Report Names Teen in Scattered LAPSUS$ Hunters, Group Denies

Scattered LAPSUS$ Hunters admin “Rey,” allegedly a 15-year-old named Saif Khader from Jordan, has been named in a report linking him to the group. He denies the claim.

A 15-year-old known online as “Rey” has allegedly been identified as a key figure in Scattered LAPSUS$ Hunters (SLSH), a hacking group said to blend members or tactics from Lapsus$ Hunters (SLH/SLSH). The identification came to light earlier this week, following direct contact between Rey and cybersecurity reporter Brian Krebs of KrebsOnSecurity.

According to Krebs, the investigation began after he traced Rey’s real-world details and contacted someone believed to be his father, “Z-K” (full name redacted for privacy purposes), an airline pilot reportedly working for Royal Jordanian Airlines. Shortly after, the teen reached out to Krebs. His real name is reportedly “Saif” (full name redacted for privacy purposes), and he is said to be one of three administrators behind the SLSH Telegram channel. He turns 16 next month.

The Clues that Pointed to Rey

Rey, who previously went by the alias Hikki‑Chan, is said to have made a series of basic mistakes that exposed clues about his identity. He was also reportedly an administrator on BreachForums, a cybercrime marketplace that has been shut down multiple times by the FBI.

Brian Krebs’ report claims Rey once posted a screenshot while using the Telegram handle @wristmug that accidentally revealed his own password. In addition, he dropped personal details in a Telegram chat on an account called Jacuzzi, mentioning that his father was an airline pilot.

A Telegram message by Rey (Source: KrebsOnSecurity)

Krebs’ investigation connected this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname K (surname redacted for privacy purposes) and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.

Rey confirming the association with the surname (Source: KrebsOnSecurity)

The SLSH group, a mix of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also tried to recruit company insiders, with one CrowdStrike employee fired after sending internal screenshots to SLSH.

The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.

SLSH Dismisses Findings

As reported by Krebs, “S” claimed he’s been trying to quit the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be prison time or whatever they’re gonna say,” the teen said.

In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to damage” their reputation.

The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different techniques.” They also accused the journalist of twisting “S”’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.

“We both know how badly this obsession is hurting you :).”

The post concluded with a challenge to Krebs, stating, “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”

Check out their full response:

"From what I can tell, Mr. Krebs, your "research" is nothing more than a desperate attempt to damage my reputation and a cheap way for you to show off.

We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into an entire article.
Congratulations, Krebs! You finally learned how to use Google.

1. The individual in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as "o5tdev" (using completely different techniques) long after I began operating as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.

2. When we spoke, you deliberately fired off questions without ever disclosing it was an "interview." You falsely implied I was connected to ShinySpider ransomware. Out of nowhere, you asked, "Why are you still going with SLSH?" I answered that it's hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.

3. You also asked if ShinySpider was AI-generated. I said I didn't know and that the only thing I have done was simply sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are now completely different ransomware variants. Everyone knows you're just someone who recycles old garbage for a bit of attention.

4. You structured your article to make it appear as though you contacted "the father" first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying "Hi, it's Saif!"
You're probably wondering how I knew you were planning to "expose" me. Simple. It's the same way I know that person is not me, yet still related. Don't worry, Krebs, I know exactly who that Saif is.

5. You're so intellectually dishonest that you're still trying to pin the "Sp1d3rHunters" persona from last year's SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in five seconds that it wasn't me. So either you're incompetent and can't read your own evidence, or you knowingly pushed a lie. That IS called projection.

6. You went out of your way to paint me as the "core" of SLSH when you know that's nonsense. Why didn't you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?

7. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, etc. You explicitly claimed the person "Saif" was operating under the alias "o5tdev," defacing websites, probably via WordPress vulns. Does it make any sense that someone would turn from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?

We both know how badly this obsession is hurting you :)

It's time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (he's retarded, anyways) and actually contributed to his arrest.

So here's my offer, Brian:

I'll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.

I'll pay you 15 BTC if, thanks to your article, I ever get a knock on the door from local law enforcement for the things you accused me of."

Infostealer Connection

Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity.

According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.

Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an infostealer infection that exposed previously used aliases on hacking forums.

That infection was linked to a Jordanian individual named Saif. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.

Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey may have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level didn’t match the persona that went on to run ransomware and extortion operations. That contrast, he said, still surprises him.

Still, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:

  1. Rey continued operating publicly after being exposed, even mocking the original KELA research online, before his account was banned.
  2. The infection dates back to January 2024, meaning law enforcement likely had months to act, but didn’t, despite Rey being one of the most active threat actors in recent memory.
  3. The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.

Whether this individual is truly at the center of Scattered LAPSUS$ Hunters remains unconfirmed. The report has drawn sharp responses from those allegedly involved, and the discrepancies highlighted by researchers like Alon Gal suggest there’s still more to uncover.

However, if the identification is accurate, it’s hard to ignore how someone publicly exposed months ago was still able to keep operating and pull off some of the year’s most disruptive breaches.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.