A 15-year-old known online as “Rey” has allegedly been identified as a key figure in Scattered LAPSUS$ Hunters (SLSH), a hacking group said to combine members or tactics from Lapsus$ Hunters (SLH/SLSH). The identification came to light earlier this week, following direct contact between Rey and cybersecurity reporter Brian Krebs of KrebsOnSecurity.
According to Krebs, the investigation began after he traced Rey’s real-world details and contacted someone believed to be his father, Zaid Khader, an airline pilot reportedly working for Royal Jordanian Airways. Shortly after, the teenager reached out to Krebs. His real name is reportedly Saif Al-Din Khader, and he is said to be one of three administrators behind the SLSH Telegram channel. He turns 16 next month.
The Clues that Pointed to Rey
Rey, who previously went by the alias Hikki‑Chan, is alleged to have made a series of basic mistakes that exposed clues about his identity. He was also reportedly an administrator on BreachForums, a cybercrime marketplace that has been shut down several times by the FBI.
Brian Krebs’ report claims Rey once posted a screenshot while using the Telegram handle @wristmug that unintentionally revealed his own password. In addition, he dropped personal details in a Telegram chat on an account called Jacuzzi, mentioning that his father was an airline pilot.
Krebs’ investigation linked this password to the email address [email protected]. Data said to come from a shared family computer in Amman allegedly confirmed the surname Khader and even pointed to the family’s Irish link through the maiden name Ginty, something Rey had allegedly mentioned in chats.
The SLSH group, a mix of three well‑known cybercriminal crews, has been active this year. They have allegedly stolen data from Salesforce systems and threatened companies like Toyota and FedEx with leaks. They have also tried to recruit company insiders, with one CrowdStrike employee fired after sending internal screenshots to SLSH.
The group has used malware from known ransomware programs such as ALPHV/BlackCat. Rey, who was allegedly an admin for the Hellcat ransomware group, recently announced what he said was SLSH’s own ransomware service called ShinySp1d3r.
SLSH Dismisses Findings
As reported by Krebs, Saif claimed he has been trying to leave the group and has been working with law enforcement since June 2025. “I don’t really care, I just want to move on from all this stuff, even if it’s going to be jail time or whatever they’re gonna say,” the teenager said.
In response, SLSH has launched a scathing attack on the report. On its official Telegram channel, the group dismissed the journalist’s findings as a “desperate attempt to damage” their reputation.
The highly sarcastic response directly challenged the reporter’s claims, stating that it is “laughable” to assume a single person would operate under multiple aliases with “completely different methods.” They also accused the journalist of twisting Saif’s words to make it look like an admission of involvement, claiming that Krebs was obsessed.
“We both know how badly this obsession is hurting you :).”
The post concluded with a challenge to Krebs, stating, “I’ll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.”
Check out their full response:
"From what I can tell, Mr. Krebs, your "research" is nothing more than a desperate attempt to damage my reputation and a cheap way for you to show off.
We both know you simply recycled a KELA report from March of this year, downloaded a log, and turned it into an entire article.
Congratulations, Krebs! You finally figured out how to use Google.
1. The person in question is indeed indirectly related to me. However, assuming that person is me is laughable. That person continued to operate under aliases such as "o5tdev" (using completely different methods) long after I started operating as Rey. Does that sound logically possible? Do I have multiple personalities or bipolar disorder? Maybe in your world.
2. When we spoke, you deliberately fired off questions without ever disclosing it was an "interview." You falsely implied I was linked to ShinySpider ransomware. Out of nowhere, you asked, "Why are you still going with SLSH?" I answered that it's hard to just walk away from something like that. You then cherry-picked that sentence and twisted it to make it look like an admission of my involvement.
3. You also asked if ShinySpider was AI-generated. I said I didn't know and that the only thing I've done was simply sharing the Hellcat source code for them to use as a base. Anyone with half a brain can see that ShinySpider and Hellcat are actually completely different ransomware variants. Everyone knows you're just someone who recycles old garbage for a bit of attention.
4. You structured your article to make it appear as if you contacted "the father" first and that I suddenly reached out to you in panic. In reality, you messaged me first on X, and only later did I message you on Signal saying "Hi, it's Saif!"
You're probably wondering how I knew you were planning to "expose" me. Simple. It's the same way I know that person is not me, yet still related. Don't worry, Krebs, I know exactly who that Saif is.
5. You're so intellectually dishonest that you're still trying to pin the "Sp1d3rHunters" persona from last year's SnowFlake campaign on me, even though you supposedly have all the logs. You could have verified in 5 seconds that it wasn't me. So either you're incompetent and can't read your own proof, or you knowingly pushed a lie. That IS called projection.
6. You went out of your way to paint me as the "core" of SLSH when you know that's nonsense. Why didn't you write about the other admins and members instead? Or was the only thing you managed to get your hands on a pile of garbage, and (still triggered from all the trolling in the channel) you decided to publish it anyway so you could pretend you "won"?
7. You attributed a laundry list of TTPs to me: stealer logs, social engineering, phishing, etc. You explicitly claimed the person "Saif" was operating under the alias "o5tdev," defacing websites, probably via WordPress vulns. Does it make any sense that someone would flip from popping WordPress sites to locking down Jaguar Land Rover (causing 1.9 billion EUR in losses), Orange, Telefonica, Schneider Electric, Philips, Apple, and others, all in the span of a few months?
We both know how badly this obsession is hurting you :)
It's time to drop the false accusations and try doing some actual journalism for once. At the very least, take a look at Allison Nixon. She managed to properly trace K1berPhant0m (he's retarded, in any case) and actually contributed to his arrest.
So here's my offer, Brian:
I'll pay you 10 BTC if you can publicly reveal my real identity and back it up with real proof.
I'll pay you 15 BTC if, because of your article, I ever get a knock on the door from local law enforcement for the things you accused me of."
Infostealer Connection
Alon Gal, Co-Founder and CTO at Hudson Rock, a cybercrime intelligence company that specialises in infostealer malware, shared his perspective on LinkedIn following the report by KrebsOnSecurity.
According to Gal, the individual known as “Rey,” linked to the Hellcat group and several major breaches including Jaguar Land Rover, Schneider Electric and Telefonica, has now been formally doxxed.
Gal noted that cybersecurity firm KELA had already flagged Rey’s suspected identity back in March 2025 using data from an infostealer infection that exposed previously used aliases on hacking forums.
That infection was linked to a Jordanian individual named Saif Khader. The compromised machine showed early signs of hacking activity, including defacements of Israeli websites and other unsophisticated attacks. However, no law enforcement action followed, even after KELA’s publication.
Gal said he personally examined the infected system at the time and came away with doubts. Comparing Rey’s known behaviour and writing style with what he saw on the compromised machine, Gal believed Rey may have intentionally planted traces of old forum credentials to mislead researchers. The browsing history, tone and skill level did not match the persona that went on to run ransomware and extortion operations. That difference, he said, still surprises him.
However, Gal acknowledged that according to Krebs’ reporting, Rey himself confirmed that the machine in question was indeed his. In his analysis, Gal raised three main points:
- Rey continued operating publicly after being exposed, even mocking the original KELA research online, before his account was banned.
- The infection dates back to January 2024, meaning law enforcement likely had months to act, but didn’t, despite Rey being one of the most active threat actors in recent memory.
- The infected machine displayed a mismatch in language style, search history and OPSEC awareness compared to how Rey operates elsewhere.
Whether this individual is truly at the center of Scattered LAPSUS$ Hunters remains unconfirmed. The report has drawn sharp responses from those allegedly involved, and the discrepancies highlighted by researchers like Alon Gal suggest there is still more to uncover.
Still, if the identification is accurate, it is hard to ignore how someone publicly exposed months ago was still able to keep operating and pull off some of the year’s most disruptive breaches.