- Scattered Spider, Lapsus$ and ShinyHunters merged into SLH, a federated cybercriminal brand
- SLH uses Telegram for extortion, leaks and public mockery; operating under Blackmail-as-a-Service
- The group targets cloud/SaaS companies; Trustwave connects most operators to ShinyHunters
Three of the biggest cybercrime gangs around – Scattered Spider, Lapsus$ and ShinyHunters, appear to have officially merged into a “connected cybercrime brand”.
While news of the merger has been surfacing online for months now, security researchers Trustwave recently published new research that makes the reports from the Scattered Lapsus$ Hunters (SLH) group somewhat official.
Trustwave said the alliance was formed around August 2025 and mainly operates on Telegram, where it runs public-facing channels. Unlike other groups that use a combination of clearweb and onion sites for data leaks, SLH uses Telegram to promote itself, leak data, and intimidate victims. It uses “Extortion-as-a-Service (EaaS)”, which allows affiliates to use its trademark to intimidate targets and demand ransoms.
Behaving like hacktivists
Trustwave said their analysis showed that SLH does not behave like your usual ransomware group, instead mixing financially motivated cybercrime with attention-seeking, more akin to hacktivists.
They use dramatic language, opinion polls and public mockery of law enforcement – especially the FBI and NCA. Yet its main motive is money, not ideology.
Technically, the group appears highly skilled, Trustwave further explains, as it performs credential theft, social engineering, phishing/vishing, zero-day exploits and data exfiltration, often targeting cloud and SaaS providers.
It’s not a very large group – it counts under five core operators who are mainly from ShinyHunters. It is clear that the members use multiple online personas to hide their true identity.
Trustwave concludes that SLH represents a “federated” or networked criminal brand, which is a new model where cyber gangs share reputations and audiences for greater impact. It is seen as a sign of professionalization in cybercrime, where branding, visibility and social performance are as important as technical skills.
The group also appears to be looking for high-profile victims, adding no less than Salesforce to its list of alleged victims.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
