✅ Report Title: Threat Group Profiling - Crimson Collective
✅ Executive Summary:
📌 Who is the Crimson Collective?
- The Crimson Collective emerged in September 2025 as an internationally active cyber threat group that conducts financially motivated data theft and extortion against industries such as gaming, telecommunications, and software.
- The group announces its intrusions by publishing samples of stolen data on Telegram and then attempts to negotiate with victim companies through multiple communication channels.
- As of October 20, 2025, their Telegram channel had approximately 2,200 subscribers.
- In September 2025, the group carried out its first attack, defacing the website of a Japanese gaming company (referred to as Company N) and claiming to have gained access to its internal systems.
- In October 2025, the group demanded a ransom from an enterprise open-source software company (referred to as Company R), threatening to leak stolen data. After the company refused, the group released a list of approximately 800 Customer Engagement Reports (CERs).
- The group also announced a collaboration with Scattered Lapsus$ Hunters under an “Extortion-as-a-Service” model, posting Company R-related data for sale on a Data Leak Site (DLS) and opening ransom negotiations.
📌 Activity Timeline (Chronological Order)
| No | Date (UTC+9) | Target Country | Target | Description |
|---|---|---|---|---|
| 1 | 2025-09-24 11:06 | Japan | N******* | The hacker “crimson” defaced the “topics” subdomain of Japanese gaming company N. |
| 2 | 2025-09-24 | - | - | Launched Telegram channel “Crimson Collective.” |
| 3 | 2025-09-24 23:30 | Japan | N******* | Claimed to have attacked Company N. |
| 4 | 2025-09-26 01:20 | Mexico | Claro Colombia | Claimed to have attacked Mexican telecom company Claro Colombia (claro[.]com[.]co). |
| 5 | 2025-10-01 22:58 | United States | R** H** | Claimed to have reported a vulnerability to U.S. software Company R. |
| 6 | 2025-10-01 23:06 | United States | R** H** | Claimed to have stolen 28,000 repositories and Consulting Engagement Reports (CER) from Company R. |
| 7 | 2025-10-01 23:07 | United States | R** H** | Claimed to have compromised Company R’s infrastructure and published a file tree. |
| 8 | 2025-10-01 23:14 | United States | R** H** | Published a screenshot of stolen backup file “git[.]tar[.]gz” (570GB). |
| 9 | 2025-10-06 03:20 | United States | R** H** | Announced collaboration with Scattered Lapsus$ Hunters and launched a Data Leak Site (DLS) for Company R’s data. |
| 10 | 2025-10-11 04:30 | Germany | Yunex Traffic | Claimed to sell 1TB of data from German mobility company Yunex Traffic. |
| 11 | 2025-10-11 06:55 | Thailand | JobThai | Claimed to sell an S3 bucket and a user database from Thai job platform JobThai. |
| 12 | 2025-10-11 10:27 | United States, Brazil | ChevroletDigital | Claimed to sell ChevroletDigital (chevroletdigital-pp[.]accurate[.]com[.]br) customer IDs, financial data, certificates, and internal emails. |
| 13 | 2025-10-11 10:35 | Japan | N******* | Published stolen screenshots from Company N. |
| 14 | 2025-10-11 23:42 | Colombia | Loteria de Medellin | Claimed to sell Loteria de Medellin (loteriademedellin[.]com[.]co) database (1TB compressed). |
| 15 | 2025-10-13 23:58 | United States | R** H** | Announced sale of Company R's Consulting Data. |
| 16 | 2025-10-13 23:58 | Mexico | Claro Colombia | Announced sale of Claro Colombia (claro[.]com[.]co) database. |
| 17 | 2025-10-15 09:34 | United States | R** H** | Exclusive sale announcement for Company R's Consulting Data ($70,000–$100,000). |
| 18 | 2025-10-15 09:34 | Mexico | Claro Colombia | Exclusive sale announcement for Claro Colombia Database ($20,000–$30,000). |
📌 Key Activities
1) Website Defacement of Japanese Game Company (Company N)
- (2025-09-24 11:06) The “topics” subdomain of a major Japanese gaming company (Company N) was defaced by a hacker known as “crimson.”
- (2025-09-24 23:30) After launching their Telegram channel, Crimson Collective posted: “found inside n******* data that mario got cucked by peach that was the final scenario,” along with screenshots allegedly showing access to Company N’s internal systems.
- (2025-10-11 10:35) Crimson Collective later posted, “Who said we did not have n******* topics files?” sharing further screenshots to support their hacking claims.
- The leaked screenshots contained multiple folders labeled “infra-test,” “mail,” “dev,” “production,” and “staging.”
- (2025-10-15) According to Japan’s Sankei Shimbun, Company N stated: “There is no confirmation of personal data leakage or internal intrusion. Some external servers displaying our website were altered, but no customer data was affected.”
2) Data Theft from Enterprise Open-Source Software Company (Company R)
- (2025-10-01 22:58) Crimson Collective claimed they reported a vulnerability to Company R’s security team but received no response.
- (2025-10-01 23:06) The group posted an image of git[.]tar[.]gz on Telegram, claiming to have stolen approximately 570GB of data from over 28,000 internal repositories of Company R.
- The stolen data reportedly included around 800 Customer Engagement Reports (CERs) containing sensitive client information such as network details and authentication tokens.
- (2025-10-03) Company R confirmed unauthorized access to its internal GitLab instance, stating: “An unauthorized third party copied a portion of data from our internal GitLab instance used for collaboration.”
3) Collaboration with Scattered Lapsus$ Hunters
- (2025-10-06) After publicizing the breach, Crimson Collective announced that it was cooperating with ShinyHunters and Scattered Lapsus$ Hunters.
- (2025-10-10) Scattered Lapsus$ Hunters stated that they would negotiate the ransom on behalf of Crimson Collective and threatened to release the data if no agreement was reached by October 10 (local time).
- (2025-10-16) Scattered Lapsus$ Hunters’ Data Leak Site (DLS) was defaced by an anonymous user and became inaccessible.
- The anonymous user claimed to be a former employee of ChangeNOW, a company previously hacked by Scattered Lapsus$ Hunters, and said the defacement was an act of revenge after being fired over that breach.
🧑‍💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.