Scattered Lapsus Shiny Hunters: A New Threat in Cyber Extortion
A notorious cyber extortion group known as Scattered Lapsus Shiny Hunters (SLSH) has been making headlines for its aggressive tactics in seeking ransoms from compromised organizations. This group employs a unique and harrowing approach that goes beyond conventional ransomware schemes, often involving direct harassment of company executives and their families. Reports indicate that some victimized firms have felt compelled to comply with the group’s demands, driven not only by the need to protect sensitive data but also to mitigate escalating personal threats. Experts caution, however, that engagement beyond a simple refusal can lead to further harassment; the prevailing advice is to avoid paying the ransom altogether.
Unlike traditional Russian-based ransomware gangs, which often adhere to structured operational protocols, SLSH operates in a more chaotic manner. The group frequently shifts between various platforms, predominantly using English-language channels to conduct its activities. According to Allison Nixon, director of research at the cybersecurity consultancy Unit 221, SLSH’s unpredictable tactics undermine its reliability as an extortionist. Whereas established groups may honor their promises to delete stolen data upon payment, SLSH’s internal disputes and lack of professionalism make any agreements suspect.
SLSH primarily gains access to their targets through phishing attacks, often impersonating IT staff and urging employees to provide sensitive information. A recent report from Mandiant, a Google security subsidiary, highlighted incidents in January 2026, when SLSH members posed as company IT representatives to trick employees into divulging their Multi-Factor Authentication (MFA) credentials. By directing victims to fraudulent sites, these attackers can secure access to valuable internal data, amplifying the risk posed to their targets.
As part of their harassment strategy, SLSH has utilized alarming tactics such as swatting, which includes sending fake bomb threats to provoke an armed police response at executives’ homes or workplaces. This psychological warfare aims to coerce compliance from targeted organizations by not only emphasizing the risk of reputational damage but also instilling fear for personal safety. Nixon noted that as executives face escalating harassment, they often receive parallel outreach from journalists regarding the situation, heightening the pressure to respond.
The SLSH group belongs to a network identified as The Com, a collection of cybercriminal communities operating over Discord and Telegram. Group dynamics can be unstable, often leading to infighting and betrayal, which hinders the group’s capacity for a cohesive operational strategy. This fractious environment, compounded by substance abuse among members, diminishes its ability to conduct sustained and professional cyber extortion. Consequently, the group’s methods may mirror violent sextortion schemes, leveraging damaging stolen information to extort victims with unverifiable promises of deleting the data in exchange for payment.
The criminal tactics employed by SLSH can be contextualized through the MITRE ATT&CK framework. Their methods likely include initial access through pretexting, collection of credentials via phishing schemes, and harassment tactics that fall under psychological manipulation. The escalation of threats can involve denial-of-service attacks and targeted campaigns to manage public perception amid extortion negotiations. These tactics illustrate a calculated approach not only to acquire financial gain but also to maintain control over their targets.
Experts warn that while the immediate fallout from a breach may be distressing for affected employees and their families, engaging in drawn-out negotiations with SLSH can exacerbate the risks involved. As highlighted by Nixon, organizations should view the decision to pay ransom separately from the harassment they face. Ultimately, maintaining a zero-tolerance stance against extortion appears to be the most prudent strategy for businesses aiming to protect their interests both in the short and long term. Given the group’s history of unreliability, the advice remains: maintain resilience and refrain from feeding the extortionist’s demands.