The data ransom group known as Scattered Lapsus ShinyHunters (SLSH) employs a unique extortion strategy. This involves harassing, threatening, and even ‘swatting’ executives and their families, while simultaneously informing journalists and regulators about the breach. While some victims reportedly pay, potentially to prevent data leaks or halt personal attacks, a leading SLSH expert advises against any engagement beyond a clear refusal to pay. The group’s inconsistent and unreliable history suggests that non-payment is the most effective response.

In contrast to highly organized, often Russia-based ransomware groups, SLSH operates as a less structured, English-speaking extortion gang. This group does not seem concerned with establishing a reputation for consistent behavior, which means victims cannot rely on their promises, even if payment is made.
This assessment comes from Allison Nixon, director of research at the New York City security consultancy Unit 221B. Nixon, who closely monitors SLSH and its members across their various Telegram channels, highlights that the group’s methods diverge significantly from conventional data ransom operations. This difference makes it ill-advised to trust their claims, such as promises to delete stolen data.
While many established ransomware groups, including some Russian ones, use high-pressure tactics like dark web shaming blogs or notifying media and board members to secure payment or data deletion, SLSH’s extortion escalates further. Their tactics include threats of physical violence against executives and their families, distributed denial-of-service (DDoS) attacks on company websites, and extensive email-flooding campaigns.
SLSH typically breaks into companies by phishing employees over the phone, then using the resulting access to steal sensitive internal data. According to a January 30 blog post by Google’s security forensics firm Mandiant, SLSH extortion attacks in early to mid-January 2026 involved members impersonating IT staff. They called employees at target organizations and falsely claimed to be updating multi-factor authentication (MFA) settings.
Mandiant’s post detailed that the attackers directed employees to fake, victim-branded credential harvesting sites to capture their single sign-on (SSO) credentials and MFA codes, and then registered their own devices for MFA.
Organizations often discover a breach when their name appears in one of SLSH’s temporary public Telegram group chats, where the group threatens and harasses its targets. Nixon explains that this coordinated harassment on Telegram is a deliberate strategy designed to overwhelm victims through manufactured humiliation, compelling them to pay.
Several executives at targeted organizations have experienced ‘swatting’ attacks. In these incidents, SLSH falsely reports bomb threats or hostage situations at the victim’s address, aiming to provoke a heavily armed police response at their home or workplace.
Nixon noted that a significant component of SLSH’s strategy is psychological, involving harassment of executives’ children and threats to company boards. While the extortion demands are arriving, victims often also receive inquiries from media outlets seeking comment on impending negative stories.
In a recent blog post, Unit 221B advises against negotiating with SLSH, citing the group’s history of extorting victims with unkept promises. Nixon highlights that all known SLSH members originate from The Com, a network of cybercrime-focused Discord and Telegram communities that function as a distributed social network for collaboration.
Nixon observes that extortion groups operating within The Com often engage in internal conflicts and drama, characterized by deceit, betrayals, reputation damage, backstabbing, and mutual sabotage.
Nixon’s analysis suggests that such persistent dysfunction, frequently exacerbated by substance abuse, prevents these threat actors from executing successful, strategic ransom operations. Their frequent outbursts compromise their strategy and operational security, hindering their ability to develop a professional, scalable, and sophisticated criminal network for sustained ransom activities, unlike more established ransomware organizations.
While established ransomware groups typically focus on encryption/decryption malware confined to the compromised machine, Nixon notes that extortion by Com groups often mirrors violent sextortion tactics. These groups steal damaging information, threaten its release, and ‘promise’ deletion upon compliance, yet offer no guarantee or technical proof of their word.
Nixon identifies media manipulation as a crucial element in SLSH’s strategy to compel victims to pay. This tactic, similar to those used in sextortion, aims to keep targets constantly engaged and apprehensive about the repercussions of non-compliance.
She explained that when SLSH lacked significant criminal achievements to publicize, they would resort to issuing death threats and harassment. This was done to maintain the focus of law enforcement, journalists, and cybersecurity professionals on their group.

Nixon herself has been a target of SLSH threats; their Telegram channels have contained numerous threats of physical violence against her and other security researchers for months. She views these threats as another method for the group to gain media attention and a semblance of credibility. However, they also serve as useful indicators of compromise, as SLSH members frequently mention and disparage security researchers even in their direct communications with victims.
Unit 221B’s advisory suggests observing specific behaviors in SLSH communications: ‘Repeated abusive mentions of Allison Nixon (or “A.N”), Unit 221B, or cybersecurity journalists—particularly Brian Krebs—or any other cybersecurity employee or company. Also, any threats to kill, commit terrorism, or engage in violence against internal employees, cybersecurity personnel, investigators, and journalists.’
Unit 221B warns that while SLSH’s extortion pressure tactics can be traumatizing for employees, executives, and their families, prolonged negotiations may encourage the group to escalate harm and risk, potentially endangering the physical safety of those involved.
Nixon stated, ‘The compromised data cannot be undone, but the harassment will cease.’ She advises separating the decision to pay from the harassment itself, asserting that an objective view reveals refusing payment as the optimal course of action for both short-term and long-term interests.

