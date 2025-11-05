Scattered Spider, Lapsus$, and ShinyHunters merged into SLH, a federated cybercriminal brand

SLH uses Telegram for extortion, leaks, and public taunts; operates under Extortion-as-a-Service

Group targets cloud/SaaS firms; Trustwave links most operators to ShinyHunters

Three of the biggest cybercrime gangs around - Scattered Spider, Lapsus$, and ShinyHunters, seem to have officially teamed up into a “federated cybercriminal brand”.

While news of the merger has been popping up across the web for months now, security researchers Trustwave recently published new research making the reports of the Scattered Lapsus$ Hunters (SLH) group somewhat official.

Trustwave said that the alliance formed around August 2025, and operates mainly on Telegram, where it runs public-facing channels. Unlike other groups who use a combination of clearweb and onion websites for data leaks, SLH uses Telegram to promote itself, leak data, and intimidate victims. It uses “Extortion-as-a-Service (EaaS)”, allowing affiliates to use its brand name to scare targets and demand ransoms.

Acting like hacktivists

Trustwave said its analysis showed SLH doesn’t behave like your usual ransomware group, instead mixing financially motivated cybercrime with attention-seeking, more akin to hacktivists.

They are using dramatic language, polls, and public taunts against law enforcement - especially the FBI, and the NCA. Still, its main motive remains money, not ideology.

Technically, the group seems highly skilled, Trustwave further explains, as it conducts credential theft, social engineering, phishing/vishing, zero-day exploitation, and data exfiltration, often targeting cloud and SaaS providers.

It’s not a particularly large group - it counts under five core operators who are mostly from ShinyHunters. Obviously, the members are using multiple online personas to hide their true identities.

Trustwave concludes that SLH represents a “federated” or networked criminal brand, which is a new model where cyber gangs share reputations and audiences for greater impact. It’s seen as a sign of professionalization in cybercrime, where branding, visibility, and social performance are as important as technical skill.

The group also seems to be punching up, looking for high-profile victims, adding no less than Salesforce to its list of alleged victims.

