February 2, 2026

A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a distinctive playbook when it seeks to extort payment from victim firms: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying — perhaps as much to contain the stolen data as to stop the escalating personal attacks. But a top SLSH expert warns that engaging at all beyond a “We’re not paying” response only encourages further harassment, noting that the group’s fractious and unreliable history means the only winning move is not to pay.

Image: Shutterstock.com, @Mungujakisa

Unlike traditional, highly regimented Russia-based ransomware affiliate groups, SLSH is an unruly and somewhat fluid English-language extortion gang that appears uninterested in building a reputation of consistent behavior whereby victims might have some measure of confidence that the criminals will keep their word if paid.

That’s according to Allison Nixon, director of research at the New York City-based security consultancy Unit 221B. Nixon has been closely tracking the criminal group and its individual members as they bounce between the various Telegram channels used to extort and harass victims, and she said SLSH differs from traditional data ransom groups in other important ways that argue against trusting them to do anything they say they’ll do — such as destroying stolen data.

Like SLSH, many traditional Russian ransomware groups have employed high-pressure tactics to force payment in exchange for a decryption key and/or a promise to delete stolen data, such as publishing a dark web shaming blog with samples of stolen data next to a countdown clock, or notifying journalists and board members of the victim company. But Nixon said the extortion from SLSH quickly escalates way beyond that — to threats of physical violence against executives and their families, DDoS attacks on the victim’s website, and repeated email-flooding campaigns.

SLSH is known for breaking into companies by phishing employees over the phone (vishing), then using the purloined access to steal sensitive internal data. In a January 30 blog post, Google’s security forensics firm Mandiant said SLSH’s most recent extortion attacks stem from incidents spanning early to mid-January 2026, when SLSH members pretended to be IT staff and called employees at targeted organizations, claiming that the company was updating its MFA settings.

“The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA,” the blog post explained.
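The enrollment step is the one a defender can catch after the fact: the attacker signs in with the phished SSO credentials and one-time code, then adds an MFA method of their own so that the stolen password keeps working. The following Python sketch, added here as an illustration and not code from Mandiant, Unit 221B or the original post, correlates new MFA-method enrollments with recent successful sign-ins from IPs that are not in the user's history. The newline-delimited JSON event format, the field names, the 30-minute window and the baseline of known IPs are all constructed for this example, not the schema of any real identity provider.

```python
import json
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (oldest first). The JSON
# field names ("type", "ip", "method", ...) are assumptions for this example,
# not the schema of any real product. 198.51.100.23 plays the attacker's
# address; the 203.0.113.x addresses are the users' normal ones.
SAMPLE_EVENTS = """\
{"ts": "2026-01-12T09:01:10Z", "user": "alice", "type": "signin", "ip": "203.0.113.7", "result": "success"}
{"ts": "2026-01-12T09:02:45Z", "user": "alice", "type": "signin", "ip": "198.51.100.23", "result": "success"}
{"ts": "2026-01-12T09:04:02Z", "user": "alice", "type": "mfa_method_added", "ip": "198.51.100.23", "method": "authenticator_app"}
{"ts": "2026-01-12T10:30:00Z", "user": "bob", "type": "signin", "ip": "203.0.113.9", "result": "success"}
{"ts": "2026-01-12T13:15:00Z", "user": "bob", "type": "mfa_method_added", "ip": "203.0.113.9", "method": "authenticator_app"}
"""

# Constructed baseline: IPs each user has signed in from before the period
# under review. In practice this is built from prior weeks of successful sign-ins.
BASELINE_IPS = {"alice": {"203.0.113.7"}, "bob": {"203.0.113.9"}}

# How long after a sign-in from an unfamiliar IP a new MFA enrollment is
# treated as linked to it (an assumption; tune to the environment).
WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # fromisoformat() does not accept a trailing "Z" before Python 3.11.
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_enrollments(events, baseline_ips, window=WINDOW):
    """Return one alert per MFA-method enrollment that is preceded (within
    `window`) by a successful sign-in from an IP absent from the user's
    baseline, or that is itself performed from such an IP."""
    recent_signins = {}  # user -> [(ts, ip), ...] successful sign-ins seen so far
    alerts = []
    for event in events:
        user = event["user"]
        if event["type"] == "signin" and event.get("result") == "success":
            recent_signins.setdefault(user, []).append((event["ts"], event["ip"]))
        elif event["type"] == "mfa_method_added":
            known = baseline_ips.get(user, set())
            unfamiliar = {
                ip for ts, ip in recent_signins.get(user, [])
                if event["ts"] - ts <= window and ip not in known
            }
            # The enrollment itself coming from an unknown IP is enough on its own.
            if event["ip"] not in known:
                unfamiliar.add(event["ip"])
            if unfamiliar:
                alerts.append({
                    "user": user,
                    "enrolled_at": event["ts"].isoformat(),
                    "method": event.get("method"),
                    "unfamiliar_ips": sorted(unfamiliar),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(parse_events(SAMPLE_EVENTS), BASELINE_IPS):
        print(json.dumps(alert))
```

Run against the constructed events, only alice's enrollment is flagged: it follows a sign-in from an address she has never used, and bob's enrollment from his usual address hours after his sign-in is left alone. An alert of this kind is a reason to revoke the user's sessions and remove the new method, then re-verify the employee through a channel the caller did not control, rather than a reason to assume the enrollment was legitimate because the password and MFA code checked out.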

Victims often first learn of the breach when their brand name is uttered on whatever ephemeral new public Telegram group chat SLSH is using to threaten, extort and harass their prey. According to Nixon, the coordinated harassment on the SLSH Telegram channels is part of a well-orchestrated strategy to overwhelm the victim organization by manufacturing humiliation that pushes them over the threshold to pay.

Nixon said multiple executives at targeted organizations have been subject to “swatting” attacks, wherein SLSH communicated a phony bomb threat or hostage situation at the target’s address in the hopes of eliciting a heavily armed police response at their home or place of work.

“A big part of what they’re doing to victims is the psychological aspect of it, like harassing executives’ kids and threatening the board of the company,” Nixon told KrebsOnSecurity. “And while these victims are getting extortion demands, they’re simultaneously getting outreach from media outlets saying, ‘Hey, do you have any comments on the bad things we’re going to write about you.’”

In a blog post today, Unit 221B argues that no one should negotiate with SLSH because the group has demonstrated a willingness to extort victims based on promises that it has no intention to keep. Nixon points out that all of SLSH’s known members hail from The Com, shorthand for a constellation of cybercrime-focused Discord and Telegram communities which serve as a kind of distributed social network that facilitates instant collaboration.

Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility-destroying behavior, backstabbing, and members sabotaging each other.

“With this type of ongoing dysfunction, often compounded by substance abuse, these threat actors often aren’t able to act with the core goal in mind of completing a successful, strategic ransom operation,” Nixon wrote. “They continually lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal organization network for continued successful ransoms – unlike other, more tenured and professional criminal organizations focused on ransomware alone.”

Intrusions from established ransomware groups typically center on encryption/decryption malware that mostly stays on the affected machines. In contrast, Nixon said, a ransom demand from a Com group is often structured the same way as the violent sextortion schemes the Com runs against minors: members steal damaging information, threaten to release it, and “promise” to delete it if the victim complies, without any guarantee or technical proof that they will keep their word. She writes:

A key component of SLSH’s efforts to convince victims to pay, Nixon said, involves manipulating the media into hyping the threat posed by this group. This approach also borrows a page from the playbook of sextortion attacks, she said, which encourages predators to keep targets continuously engaged and worrying about the consequences of non-compliance.

“On days where SLSH had no substantial criminal ‘win’ to announce, they focused on announcing death threats and harassment to keep law enforcement, journalists, and cybercrime industry professionals focused on this group,” she said.

An excerpt from a sextortion tutorial from a Com-based Telegram channel. Image: Unit 221B.

Nixon knows a thing or two about being threatened by SLSH: For the past several months, the group’s Telegram channels have been replete with threats of physical violence against her, against Yours Truly, and against other security researchers. These threats, she said, are just another way the group seeks to generate media attention and achieve a veneer of credibility, but they are useful as attribution indicators because SLSH members tend to name-drop and malign security researchers even in their communications with victims.

“Watch for the following behaviors in their communications to you or their public statements,” Unit 221B’s advisory reads. “Repeated abusive mentions of Allison Nixon (or “A.N”), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, or commit terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists.”

Unit 221B says that while the pressure campaign during an extortion attempt may be traumatizing to employees, executives, and their family members, entering into drawn-out negotiations with SLSH incentivizes the group to increase the level of harm and risk, which could include the physical safety of employees and their families.

“The breached data will never go back to the way it was, but we can assure you that the harassment will end,” Nixon said. “So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you will objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment.”


26 thoughts on “Please Don’t Feed the Scattered Lapsus ShinyHunters”

  1. Jay

    Re: “…all while notifying journalists and regulators about the extent of the intrusion”,
    The article does not name any journalist or media entity which has published any of the attack data. Nor have the researchers recommended in the article any cautions that should be going to such media so the media can be schooled in how to exercise restraint against being co-opted into furthering these attacks.

  2. Seashells by the seashore

    This is another fascinating article by Mr. Krebs, conflating an actual extortion attempt by a large, quasi-organized group of executives and fine ‘business institutions’ (some of the very same upstanding people involved in the Ashley Madison, Panama papers and Paradise papers ‘leaks’, among others) with these folks.

    But Mr. Krebs and his ilk do not like actual rabbit holes (I am averse to the term ‘warren’), only things that fit his/their narrative(s). It is kind of a pity; for a short while, about a year and a half or so ago, I thought maybe he had turned a new leaf.

    Folks like Phineas and myself know better.

  3. Admirer

    This was an interesting read. Although I would like to say a few things because it doesn’t seem like you know how this works.

    Advising victims not to pay is reasonable. Everyone has done this historically, even law enforcement. But we know a lot of companies give in, or they used to, not as much anymore.

    Asserting or implying that this specific group (SLSH/SLH or ShinyHunters, ShinyHunters seems like a completely different group btw) habitually breaks agreements requires evidence that hasn’t been publicly shown.

    As a piece of genuine advice, before you make articles like these, the best way to do it is to provide evidence, back up your claims.

    Do you remember when the NCA and FBI shut down Lockbit in 2024? Do you remember how they did it? They clearly showed that Lockbit is not trustable. Look at Lockbit now… dead… and they probably don’t make any money.

    What you are doing here isn’t wrong but rather incorrect. I sincerely hope you don’t take this criticism the wrong way, just my two cents.

      1. your molar weight

        yeah, five venti raspberry mochas in 2010 could be great fifteen years ago soon.

  4. cleaning

    The winning move isn’t to ‘not play’, because that just encourages further attacks just as much as responding in the first place. Life isn’t wargames unfortunately.

    Articles like THIS, which continue to mention them by name are their fuel. Because the articles don’t stop, the ransom, extortion, beatings, underage children being groomed into becoming callers, etc, won’t stop, it’s a parasitic relationship.

    To continue the silly chess analogies, journalists are used as pawns (a tale as old as time). The winning move is to remove all coverage and refuse all coverage, but journalists don’t want that, they want clicks, that’s what their livelihood depends on, and there’s no sense with one independent journalist refusing to cover when 25 other massive publications will write about the weekly ransom, even if it’s a mom and pop shop ISP servicing 350 customers.
    Even if by some miracle, every single cybersecurity journalist stopped, all it takes is one or a few “independents” or twitter accounts to tweet it, get a few thousand likes, and it’s back to the beginning. These groups don’t care WHO writes, just as long as it gets written.

    1. ramalamadingdong

      It seems to me that ‘these groups’ (or, anyway, only quasi-organized groups of people barely loosely in communication, from what I can make out) aren’t that interested in being written about (this isn’t a decade or two ago). It is conceivable, though, that articles like this do encourage some people to seek ‘people like this’ out.

      I haven’t really figured out the exact motive for these guys. It doesn’t seem to be fame, or money (despite whatever requests they make; they don’t seem to be spending it, or fleeing), or political. The people that have been arrested and are awaiting whatever the justice department decides to do with their cases, however loosely related they are to one another or this ‘group’, had the means to flee, and yet did not.

      Maybe they are merely young, simply bored, and just wanted to see what they could get away with.

    2. JB

      The single largest goad to making companies secure PII is being revealed publicly to have not protected it. Otherwise many companies would only bother to secure operations against encryption ransoming (and then would probably get encrypted anyway because of allowing easier access, more persistence and more lateral movement).

      It’s massively advantageous to the consumer that the companies get named and shamed.

      Incidentally these articles are extremely helpful for me to explain to my execs how someone that has access to your inside data will probably not go away until they extract as much value as they can, i.e., it’s not a Mastercard expense, it’s as much money as they can extract.

      1. ramalamadingdong

        I don’t think it is ever advantageous to any given consumer for a company they want to trust to be named and shamed by a ‘breach’ or leak unless the goal is to expose actual, unethical, illegal and/or illicit activity that affects the consumer.

        Perhaps some of the companies being ‘named and shamed’ are really guilty of other, actual, deliberate crimes (or perhaps totally other companies are guilty of those malfeasances and the ‘leakers’ are merely frustrated and attempting to encourage someone with the proper access to expose a deeper corporate malfeasance, who knows?).

        What is it about the impropriety of people exposing the possibility of doing large extractions of personally identifying data that is so difficult for people to accept or understand? Are they all just seeking some sorta schadenfreude for making everyone as vulnerable as people in something like the old breaches like RockYou and whatever that are included in every Kali DVD? Do you wanna be a member of a ‘club’ like that?

        1. JB

          I don’t follow your reasoning.

          Without public attention companies don’t act, and historically many don’t even detect breaches and without disclosure law or publication they don’t disclose them. Furthermore just because the breach is publicised doesn’t stop the data being sold, exfiltrated data is just like that naked video you took of your ex girlfriend on your phone, no matter how many times you say you’ve deleted it, there is a copy somewhere.

          Using the breach as leverage for a ransom just exchanges some of the long term value extracted from consumer data (because some consumers will take steps to reduce the value of the data or otherwise be aware of the scam potential) for upfront value extracted from the company who has been breached, which also from a criminal perspective moves the value to the people that do access and exfiltration and away from thieves who resell data after buying it.

          1. ramalamadingdong

            I am not sure why you believe that someone accessing and utilizing (or selling) data in a closed transaction is worse than enabling anyone to learn that data is accessible, know who is in it, and enable anyone to access that data. Data is brokered all the time, with little regard for the consumer (and most have no clue where their spam originates from).

            The danger is clearly the emergence of crossover events, where actors with enough information to access databases then combine that with a ransomware ‘event’ oriented to specific consumers.

            I suspect you, I, and most other people, just don’t hear about much of little individual blackmails, only the ‘mass leaks’. Kind of interesting, if you think about it.

            Last I checked, reselling data, itself, doesn’t net quite the fortune most people probably think it does… and I suspect most people probably don’t care about a bit of extra spam.

            They probably would, however, care if someone seeking ‘lolz’ and money found either outcome sufficient, as long as one of them ‘took’… Which is what the ‘out and shame’ breach culture caused and still encourages.

            What makes you (or anyone that replies to a blog post, including myself) the arbiter of deciding what companies (or companies’ clients) deserve shame over something like a poorly configured software option? Better to not encourage shaming mistakes in general and focus on deliberate acts of malice.

            You never know when it might come back and bite you in the ass.

            I doubt it is like a naked photo or video I personally would never take or store on a phone or laptop of my own (or send, for that matter). Mindfulness and prevention are pretty useful things, yeah?

            Some things deserve legal action (I mean, certain medical stuff can be brutal and prone to the sorts of multiforked attacks I mentioned)… The publicizing of the rest often cause more issues for everyone involved than the software misconfiguration in the first place.

            1. mealy

              “What makes you (or anyone that replies to a blog post, including myself) the arbiter of deciding what companies (or companies’ clients) deserve shame over something like a poorly configured software option?”

              It’s about the breach disclosure promptness and specificity. Every company has software vulns, a subset of them are exploited despite forewarning and because of a lack of concern generally for closing (known!) vulns out, and a further subset will choose to take a devil may care attitude about disclosure notifications to all potentially affected clients and users – with the real shame reserved for those who don’t disclose at all, or lie about it, obviously. I think calling that out for public shaming doesn’t require ‘arbiters’ once such facts are known. Shaming behaviors is not an all-or-nothing concern, it is nuanced in ways that most people probably agree once they’ve considered it for a first time. It’s a tiny percent of all users who ever do consider it in this regard. Indiscriminate shaming isn’t helpful but accurate shaming sometimes can be, and as public knowledge of these risky choices / actions / lies grows beyond those actually discovering the real facts to a larger subset of the market that is considering such services, they are better informed thus. Shaming has upsides.

              1. ramalamadingdong

                I am honestly sort of surprised by the lack of legal action against CrowdStrike after the outage over a year ago.

                I find it odd, sometimes, what courts (or lawyers, or corporations) will NOT pursue legally, sometimes, though rarely as much as I find it odd when people get millions of dollars for, like, not having ‘caliente’ on a paper cup.

                I find it difficult to believe people have sympathy for mistakes that lead to large outages but lack the common sense to not reward people for having the incapacity to recognize hot things are hot, I guess (yet be able to navigate the bizarre and often byzantine, scammy legal system that America seems to have).

                This said, I still disagree about shaming about misconfiguration. Shaming should be reserved for active cover-ups (not just ignorance or ignoring). Once you shame, you have passed a point of no return (and created a blueprint for someone else after that to profit from it — and yes, this happens… all the time).

                1. mealy

                  “Shaming should be reserved for active cover-ups”

                  I was agreeing with you but ‘shaming’ has levels of intensity.
                  If it’s accurate and proportional that meets your criterions’es.

  5. Will Smith

    This post does a great job explaining how fragmented groups like Scattered Lapsus ShinyHunters thrive on attention and panic. The reminder not to amplify unverified claims or reward extortion tactics is important, especially as these actors rely more on noise than real impact.

  6. Geometry Dash Subzero

    I found this article eye‑opening — it’s scary how groups like Scattered Lapsus ShinyHunters use harassment and threats in addition to data extortion.

    1. lotza kash

      i agree! astounding the lengths people will go to assert their perceived ‘winningness’, exercise their knowledge in 1960s psychological experiments for personal ‘gain’ (cool song, Doechii Harris), and encourage human ‘trafficking’.

    2. quintessence of whatever

      I am curious to see if the current ‘kidnappers’ in this ongoing Guthrie abduction case will touch the bitcoin if they get it.

      But, then, it is interesting how many people don’t understand cryptocurrency is the very antithesis of anonymous currency.

      Which do you find more scary? I actually used to find the old SWATting stuff scarier than the folks this article is about.

  7. Littledickputin

    A little late, but very relevant. Me sees the comments in here, and I can see the pimply faced children in here who know how to use that doohickey called the telephone and call people. What may have happened to a company I know of who had their HR VP get their O365 account phished, but when said youngster tried to talk to a co-worker through hacked Teams to do a password reset on that account you were shut down by a simple “can you call me please”. Just saying, play stupid games win stupid prizes.

