A volatile and aggressive data extortion syndicate, known as Scattered Lapsus ShinyHunters (SLSH), has adopted a particularly disturbing modus operandi: engaging in relentless harassment, threats, and even "swatting" incidents targeting executives and their families, all while simultaneously alerting journalists and regulatory bodies to the scope of their digital intrusions. This tactic, designed to amplify pressure and induce fear, has reportedly led some victimized companies to pay ransoms, not only to mitigate the fallout of stolen data but also to cease the escalating personal attacks. However, a prominent expert on the group’s activities strongly advises against any engagement beyond a firm refusal to pay, arguing that any form of negotiation only emboldens their aggressive tactics. This expert highlights SLSH’s fractured and untrustworthy history as the ultimate justification for a zero-payment policy, asserting that the only true victory lies in not succumbing to their demands.

Unlike the typically rigid and organized cybercriminal collectives originating from Russia, SLSH operates as a more amorphous, English-speaking extortion ring. They exhibit a distinct lack of interest in cultivating a reputation for reliability or consistency, which would normally foster a degree of confidence in their promises, such as the deletion of stolen data. This assessment comes from Allison Nixon, Director of Research at Unit 221B, a cybersecurity consultancy based in New York City. Nixon has been meticulously tracking SLSH’s movements across various Telegram channels, observing their methods of extorting and harassing victims. She points out that SLSH deviates significantly from conventional data ransom groups in ways that fundamentally undermine any trust in their commitments.

While many traditional Russian ransomware operations employ high-pressure tactics, such as public shaming blogs on the dark web with countdown clocks or direct notifications to journalists and company boards, SLSH’s extortion strategies escalate far beyond these measures. Nixon elaborates that SLSH’s harassment quickly escalates to direct threats of physical violence against executives and their families, coupled with distributed denial-of-service (DDoS) attacks on victim websites and persistent email-flooding campaigns.

SLSH’s initial point of entry into corporate networks is typically voice phishing ("vishing"): phone calls to employees that trick them into handing over credentials. Once access is gained, they proceed to exfiltrate sensitive internal data. A January 30th blog post by Google’s threat intelligence firm, Mandiant, detailed SLSH’s most recent extortion campaigns, which stemmed from incidents in early to mid-January 2026. During these attacks, SLSH operatives impersonated IT staff, contacting employees of targeted organizations with claims that the company was undergoing Multi-Factor Authentication (MFA) settings updates.

The Mandiant report explained, "The threat actor directed the employees to victim-branded credential harvesting sites to capture their SSO credentials and MFA codes, and then registered their own device for MFA." This clever social engineering tactic allows the attackers to gain legitimate access to accounts, bypassing traditional security measures.
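The intrusion pattern Mandiant describes (a harvested SSO login followed shortly by the attacker enrolling their own MFA device) leaves a recognizable trace in identity-provider logs. The following detection sketch is an added example, not code from the article, Mandiant or Unit 221B; the log format, the field names and the sample events are constructed for illustration, and a real deployment would read the equivalent fields from the organization’s own IdP audit log.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (not from the article).
# IPs are RFC 5737 documentation addresses; dates match the mid-January 2026 wave.
SAMPLE_LOG = """\
2026-01-12T09:01:10Z user=alice event=sso_login result=success ip=203.0.113.7
2026-01-12T09:03:42Z user=alice event=mfa_device_enrolled result=success ip=203.0.113.7
2026-01-12T10:15:00Z user=bob event=sso_login result=success ip=198.51.100.4
2026-01-12T14:20:00Z user=bob event=mfa_device_enrolled result=success ip=198.51.100.4
2026-01-12T11:00:00Z user=carol event=sso_login result=failure ip=203.0.113.9
2026-01-12T11:01:00Z user=carol event=mfa_device_enrolled result=success ip=203.0.113.9
"""

def parse_line(line):
    """Parse one 'timestamp key=value ...' audit line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_suspicious_enrollments(log_text, window_minutes=15, known_ips=None):
    """Flag MFA device enrollments that follow a fresh SSO login within the
    window, or that come from an IP never seen before for that user.
    known_ips maps user -> set of IPs from a baseline period (assumed input)."""
    known_ips = known_ips or {}
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    last_login = {}   # user -> most recent successful SSO login record
    alerts = []       # (user, enrollment time, reasons)
    for rec in events:
        user = rec["user"]
        if rec["event"] == "sso_login" and rec["result"] == "success":
            last_login[user] = rec
        elif rec["event"] == "mfa_device_enrolled" and rec["result"] == "success":
            reasons = []
            login = last_login.get(user)
            if login and rec["ts"] - login["ts"] <= timedelta(minutes=window_minutes):
                reasons.append("enrollment within %d min of SSO login" % window_minutes)
            if rec["ip"] not in known_ips.get(user, set()):
                reasons.append("enrollment from IP not in user's baseline")
            if reasons:
                alerts.append((user, rec["ts"].isoformat(), reasons))
    return alerts

if __name__ == "__main__":
    baseline = {"alice": {"192.0.2.10"}, "bob": {"198.51.100.4"}}
    for user, when, why in find_suspicious_enrollments(SAMPLE_LOG, known_ips=baseline):
        print(user, when, "; ".join(why))
```

Alice’s enrollment trips both rules and Bob’s trips neither; Carol’s enrollment with no preceding successful login is still flagged on the unknown-IP rule alone.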

Victims often first become aware of a breach when their company’s name is mentioned in the ephemeral public Telegram channels that SLSH uses to intimidate, extort, and harass their targets. According to Nixon, this coordinated barrage of harassment on SLSH’s Telegram channels is a deliberate and well-orchestrated strategy. The goal is to overwhelm the victim organization by manufacturing a sense of humiliation and desperation, thereby pushing them towards paying the ransom.

Nixon further revealed that multiple executives from targeted organizations have been subjected to "swatting" attacks. In these dangerous incidents, SLSH falsely reports a bomb threat or hostage situation at the target’s address, aiming to provoke a heavily armed police response to their home or workplace. This tactic is a clear escalation of their aggressive approach, demonstrating a willingness to endanger individuals and invoke real-world consequences.

"A big part of what they’re doing to victims is the psychological aspect of it, like harassing executives’ kids and threatening the board of the company," Nixon told KrebsOnSecurity. "And while these victims are getting extortion demands, they’re simultaneously getting outreach from media outlets saying, ‘Hey, do you have any comments on the bad things we’re going to write about you.’" This dual-pronged attack of direct extortion and manufactured negative publicity creates an intensely stressful environment for victims.

Nixon’s strong stance against negotiating with SLSH is rooted in the group’s demonstrated history of making promises they have no intention of keeping. She points to the fact that all known SLSH members originate from "The Com," a loose collective of Discord and Telegram communities that function as a distributed social network facilitating rapid collaboration among cybercriminals.

Please Don’t Feed the Scattered Lapsus ShinyHunters

Nixon explains that within these Com-based extortion groups, internal feuds and drama are common, leading to a culture of lying, betrayal, credibility destruction, backstabbing, and mutual sabotage. "With this type of ongoing dysfunction, often compounded by substance abuse, these threat actors often aren’t able to act with the core goal in mind of completing a successful, strategic ransom operation," Nixon stated. "They continually lose control with outbursts that put their strategy and operational security at risk, which severely limits their ability to build a professional, scalable, and sophisticated criminal organization network for continued successful ransoms—unlike other, more tenured and professional criminal organizations focused on ransomware alone." This inherent instability makes them unreliable partners, even for their own criminal endeavors.

In contrast to established ransomware groups, whose intrusions typically involve encryption/decryption malware confined to the affected machine, Nixon characterizes ransom demands from Com groups as akin to violent sextortion schemes targeting minors. Members of The Com steal damaging information, threaten to release it, and "promise" to delete it upon payment, offering no guarantee or technical proof of their compliance. She writes:

"The SLSH group steals a significant amount of corporate data, and on the day of issuing the ransom notification, they line up a number of harassment attacks to be delivered simultaneously with the ransom. This can include swatting, DDOS, email/SMS/call floods, negative PR, complaints sent to authority figures in and above the company, and so on. Then, during the negotiation process, they lay on the pressure with more harassment—never allowing too much time to pass before a new harassment attack."

"What they negotiate for is the promise to not leak the data if you pay the ransom. This promise places a lot of trust in the extorter, because they cannot prove they deleted the data, and we believe they don’t intend to delete the data. Paying provides them vital information about the value of the stolen dataset which we believe will be useful for fraud operations after this wave is complete."

A critical element of SLSH’s strategy to compel payment involves manipulating the media to amplify the perceived threat posed by the group. This tactic, Nixon notes, mirrors that of sextortion attacks, which aim to keep targets perpetually engaged and anxious about the repercussions of non-compliance. "On days where SLSH had no substantial criminal ‘win’ to announce, they focused on announcing death threats and harassment to keep law enforcement, journalists, and cybercrime industry professionals focused on this group," she explained. This creates a feedback loop where sensationalism fuels attention, which in turn lends an air of legitimacy and urgency to their demands.

Nixon herself has been a target of SLSH’s threats. For several months, their Telegram channels have featured explicit threats of physical violence against her, the author of this report, and other cybersecurity researchers. Nixon views these threats not just as intimidation but as a method to generate media attention and establish a false sense of credibility. They also serve as valuable indicators of compromise, as SLSH members frequently name-drop and malign security researchers even in their communications with victims.

"Watch for the following behaviors in their communications to you or their public statements," Nixon advised. "Repeated abusive mentions of Allison Nixon (or ‘A.N.’), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, or commit terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists."

Unit 221B emphasizes that while the intense pressure campaigns during an extortion attempt can be deeply traumatizing for employees, executives, and their families, engaging in prolonged negotiations with SLSH only incentivizes the group to escalate the harm and risk. This escalation can extend to the physical safety of employees and their families.

"The breached data will never go back to the way it was, but we can assure you that the harassment will end," Nixon concluded. "So, your decision to pay should be a separate issue from the harassment. We believe that when you separate these issues, you will objectively see that the best course of action to protect your interests, in both the short and long term, is to refuse payment." This advice underscores the strategic imperative for organizations to resist SLSH’s pressure tactics, recognizing that compliance offers no genuine long-term security and only fuels the cycle of criminal activity.