Google Law Enforcement Portal Breached; Access Claimed by Hackers

Google has confirmed that a novel threat actor group, Scattered Lapsus$ Hunters, compromised its Law Enforcement Request System (LERS). Investigators discovered a fraudulent account within the portal, which is used worldwide by law enforcement and government agencies.

This system provides a secure and auditable way to handle formal legal requests, such as subpoenas and court orders, for the legal acquisition of user or account data. LERS also allows them to track their status and, when appropriate, deliver responsive data.

The creation of this fraudulent account was confirmed when investigators discovered a threat actor group, identifying themselves as Scattered Lapsus$ Hunters, who gloated about accessing LERS on Telegram and had uploaded screenshots as proof of the attack.

While Google did not publicly disclose how the group gained access to the system, whether through social engineering, stolen credentials, or an undisclosed vulnerability, it confirmed that no requests were made with the account and no data was accessed.

This unauthorized access to Google’s highly sensitive LERS portal was a significant security incident. However, Google responded quickly by removing the account and mitigating any further abuse by the attackers.

Unauthorized access to LERS could allow threat actors to impersonate law enforcement or government officials, without worrying about additional identity verification, since it would be assumed that anyone issuing requests, such as subpoenas for user data, would be legitimate.

In the geopolitical context, access to such a highly sensitive system for the purpose of fraudulently requesting data on journalists, government personnel, or political figures would amount to a weapon in the wrong hands.

Furthermore, Scattered Lapsus$ Hunters claimed to have breached the FBI’s National Instant Criminal Background Check System (NICS) eCheck portal, which federally licensed firearms dealers (FFLs) use to run mandatory background checks when someone attempts to purchase a gun or certain explosives after completing ATF Form 4473. Despite the screenshot, the intrusion has not been independently confirmed.

Who are Scattered Lapsus$ Hunters

Scattered Lapsus$ Hunters is a relatively new threat actor group, which landed on the radar in mid- 2025. Researchers believe the group operates as a network of members drawn from high-profile cybercrime groups, including Lapsus$, ShinyHunters, and Scattered Spider, a connection hinted at by its name, Scattered Lapsus$ Hunters.

Researchers speculate that the group does not seem to follow any rigid organizational structure and believe that its members likely overlap with parent groups. Still, some researchers suggest that many of the actors involved are young, English-speaking teenagers or in their early 20s. Attribution places them in the U.S. or U.K., which follows the pattern of some of the founding groups, such as Scattered Spider.

The group’s modus operandi is primarily focused on public extortion and data dumps, and appears to favor causing public spectacle, which are all hallmarks of juvenile posturing.