Two of the most disruptive cyber-extortion gangs, ShinyHunters and Scattered Spider, appear to be coordinating attacks that began by harvesting credentials from Salesforce customers and now threaten to spread to banks, insurers and other financial-services firms, according to threat-intelligence company ReliaQuest. ReliaQuest’s report says the groups are running a joint phishing and voice-phishing campaign that deploys fake single-sign-on pages, Okta-themed lures and VPN obfuscation to seize user accounts and then demand payment not to leak data. Domain-registration patterns that match Scattered Spider’s past infrastructure show a 12% increase in finance-focused targets since July 2025, while registrations aimed at technology firms fell 5%, suggesting the alliance is shifting its sights. Researchers add that overlapping infrastructure, a BreachForums user alias “Sp1d3rHunters,” and synchronized attacks on retail, insurance and aviation companies point to collaboration that may have been under way for more than a year. Security analysts warn financial institutions to tighten multi-factor authentication, monitor for ticket-themed phishing domains and prepare incident-response plans in case the campaign expands.