Crimson Collective
Crimson Collective is an emerging cyber extortion group first reported in September 2025. It is described as a criminal/extortion actor, not a nation-state actor, and has been linked to data theft and extortion operations against enterprise and telecommunications targets, including Red Hat Consulting, Nissan Fukuoka Sales Co., Ltd. (via the Red Hat incident), and Brightspeed. Reported aliases are limited to "crimson_collective" / "Crimson Collective." Reporting associates the group with the adjacent cluster CryptoChameleon, and the group announced a collaboration with the ShinyHunters-linked Scattered Lapsus$ Hunters collective in extortion activity.
The group's publicly reported tradecraft centers on credential abuse and cloud-native tooling rather than custom malware. In a Cisco Talos engagement attributed to Crimson Collective, the intrusion began with a GitHub Personal Access Token that had been accidentally exposed on a public-facing website for several months. The actor used TruffleHog to scan GitHub repositories for secrets, used discovered client secrets to reach Azure cloud storage, and made Microsoft Graph API calls to authenticate, enumerate, and exfiltrate data. Talos also reported that the actor attempted to inject malicious code into multiple GitHub repositories so that secrets committed in the future would be harvested. Separate reporting says Crimson Collective has targeted AWS environments: exploiting exposed credentials, creating privileged users, attaching AdministratorAccess policies, enumerating resources through AWS APIs, and exfiltrating data using snapshots, S3, and GetObject operations. Extortion was conducted through public claims and Telegram posts, including auctioning or offering stolen datasets for sale and threatening public release.
A major reported operation involved Red Hat Consulting's self-managed GitLab environment. Crimson Collective claimed it copied about 570 GB of compressed data from Red Hat private repositories and attempted to extort Red Hat. Reporting states the breach affected Nissan Fukuoka Sales Co., Ltd., exposing personal data of about 21,000 customers, including names, addresses, phone numbers, partial email addresses, and sales-related information; no credit card data was reported stolen. Crimson Collective also claimed to have stolen customer engagement reports for Red Hat Consulting clients.
The group also claimed a breach of U.S. fiber broadband provider Brightspeed, alleging theft of data on over 1 million customers. The claimed data included names, billing and service addresses, email addresses, phone numbers, account status, payment history, payment methods, service records, order records, session IDs, user IDs, and the last four digits of payment cards. The group advertised the dataset for sale for three bitcoin, posted samples on Telegram, and threatened to dump the data if it went unsold. Some reports also note unverified claims that the group could disconnect users from service.
Overall, Crimson Collective is characterized as a new extortion crew focused on stealing data from cloud and code-repository environments: abusing exposed credentials and legitimate cloud services/APIs, exfiltrating sensitive data, and applying public extortion pressure via Telegram and leak-style disclosures.
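The AWS chain described in the profile above (exposed credential, newly created IAM user, AdministratorAccess attached, API enumeration, then exfiltration through shared snapshots or bulk S3 GetObject) leaves a recognizable trail in CloudTrail when the stages are correlated per principal and the attacker-created user is tied back to whoever created it. The following Python is an added detection example written for this page; it is not code from the page's sources or from any vendor. The events, account IDs, ARNs, bucket names and thresholds (OWN_ACCOUNTS, ENUM_MIN_DISTINCT, GETOBJECT_MIN, WINDOW) are constructed assumptions, and the record layout follows the public CloudTrail event format.

```python
"""Hunt CloudTrail for the AWS extortion chain: exposed key -> new IAM user ->
AdministratorAccess -> API enumeration -> exfiltration via snapshot sharing or
bulk S3 GetObject. Added illustration; all events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
OWN_ACCOUNTS = {"111122223333"}   # hypothetical: account IDs you control
ENUM_MIN_DISTINCT = 5             # hypothetical thresholds; tune to your baseline
GETOBJECT_MIN = 50
WINDOW = timedelta(hours=24)

CI_ARN = "arn:aws:iam::111122223333:user/ci-deploy"          # the exposed credential
NEW_USER_ARN = "arn:aws:iam::111122223333:user/backup-svc"   # attacker-created user
DEV_ARN = "arn:aws:iam::111122223333:user/alice"             # benign baseline activity


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def analyze(events):
    """Return {principal_arn: findings} for principals that granted admin rights or
    exfiltrated data; enumeration alone is too noisy to alert on by itself."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)
    # IAM user name -> ARN of the principal that created it, so a new user's
    # activity can be linked back to the compromised credential.
    created_by = {e["requestParameters"]["userName"]: arn
                  for arn, evs in by_principal.items()
                  for e in evs if e["eventName"] == "CreateUser"}
    report = {}
    for arn, evs in by_principal.items():
        f = {"created_users": [], "admin_grants": [], "enumeration": set(),
             "snapshot_shares": [], "getobject_burst": 0,
             "linked_from": created_by.get(arn.rsplit("/", 1)[-1])}
        get_times = []
        for e in evs:
            name, p = e["eventName"], e["requestParameters"]
            svc = e["eventSource"].split(".")[0]
            if name == "CreateUser":
                f["created_users"].append(p["userName"])
            elif name in ("AttachUserPolicy", "AttachRolePolicy") and p.get("policyArn") == ADMIN_POLICY:
                f["admin_grants"].append(p.get("userName") or p.get("roleName"))
            elif name == "ModifySnapshotAttribute":
                # Sharing a snapshot with a foreign account (or "all") is the exfil step.
                items = p.get("createVolumePermission", {}).get("add", {}).get("items", [])
                foreign = [i.get("userId") or f"group:{i.get('group')}"
                           for i in items if i.get("userId") not in OWN_ACCOUNTS]
                if foreign:
                    f["snapshot_shares"].append((p["snapshotId"], foreign))
            elif name == "GetObject":
                get_times.append(parse_time(e["eventTime"]))
            elif name.startswith(("Describe", "List", "Get")):
                f["enumeration"].add(f"{svc}:{name}")
        f["getobject_burst"] = max_in_window(get_times, WINDOW)
        f["enumeration"] = sorted(f["enumeration"])
        stages = []
        if f["admin_grants"]:
            stages.append("privilege_grant")
        if len(f["enumeration"]) >= ENUM_MIN_DISTINCT:
            stages.append("enumeration")
        if f["snapshot_shares"] or f["getobject_burst"] >= GETOBJECT_MIN:
            stages.append("exfiltration")
        f["stages"] = stages
        if "privilege_grant" in stages or "exfiltration" in stages:
            report[arn] = f
    return report


def event(ts, svc, name, arn, params=None):
    """Build a CloudTrail-shaped record (constructed sample, not real telemetry)."""
    return {"eventTime": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
            "eventSource": f"{svc}.amazonaws.com", "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn},
            "requestParameters": params or {}, "recipientAccountId": "111122223333"}


T0 = datetime(2025, 10, 1, 10, 0, tzinfo=timezone.utc)


def at(seconds):
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS = [
    event(at(0), "iam", "CreateUser", CI_ARN, {"userName": "backup-svc"}),
    event(at(5), "iam", "AttachUserPolicy", CI_ARN, {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    event(at(10), "iam", "CreateAccessKey", CI_ARN, {"userName": "backup-svc"}),
    event(at(300), "sts", "GetCallerIdentity", NEW_USER_ARN),
    event(at(310), "s3", "ListBuckets", NEW_USER_ARN),
    event(at(320), "ec2", "DescribeInstances", NEW_USER_ARN),
    event(at(330), "ec2", "DescribeVolumes", NEW_USER_ARN),
    event(at(340), "rds", "DescribeDBInstances", NEW_USER_ARN),
    event(at(350), "iam", "ListUsers", NEW_USER_ARN),
    event(at(600), "ec2", "CreateSnapshot", NEW_USER_ARN, {"volumeId": "vol-0123456789abcdef0"}),
    event(at(1200), "ec2", "ModifySnapshotAttribute", NEW_USER_ARN,
          {"snapshotId": "snap-0123456789abcdef0", "attributeType": "CREATE_VOLUME_PERMISSION",
           "createVolumePermission": {"add": {"items": [{"userId": "999988887777"}]}}}),
] + [event(at(1800 + i), "s3", "GetObject", NEW_USER_ARN,
           {"bucketName": "customer-exports", "key": f"export-{i}.csv"}) for i in range(60)
] + [event(at(-3600 + i), "s3", "GetObject", DEV_ARN,
           {"bucketName": "customer-exports", "key": "readme.txt"}) for i in range(3)]

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Two practical notes: GetObject only appears in CloudTrail if S3 data-event logging is enabled for the bucket or trail, so the burst rule is silent where it is not; and the `linked_from` field is what turns two separate medium-severity findings (a CI key creating a user, a new user sharing snapshots) into one chain rooted at the exposed credential.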
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Software & Services
Tradecraft
22 distinct techniques observed across reporting, grouped by tactic.
Observables
4 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Cyber extortion activity involving compromise via an exposed GitHub Personal Access Token, use of TruffleHog to scan repositories for secrets, access to Azure cloud storage through discovered client secrets, Microsoft Graph API-based authentication/enumeration/data exfiltration, and attempted malicious code injection into GitHub repositories to harvest future secrets.
Data-theft/extortion group using Telegram to announce breaches, post samples as proof, and threaten to release/sell large customer datasets.
Cybercrime group claiming intrusions and data theft, including alleged theft of large volumes of residential PII; previously associated (per the article) with breaching Red Hat private GitHub repositories.
Crimson Collective is conducting extortion operations targeting large organizations, including ISPs and technology companies, by stealing sensitive customer data and threatening to leak it unless paid. They have previously breached Red Hat’s GitLab repositories and collaborated with other extortion groups.