Cybersecurity giant CrowdStrike has confirmed the termination of an insider who allegedly provided sensitive internal system details to a notorious hacking collective.
The incident, which came to light late Thursday and Friday morning, involved the leak of internal screenshots on a public Telegram channel operated by the threat group known as “Scattered Lapsus$ Hunters.”
The leaks surfaced when Scattered Lapsus$ Hunters, a self-proclaimed “supergroup” comprising members from Scattered Spider, LAPSUS$, and ShinyHunters, posted images purportedly showing access to CrowdStrike’s internal environment.
The screenshots, which TechCrunch reviewed, displayed internal dashboards, including an Okta Single Sign-On (SSO) panel used by employees to access corporate applications.
The hackers claimed these images were proof of a broader compromise achieved through a third-party breach at Gainsight, a customer success platform used by Salesforce clients.
However, the reality appears to be less about a technical breach and more about human vulnerability. Reports indicate that the threat actors allegedly offered the insider $25,000 to facilitate access to the network.
While the hackers claimed to have received authentication cookies, CrowdStrike maintains that its security operations center detected the activity before any malicious access could be fully established.
CrowdStrike swiftly addressed the claims, clarifying that the leaked images were the result of an employee sharing pictures of their screen rather than a systemic network intrusion.
A CrowdStrike spokesperson told Cybersecurity News, “We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.”
This incident is part of a larger, aggressive campaign by Scattered Lapsus$ Hunters, who have recently targeted major corporations by exploiting third-party vendors like Gainsight and Salesloft.
In October 2025, the group claimed to have exfiltrated nearly 1 billion records from Salesforce customers, listing high-profile victims such as Allianz Life, Qantas, and Stellantis on their data leak site.
The group’s modus operandi often involves high-pressure social engineering and recruiting insiders to bypass perimeter defenses, a tactic that has become increasingly common in 2025.
While CrowdStrike successfully contained this specific insider threat without customer impact, the event highlights the persistent danger posed by recruited employees in high-stakes cybersecurity environments.
The convergence of sophisticated social engineering with the pooled resources of three major cybercrime gangs represents a significant evolution in the threat landscape facing tech enterprises today.
The post CrowdStrike Fires Insider for Sharing Internal System Details with Hackers appeared first on Cyber Security News.



