CrowdStrike’s Suspicious Insider Should Have Been Charged in Court, not Just Fired, for Passing Information to Hackers.

  • CrowdStrike quietly fired a “suspicious insider” who shared internal screenshots and access data with the Scattered Lapsus$ Hunters cybercrime alliance.
  • The hackers, including ShinyHunters, claimed they paid the insider and received SSO cookies used for internal access.
  • No public criminal charges have surfaced yet, raising tough questions about accountability and deterrence for insider threats.
  • The same threat alliance is linked to the Gainsight and Salesforce supply chain hacks that hit more than 200 companies, according to Google’s threat team.

Inside the recent CrowdStrike insider threat scandal

In October 2025, cybersecurity giant CrowdStrike found a problem inside its own walls. The company terminated an employee it says had shared internal screenshots with the Scattered Lapsus$ Hunters cybercrime alliance, a loose collective that includes ShinyHunters, Scattered Spider and Lapsus$ itself. The case did not start with a dramatic network intrusion. It started with a camera pointed at a computer screen.

Scattered Lapsus$ Hunters later posted what looked like internal CrowdStrike dashboards in a public Telegram channel, alongside taunts aimed at the company. CrowdStrike, which is used to investigating other people’s breaches, suddenly had to explain its own insider threat.

CrowdStrike spokesperson Kevin Benacci told TechCrunch that the company “identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies.” You can find the company’s broader public statements in its official press releases.

On the surface, it sounds like a contained incident. No breach of core systems. No customer data stolen. But when an employee is allegedly paid by professional hackers for internal access, firing them is not the end of the story. It is the start of a much bigger one.

What exactly the CrowdStrike insider did

Security researchers following the Telegram posts say the screenshots showed internal CrowdStrike systems and Okta dashboards used by staff to reach internal apps. That alone is sensitive. Internal layouts, shortcut links and application names all help an attacker map how a company really operates.

According to reporting by Breached, which closely tracked the case, members of the ShinyHunters crew claimed they paid the CrowdStrike insider 25,000 dollars for help and were actively seeking deeper access and sensitive configuration details that could fuel future hacking campaigns. Breached’s investigation into the incident is detailed in its own coverage of the CrowdStrike insider threat linked to Scattered Lapsus$ Hunters.

Researchers quoted ShinyHunters saying the group ultimately received SSO authentication cookies from the insider, essentially session tokens that can grant access without a password. By the time those cookies were in the hackers’ hands, CrowdStrike’s internal monitoring had already flagged suspicious behavior and cut off the employee’s network access. That quick move may be the only reason this story is not already another full-scale breach on the level of the recent Gainsight and Salesloft incidents.

If you want a picture of how these tactics fit into a wider playbook, look at the earlier Salesloft Drift hacking campaign and the follow-on Gainsight breach. Our own deep dive on the 2025 Salesloft Drift hack shows how the same groups chain stolen tokens and integrations across cloud tools.

Why there is no public criminal case yet

Here is where the CrowdStrike story gets uncomfortable. The company says it has turned the case over to “relevant law enforcement agencies.” Yet as of November 21, 2025, there is no public record of charges against the insider who allegedly took hacker money and passed along SSO cookies.

In practice, that gap between firing and prosecution raises fair questions. Is law enforcement still building the case? Did prosecutors decide the intent or damage thresholds were not clear enough? Or are insider cases simply being deprioritized, even when they involve major security vendors?

Cybercrime and cybersecurity law experts say that is a risky place for the industry to be. Under US federal law, passing sensitive access credentials or tokens to known hacking crews can fall under computer fraud statutes if it can be tied to unauthorized access and downstream damage. In other words, this is not just “violating policy.” It can be a crime.

There is also a messaging problem. If insiders see that the worst case is losing a job and maybe walking away with a five-figure payout from criminals, the deterrent effect is weak. That is exactly the concern raised by some legal academics and former prosecutors who spoke to reporters about the CrowdStrike case and the wider Scattered Lapsus$ Hunters campaign.

Why this scandal puts every tech company at risk

CrowdStrike insists its systems were not breached and that customer environments stayed safe. That matters. What also matters is that one verified insider was allegedly willing to trade internal access for money. That single fact is a reputational and regulatory headache for every security provider and SaaS platform that relies on trust in its people.

Scattered Lapsus$ Hunters is not a random one-off gang. It is a “supergroup” made up of ShinyHunters, Scattered Spider and Lapsus$, and it has moved aggressively into insider recruitment and supply chain abuse. Google’s Threat Intelligence Group told TechCrunch it was aware of “more than 200 potentially affected Salesforce instances” in the Gainsight-related attack, a campaign Scattered Lapsus$ Hunters claimed as its work. That is described in detail in TechCrunch’s report on how hackers stole data from more than 200 companies via Gainsight.

When the same alliance now shows up linked to a CrowdStrike insider, the pattern is hard to ignore. First, abuse the weaker link in a trusted chain. Then harvest data and tokens at scale. Our coverage of related incidents, from the F5 infrastructure hack in the UK to the rise of AI-powered cyberattacks, points in the same direction. The human factor and the integration layer are now the softest targets.

Industry calls for tougher penalties on insider cybercrime

The insider element is what worries many security leaders the most. It is hard enough to defend against phishing, deepfake social engineering and password spraying, as we explored in our recent piece on deepfake scams and AI-powered impersonators. When attackers can simply pay a staff member to screenshot dashboards or steal SSO cookies, the defense playbook looks very different.

That is why many policy and law enforcement voices argue that termination is not enough. Insider cases that involve cash payments and access tokens should end up in court. They want public indictments, not just quiet HR actions. Public cases make it much harder for future insiders to tell themselves that “everyone does it” or that nothing really happens if you get caught.

CrowdStrike for its part has tried to emphasize its cooperation. In its public messaging the company has repeated that it “turned this case over to the relevant