'Pink' Adopts Lapsus$ Tactics in Fake Help Desk Attacks

New extortion group 'Pink' uses voice phishing via fake help desk calls to steal corporate credentials, following social engineering methods established by Lapsus$ and Scattered Spider, threatening data leaks with a 72-hour response deadline.

Reviewed & edited by the SINGULISM Editorial Team

A new extortion group (not ransomware) named “Pink” has emerged. First identified by Palo Alto Networks’ threat intelligence unit Unit 42, this group uses voice phishing (vishing) and fake help desk calls to gain initial access to corporate IT environments, steal sensitive data, and extort money under the threat of public exposure.

According to The Register’s report, Pink’s data leak site went live on May 31. Unit 42 tracks this group as cluster “CL-CRI-1147.” “Pink uses vishing and IT impersonation to phish credentials and MFA (multi-factor authentication), then steals corporate cloud storage and productivity data to extort victims,” the threat intelligence firm stated in a LinkedIn post.

Well-Known Tactics

Many readers will recognize this attack method. Pink is directly following the playbook popularized by the chaotic criminal group Lapsus$ during their extortion spree from 2021 to 2022. At that time, Lapsus$ established phone-based intrusion techniques targeting companies like Nvidia, Microsoft, and Okta.

Scattered Spider later took over that role. Best known for the 2023 digital heist at Las Vegas casinos, Scattered Spider reportedly needed only a 10-minute help desk call to infiltrate MGM’s network.

Most recently, ShinyHunters employed the same method, stealing sensitive data from Ticketmaster, AT&T, other Salesforce customers, and thousands of schools and universities using the Canvas digital learning platform.

Despite multiple arrests across all three gangs, they continue to resurface and victimize new organizations.

The Com Connection

Most incident response organizations, including Google’s Mandiant and Unit 42, associate many of these criminal groups with “The Com.” The Com is a loose network of primarily English-speaking members, an interconnected collection of hackers, SIM swappers, and extortionists, some of whose subgroups also contract for violent real-world crimes.

According to Unit 42, Pink is “likely associated with threat actors linked to The Com.” After investigating “multiple” extortion attacks over several months, Unit 42 discovered new activity on June 1 in an existing extortion negotiation.

“On June 1, 2026, an existing extortion negotiation that had never received a response (attributed to a The Com-related cluster) received communication from a new threat actor via a free webmail account,” said Unit 42 analysts Richard Emerson and Cuong Dinh in a Wednesday threat intelligence post. “The actor provided a new qTox ID and a leak site associated with the Pink brand, but referenced the theft of nearly identical information from the original extortion notice.”

Pink gives victims a 72-hour deadline to respond. If no response is received within that time, the group threatens to publish the stolen data.

Evolution of Social Engineering

This method, established by Lapsus$ and Scattered Spider, is highly effective not because of technical difficulty but because it exploits human psychological weaknesses. Unlike a traditional phishing email, a voice phishing call is more likely to be mistaken by IT staff for a legitimate support request, which leads to MFA bypass.

Specifically, attackers present employee information gathered in advance (names, job titles, department, manager’s name, etc.) over the phone, lowering the help desk agent’s guard and coaxing them into password resets or MFA token reissuance. Scattered Spider’s successful 10-minute penetration of MGM vividly demonstrates the danger of this technique.

The intrusion pattern Unit 42 confirmed for Pink in this investigation closely mirrors these precedents. Attackers first collect publicly available information about the target organization, then call the help desk impersonating an employee. After having credentials reset, they access VPNs or cloud consoles and exfiltrate large amounts of data.
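One way a defender can detect the chain Unit 42 describes (phone-initiated help desk reset, then a VPN or cloud login from an unfamiliar device, then bulk download) is to correlate those events in the logs. The following is an added example, not code from Unit 42 or The Register; the log format, field names, device baseline and size threshold are all constructed for illustration.

```python
# Added example: correlate a phone-channel help desk credential reset with the
# follow-on activity described in the article (new-device VPN login, bulk download).
# Log format, field names, baseline and threshold are constructed, not from any real system.
import json
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # constructed: how long after the reset we correlate
BULK_BYTES = 500 * 1024 * 1024        # constructed threshold: 500 MiB counts as bulk

# Constructed sample events, one JSON object per line (not from any real incident).
SAMPLE_LOG = """
{"ts":"2026-06-01T09:02:00Z","event":"helpdesk.mfa_reset","user":"alice","channel":"phone","agent":"hd-07"}
{"ts":"2026-06-01T09:20:00Z","event":"vpn.login","user":"alice","device":"dev-unknown-91","src":"198.51.100.23"}
{"ts":"2026-06-01T10:05:00Z","event":"cloud.download","user":"alice","bytes":2147483648,"path":"/shared/finance"}
{"ts":"2026-06-01T11:00:00Z","event":"helpdesk.password_reset","user":"bob","channel":"portal","agent":"hd-02"}
{"ts":"2026-06-01T11:10:00Z","event":"vpn.login","user":"bob","device":"dev-bob-laptop","src":"203.0.113.9"}
{"ts":"2026-06-01T11:30:00Z","event":"cloud.download","user":"bob","bytes":1048576,"path":"/docs"}
"""
# Constructed per-user device baseline (devices seen before the reset).
KNOWN_DEVICES = {"alice": {"dev-alice-laptop"}, "bob": {"dev-bob-laptop"}}

def parse(log):
    """Parse one JSON event per line and sort by timestamp."""
    events = [json.loads(line) for line in log.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect_helpdesk_reset_chain(log, known=KNOWN_DEVICES):
    """Return one alert per phone-channel help desk reset that is followed, within
    WINDOW, by a login from a device outside the user's baseline and then by a
    download at or above BULK_BYTES. Portal-initiated resets are ignored."""
    events = parse(log)
    alerts = []
    for i, reset in enumerate(events):
        if not reset["event"].startswith("helpdesk.") or reset.get("channel") != "phone":
            continue
        user, deadline = reset["user"], reset["ts"] + WINDOW
        new_login = bulk = None
        for e in events[i + 1:]:
            if e["user"] != user or e["ts"] > deadline:
                continue
            if e["event"] == "vpn.login" and e["device"] not in known.get(user, set()):
                new_login = new_login or e
            elif e["event"] == "cloud.download" and e["bytes"] >= BULK_BYTES and new_login:
                bulk = bulk or e
        if new_login and bulk:
            alerts.append({"user": user, "reset": reset["event"], "agent": reset["agent"],
                           "device": new_login["device"], "src": new_login["src"],
                           "bytes": bulk["bytes"], "path": bulk["path"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_helpdesk_reset_chain(SAMPLE_LOG):
        print("ALERT possible vishing-driven account takeover:", alert)
```

On the sample data only alice's sequence fires; bob's reset came through the portal and his login was from a baselined device, so it is left alone.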

Why Attacks Continue

Despite multiple arrests, this type of attack persists due to the loose network structure of groups like The Com. Even if central leaders are arrested, their knowledge and tools are passed on to other members, leading to the continuous emergence of new groups.

Pink’s appearance as a new brand reflects this structure. Unit 42 discovered that Pink referenced “nearly identical information from the original extortion notice,” suggesting that the same attacker group may have reappeared under a different name.

Corporate defenses are also lagging. Phone-based identity verification at help desks remains weak in many organizations. Even where MFA is deployed, if the help desk has the authority to bypass MFA over the phone, that pathway becomes an entry point for attackers.

Editorial Perspective

Short-term Impact: Over the next 3 to 6 months, it is highly likely that more new groups using similar methods will emerge. Extortion groups, particularly those spinning off from The Com network, will likely open leak sites under rebranded names. Corporate help desk departments must immediately review their phone-based credential reset processes. Establishing operational flows that do not allow MFA resets or password changes to be completed solely via phone is urgent. Voice ID and callback confirmation are expected to emerge as effective countermeasures.

Long-term Perspective: Over a 1 to 3 year span, we anticipate automation and standardization of social engineering defenses. AI-powered real-time suspicious call detection and enhanced integration of identity management systems with help desks will likely appear as products and services. Additionally, cyber insurance underwriting may impose stricter audits of help desk authentication processes. Fundamentally, the architecture of handling credentials over the phone will be questioned, and zero-trust principles are expected to permeate help desk operations.

Questions for Readers: The fact that emerging extortion groups like Pink use exactly the same methods as Lapsus$ and Scattered Spider should be seen as evidence of the “templating” of cybercrime. Since defenders can anticipate attack patterns, countermeasures are theoretically possible. So why do corporate help desks still fall for this trick? Is the problem not technical but rather rooted in an organization’s security culture and the quality of incident response training? We recommend readers simulate whether their own help desks could be breached by a 10-minute phone call.

Frequently Asked Questions

What is the cybercriminal group Pink?
Pink is a new extortion group confirmed by Unit 42 in late May 2026. It uses voice phishing (vishing) and fake help desk calls to steal corporate credentials, take cloud storage and productivity data, and extort money under threat of publication. A notable characteristic is setting a 72-hour response deadline, employing methods similar to Lapsus$ and Scattered Spider.
How can one protect against this attack?
Immediately review help desk processes for credential resets over the phone. Do not allow password changes or MFA resets to be completed solely via phone; implement callback verification, Voice ID, or approval flows requiring a second authorizer. Training employees on social engineering attacks and establishing clear procedures for reporting suspicious calls are also important.
Source: The Register