider recruitment and supply chain abuse. Google’s threat team told TechCrunch it saw “more than 200 potentially affected Salesforce instances” in the Gainsight-related campaign, which the alliance claimed as its work. That is laid out in TechCrunch’s report on how hackers stole data from more than 200 companies via Gainsight.
When that same alliance appears alongside a CrowdStrike insider, the pattern is tough to ignore. Start with a weaker link in a trusted chain, then harvest data and tokens at scale. Our related reporting, from the F5 infrastructure hack in the UK to the rise of AI-powered cyberattacks, points the same way. The human factor and the integration layer have become the softest targets.
What should companies do now
Insider risk is the part that keeps many CISOs up at night. It is hard enough to defend against phishing, deepfake-enabled social engineering and password spraying, as we explored in our piece on deepfake scams and AI-powered impersonators. When attackers can simply pay a staffer to screenshot dashboards or hand over SSO cookies, the playbook needs an update.
- Bind sessions to devices and contexts. Treat SSO cookies like crown jewels. Pair them with strong device identity and continuous risk checks, and rapidly invalidate when anything looks off.
- Tighten access paths. Default to least privilege, use just-in-time elevation for sensitive tools and require reauthentication for high-risk actions, even inside trusted networks.
- Harden the human layer. Background checks, conflict-of-interest disclosures, financial distress support programs and anonymous reporting lines reduce the odds that a bribe lands.
- Instrument everything. Telemetry on admin consoles, SaaS management platforms and identity providers should flag screen scraping patterns, mass metadata access and unusual session reuse.
- Practice the bad day. Tabletop exercises that simulate insider exfiltration and token theft help teams shorten detection and cut off access faster.
- Pursue consequences. Companies and industry groups increasingly argue that insider cases involving cash and tokens should end in court, not just HR. Public indictments are a stronger deterrent.
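As an added example, not code from CrowdStrike or from this article, here is one way to implement the session-binding and unusual-session-reuse checks from the first and fourth points above in Python. It runs over constructed identity-provider log lines whose field layout (timestamp, user, session id, device id, source IP, action) is assumed; a session cookie replayed from a device or network other than the one that created the session is flagged for revocation.

```python
# Added example: bind each SSO session to the device and IP that created it, then
# flag later use of the same session id from anywhere else. Log layout is assumed.
from dataclasses import dataclass

# Constructed sample log lines (not real CrowdStrike telemetry):
# timestamp user session_id device_id source_ip action
SAMPLE_LOG = """\
2025-10-02T09:00:01Z alice sess-7f3a dev-laptop-01 10.1.4.22 login
2025-10-02T09:05:12Z alice sess-7f3a dev-laptop-01 10.1.4.22 open_app:okta-admin
2025-10-02T09:41:50Z alice sess-7f3a dev-unknown-99 203.0.113.45 open_app:okta-admin
2025-10-02T09:42:03Z alice sess-7f3a dev-unknown-99 203.0.113.45 list_users
2025-10-02T10:00:00Z bob sess-c1d2 dev-laptop-07 10.1.4.30 login
2025-10-02T10:03:21Z bob sess-c1d2 dev-laptop-07 10.1.4.30 open_app:wiki
"""

@dataclass
class Finding:
    session: str
    user: str
    expected_device: str
    seen_device: str
    seen_ip: str
    action: str

def parse(line):
    ts, user, sess, dev, ip, action = line.split(maxsplit=5)
    return ts, user, sess, dev, ip, action

def detect_session_reuse(log_text):
    """Record (user, device, ip) at login; flag any later use of that session from elsewhere."""
    bindings = {}   # session id -> (user, device, ip) captured at login
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, sess, dev, ip, action = parse(line)
        if action == "login":
            bindings[sess] = (user, dev, ip)
            continue
        bound = bindings.get(sess)
        if bound is None:
            # Session id never established by a login we saw: treat as suspicious too
            findings.append(Finding(sess, user, "<none>", dev, ip, action))
            continue
        b_user, b_dev, b_ip = bound
        # A device change is the strong signal; an IP-only change also earns a look
        if dev != b_dev or ip != b_ip or user != b_user:
            findings.append(Finding(sess, user, b_dev, dev, ip, action))
    return findings

def sessions_to_revoke(findings):
    """Distinct session ids that should be invalidated at the identity provider."""
    return sorted({f.session for f in findings})
```

On the constructed log, sess-7f3a is bound to dev-laptop-01 at login and then reused from dev-unknown-99 at an external address, so it is reported for revocation while bob's session is not.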
Where the CrowdStrike case stands now
CrowdStrike continues to emphasize that customer environments were not impacted and that it is cooperating with authorities. Publicly, there has still been no charging document or court filing naming the insider. The broader trend is unmistakable though. Adversaries are investing in insiders and identity. Security programs need to meet that reality head-on.
Frequently asked questions
Did hackers breach CrowdStrike’s core systems
CrowdStrike says no. The company reports that customer environments were protected and that internal monitoring cut off the insider’s access after suspicious activity was detected.
What did the Scattered Lapsus$ Hunters alliance obtain
According to hacker claims and researcher analysis, the group received internal screenshots and SSO cookies from the insider. Session cookies can be used for access without a password, which is why device binding and rapid revocation matter.
Why are there no public charges
CrowdStrike says it referred the case to law enforcement. As of January 2026 there has been no public charging document. Building insider cases can take time, but the lack of public action worries many in the industry who want stronger deterrence.
How is this linked to the Gainsight and Salesforce incidents
Google’s threat team connected the same alliance to a supply chain campaign that affected more than 200 Salesforce instances via Gainsight. The common thread is identity and integration abuse across trusted cloud tools.