    Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies – Hackread

    By Declan Murphy, November 28, 2025


    A 15-year-old known online as “Rey” has allegedly been identified as a key figure in Scattered LAPSUS$ Hunters (SLSH), a hacking group said to combine members or tactics from Lapsus$ Hunters (SLH/SLSH). The identification came to light earlier this week, following direct contact between Rey and cybersecurity reporter Brian Krebs of KrebsOnSecurity.

    According to Krebs, the investigation began after he traced Rey’s real-world details and contacted someone believed to be his father, Zaid Khader, an airline pilot reportedly working for Royal Jordanian Airways. Shortly after, the teenager reached out to Krebs. His real name is reportedly Saif Al-Din Khader, and he is said to be one of three administrators behind the SLSH Telegram channel. He turns 16 next month.

    The Clues that Pointed to Rey

    Rey, who previously went by the alias Hikki‑Chan, is said to have made a series of basic mistakes that exposed clues about his identity. He was also reportedly an administrator on BreachForums, a cybercrime marketplace that has been shut down several times by the FBI.

    Brian Krebs’ report claims Rey once posted a screenshot while using the Telegram handle @wristmug that accidentally revealed his own password. In addition, he dropped personal details in a Telegram chat on an account called Jacuzzi, mentioning that his father was an airline pilot.

    A Telegram message by Rey (Source: KrebsOnSecurity)

    Krebs’ investigation linked this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname Khader and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.

    Rey confirming the affiliation with the surname (Source: KrebsOnSecurity)

    The SLSH group, a combination of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also tried to recruit company insiders, with one CrowdStrike employee fired after sending internal screenshots to SLSH.

    The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.

    SLSH Dismisses Findings

    As reported by Krebs, Saif claimed he has been trying to quit the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be jail time or whatever they’re gonna say,” the teenager said.

    In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to break” their reputation.

    The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different strategies.” They also accused the journalist of twisting Saif’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.

    “We both know how badly this obsession is hurting you :).”

    The post concluded with a challenge to Krebs, stating, “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”

    Check out their full response:

    "From what I can tell, Mr. Krebs, your "research" is nothing more than a desperate attempt to break my reputation and a cheap way for you to show off.

    We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into a whole article.
    Congratulations, Krebs! You finally learned how to use Google.

    1. The person in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as "o5tdev" (using completely different strategies) long after I started working as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.

    2. When we spoke, you deliberately fired off questions without ever disclosing it was an "interview." You falsely implied I was linked to ShinySpider ransomware. Out of nowhere you asked, "Why are you still going with SLSH?" I answered that it's hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.

    3. You also asked if ShinySpider was AI-generated. I said I didn't know and that the only thing I've done was merely sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are now completely different ransomware variants. Everyone knows you're just someone who recycles old garbage for a bit of attention.

    4. You structured your article to make it appear as if you contacted "the father" first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying "Hi, it's Saif!"
    You're probably wondering how I knew you were planning to "expose" me. Simple. It's the same way I know that person is not me, yet still related. Don't worry, Krebs, I know exactly who that Saif is.

    5. You're so intellectually dishonest that you're still trying to pin the "Sp1d3rHunters" persona from last year's SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in 5 seconds that it wasn't me. So either you're incompetent and can't read your own proof, or you knowingly pushed a lie. That IS called projection.

    6. You went out of your way to paint me as the "core" of SLSH when you know that's nonsense. Why didn't you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?

    7. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, and so on. You explicitly claimed the person "Saif" was working under the alias "o5tdev," defacing websites, probably via WordPress vulns. Does it make any sense that someone would flip from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?

    We both know how badly this obsession is hurting you :)

    It's time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (he's retarded, after all) and actually contributed to his arrest.

    So here's my offer, Brian:

    I'll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.

    I'll pay you 15 BTC if, because of your article, I ever get a knock on the door from local law enforcement for the things you accused me of."

    Infostealer Connection

    Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity.

    According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.

    Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an infostealer infection that exposed previously used aliases on hacking forums.

    That infection was linked to a Jordanian individual named Saif Khader. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.

    Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey might have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level did not match the persona that went on to run ransomware and extortion operations. That contrast, he said, still surprises him.

    However, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:

    1. Rey continued operating publicly after being exposed, even mocking the original KELA research online, before his account was banned.
    2. The infection dates back to January 2024, meaning law enforcement likely had months to act, but did not, despite Rey being one of the most active threat actors in recent memory.
    3. The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.

    Whether this individual is truly at the center of Scattered LAPSUS$ Hunters remains unconfirmed. The report has drawn sharp responses from those allegedly involved, and the discrepancies highlighted by researchers like Alon Gal suggest there is still more to uncover.

    Still, if the identification is accurate, it is hard to ignore how someone publicly exposed months ago was still able to keep operating and pull off some of the year’s most disruptive breaches.


