PROBABLYPWNED
Threat Intelligence | February 26, 2026 | 4 min read

LAPSUS$ Supergroup Paying Women $1,000 Per Vishing Call

Scattered Lapsus$ Hunters offers $500-$1,000 to recruit women for IT help desk social engineering attacks. The supergroup combines LAPSUS$, Scattered Spider, and ShinyHunters tactics.

Alex Kowalski

The cybercrime collective Scattered Lapsus$ Hunters (SLH) is actively recruiting women to conduct voice phishing attacks against corporate IT help desks, offering between $500 and $1,000 per successful call. Threat intelligence firm Dataminr detected the recruitment activity on public Telegram channels this week.

SLH represents a merger of three prolific threat groups—LAPSUS$, Scattered Spider, and ShinyHunters—combining their expertise in social engineering, MFA bypass, and data extortion. The recruitment push signals an operational scaling of their help desk compromise tactics.

Why Women, Why Now

The explicit focus on female voices isn't arbitrary. IT security training typically emphasizes male caller profiles when teaching employees to spot social engineering attempts. By diversifying their caller demographics, SLH aims to bypass pattern recognition that help desk staff may have developed.

The group provides pre-written scripts designed to manipulate IT workers into resetting passwords, disabling MFA, or installing remote access tools. Recruits don't need technical skills—they follow a playbook developed from successful intrusions.

This professionalization of social engineering mirrors broader trends we've tracked in enterprise credential theft, where threat actors increasingly treat initial access as a service rather than a one-off capability.

The SLH Playbook

Scattered Spider pioneered the help desk attack model that SLH now scales. The typical operation proceeds as follows:

  1. Attacker researches the target organization through LinkedIn and corporate websites
  2. Calls IT help desk impersonating an employee (using spoofed caller ID)
  3. Claims locked account, lost phone, or MFA issues
  4. Convinces help desk to reset password or enroll new MFA device
  5. Uses fresh credentials to access corporate systems
  6. Deploys ransomware or exfiltrates data

The technique bypasses technical controls entirely. No malware, no vulnerability exploitation—just convincing human interaction. Help desks face an impossible challenge: deny legitimate employees having bad days, or risk admitting attackers.

SLH's Track Record

The supergroup emerged from the ashes of LAPSUS$, whose teenage members conducted some of 2022's most brazen intrusions before law enforcement disrupted operations. Scattered Spider continued the social engineering tradition, hitting major casino operators and enterprise targets throughout 2024-2025. ShinyHunters brought data breach expertise and dark web marketplace connections.

Combined, SLH has targeted at least 100 organizations since the start of 2026. Their operational tempo suggests significant resources and organizational maturity—a far cry from the adolescent chaos that characterized early LAPSUS$ operations.

The group's techniques have evolved alongside their ambitions. Beyond MFA prompt bombing and SIM swapping, SLH now exploits Microsoft Azure and Active Directory configurations, moves laterally through virtualized environments, and times data exfiltration to maximize extortion leverage.

The $1,000 Question

Paying $500-$1,000 per call might seem expensive, but the economics make sense. A single successful help desk compromise can yield access worth millions in ransomware payments or data extortion. Even a 10% success rate produces massive returns.

The payment structure also creates plausible deniability. Recruits may not fully understand they're participating in criminal activity until they're already implicated. Some likely believe they're conducting authorized penetration tests or social engineering audits.

For the recruits, the appeal is obvious: easy money for phone calls that require no technical knowledge. The scripts do the heavy lifting. This commoditization of social engineering labor represents a maturation of the cybercrime-as-a-service model.

Defense Recommendations

Organizations should assume their help desks will be targeted. Mitigations include:

  1. Callback verification - Never reset credentials on inbound calls. Hang up and call the employee's registered number
  2. Multi-channel confirmation - Require manager approval via separate communication channel for sensitive changes
  3. Employee awareness - Train help desk staff on SLH's specific tactics and psychological manipulation techniques
  4. Caller ID skepticism - Spoofed numbers are trivial to create; don't trust displayed caller information
  5. MFA hardening - Use phishing-resistant MFA (FIDO2/WebAuthn) that can't be socially engineered

The SLH recruitment campaign underscores that technical controls alone won't stop determined attackers. Human-layer security—policies, training, and verification procedures—remains the last line of defense when attackers target the people who manage access controls.

Attribution Challenges

Tracking SLH is complicated by their decentralized structure. Members communicate through encrypted channels, use cryptocurrency for payments, and maintain operational security learned from earlier law enforcement takedowns. The group likely spans multiple countries, further complicating jurisdiction.

The Telegram recruitment posts suggest SLH feels confident enough to operate semi-publicly. That confidence may be misplaced—several LAPSUS$ and Scattered Spider members have faced charges after similar exposure. But for now, the group continues expanding operations while law enforcement plays catch-up.

Security teams should monitor for signs of help desk targeting: unusual password reset requests, employees reporting calls they didn't make, or MFA device changes that don't correlate with legitimate activity. Early detection can limit damage from successful compromises.
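One way to turn the monitoring advice above into a detection rule, as an added example that is not from the original article or from any vendor's product: it flags a help-desk password reset followed by enrollment of a previously unseen MFA device, and escalates when that device then signs in from a new address. The event field layout, the sample events, and the 60-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed identity-provider events (field layout is an assumption, not a real schema):
# (timestamp, user, action, actor, device_id, source_ip)
EVENTS = [
    ("2026-02-20T09:00:00", "alice", "signin", "self", "dev-a1", "10.0.0.5"),
    ("2026-02-24T14:02:00", "alice", "password_reset", "helpdesk", None, None),
    ("2026-02-24T14:09:00", "alice", "mfa_enroll", "helpdesk", "dev-x9", None),
    ("2026-02-24T14:15:00", "alice", "signin", "self", "dev-x9", "203.0.113.7"),
    ("2026-02-21T08:30:00", "bob", "signin", "self", "dev-b1", "10.0.0.8"),
    ("2026-02-25T10:00:00", "bob", "password_reset", "helpdesk", None, None),
    ("2026-02-25T10:20:00", "bob", "signin", "self", "dev-b1", "10.0.0.8"),
    ("2026-02-22T11:00:00", "carol", "signin", "self", "dev-c1", "10.0.0.9"),
    ("2026-02-25T16:00:00", "carol", "mfa_enroll", "self", "dev-c2", None),
]

def find_suspicious_resets(events, window=timedelta(minutes=60)):
    """Flag help-desk password reset -> new MFA device (-> sign-in from a new IP)."""
    devices, ips, last_reset, pending, alerts = {}, {}, {}, {}, []
    for ts, user, action, actor, device, ip in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        seen_dev = devices.setdefault(user, set())
        seen_ip = ips.setdefault(user, set())
        if action == "password_reset" and actor == "helpdesk":
            last_reset[user] = t
        elif action == "mfa_enroll":
            reset_at = last_reset.get(user)
            # A new device enrolled shortly after a help-desk reset is the core signal.
            if device not in seen_dev and reset_at and t - reset_at <= window:
                alert = {"user": user, "reset_at": reset_at.isoformat(),
                         "device": device, "severity": "medium"}
                alerts.append(alert)
                pending[user] = (alert, t)
            seen_dev.add(device)
        elif action == "signin":
            pend = pending.get(user)
            # Escalate when the freshly enrolled device is used from an unseen address.
            if (pend and device == pend[0]["device"]
                    and t - pend[1] <= window and ip not in seen_ip):
                pend[0].update(severity="high", new_ip=ip)
            seen_dev.add(device)
            seen_ip.add(ip)
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

Bob's reset with no device change and Carol's self-service enrollment with no preceding help-desk reset produce no alert, which keeps the rule focused on the reset-then-enroll chain.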
