- Scattered Spider, Lapsus$ and ShinyHunters merged into SLH, a federated cybercriminal brand
- SLH uses Telegram for extortion, leaks and public ridicule; operates under Extortion as a Service
- The group targets cloud/SaaS companies; Trustwave links most operators with ShinyHunters
Three of the biggest cybercriminal gangs in existence – Scattered Spider, Lapsus$ and ShinyHunters – appear to have officially joined together into a “federated cybercriminal brand.”
While news of the merger has been surfacing around the web for months, security researchers Trustwave recently published new research that makes reports of the Scattered Lapsus$ Hunters (SLH) group somewhat official.
Trustwave said the alliance was formed around August 2025 and operates primarily on Telegram, where it operates public channels. Unlike other groups that use a combination of clearweb and onion websites for data leaks, SLH uses Telegram to promote itself, leak data, and intimidate victims. It uses “Extortion as a Service (EaaS)”, allowing affiliates to use their branding to scare targets into demanding ransoms.
Acting as hacktivists
Trustwave said its analysis showed that SLH does not behave like the usual ransomware group, but instead mixes financially motivated cybercrime with attention-seeking, more akin to hacktivists.
They are using dramatic language, polls and public ridicule against law enforcement, especially the FBI and NCA. Still, their main motive remains money, not ideology.
Technically, the group appears highly skilled, Trustwave explains, as it carries out credential theft, social engineering, phishing/vishing, zero-day exploitation and data exfiltration, often targeting cloud and SaaS providers.
It’s not a particularly large group: it has five main operators, mostly from ShinyHunters. Obviously, members use multiple personas online to hide their true identities.
Trustwave concludes that SLH represents a “federated” or networked criminal brand, which is a new model in which cyber gangs share reputations and audiences to achieve greater impact. It is seen as a sign of professionalization in cybercrime, where branding, visibility and social performance are as important as technical skills.
The group also appears to be fighting back, targeting high-profile victims, adding none other than Salesforce to its list of alleged victims.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
