Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor Meta
Summary
Scattered Lapsus Shiny Hunters (SLSH) is now using a harassment-driven extortion model that pairs stolen data with swatting, threats, and publicity pressure, raising the stakes for victim firms. The group’s loosely organized, English-language structure appears tied to The Com, where rapid collaboration is offset by instability and infighting. That matters because victims cannot verify promises to delete stolen data, so paying can intensify coercion instead of ending it. The model also appears designed to extract information that can support later fraud operations.
Related Happenings
Lucifer DaaS’s evolution into a commission-based drainer service platform
Threat Actor Meta
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
**Lucifer DaaS** has evolved into a **structured underground drainer platform**, shifting wallet theft from isolated phishing pages to a commission-based service model that scales...
CL-CRI-1116 / BlackFile overlap with The Com
Threat Actor Meta
First: 27.04.2026 11:15
Last: 27.04.2026 11:15
Sources 1
About this happening:
Researchers linked **CL-CRI-1116** to overlapping labels including **BlackFile**, **UNC6671**, and **Cordial Spider**, suggesting the extortion cluster sits inside a broader **The...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile victims' Salesforce and SharePoint data leak
Data Leak
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
BlackFile's **stolen documents** were published on a **dark web leak site**, exposing employee and business records taken from **Salesforce** and **SharePoint** environments. The...
Scattered Spider SMS phishing and SIM-swap crypto theft campaign
Campaign
First: 20.04.2026 16:33
Last: 20.04.2026 16:33
Sources 1
About this happening:
The **Scattered Spider** campaign used **SMS phishing** and **SIM swap** attacks to steal employee credentials, hijack phone numbers, and take over email and **virtual currency wa...
Timeline
02.02.2026 18:15 2 articles · 3mo ago
SLSH harassment-driven extortion model
Technical Analysis Update
Scattered Lapsus Shiny Hunters (SLSH) is described as a harassment-driven extortion gang that pressures victim organizations with phone-based phishing, victim-branded credential harvesting sites, swatting, DDoS, email floods, and threats against executives and their families while amplifying the intrusion in public Telegram channels. Mandiant said the latest attacks, traced to incidents spanning early to mid-January 2026, involved operators posing as IT staff, directing employees to credential-harvesting sites to capture SSO credentials and MFA codes, and registering their own device for MFA.
- Please Don’t Feed the Scattered Lapsus Shiny Hunters — krebsonsecurity.com — 02.02.2026 18:15