Please Do Not Feed Scattered Lapsus ShinyHunters – Krebs on Security

The self-described data extortion gang Scattered Lapsus ShinyHunters (SLSH) follows a different playbook when it wants payment from the companies it breaches: harassing and intimidating executives and their families, and alerting journalists and regulators to the extent of the intrusion. Some victims are reportedly paying, perhaps large sums, to make the increasingly personal attacks stop. But an expert on SLSH warns that engaging in anything beyond a “We don’t pay” response only invites further abuse, noting that the group’s dysfunctional and unreliable track record means the only winning move is not to pay.

Photo: Shutterstock.com, @Mungujakisa

Unlike the highly organized traditional Russian ransomware groups, SLSH is an unruly and somewhat powerful criminal group that seems unconcerned with building a reputation for consistent behavior, the kind that gives victims some confidence the criminals will keep their word if paid.

So says Allison Nixon, director of research at the New York City-based security firm Unit 221B. Nixon has closely tracked the gang and its individual members as they bounce between the Telegram channels used to extort and harass victims, and she said SLSH differs from typical data ransom groups in key ways that undermine any trust that they will do what they say they will, such as destroying stolen information.

Like SLSH, many traditional Russian ransomware groups have used high-pressure tactics to force payment in exchange for a decryption key and/or a promise to delete stolen data, such as publishing a dark web blog with samples of the stolen data beside a countdown clock, or notifying journalists and board members of the victimized company. But Nixon said SLSH’s extortion quickly escalates beyond that, into threats of violence against executives and their families, DDoS attacks on victims’ websites, and repeated email campaigns.

SLSH is known for breaking into companies via phone phishing and using that access to steal sensitive internal data. In a January 30 blog post, Google’s security firm Mandiant said SLSH’s latest phishing attacks stemmed from incidents in early January 2026, in which SLSH members posed as IT staff and called employees at target organizations, claiming the company was updating its MFA settings.

“The threat actor directed employees to credential harvesting sites bearing the victim’s name to capture their SSO credentials and MFA codes, then enrolled their own MFA device,” the blog explained.
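One defender-side check for the sequence Mandiant describes (a fresh SSO login followed by the enrollment of a new MFA device from an IP the user has never used), written here as an added example rather than anything from the article or from Mandiant. The log format, field names and sample events are constructed assumptions; real identity-provider telemetry will need its own parser.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    user: str
    action: str   # assumed values: "sso_login" or "mfa_enroll"
    src_ip: str

def parse_events(lines):
    """Parse constructed 'ISO-time user action src_ip' log lines, oldest first."""
    out = []
    for line in lines:
        ts, user, action, ip = line.split()
        out.append(Event(datetime.fromisoformat(ts), user, action, ip))
    return sorted(out, key=lambda e: e.ts)

def suspicious_enrollments(events, window=timedelta(minutes=30)):
    """Return (user, src_ip, time) for each MFA enrollment that comes from an IP
    the user had never logged in from before and that follows an SSO login
    from that same IP within `window` - the pattern of captured credentials
    and MFA code being replayed and a new device registered right after."""
    hits = []
    for i, e in enumerate(events):
        if e.action != "mfa_enroll":
            continue
        earlier = [p for p in events[:i] if p.user == e.user and p.action == "sso_login"]
        baseline = {p.src_ip for p in earlier if e.ts - p.ts > window}   # historical IPs
        recent = [p for p in earlier if e.ts - p.ts <= window and p.src_ip == e.src_ip]
        if recent and e.src_ip not in baseline:
            hits.append((e.user, e.src_ip, e.ts))
    return hits

SAMPLE_LOG = [  # constructed sample telemetry, documentation IP ranges only
    "2026-01-05T09:00:00 alice sso_login 198.51.100.20",
    "2026-01-06T09:01:00 alice sso_login 198.51.100.20",
    "2026-01-02T08:00:00 bob sso_login 198.51.100.31",
    "2026-01-08T08:00:00 bob sso_login 198.51.100.31",
    "2026-01-08T08:05:00 bob mfa_enroll 198.51.100.31",   # familiar IP: benign re-enrollment
    "2026-01-08T14:02:00 alice sso_login 203.0.113.7",
    "2026-01-08T14:09:00 alice mfa_enroll 203.0.113.7",   # never-seen IP: flagged
]

if __name__ == "__main__":
    for user, ip, ts in suspicious_enrollments(parse_events(SAMPLE_LOG)):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: MFA device enrolled from unfamiliar IP {ip}")
```

The window and the "never seen before" baseline are tuning knobs; a first-day employee or a VPN change will look the same, so treat hits as triage leads, not verdicts.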

Victims often first learn of a breach when their company name is mentioned in one of the new Telegram group chats SLSH uses to intimidate, extort and harass its prey. According to Nixon, the coordinated harassment on the SLSH Telegram channels is part of a well-planned strategy to wear down the victim organization by generating embarrassment that pushes it toward paying.

Nixon said many executives at targeted organizations have been “swatted,” meaning SLSH phoned in a fake bomb threat or hostage situation at the target’s address in the hope that armed police would respond to their home or workplace.

“A large part of what they do to victims is psychological in nature, like abusing the children of executives and threatening the company’s board,” Nixon told KrebsOnSecurity. “And while these victims are getting extortion demands, at the same time they’re getting contacted by the media saying, ‘Hey, do you have any comment on the negative story we’re writing?’”

In a blog post today, Unit 221B says no one should negotiate with SLSH because the group has shown a willingness to swindle victims with promises it has no intention of keeping. Nixon points out that all known members of SLSH come from The Com, shorthand for the constellation of cybercrime-focused Discord and Telegram communities that serve as a kind of distributed social network for instant collaboration.

Nixon said Com-based extortion groups often generate conflict and drama among their members, which leads to lies, betrayal, loss of credibility, backstabbing and sabotage.

“With this kind of ongoing dysfunction, which often includes drug abuse, these threat actors are often unable to keep the primary goal in mind of completing a successful, strategic ransom operation,” Nixon wrote. “They are constantly losing control over outbursts that put their strategy and operational security at risk, which severely limits their ability to build a sophisticated criminal network to achieve sustained successful ransoms – unlike other, highly organized and professional criminal organizations that focus solely on ransomware.”

Extortion by established ransomware groups usually centers on the encrypting malware residing on the affected machines and the key needed to decrypt them. In contrast, Nixon said, extortion by Com groups is often structured much like violent sextortion schemes against children, in which members of The Com steal damaging information, threaten to release it, and “promise” to delete it if the victim complies, with no guarantee or technical means of ensuring they keep their word. Nixon wrote:

A key part of SLSH’s effort to convince victims to pay, Nixon said, involves manipulating the media into covering the threat posed by the group. The approach also borrows a page from the sextortion playbook, she said, in that attackers keep targets preoccupied and worried about the consequences of not complying.

“In the days when SLSH didn’t have any major criminal ‘successes’ to announce, they focused on publicizing death threats and harassment to keep law enforcement, journalists, and cybercrime industry workers focused on the group,” she said.

Excerpt from a sextortion tutorial on a Com-based Telegram channel. Image: Unit 221B.

Nixon knows a thing or two about SLSH threats: for the past few months, the group’s Telegram channels have been flooded with threats of violence against her, yours truly, and other security researchers. These threats, she said, are just another way the group seeks media attention and credibility, but they are useful as telltale signs, because SLSH members often name-call and disparage security researchers even in their communications with victims.

“Be aware of the following behaviors in their communications with you or in their public statements,” Unit 221B’s advice reads. “Repeated defamation of Allison Nixon (or ‘AN’), Unit 221B, or cybersecurity journalists—especially Brian Krebs—or any other cybersecurity employee or cybersecurity company. Any threats to kill, commit terrorism, or commit violence against insiders, cybersecurity personnel, investigators, and journalists.”

Unit 221B states that although the pressure campaign during an extortion attempt may harm workers, managers, and their family members, entering into drawn-out negotiations with SLSH encourages the group to increase the level of harm and danger, which may extend to the physical safety of workers and their families.

“The data breach will never go back to the way it was, but we can assure you that the abuse will end,” Nixon said. “Therefore, your decision to pay should be kept separate from the harassment. We believe that if you separate these issues, you will clearly see that the best course of action to protect your interests, in the short and long term, is to refuse payment.”
