A notorious data extortion syndicate, operating under the moniker Scattered Lapsus ShinyHunters (SLSH), has cultivated a disturbingly effective modus operandi designed to coerce payment from victimized corporations. Their playbook extends far beyond mere data theft, encompassing a malicious strategy of harassment, intimidation, and even dangerous "swatting" incidents targeting executives and their families, all while simultaneously broadcasting the extent of their intrusions to journalists and regulatory bodies. Reports indicate that some organizations, perhaps out of a desperate bid to contain the fallout from stolen data or to halt the escalating personal attacks, are succumbing to the demands. However, a leading expert on the group issues a stark warning: any engagement beyond a firm "We are not paying" response only serves to embolden further harassment. This expert emphasizes that SLSH’s history is marked by fractiousness and unreliability, rendering any agreement with them a perilous proposition, and ultimately concludes that the only truly winning strategy is to refuse payment altogether.
Unlike the highly structured and regimented ransomware affiliate groups predominantly based in Russia, SLSH is characterized as an unruly and somewhat fluid English-speaking extortion gang. They appear to lack any inclination towards cultivating a reputation for consistent behavior, a trait that might instill a modicum of trust in victims regarding the criminals’ adherence to promises, particularly if a ransom is paid.
This assessment comes from Allison Nixon, Director of Research at Unit 221B, a cybersecurity consultancy based in New York City. Nixon has been meticulously tracking the movements of this criminal collective and its individual members as they navigate various Telegram channels utilized for extorting and harassing their targets. She highlights that SLSH deviates significantly from traditional data ransom groups in several crucial aspects, all of which underscore the futility of trusting their pronouncements, such as assurances of data deletion.
While many established Russian ransomware syndicates have historically employed high-pressure tactics to secure payments—offering decryption keys or promising the deletion of exfiltrated data—SLSH’s methods escalate far beyond these conventional approaches. Those conventional tactics can include public shaming on dark web blogs, featuring data samples alongside countdown clocks, or alerting journalists and board members of the targeted company. However, Nixon explains that SLSH’s extortion campaigns rapidly escalate to direct threats of physical violence against executives and their families, disruptive Distributed Denial of Service (DDoS) attacks against victim websites, and relentless email-flooding campaigns.
SLSH is particularly known for its initial access vector: compromising companies through sophisticated phishing attacks targeting employees over the phone. Once inside, they exfiltrate sensitive internal data. A blog post from Google’s Mandiant, published on January 30th, detailed SLSH’s recent extortion activities, stemming from incidents in early to mid-January 2026. In these attacks, SLSH operatives impersonated IT staff, contacting employees of targeted organizations with claims of an upcoming Multi-Factor Authentication (MFA) settings update. The attackers then directed employees to spoofed, victim-branded credential harvesting sites to capture their Single Sign-On (SSO) credentials and MFA codes, subsequently registering their own devices for MFA.
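For defenders, the sequence described above (an SSO login followed shortly by a new MFA device registration) can be hunted for in identity-provider logs. The sketch below is an added example, not code from Mandiant, Unit 221B or this article; the event schema, field names, sample events and 30-minute window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider events (hypothetical schema, not a real vendor format).
EVENTS = [
    {"ts": "2026-01-05T09:00:00", "user": "alice", "event": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-12T09:02:00", "user": "alice", "event": "sso_login", "ip": "198.51.100.10"},
    {"ts": "2026-01-12T09:30:00", "user": "alice", "event": "mfa_enroll",
     "ip": "198.51.100.10", "device": "phone-A"},
    {"ts": "2026-01-06T08:00:00", "user": "bob", "event": "sso_login", "ip": "198.51.100.20"},
    {"ts": "2026-01-14T15:40:00", "user": "bob", "event": "sso_login", "ip": "203.0.113.77"},
    {"ts": "2026-01-14T15:44:00", "user": "bob", "event": "mfa_enroll",
     "ip": "203.0.113.77", "device": "phone-X"},
]


def suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Flag MFA enrollments that follow, within `window`, an SSO login
    from an IP address that user had never logged in from before."""
    seen_ips = {}       # user -> IPs seen in that user's earlier logins
    new_ip_logins = {}  # user -> [(time, ip)] for logins from first-seen IPs
    alerts = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["event"] == "sso_login":
            known = seen_ips.setdefault(user, set())
            if e["ip"] not in known:
                # A user's very first login also lands here; the time
                # window keeps stale first-seen logins from alerting.
                new_ip_logins.setdefault(user, []).append((t, e["ip"]))
                known.add(e["ip"])
        elif e["event"] == "mfa_enroll":
            for login_time, ip in new_ip_logins.get(user, []):
                if timedelta(0) <= t - login_time <= window:
                    alerts.append({
                        "user": user,
                        "device": e.get("device"),
                        "login_ip": ip,
                        "minutes_after_login": (t - login_time).total_seconds() / 60,
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in suspicious_enrollments(EVENTS):
        print(alert)
```

An alert from a check like this is a prompt to confirm the enrollment with the employee through a separately verified channel, not proof of compromise.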
Victims typically become aware of a breach when their company’s name is mentioned on whatever ephemeral public Telegram channel SLSH is currently using to threaten, extort, and harass its prey. Nixon elaborates that this coordinated harassment, executed across SLSH’s Telegram channels, is a deliberately orchestrated strategy aimed at overwhelming the victim organization through manufactured humiliation, thereby pushing them to concede to the ransom demand.
Nixon has observed that multiple executives within targeted organizations have been subjected to "swatting" attacks. This dangerous tactic involves SLSH fabricating a bomb threat or hostage situation at a target’s residence or workplace, with the malicious intent of provoking a heavily armed police response.
"A significant component of their strategy towards victims is psychological warfare, such as harassing executives’ children and threatening the company’s board," Nixon informed KrebsOnSecurity. "While these victims are grappling with extortion demands, they simultaneously face outreach from media outlets inquiring, ‘Hey, do you have any comments on the negative stories we’re about to publish about you?’"
In a blog post released today, Unit 221B argues vehemently against any negotiation with SLSH, citing the group’s demonstrated willingness to extort victims based on promises they have no intention of keeping. Nixon points out that all known SLSH members originate from "The Com," a colloquial term for a sprawling network of Discord and Telegram communities dedicated to cybercrime. This network functions as a distributed social fabric that facilitates immediate collaboration among its members.

Nixon further explains that extortion groups originating from "The Com" have a propensity for instigating feuds and drama among their members. This internal discord often leads to pervasive dishonesty, betrayals, credibility-destroying actions, backstabbing, and mutual sabotage.
"With this ongoing internal dysfunction, often exacerbated by substance abuse, these threat actors frequently fail to maintain focus on the core objective of executing a successful, strategic ransom operation," Nixon wrote. "They continually lose control through outbursts that jeopardize their strategy and operational security, severely limiting their capacity to build a professional, scalable, and sophisticated criminal organization capable of sustained successful ransoms—unlike more established and professional criminal organizations solely focused on ransomware."
In contrast to intrusions from established ransomware groups, which typically involve encryption/decryption malware confined to the affected machine, Nixon notes that ransoms demanded by "The Com" groups often mirror the structure of violent sextortion schemes targeting minors. Members of "The Com" steal damaging information, threaten its release, and "promise" to delete it if the victim complies, without providing any guarantee or technical proof that they will uphold their word.
Nixon states that a key element of SLSH’s strategy to compel victims to pay involves manipulating the media into amplifying the perceived threat posed by the group. This approach, she observes, borrows directly from the tactics employed in sextortion attacks, which aim to keep targets continuously engaged and anxious about the repercussions of non-compliance.
"On days when SLSH lacked substantial criminal ‘wins’ to announce, they focused on publicizing death threats and harassment to maintain the attention of law enforcement, journalists, and cybersecurity industry professionals on their group," she explained.
Nixon herself has been a target of SLSH’s threats. For several months, the group’s Telegram channels have been rife with pronouncements of physical violence against her, this publication’s author, and other security researchers. Nixon posits that these threats, while serving as another avenue for the group to generate media attention and a semblance of credibility, are also valuable indicators of compromise. This is because SLSH members frequently name-drop and malign security researchers even in their communications with victims.
"Be vigilant for the following behaviors in their communications to you or in their public statements," an advisory from Unit 221B reads. "Repeated abusive mentions of Allison Nixon (or ‘A.N.’), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee, or cybersecurity company. Any threats of killing, committing terrorism, or violence against internal employees, cybersecurity employees, investigators, and journalists."
Unit 221B asserts that while the pressure campaign during an extortion attempt can be deeply traumatizing for employees, executives, and their family members, engaging in prolonged negotiations with SLSH only incentivizes the group to escalate the level of harm and risk. This escalation can extend to the physical safety of employees and their families.
"The breached data will never revert to its original state, but we can assure you that the harassment will cease," Nixon stated. "Therefore, your decision to pay should be a separate consideration from the harassment. We believe that by disentangling these issues, you will objectively recognize that the most prudent course of action to safeguard your interests, both in the short and long term, is to refuse payment."

