Page 202 - Red Hat PR REPORT - OCTOBER 2025

10/8/25, 3:33 PM - Red Hat breach escalates as Crimson Collective recruits help • The Register


Red Hat breach escalates as criminals collaborate on 'multi-terabyte' extortion plot


Bad guys promise not to attack customers if they get paid


Carly Page, Tue 7 Oct 2025 // 11:58 UTC


Red Hat's breach nightmare just got worse, as the Crimson Collective crew that claims to have ransacked its GitLab repos has joined forces with the ShinyHunters-linked "Scattered Lapsus$ Hunters" gang to turn the screw with a full-blown extortion campaign.


The trouble began last week when a criminal group calling itself the Crimson Collective claimed it had copied around 570 GB of compressed data from a GitLab environment used by Red Hat's consulting arm, allegedly including some 28,000 internal repositories and hundreds of Customer Engagement Reports (CERs) that contain detailed infrastructure diagrams, configuration files, and, in places, secrets such as access tokens.


In messages seen by The Register, the group also said it found authentication tokens inside repos and reports, which it claimed to have already used to compromise downstream Red Hat customers.


Red Hat last week confirmed to The Reg that the breach was related to a GitLab instance and said it had isolated the affected environment and launched an investigation. The attack did not target GitLab's own infrastructure, spokesperson Emily James stressed to El Reg, saying: "The incident refers to Red Hat's self-managed instance of GitLab Community Edition... Customers who deploy free, self-managed instances on their own infrastructure are responsible for securing their instances, including applying security patches, configuring access controls, and maintenance."


What initially looked like a standard extortion play escalated this week after the Crimson Collective crew announced it had joined forces with a Scattered Lapsus$/ShinyHunters syndicate to extort the IBM-owned open source giant.


"On the 4th April 1949 was created the so ... called NATO, but what if today's new alliance was bigger than that? But for a greater purpose, ruining corporations mind [sic]," the group said in Telegram messages seen by The Register. "What if Crimson's shininess extends even further away?"






https://www.theregister.com/2025/10/07/red_hat_breach_new_claims/