Page 192 - Red Hat PR REPORT - OCTOBER 2025
Data Breach at Red Hat Exposes Thousands of High-Profile Clients
BY ANUPRIYA
OCTOBER 7, 2025
Open-source giant Red Hat confirmed that a previously unknown extortion group calling itself “Crimson
Collective” had stolen sensitive documentation and source code related to its Red Hat Consulting practice.
The group first announced the hack on September 13, 2025, long before its public disclosure.
Initial indicators emerged from Telegram, where Crimson Collective, then numbering only 22 followers, posted
screenshots implicating major telcos Claro and Vodafone, both earlier victims of LAPSUS$ extortion campaigns in
2021 and 2022, respectively.
Red Hat immediately began notifying impacted clients, warning that stolen files included Consultancy Engagement
Reports and private certificates in .pfx format belonging to organisations such as ING Bank and Delta Airlines.
Linking Crimson Collective to LAPSUS$ Affiliates
Security researcher Brian Krebs noted that the Telegram handle “Miku,” attributed to Crimson Collective’s
administrator, appears to belong to Thalha Jubair, the UK teenager charged in connection with the Scattered Spider
group and remanded in custody pending trial.
Jubair’s alleged involvement with high-profile attacks against Transport for London lends credibility to this
attribution.
Further fuel was added when a newly formed site called “Scattered LAPSUS$ Hunters” published a Red Hat entry
bearing trademark LAPSUS$ signatures, typos previously made by that group, casual racist comments in HTML
comments, and even a looping Pokémon theme tune.
This overlap of tactics and personas suggests Crimson Collective is either an evolution of LAPSUS$ or an affiliate
leveraging its notoriety.
Crimson Collective’s proof included a file tree enumeration listing over 370,000 directories and 3.4 million files in
an initial data dump.
https://cyberpress.org/data-breach-at-red-hat-exposes-thousands-of-high-profile-clients/

