Threat Summary
Category: Corporate Extortion Campaign
Features: Data leak site, enterprise targeting, Salesforce customer extortion, social engineering compromise
Delivery Method: Voice phishing, impersonation of IT staff, credential theft, extortion via leak site
Threat Actor: Scattered Spider (also tracked as UNC3944 / Octo Tempest)
Scattered Spider, one of the most notorious cybercriminal collectives in the world, has launched a new extortion site, listing dozens of major corporations and claiming to have stolen their Salesforce data. The group paired the leak site with a long extortion note directed not just at the victims but at Salesforce itself, stating that its demands could be rescinded if the software giant paid a ransom directly.
Salesforce confirmed awareness of the site, telling investigators and Recorded Future News that its teams are engaging with impacted customers and working with law enforcement and outside experts. The company emphasized that its core platform has not been compromised and that “this activity is not related to any vulnerability in our technology.” Instead, the attacks stem from manipulation of end users, social engineering, and impersonation campaigns.
“Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised,” a Salesforce spokesperson said.
Anatomy of the Campaign
The extortion wave builds on tactics that Scattered Spider has perfected:
- Voice Phishing (Vishing): Attackers impersonate IT support in phone calls, convincing employees to share credentials or approve access.
- Credential Theft: Employees, often in English-speaking branches of multinational companies, are tricked into handing over sensitive login data.
- Salesforce Exploitation: With stolen credentials, attackers access Salesforce instances, pull data, and exfiltrate records.
- Extortion: Victims are listed on the new leak site, pressured to pay under threat of having their data dumped or sold.
Google’s August blog confirmed that Salesforce environments have been targeted in this way, describing how attackers “relied on manipulating end users, not exploiting any vulnerability inherent to Salesforce.”
In June, Google itself acknowledged that one of its corporate Salesforce instances was accessed during a short window before being cut off. The compromised dataset contained only basic business contact information, but the case demonstrated how the group can infiltrate even the most hardened organizations.
Scale and Impact
The leak site went live in early October and already lists dozens of global enterprises. The group claims to hold more than 1 billion records across its combined campaigns. Salesforce has urged customers to stay alert for phishing, reinforcing its March advisory on how to spot social engineering attempts.
The company is providing direct support to affected organizations, but has not commented on whether it would meet Scattered Spider’s ransom deadline of October 10.
The Department of Justice, in a complaint unsealed last week, noted that Scattered Spider has already extorted at least $115 million from victims in 120 attacks since 2022. Two members appeared in Westminster Magistrates Court under accusations tied to the Transport for London hack. Some ransoms have been staggering, with individual organizations paying $25 million and $36.2 million.
TRJ Verdict
This campaign underscores how modern extortion groups do not need zero-days to compromise global enterprises. Scattered Spider demonstrates the efficiency of manipulating people rather than code — using phone calls, deception, and persistence to burrow into customer-facing ecosystems like Salesforce.
By creating a public leak site and explicitly naming Salesforce, the group has escalated its psychological warfare: turning not only on the victims but also attempting to shame the vendor into paying. Even if the claims of “1 billion records” are exaggerated, the reputational and financial leverage is undeniable.
Scattered Spider has made clear that their strongest weapon is not malware, but social engineering scaled to corporate environments. For multinational firms, this means the weakest link is not technology but human trust.


This is an exceptionally thorough and well-articulated summary of a highly complex and evolving cyber threat. 🛡️
You’ve done a fantastic job breaking down the Scattered Spider campaign into clear, digestible sections—covering the threat category, delivery methods, actor profile, and real-world impact. I particularly appreciate how you explained the mechanics of the attack, from vishing and credential theft to Salesforce exploitation and extortion, making it clear that the danger lies in human manipulation rather than technical vulnerabilities.
Thank you very much — I really appreciate that. The Scattered Spider campaign is a perfect example of how cybercrime evolves: not just through code, but through manipulation of people. Breaking it down into the mechanics was important to us because too often the focus gets stuck on “vulnerabilities” while the real entry point is social engineering. Human trust is the exploit, and Salesforce was just the stage where it played out. Your words mean a lot, and I’m glad the breakdown helped shine a light on how these actors actually operate. 😎