Trinity of Chaos Exposes Major Data Leak Affecting 39 Global Giants

A new wave of cyber-extortion is unsettling industries worldwide. A cybercrime collective calling itself Trinity of Chaos, reportedly linked to the Lapsus$, Scattered Spider, and ShinyHunters crews, has established a data leak site (DLS) on the Tor network. The site already lists 39 multinational companies spanning the automotive, technology, aviation, retail, and luxury-goods sectors.

The listing follows investigations by the cybersecurity firm Resecurity, which found that Trinity of Chaos has moved from opportunistic data theft to a structured, ransomware-style extortion model, raising the stakes for the organizations named.

A Coordinated Campaign of Chaos

According to Resecurity's analysis, the group has not launched fresh intrusions; instead it is publishing previously undisclosed data from earlier breaches. Researchers read this as a deliberate tactic: pressure affected companies into negotiating before the full scale of the exposure becomes public.

The move marks a shift from opportunistic breaches to an organized extortion business, echoing the operating model of groups such as Conti and BlackCat. The group claims, for instance, to hold data taken from victims' Salesforce instances and has threatened to leak a "massive number of records" unless its demands are met. Salesforce has publicly stated that no new vulnerability in its platform is involved, while acknowledging that earlier compromises of individual customer instances could be the source of the data.

Negotiations, Threats, and Regulatory Pressure

Trinity of Chaos claims its attempts to open negotiations with Salesforce went unanswered. As added leverage, the attackers have threatened to report the affected companies to European Union regulators for "criminal negligence" under the GDPR, a tactic aimed squarely at raising the cost of silence for victims.

In a statement released under the name "Scattered LAPSUS & Hunters," the group framed its operations in corporate jargon: "Specializing in high-value corporate data acquisition and strategic breach operations. Our expertise spans automotive, financial, insurance, technology, telecommunications, and various other sectors worldwide. We help you regain control."

Resecurity notes that the group’s activities may date back to at least 2019, indicating a well-entrenched and sophisticated campaign that has evolved alongside leading cybercrime syndicates.

Fortune 100 Firms Among Victims

The DLS catalogue reads like a roll call of global giants: 39 firms, including Toyota, FedEx, Disney/Hulu, and UPS. Other notable names include Adidas, Chanel, Google AdSense, Cisco, and Air France-KLM.

All the organizations involved have reportedly been given until October 10, 2025, to engage in negotiations before facing potential public exposure of their complete datasets.

How the Breach Happened: Salesforce Exploitation Suspected

Current reporting points to two access paths rather than any vulnerability in Salesforce itself: OAuth tokens stolen from the Salesloft Drift integration, which many organizations had connected to their Salesforce environments, and vishing (voice phishing) campaigns that talk employees into granting the attackers access to their Salesforce instances. Resecurity's analysis of the leaked material found extensive personally identifiable information (PII) but no passwords, consistent with data being exported through legitimate Salesforce API sessions rather than a direct compromise of back-end databases.

The FBI has since issued a FLASH alert urging organizations to review their Salesforce configurations and logs for activity tied to two tracked cybercrime clusters, UNC6040 (associated with the vishing intrusions) and UNC6395 (associated with the theft of Salesloft Drift OAuth tokens).
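The review the alert asks for comes down to three questions an administrator can answer from event logs: which connected apps are actually authenticating, whether a sanctioned integration has started calling from addresses it never used before (what a replayed stolen token looks like), and whether any Bulk API job pulled far more rows than normal. The script below is an added example written for this article, not code from Resecurity, the FBI, or Salesforce. Its sample rows are constructed, the column names are loosely modelled on Salesforce Event Log File exports but are an assumption chosen for the example, and the allowlist and baseline addresses are hypothetical values an admin would maintain out of band.

```python
"""Hunt over Salesforce-style event log rows for the access patterns discussed above:
connected apps nobody sanctioned, a sanctioned integration authenticating from an
unfamiliar address (stolen-token reuse), and bulk exports far above normal volume."""
import csv
import io
from collections import defaultdict

# Constructed sample log. The layout is loosely modelled on Salesforce Event Log File
# CSV exports (Login and BulkApi event types), but the column set here is an assumption
# chosen for the example, not a verbatim Salesforce schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CONNECTED_APP,CLIENT_IP,NUMBER_OF_RECORDS
Login,2025-09-01T08:02:11Z,alice@example.com,Salesforce for Outlook,198.51.100.10,
Login,2025-09-01T08:05:40Z,drift-integration@example.com,Drift,203.0.113.7,
BulkApi,2025-09-01T08:06:02Z,drift-integration@example.com,Drift,203.0.113.7,1200
Login,2025-09-03T02:14:09Z,drift-integration@example.com,Drift,192.0.2.44,
BulkApi,2025-09-03T02:15:30Z,drift-integration@example.com,Drift,192.0.2.44,850000
Login,2025-09-03T02:40:00Z,bob@example.com,My Ticket Portal,192.0.2.44,
BulkApi,2025-09-03T02:41:12Z,bob@example.com,My Ticket Portal,192.0.2.44,420000
"""

# Hypothetical baseline an admin would maintain out of band: sanctioned connected apps,
# and the source addresses each machine integration normally uses.
APPROVED_APPS = {"Salesforce for Outlook", "Drift"}
BASELINE_IPS = {"Drift": {"203.0.113.7"}}
BULK_RECORD_THRESHOLD = 100_000  # a single bulk job this large deserves a human look


def parse_log(text):
    """Parse CSV log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def hunt(rows, approved_apps=APPROVED_APPS, baseline_ips=BASELINE_IPS,
         bulk_threshold=BULK_RECORD_THRESHOLD):
    """Return (findings, records_exported_per_user).

    Each finding is a dict with a 'reason' plus the row fields needed to triage it.
    """
    findings = []
    exported = defaultdict(int)

    def flag(reason, row):
        findings.append({
            "reason": reason,
            "time": row["TIMESTAMP_DERIVED"],
            "user": row["USER_NAME"],
            "app": row["CONNECTED_APP"],
            "ip": row["CLIENT_IP"],
        })

    for row in rows:
        app, ip = row["CONNECTED_APP"], row["CLIENT_IP"]

        # 1. A connected app outside the sanctioned set: the footprint of a user who was
        #    talked into authorising an attacker-supplied app.
        if app not in approved_apps:
            flag("unapproved_connected_app", row)

        # 2. A sanctioned integration calling from an address it never used before:
        #    what a stolen OAuth token looks like when replayed from attacker infrastructure.
        if app in baseline_ips and ip not in baseline_ips[app]:
            flag("integration_from_unexpected_ip", row)

        # 3. Bulk API jobs pulling far more rows than the integration's normal traffic.
        if row["EVENT_TYPE"] == "BulkApi":
            count = int(row["NUMBER_OF_RECORDS"] or 0)
            exported[row["USER_NAME"]] += count
            if count >= bulk_threshold:
                flag("large_bulk_export", row)

    return findings, dict(exported)


def shared_source_ips(rows):
    """Map each client IP used by more than one user to that set of users.

    The same address driving both a machine integration and an interactive user's new
    connected app is a strong hint that both sessions belong to one operator.
    """
    users_by_ip = defaultdict(set)
    for row in rows:
        users_by_ip[row["CLIENT_IP"]].add(row["USER_NAME"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    findings, exported = hunt(rows)
    for f in findings:
        print(f"{f['time']} {f['reason']:32} user={f['user']} app={f['app']!r} ip={f['ip']}")
    print("records exported per user:", exported)
    print("source IPs shared across users:", shared_source_ips(rows))
```

Run against the constructed sample, the hunt raises six findings: the Drift integration appearing from a new address and then exporting 850,000 records from it, and a previously unseen connected app exporting 420,000 records under an interactive user. The shared-IP pass ties both sessions to the same source address, which is the correlation that turns two separate alerts into one incident. On a real tenant the thresholds and baselines would come from the org's own history rather than the literals above.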

From Airlines to Tech Titans: Global Fallout

The fallout spans continents and sectors. Airlines including Air France-KLM, Qantas, and Aeroméxico appear on the list, with the leaked data likely including passenger PII, loyalty-program records, internal communications, and booking information.

  • Vietnam Airlines was targeted as early as 2023 and potentially under surveillance for almost three years before detection.
  • The group, once known as “1973cn,” may have also compromised airport systems in Vietnam.

On the technology side, data linked to Cisco and Google AdWords has also been referenced, pointing to breaches of their Salesforce instances. Google acknowledged that one of its Salesforce instances was affected in June 2025, prompting a global security review, while the leaked Cisco data reportedly included sensitive information tied to law enforcement and defense agencies in several countries.

A Perfect Storm: Cybercrime Meets Geopolitics

Security analysts have noted that the DLS launched during the U.S. federal government shutdown, raising concern about reduced cyber-defense capacity at a critical moment. The leak could also trigger regulatory and legal action worldwide, particularly under strict data-protection regimes such as the GDPR and India's DPDP Act.

Industry analysts caution that even a small fraction of the stolen data could be weaponized for mass phishing schemes, identity theft, and AI-driven fraud, with attackers potentially misusing the context of the leaks to create synthetic identities and elaborate social engineering tactics.

Inside the Numbers: What the Trio Claims to Hold

The group has vowed that if negotiations do not progress before the October deadline, the next set of leaks could contain staggering figures:

  • 56 billion records
  • 760 companies
  • 254 million accounts
  • 579 million contacts
  • 458 million case records

If accurate, these figures would point to a highly organized extortion operation capable of harvesting data from cloud CRM platforms at enterprise scale; for now they remain the group's own claims.

What Comes Next

As Resecurity’s HUNTER team monitors the situation, reports indicate that DDoS attacks have already been launched against the new DLS, possibly an attempt by affected companies to disable it or delay data publication. However, given the group’s history, experts warn that further revelations are likely on the horizon.

If the attackers carry out their threats, corporate legal teams and cybersecurity professionals worldwide will likely enter a period of intense crisis management, regulatory reviews, and potential class-action lawsuits.

The Trinity of Chaos incident is a pointed reminder of the risk carried by SaaS integrations and the OAuth tokens they hold. As businesses lean ever more heavily on platforms such as Salesforce, a single compromised integration, or a single employee talked into authorizing the wrong app, can expose data across industries and borders.
