- Scattered Spider, Lapsus$ and ShinyHunters have merged to form SLH, a federated cybercrime brand
- SLH uses Telegram for extortion, leaks and public taunts; works under Extortion-as-a-Service
- The group targets cloud/SaaS companies; Trustwave connects most carriers to ShinyHunters
Three of the world’s biggest cybercrime gangs – Scattered Spider, Lapsus$ and ShinyHunters – appear to have officially joined forces into a “unified cybercrime brand.”
While news of the merger has been popping up around the web for months now, security researchers Trustwave recently released new research making the reports from the Scattered Lapsus$ Hunters (SLH) group somewhat official.
Trustwave said the alliance formed around August 2025 and operates primarily on Telegram, where it runs public channels. Unlike other groups that use a combination of ClearWeb and Onion sites for data leaks, SLH uses Telegram to promote itself, leak data, and intimidate victims. It uses “Extortion-as-a-Service (EaaS),” allowing its affiliates to use its brand to scare targets and demand ransoms.
Act like hacktivists
Trustwave said its analysis showed that SLH didn’t behave like your typical ransomware group, instead mixing financially motivated cybercrime with attention-seeking, more akin to hacktivists.
They use dramatic language, polls and public taunts against law enforcement – particularly the FBI and NCA. However, his main motivation remains money and not ideology.
Technically, the group appears highly competent, Trustwave further explains, as it practices credential theft, social engineering, phishing/vishing, zero-day exploitation, and data exfiltration, often targeting cloud and SaaS providers.
It’s not a particularly large group – it has fewer than five main operators who mostly come from ShinyHunters. Obviously, members use multiple online personas to hide their true identities.
Trustwave concludes that SLH represents a “federated” or networked criminal brand, which is a new model in which cyber gangs share reputations and audiences for greater impact. This is seen as a sign of professionalization in cybercrime, where brand image, visibility and social performance are as important as technical skills.
The group also appears to be gaining momentum, seeking high-profile victims, adding none other than Salesforce to its list of alleged victims.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
