{"id":11518,"date":"2026-02-06T01:11:45","date_gmt":"2026-02-06T01:11:45","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=11518"},"modified":"2026-02-06T01:11:45","modified_gmt":"2026-02-06T01:11:45","slug":"please-dont-feed-the-scattered-lapsus-shinyhunters-krebs-on-safety","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=11518","title":{"rendered":"Please Don\u2019t Feed the Scattered Lapsus ShinyHunters \u2013 Krebs on Security"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>A prolific data ransom gang that calls itself <strong>Scattered Lapsus ShinyHunters<\/strong> (SLSH) has a particular playbook when it seeks to extort payment from victim companies: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying \u2014 perhaps as much to contain the stolen data as to stop the escalating personal attacks. But a top SLSH expert warns that engaging at all beyond a \u201cWe\u2019re not paying\u201d response only encourages further harassment, noting that the group\u2019s fractious and unreliable history means the only winning move is not to pay.<\/p>\n<div id=\"attachment_73160\" style=\"width: 758px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" aria-describedby=\"caption-attachment-73160\" decoding=\"async\" class=\" wp-image-73160\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/dontfeed.png\" alt=\"\" width=\"748\" height=\"746\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/dontfeed.png 915w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/dontfeed-768x766.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/dontfeed-782x780.png 782w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\"\/><\/p>\n<p id=\"caption-attachment-73160\" 
class=\"wp-caption-text\">Image: Shutterstock.com, @Mungujakisa<\/p>\n<\/div>\n<p>Unlike traditional, highly regimented Russia-based ransomware affiliate groups, SLSH is an unruly and somewhat fluid English-language extortion gang that appears uninterested in building a reputation of consistent behavior whereby victims might have some measure of confidence that the criminals will keep their word if paid.<\/p>\n<p>That\u2019s according to <strong>Allison Nixon<\/strong>, director of research at the New York City based security consultancy <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/unit221b.com\" target=\"_blank\" rel=\"noopener\">Unit 221B<\/a>. Nixon has been closely tracking the criminal group and individual members as they bounce between various Telegram channels used to extort and harass victims, and she said SLSH differs from traditional data ransom groups in other important ways that argue against trusting them to do anything they say they\u2019ll do \u2014 such as destroying stolen data.<\/p>\n<p>Like SLSH, many traditional Russian ransomware groups have employed high-pressure tactics to force payment in exchange for a decryption key and\/or a promise to delete stolen data, such as publishing a dark web shaming blog with samples of stolen data next to a countdown clock, or notifying journalists and board members of the victim company. But Nixon said the extortion from SLSH quickly escalates way beyond that \u2014 to threats of physical violence against executives and their families, DDoS attacks on the victim\u2019s website, and repeated email-flooding campaigns.<\/p>\n<p>SLSH is known for breaking into companies by phishing employees over the phone, and using the purloined access to steal sensitive internal data. 
In <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/expansion-shinyhunters-saas-data-theft\" target=\"_blank\" rel=\"noopener\">a January 30 blog post<\/a>, Google\u2019s security forensics firm <strong>Mandiant<\/strong> said SLSH\u2019s most recent extortion attacks stem from incidents spanning early to mid-January 2026, when SLSH members pretended to be IT staff and called employees at targeted victim organizations claiming that the company was updating MFA settings.<\/p>\n<p>\u201cThe risk actor directed the workers to victim-branded credential harvesting websites to seize their SSO credentials and MFA codes, after which registered their very own gadget for MFA,\u201d the blog post explained.<\/p>\n<p>Victims often first learn of the breach when their brand name is uttered on whatever ephemeral new public Telegram group chat SLSH is using to threaten, extort and harass their prey. According to Nixon, the coordinated harassment on the SLSH Telegram channels is part of a well-orchestrated strategy to overwhelm the victim organization by manufacturing humiliation that pushes them over the edge to pay.<\/p>\n<p>Nixon said a number of executives at targeted organizations have been subject to \u201cswatting\u201d attacks, wherein SLSH communicated a phony bomb threat or hostage situation at the target\u2019s address in the hopes of eliciting a heavily armed police response at their home or workplace.<\/p>\n<p>\u201cAn enormous part of what they\u2019re doing to victims is the psychological side of it, like harassing executives\u2019 youngsters and threatening the board of the corporate,\u201d Nixon told KrebsOnSecurity. 
\u201cAnd whereas these victims are getting extortion calls for, they\u2019re concurrently getting outreach from media shops saying, \u2018Hey, do you have got any feedback on the unhealthy issues we\u2019re going to put in writing about you.\u201d<\/p>\n<p>In <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blog.unit221b.com\/dont-read-this-blog\/harassment-scare-tactics-why-victims-should-never-pay-shinyhunters\" target=\"_blank\" rel=\"noopener\">a blog post today<\/a>, Unit 221B argues that no one should negotiate with SLSH because the group has demonstrated a willingness to extort victims based on promises that it has no intention to keep. Nixon points out that all of SLSH\u2019s known members hail from <strong>The Com<\/strong>, shorthand for a constellation of cybercrime-focused Discord and Telegram communities which serve as a kind of <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2024\/09\/the-dark-nexus-between-harm-groups-and-the-com\/\" target=\"_blank\" rel=\"noopener\">distributed social network that facilitates instant collaboration<\/a>.<\/p>\n<p>Nixon said Com-based extortion groups tend to instigate feuds and drama between group members, leading to lying, betrayals, credibility destroying behavior, backstabbing, and sabotaging each other.<\/p>\n<p>\u201cWith any such ongoing dysfunction, usually compounding by substance abuse, these risk actors usually aren\u2019t capable of act with the core objective in thoughts of finishing a profitable, strategic ransom operation,\u201d Nixon wrote. 
\u201cThey frequently lose management with outbursts that put their technique and operational safety in danger, which severely limits their skill to construct an expert, scalable, and complicated prison group community for continued profitable ransoms \u2013 in contrast to different, extra tenured and professional prison organizations targeted on ransomware alone.\u201d<\/p>\n<p>Intrusions from established ransomware groups typically center on encryption\/decryption malware that mostly stays on the affected machine. In contrast, Nixon said, ransom from a Com group is often structured the same as violent sextortion schemes against minors, wherein members of The Com will steal damaging information, threaten to release it, and \u201cpromise\u201d to delete it if the victim complies without any guarantee or technical proof point that they&#8217;ll keep their word. She writes:<\/p>\n<p>A key part of SLSH\u2019s efforts to persuade victims to pay, Nixon said, involves manipulating the media into hyping the threat posed by this group. 
This approach also borrows a page from the playbook of sextortion attacks, she said, which encourages predators to keep targets continuously engaged and worrying about the consequences of non-compliance.<\/p>\n<p>\u201cOn days the place SLSH had no substantial prison \u2018win\u2019 to announce, they targeted on asserting demise threats and harassment to maintain regulation enforcement, journalists, and cybercrime business professionals targeted on this group,\u201d she said.<\/p>\n<div id=\"attachment_73163\" style=\"width: 758px\" class=\"wp-caption aligncenter\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/comtutsh.png\" target=\"_blank\" rel=\"noopener\"><img aria-describedby=\"caption-attachment-73163\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-73163\" src=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/comtutsh.png\" alt=\"\" width=\"748\" height=\"92\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/comtutsh.png 935w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/comtutsh-768x94.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2026\/02\/comtutsh-782x96.png 782w\" sizes=\"auto, (max-width: 748px) 100vw, 748px\"\/><\/a><\/p>\n<p id=\"caption-attachment-73163\" class=\"wp-caption-text\">An excerpt from a sextortion tutorial from a Com-based Telegram channel. Image: Unit 221B.<\/p>\n<\/div>\n<p>Nixon knows a thing or two about being threatened by SLSH: For the past several months, the group\u2019s Telegram channels have been replete with threats of physical violence against her, against Yours Truly, and against other security researchers. 
These threats, she said, are just another way the group seeks to generate media attention and achieve a veneer of credibility, but they&#8217;re useful as indicators of compromise because SLSH members tend to name drop and malign security researchers even in their communications with victims.<\/p>\n<p>\u201cLook ahead to the next behaviors of their communications to you or their public statements,\u201d Unit 221B\u2019s advisory reads. \u201cRepeated abusive mentions of Allison Nixon (or \u201cA.N\u201d), Unit 221B, or cybersecurity journalists\u2014particularly Brian Krebs\u2014or every other cybersecurity worker, or cybersecurity firm. Any threats to kill, or commit terrorism, or violence towards inner workers, cybersecurity workers, investigators, and journalists.\u201d<\/p>\n<p>Unit 221B says that while the pressure campaign during an extortion attempt may be traumatizing to employees, executives, and their family members, entering into drawn-out negotiations with SLSH incentivizes the group to increase the level of harm and risk, which could include the physical safety of employees and their families.<\/p>\n<p>\u201cThe breached knowledge won&#8217;t ever return to the way in which it was, however we are able to guarantee you that the harassment will finish,\u201d Nixon said. \u201cSo, your determination to pay must be a separate situation from the harassment. 
We consider that once you separate these points, you&#8217;ll objectively see that the most effective plan of action to guard your pursuits, in each the brief and long run, is to refuse fee.\u201d<\/p>\n<\/p><\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>A prolific data ransom gang that calls itself Scattered Lapsus ShinyHunters (SLSH) has a particular playbook when it seeks to extort payment from victim companies: Harassing, threatening and even swatting executives and their families, all while notifying journalists and regulators about the extent of the intrusion. Some victims reportedly are paying \u2014 perhaps [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":11520,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[2476,7723,262,5711,2075,211,5450],"class_list":["post-11518","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-dont","tag-feed","tag-krebs","tag-lapsus","tag-scattered","tag-security","tag-shinyhunters"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11518","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11518"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11518\/revisions"}],"predecessor-version":[{"id":11519,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/11518\/revisions\/11519"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\
/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/11520"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11518"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11518"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11518"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}