A notorious data extortion gang, known as Scattered Lapsus ShinyHunters (SLSH), has adopted a particularly aggressive and multifaceted strategy to coerce payments from its corporate victims. This group employs a chilling playbook that includes not only the theft and potential leak of sensitive data but also a systematic campaign of harassment, threats, and even "swatting" incidents targeting executives and their families. Simultaneously, SLSH actively notifies journalists and regulatory bodies about the extent of their intrusions, amplifying public pressure on the compromised organizations. Reports suggest that some victim firms are succumbing to these demands, driven by a dual motivation to contain the leaked data and, perhaps more critically, to cease the escalating personal attacks. However, a leading expert on the group warns that any engagement beyond a firm "we are not paying" stance only emboldens SLSH and fuels further harassment. Given the group’s volatile and unreliable history, the most effective strategy, according to this expert, is to refuse payment entirely.

Unlike traditional, highly structured ransomware affiliate groups often originating from Russia, SLSH operates as a more unruly and fluid English-language extortion collective. They appear to have little interest in cultivating a reputation for consistent behavior, a trait that might otherwise foster a degree of trust in their promises, such as the deletion of stolen data. This assessment comes from Allison Nixon, Director of Research at the New York City-based security consultancy Unit 221B. Nixon has been diligently tracking SLSH’s activities, observing their movements across various Telegram channels used for extorting and harassing victims. She highlights several key distinctions between SLSH and more conventional data ransom groups, factors that strongly argue against any reliance on their assurances.

While many established Russian ransomware groups have historically utilized high-pressure tactics to secure payments—offering decryption keys and/or promising to destroy stolen data—SLSH’s approach escalates significantly beyond these measures. Traditional tactics might include publishing data samples on dark web shaming blogs with countdown timers or notifying journalists and company board members. However, Nixon observes that SLSH’s extortion campaigns quickly devolve into direct threats of physical violence against executives and their families, disruptive Distributed Denial of Service (DDoS) attacks on victim websites, and relentless email-flooding campaigns.

SLSH is known for its proficiency in breaching corporate networks through social engineering, primarily via phishing attacks that target employees over the phone. Once they gain unauthorized access, they proceed to exfiltrate sensitive internal data. In a January 30 blog post, Google’s security forensics firm Mandiant detailed SLSH’s most recent extortion attempts, which stemmed from incidents occurring in early to mid-January 2026. During these attacks, SLSH operatives impersonated IT staff, contacting employees of targeted organizations under the pretense of updating Multi-Factor Authentication (MFA) settings. The threat actors then directed employees to convincing, victim-branded credential harvesting sites to capture their Single Sign-On (SSO) credentials and MFA codes. This illicitly obtained information allowed the attackers to register their own devices for MFA, effectively gaining persistent access.
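A defender-side check for the sequence described above, in which an MFA device is enrolled shortly after an SSO sign-in from an address the account has never used. This is an added example, not code from Mandiant, Unit 221B or the original article; the event schema, field names, 30-minute window and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not any vendor's log format).
EVENTS = [
    {"ts": "2026-01-12T09:00:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-13T09:02:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-14T15:40:00", "user": "alice", "type": "sso_login", "ip": "203.0.113.77"},
    {"ts": "2026-01-14T15:46:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77", "device": "phone-2"},
    {"ts": "2026-01-15T10:00:00", "user": "bob", "type": "sso_login", "ip": "198.51.100.20"},
    {"ts": "2026-01-16T10:00:00", "user": "bob", "type": "sso_login", "ip": "198.51.100.20"},
    {"ts": "2026-01-16T10:05:00", "user": "bob", "type": "mfa_enroll", "ip": "198.51.100.20", "device": "phone-9"},
]

WINDOW = timedelta(minutes=30)  # assumed correlation window


def suspicious_enrollments(events, window=WINDOW):
    """Flag MFA enrollments made within `window` of a sign-in from an IP
    that was new for that user, when the enrollment comes from that same IP."""
    known_ips = {}     # user -> IPs seen in earlier sign-ins
    new_ip_login = {}  # user -> (time, ip) of the latest sign-in from a new IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["type"] == "sso_login":
            seen = known_ips.setdefault(user, set())
            # The first IP ever seen for a user is baseline, not a signal.
            if seen and ip not in seen:
                new_ip_login[user] = (ts, ip)
            seen.add(ip)
        elif ev["type"] == "mfa_enroll":
            hit = new_ip_login.get(user)
            if hit and ts - hit[0] <= window and ip == hit[1]:
                minutes = int((ts - hit[0]).total_seconds() // 60)
                alerts.append({"user": user, "device": ev["device"],
                               "ip": ip, "minutes_after_login": minutes})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_enrollments(EVENTS):
        print(alert)
```

An alert from this check is a prompt to confirm the enrollment with the employee through a separately verified channel before the new device is trusted.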

Victims often first become aware of a breach not through technical alerts, but when their organization’s name is publicly mentioned on the ephemeral Telegram channels that SLSH uses to threaten, extort, and harass their targets. According to Nixon, this coordinated harassment on SLSH’s Telegram channels is a deliberate strategy designed to overwhelm the victim organization. By manufacturing public humiliation, the group aims to push compromised companies past their breaking point and compel them to pay.

Nixon reports that multiple executives at targeted organizations have been subjected to "swatting" attacks. This malicious tactic involves SLSH communicating a false bomb threat or hostage situation to the authorities, directed at the target’s home or workplace. The intention is to provoke a heavily armed police response, creating chaos and extreme distress. "A significant part of what they are doing to victims is psychological," Nixon explained to KrebsOnSecurity. "They harass executives’ children and threaten the company’s board. While these victims are receiving extortion demands, they are simultaneously being contacted by media outlets asking for comments on negative stories that are about to be published."

Please Don’t Feed the Scattered Lapsus ShinyHunters

In a blog post published today, Unit 221B argues emphatically that no one should engage in negotiations with SLSH. The group has repeatedly demonstrated a willingness to extort victims based on promises they have no intention of fulfilling. Nixon points out that all known SLSH members originate from "The Com," a loosely connected network of Discord and Telegram communities focused on cybercrime. These platforms serve as a decentralized social network that facilitates rapid collaboration among its members.

Nixon characterizes Com-based extortion groups as prone to instigating internal feuds and drama. This often leads to a cycle of lying, betrayal, credibility destruction, backstabbing, and mutual sabotage. "With this type of ongoing dysfunction, often compounded by substance abuse, these threat actors are frequently unable to focus on the core goal of executing a successful, strategic ransom operation," Nixon wrote. "They continually lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal organization network for continued successful ransoms—unlike other, more tenured and professional criminal organizations focused solely on ransomware."

Whereas intrusions from more established ransomware groups typically involve encryption/decryption malware that largely remains confined to the affected machine, Nixon explains that ransoms demanded by Com-based groups often mirror the structure of violent sextortion schemes targeting minors. Members of The Com steal damaging information, threaten to release it, and "promise" to delete it if the victim complies. Crucially, there is no guarantee or technical proof provided that they will honor this promise. Nixon elaborated on SLSH’s tactics: "A key component of SLSH’s efforts to convince victims to pay involves manipulating the media into hyping the threat posed by this group. This approach also borrows a page from the playbook of sextortion attacks, encouraging predators to keep targets continuously engaged and worrying about the consequences of non-compliance." She further noted, "On days where SLSH had no substantial criminal ‘win’ to announce, they focused on announcing death threats and harassment to keep law enforcement, journalists, and cybercrime industry professionals focused on this group."

Nixon is intimately familiar with the threats SLSH poses, having been a target herself. For several months, the group’s Telegram channels have been filled with threats of physical violence directed at her, Brian Krebs, and other security researchers. Nixon views these threats not as genuine intentions but as another tactic to generate media attention and achieve a superficial veneer of credibility. However, she acknowledges their utility as indicators of compromise, as SLSH members frequently name-drop and malign security researchers even in their communications with victims.

Unit 221B’s advisory explicitly warns about behaviors to watch for in SLSH communications and public statements. These include "Repeated abusive mentions of Allison Nixon (or ‘A.N.’), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, or commit terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists."

Unit 221B stresses that while the pressure campaign during an extortion attempt can be deeply traumatizing for employees, executives, and their family members, entering into prolonged negotiations with SLSH only incentivizes the group to escalate the level of harm and risk. This escalation can extend to the physical safety of employees and their families. "The breached data will never go back to the way it was, but we can assure you that the harassment will end," Nixon stated. "So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you will objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment."