Data Breach at Red Hat Exposes Thousands of High-Profile Clients

Open-source giant Red Hat confirmed that a previously unknown extortion group calling itself “Crimson Collective” had stolen sensitive documentation and source code related to its Red Hat Consulting practice.

The group first announced the hack on September 13, 2025, long before its public disclosure.

Initial indicators emerged from Telegram, where Crimson Collective, then numbering only 22 followers, posted screenshots implicating the major telcos Claro and Vodafone, both earlier victims of LAPSUS$ extortion campaigns in 2021 and 2022, respectively.

Red Hat immediately began notifying impacted clients, warning that stolen files included Consultancy Engagement Reports and private certificates in .pfx format belonging to organisations such as ING Bank and Delta Airlines.

Linking Crimson Collective to LAPSUS$ Affiliates

Security researcher Brian Krebs noted that the Telegram handle “Miku,” attributed to Crimson Collective’s administrator, appears to belong to Thalha Jubair, the UK teenager charged in connection with the Scattered Spider group and remanded in custody pending trial.

Jubair’s alleged involvement with high-profile attacks against Transport for London lends credibility to this attribution.

Further fuel was added when a newly formed site called “Scattered LAPSUS$ Hunters” published a Red Hat entry bearing trademark LAPSUS$ signatures, typos previously made by that group, casual racist comments in HTML comments, and even a looping Pokémon theme tune.

This overlap of tactics and personas suggests Crimson Collective is either an evolution of LAPSUS$ or an affiliate leveraging its notoriety.

Crimson Collective’s proof included a file tree enumeration listing over 370,000 directories and 3.4 million files in an initial data dump.

A subsequent 2.2 GB ZIP revealed an astonishing 32 million files stolen from Red Hat Consulting repositories.

Analysis of the directory structure indicates that more than 5,000 enterprise organisations are affected.

Sample Consultancy Engagement Reports were released for seven global companies, including Air Products (AIR), American Express Global Business Travel (AMEX_GBT), Atos (NHS Scotland), BOC, HSBC, and Walmart.

Equally concerning were exposed .pfx files containing private SSL certificates for ING Bank and Delta Airlines, putting these organisations at acute risk of impersonation attacks and unauthorized decryption of internal traffic.

Red Hat has publicly stated it will not negotiate with the extortionists, emphasizing that payment only perpetuates further attacks.

Impacted organisations are urged to contact Red Hat Consulting support to obtain forensic copies of stolen files and immediately rotate all compromised certificates and stored credentials.

Customers should assume that all data will eventually become public and develop mitigation plans accordingly.

Regulatory bodies may also open investigations into the breach, given the involvement of private citizen data and protected healthcare systems.

As Crimson Collective continues trading sensitive files online, the incident underscores the growing sophistication of extortion groups and the need for enterprises to reinforce zero-trust architectures and rapid incident response protocols.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
