On September 2, a hacker group calling itself the Scattered LapSus Hunters threatened Google with a data leak unless two of its top security experts, namely Austin Larsen and Charles Carmakal, were fired.
The demand, made through the messaging app Telegram, is unusual. Hackers typically threaten companies, not individuals. By naming names, the group has shifted the battle from a corporate fight to a personal one.
Google has not confirmed whether its systems were breached, but the threat alone points to a troubling change in how cybercrime is carried out.
Mr. Larsen and Mr. Carmakal are well-known inside Google’s security ranks. Both work in the Threat Analysis Group, a team that investigates major hacking operations.
Mr. Carmakal, once the chief technology officer at the cybersecurity firm Mandiant before Google bought it, has helped companies respond to some of the most significant data breaches of the last decade.
On the other hand, Mr. Larsen is recognized for his work tracking groups like Scattered Spider, a collective blamed for attacks on airlines, video game makers, and technology firms.
For the hackers, targeting these two men is about more than removing obstacles. It is about making the fight personal, and in doing so, undermining the confidence of the very people responsible for exposing their methods.
The coalition behind the threat appears to be a mix of three groups: Scattered Spider, Lapsu$, and ShinyHunters. Each has a history of bold attacks.
Scattered Spider is known for tricking employees into giving up login details, sometimes by hijacking phone numbers through a technique called SIM swapping. Lapsu$, which gained attention in 2022, broke into companies including Microsoft, Nvidia, and Okta, and often bragged about its successes online. ShinyHunters was behind a 2023 breach of the cloud company Snowflake, which exposed data from hundreds of corporate clients.
In early August, members of these groups began posting under the joint name Scattered LapSus Hunters. On Telegram, they shared stolen information, issued taunts, and made demands.
The channel was later banned, but not before showing how hackers now combine technical skills with intimidation tactics meant to pressure companies into compliance.
The personal targeting of Larsen and Carmakal illustrates how the fight has shifted. Cyberattacks are no longer only about stealing information or disrupting services.
They are now about weakening the people who protect against them, raising the risk of harassment, reputational damage, and personal stress for those on the front lines.
Experts say this new phase of cybercrime means companies must do more than secure their networks. They must also protect their staff.
That could mean limiting how much personal information about employees is publicly available, using stronger authentication for logins, monitoring for leaked data, and offering legal and emotional support when threats arise.
For Google, the demand tests its willingness to stand by its security team. For the wider industry, it marks a turning point. Hackers are no longer only attacking companies. They are naming individuals, bringing a corporate struggle into the personal lives of the people sworn to defend it.
