A notorious data ransom gang, operating under the moniker Scattered Lapsus ShinyHunters (SLSH), employs a disturbingly aggressive and unconventional playbook to extort victim firms, a strategy that experts warn is best countered by outright refusal to pay. Their modus operandi involves a relentless barrage of harassment, threats, and even the dangerous tactic of "swatting" against executives and their families, all while simultaneously alerting journalists and regulatory bodies to the extent of their digital intrusions. While some victims reportedly succumb to the pressure and pay, potentially to contain stolen data and halt the escalating personal attacks, a leading expert on the group strongly advises against any engagement beyond a firm "we are not paying." This expert, Allison Nixon, director of research at the New York City-based security consultancy Unit 221B, emphasizes that engaging with SLSH only fuels their harassment, and their demonstrably fractious and unreliable history makes any agreement with them a fool’s errand.

Unlike the highly structured and regimented ransomware affiliate groups often associated with Russia, SLSH is characterized as an unruly and fluid English-language extortion collective. They appear to have little interest in cultivating a reputation for consistent behavior, a trait that would typically instill a degree of confidence in victims regarding the criminals’ adherence to any payment agreements. Nixon, who has meticulously tracked the group and its individual members across various Telegram channels used for extortion and harassment, highlights these crucial differences. She asserts that SLSH’s unpredictable nature makes trusting their promises, such as the destruction of stolen data, highly inadvisable.

While many traditional Russian ransomware operations have employed high-pressure tactics, such as dark web shaming blogs with countdown clocks or notifying journalists and board members, SLSH’s extortion methods escalate far beyond these conventional approaches. Nixon notes that SLSH’s tactics extend to direct threats of physical violence against executives and their families, disruptive DDoS attacks against victim websites, and persistent email-flooding campaigns.

SLSH’s initial point of entry into victim networks is often through sophisticated phishing attacks that target employees via phone calls. Once access is gained, they proceed to exfiltrate sensitive internal data. Google’s security forensics firm, Mandiant, detailed in a January 30 blog post that SLSH’s most recent extortion attacks, spanning early to mid-January 2026, involved members impersonating IT staff. They contacted employees of targeted organizations under the pretense of updating Multi-Factor Authentication (MFA) settings. The threat actors then guided these employees to victim-branded credential harvesting sites to capture their Single Sign-On (SSO) credentials and MFA codes, subsequently registering their own devices for MFA.
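One way to look for the pattern Mandiant describes (an SSO sign-in followed by registration of a new MFA device) in identity-provider logs. This is an added example, not code from Mandiant, Unit 221B or the original article; the event field names, the sample log entries and the 30-minute window are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are hypothetical, not any IdP's real schema.
EVENTS = [
    {"ts": "2026-01-05T09:00:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-06T09:02:00", "user": "alice", "type": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-12T14:31:00", "user": "alice", "type": "sso_login", "ip": "203.0.113.77"},
    {"ts": "2026-01-12T14:36:00", "user": "alice", "type": "mfa_enroll",
     "ip": "203.0.113.77", "device": "phone-B"},
    {"ts": "2026-01-07T10:00:00", "user": "bob", "type": "sso_login", "ip": "192.0.2.44"},
    {"ts": "2026-01-13T10:05:00", "user": "bob", "type": "sso_login", "ip": "192.0.2.44"},
    {"ts": "2026-01-13T10:09:00", "user": "bob", "type": "mfa_enroll",
     "ip": "192.0.2.44", "device": "phone-C"},
]


def find_suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Flag MFA enrollments made within `window` of a login from an IP address
    the user had never signed in from before, using that same address."""
    seen_ips = {}       # user -> set of IPs seen in earlier logins
    new_ip_logins = {}  # user -> (time, ip) of the latest first-time-IP login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        if ev["type"] == "sso_login":
            known = seen_ips.setdefault(user, set())
            # A user's very first login has no baseline, so it is not flagged.
            if known and ip not in known:
                new_ip_logins[user] = (ts, ip)
            known.add(ip)
        elif ev["type"] == "mfa_enroll":
            recent = new_ip_logins.get(user)
            if recent and ip == recent[1] and ts - recent[0] <= window:
                minutes = int((ts - recent[0]).total_seconds() // 60)
                alerts.append({"user": user, "device": ev["device"],
                               "ip": ip, "minutes_after_login": minutes})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_enrollments(EVENTS):
        print(alert)
```
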

Victims often become aware of a breach not through direct notification, but when their company’s name is publicly mentioned on the ephemeral Telegram group chats that SLSH utilizes for its threats and harassment campaigns. According to Nixon, this coordinated harassment on SLSH’s Telegram channels is a deliberate strategy designed to overwhelm the victim organization by manufacturing a sense of humiliation, thereby pushing them towards compliance with the ransom demand.

Nixon has reported that multiple executives at targeted organizations have been subjected to "swatting" attacks. This dangerous tactic involves SLSH fabricating a bomb threat or hostage situation at a target’s home or workplace address, aiming to provoke a heavy-handed police response. "A significant portion of their strategy against victims is psychological," Nixon explained to KrebsOnSecurity. "This includes harassing executives’ children and threatening company boards. While victims are simultaneously receiving extortion demands, they are also being contacted by media outlets seeking comments on impending negative coverage."

Please Don’t Feed the Scattered Lapsus ShinyHunters

In a blog post published concurrently with this report, Unit 221B argues forcefully against any negotiation with SLSH. The group has consistently demonstrated a willingness to extort victims based on promises they have no intention of keeping. Nixon points to SLSH’s origins within The Com, a vast constellation of Discord and Telegram communities focused on cybercrime. These platforms serve as a decentralized social network that facilitates rapid collaboration among malicious actors.

Nixon further elaborates that extortion groups originating from "The Com" are prone to instigating feuds and internal drama among their members. This often leads to a cycle of lying, betrayal, credibility destruction, backstabbing, and mutual sabotage. "With this ongoing dysfunction, often compounded by substance abuse, these threat actors are frequently unable to focus on the primary goal of executing a successful, strategic ransom operation," Nixon wrote. "They continually lose control due to outbursts that jeopardize their strategy and operational security, severely limiting their ability to build a professional, scalable, and sophisticated criminal organization capable of sustained successful ransoms—unlike more established and professional criminal organizations solely focused on ransomware."

In stark contrast to intrusions by established ransomware groups, which typically center on encryption/decryption malware confined to the affected machine, Nixon explains that ransom demands from "Com" groups often mirror the structure of violent sextortion schemes targeting minors. Members of "The Com" steal damaging information, threaten its release, and "promise" to delete it upon compliance, all without any guarantee or technical verification of their word.

A key element of SLSH’s strategy to coerce victims into paying involves manipulating the media to amplify the perceived threat posed by the group. This approach, Nixon notes, also borrows from the tactics of sextortion attacks, designed to keep targets continuously engaged and anxious about the consequences of non-compliance. "On days where SLSH lacked substantial criminal ‘wins’ to announce, they focused on publicizing death threats and harassment to maintain the attention of law enforcement, journalists, and cybersecurity professionals," she stated.

Nixon herself has been a target of SLSH’s threats for months, with their Telegram channels frequently featuring explicit threats of physical violence against her, this publication’s author, and other security researchers. While these threats are a deliberate attempt to generate media attention and an illusion of credibility, they also serve as valuable indicators of compromise, as SLSH members often name-drop and malign security researchers even in their communications with victims.

Unit 221B’s advisory outlines specific behaviors to watch for in SLSH’s communications and public statements. These include repeated abusive mentions of Allison Nixon (or "A.N."), Unit 221B, cybersecurity journalists (particularly Brian Krebs), or any other cybersecurity employee or company. Any threats of killing, terrorism, or violence directed at internal employees, cybersecurity personnel, investigators, and journalists should be considered significant red flags.

The consultancy emphasizes that while the pressure campaign during an extortion attempt can be profoundly traumatizing for employees, executives, and their family members, engaging in protracted negotiations with SLSH only incentivizes the group to escalate the harm and risk, potentially including to the physical safety of employees and their families. "The breached data will never revert to its original state, but we can assure you that the harassment will cease," Nixon stated. "Therefore, your decision to pay should be a separate consideration from the harassment itself. We believe that by disentangling these issues, you will objectively recognize that the most prudent course of action to safeguard your interests, both in the short and long term, is to refuse payment."