A notorious and highly aggressive data ransom gang, known as Scattered Lapsus ShinyHunters (SLSH), has adopted a particularly sinister and escalating playbook to extort payments from its victimized corporations. This group doesn’t just exfiltrate data; it systematically harasses, threatens, and even orchestrates "swatting" incidents against executives and their families, all while simultaneously broadcasting the extent of their intrusions to journalists and regulatory bodies. Reports indicate that some victimized companies are indeed succumbing to demands, potentially motivated as much by a desire to contain the fallout of stolen data as by the urgent need to halt the relentless personal attacks. However, a leading expert on SLSH warns that any engagement beyond a stark and unequivocal "We’re not paying" only serves to embolden further harassment. The group’s inherently fractious and unreliable history, characterized by internal betrayals and a lack of consistent behavior, strongly suggests that the only truly effective strategy is outright refusal to pay.
Unlike the more traditional, highly regimented, and often Russia-based ransomware affiliate groups, SLSH operates as an unruly and somewhat fluid collective. Its members communicate primarily in English and appear to have no discernible interest in cultivating a reputation for consistent behavior. This unreliability means that potential victims cannot have any confidence that the criminals will uphold their end of a bargain, even after payment is made. This assessment comes from Allison Nixon, the director of research at Unit 221B, a cybersecurity consultancy based in New York City. Nixon has been meticulously tracking the activities of this criminal group and its individual members as they migrate between various Telegram channels, which they use as platforms for extorting and harassing their targets. She elaborates that SLSH distinguishes itself from conventional data ransom groups in several critical ways, all of which underscore the inherent danger of trusting its promises, such as the purported deletion of stolen data.
While many traditional Russian ransomware groups have employed high-pressure tactics to coerce payment, often in exchange for a decryption key or a promise to erase pilfered data, SLSH’s methods extend far beyond these established norms. These traditional tactics might include the publication of data samples on a dark web "shaming" blog accompanied by a countdown clock, or direct notifications to journalists and board members of the victimized company. However, Nixon highlights that SLSH’s extortion quickly escalates to a far more alarming level. Their tactics now encompass direct threats of physical violence against executives and their families, debilitating Distributed Denial of Service (DDoS) attacks against the victim’s website, and relentless email-flooding campaigns designed to overwhelm and incapacitate.
SLSH is known to gain initial access to corporate networks through sophisticated phishing operations, often targeting employees over the phone. Once access is secured, they proceed to steal sensitive internal data. In a recent blog post, Google’s security forensics firm, Mandiant, detailed how SLSH’s most recent extortion attacks, which occurred in early to mid-January 2026, originated from incidents where SLSH members impersonated IT staff. They contacted employees of targeted victim organizations, falsely claiming that the company was undergoing an update to its Multi-Factor Authentication (MFA) settings. The attackers then directed unsuspecting employees to victim-branded credential harvesting sites, effectively capturing their Single Sign-On (SSO) credentials and MFA codes. Subsequently, they registered their own devices for MFA, gaining persistent and privileged access.
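As an added defensive illustration (not code from the article, Mandiant, or Unit 221B), the following Python sketch shows one way to surface the pattern described above in identity-provider audit logs: an MFA factor enrolled shortly after a sign-in, either from a different IP than the sign-in itself or from outside a set of known corporate egress addresses. The log format, field names, user names, and IP addresses are constructed assumptions, not a real vendor schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample IdP audit lines (assumed format, not real data):
# <timestamp> <event> user=<name> ip=<addr> [extra fields]
SAMPLE_LOGS = """\
2026-01-12T09:02:11Z login.success user=j.doe ip=203.0.113.45 asn=CORP-VPN
2026-01-12T09:03:40Z mfa.factor.enroll user=j.doe ip=198.51.100.7 factor=push
2026-01-12T09:15:02Z login.success user=a.smith ip=203.0.113.45 asn=CORP-VPN
2026-01-12T14:30:00Z mfa.factor.enroll user=a.smith ip=203.0.113.45 factor=totp
2026-01-13T08:00:00Z login.success user=b.lee ip=198.51.100.9 asn=RESIDENTIAL
2026-01-13T08:20:00Z mfa.factor.enroll user=b.lee ip=198.51.100.9 factor=push
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)")


def parse(lines):
    """Parse the assumed log format into dicts with a datetime timestamp."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def flag_suspicious_enrollments(lines, known_ips=frozenset(), window_minutes=30):
    """Return (user, login_ip, enroll_ip) for each MFA enrollment that follows a
    successful login within the window and comes either from a different IP than
    that login or from an IP outside the known corporate egress set."""
    window = timedelta(minutes=window_minutes)
    last_login = {}
    flagged = []
    for e in sorted(parse(lines), key=lambda ev: ev["ts"]):
        if e["event"] == "login.success":
            last_login[e["user"]] = e
        elif e["event"] == "mfa.factor.enroll":
            prior = last_login.get(e["user"])
            if prior is None or e["ts"] - prior["ts"] > window:
                continue  # no recent login to correlate with
            if e["ip"] != prior["ip"] or e["ip"] not in known_ips:
                flagged.append((e["user"], prior["ip"], e["ip"]))
    return flagged
```

Against the sample, j.doe is flagged because the enrollment IP differs from the login IP, and b.lee is flagged because the residential address is outside the known egress set; a.smith's enrollment falls outside the window and is ignored.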
Victims typically first become aware of a breach when their company’s name is explicitly mentioned within whatever ephemeral public Telegram group chat SLSH is currently using to threaten, extort, and harass its prey. According to Nixon, this coordinated harassment, orchestrated across SLSH’s Telegram channels, is a deliberate and well-planned strategy aimed at overwhelming the victim organization. The goal is to manufacture a climate of humiliation and distress that ultimately pushes them to concede to the ransom demands.
Nixon further reveals that multiple executives from targeted organizations have been subjected to "swatting" attacks. This malicious tactic involves SLSH fabricating a bomb threat or reporting a hostage situation at the target’s home or workplace address. The objective is to provoke a heavily armed and forceful police response, causing immense psychological distress and potentially dangerous situations for the victims. "A significant component of what they are doing to victims is psychological warfare," Nixon explained to KrebsOnSecurity. "This includes harassing executives’ children and issuing threats to the company’s board of directors. Simultaneously, while these victims are receiving extortion demands, they are also being contacted by media outlets seeking comments on impending negative press."

In a recent blog post, Unit 221B strongly argues that no entity should engage in negotiations with SLSH. The group has repeatedly demonstrated a willingness to extort victims based on promises that they have no intention of honoring. Nixon points out that all known members of SLSH originate from "The Com," a shorthand term for a vast network of Discord and Telegram communities heavily focused on cybercrime. This network functions as a decentralized social hub that facilitates rapid collaboration among its members.
Nixon characterizes Com-based extortion groups as being prone to instigating feuds and internal drama. This often leads to widespread lying, betrayals, credibility-destroying behavior, backstabbing, and mutual sabotage. "With this kind of ongoing dysfunction, often compounded by substance abuse, these threat actors are frequently unable to maintain focus on the core objective of completing a successful, strategic ransom operation," Nixon wrote. "They continually lose control through outbursts that jeopardize their strategy and operational security. This severely limits their ability to build a professional, scalable, and sophisticated criminal organization capable of sustained successful ransoms—unlike other, more established and professional criminal organizations solely focused on ransomware."
Intrusions by established ransomware groups typically involve encryption/decryption malware that largely remains confined to the affected machine. In stark contrast, Nixon observes that ransoms demanded by Com-based groups often mirror the structure of violent sextortion schemes targeting minors. Members of The Com steal damaging information, threaten its release, and then "promise" to delete it if the victim complies, all without providing any guarantee or technical proof that they will uphold their word.
A crucial element of SLSH’s strategy to coerce victims into paying, according to Nixon, involves manipulating the media into amplifying the perceived threat posed by the group. This approach also borrows heavily from the tactics employed in sextortion attacks, which aim to keep targets continuously engaged and anxious about the repercussions of non-compliance. "On days when SLSH lacked any substantial criminal ‘win’ to announce, they focused on publicizing death threats and harassment to keep law enforcement, journalists, and cybersecurity industry professionals fixated on this group," she stated.
Nixon herself has direct experience with SLSH’s threats. For several months, the group’s Telegram channels have been replete with explicit threats of physical violence directed at her, the author of this report (Brian Krebs), and other security researchers. While these threats are another method the group employs to generate media attention and an illusion of credibility, they also serve as valuable indicators of compromise. This is because SLSH members frequently name-drop and malign security researchers even in their communications with victims.
"Watch for the following behaviors in their communications to you or their public statements," an advisory from Unit 221B reads. "Repeated abusive mentions of Allison Nixon (or ‘A.N.’), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats to kill, commit terrorism, or inflict violence against internal employees, cybersecurity employees, investigators, and journalists."
Unit 221B emphasizes that while the pressure campaign during an extortion attempt can be deeply traumatizing for employees, executives, and their family members, engaging in prolonged negotiations with SLSH only incentivizes the group to escalate the level of harm and risk. This escalation can extend to the physical safety of employees and their families. "The breached data will never revert to its original state, but we can assure you that the harassment will cease," Nixon stated. "Therefore, your decision to pay should be a separate consideration from the harassment. We believe that by decoupling these issues, you will objectively recognize that the most prudent course of action to safeguard your interests, both in the short and long term, is to refuse payment."