Scattered Lapsus$ Hunters: A New Cybercrime Powerhouse Emerges

I’m thrilled to sit down with Oscar Vail, a renowned technology expert whose insights into emerging fields like quantum computing, robotics, and open-source projects have positioned him at the forefront of the industry. Today, we’re diving into a darker corner of tech—cybercrime—and specifically, the rise of a new cybercriminal alliance known as SLH, or Scattered Lapsus$ Hunters. In this conversation, we’ll explore how this group formed, what sets them apart from other cyber gangs, their unique tactics, and the broader implications of their activities for businesses and individuals alike.

How did the SLH group come into existence, and what brought these major cybercrime gangs together?

SLH, or Scattered Lapsus$ Hunters, is a fascinating yet troubling development in the cybercrime world. It’s essentially a merger of three notorious groups—Scattered Spider, Lapsus$, and ShinyHunters—into what’s been described as a federated cybercriminal brand. This alliance didn’t happen overnight; whispers of their collaboration started circulating online months ago, but it was around August 2025 when security researchers confirmed the formation. The driving force behind this union seems to be a shared desire for greater impact—by pooling their resources, reputations, and audiences, they’ve created a more formidable entity. It’s like a criminal syndicate adopting a corporate merger strategy to maximize reach and intimidation.

What is it about SLH that makes them stand out from other cybercrime organizations?

What’s really striking about SLH is how they deviate from the typical ransomware gang playbook. Most ransomware groups are stealthy, focusing purely on financial gain through quiet extortion. SLH, on the other hand, blends that profit motive with a flair for attention-seeking behavior, almost like hacktivists. They’re loud—using dramatic language and public taunts to mock their victims and even law enforcement agencies like the FBI. But don’t be fooled; at the end of the day, money is still their primary goal. This mix of showmanship and greed sets them apart as a group that’s as much about branding as it is about crime.

Can you walk us through how SLH operates and interacts with the public?

SLH has carved out a unique space for itself by heavily relying on Telegram as their main platform for operations. They use it for everything—extortion demands, leaking stolen data, and even taunting their targets publicly. Telegram’s accessibility and relative anonymity make it a perfect fit for their needs compared to traditional clearweb or darknet sites. They’ve also pioneered an “Extortion-as-a-Service” model, where affiliates can leverage the SLH brand to intimidate victims and demand ransoms, amplifying their reach. And then there’s their use of public polls and taunts—it’s psychological warfare, designed to humiliate victims and frustrate authorities while keeping their audience engaged.

What kinds of attacks does SLH specialize in, and why do they choose their specific targets?

SLH is incredibly versatile in their attack methods. They’re adept at credential theft, social engineering, phishing, and even exploiting zero-day vulnerabilities—basically, flaws in software that haven’t been patched yet. They also focus heavily on data exfiltration, stealing sensitive information to use as leverage. Their target preference for cloud and Software-as-a-Service (SaaS) companies isn’t random; these firms often hold vast amounts of valuable data and have complex systems that can be harder to secure, making them prime targets for exploitation. It’s a calculated choice to hit where the payoff is high and the defenses can be tricky.

How skilled is SLH compared to other cybercrime groups out there?

From a technical standpoint, SLH is top-tier. Their ability to pull off sophisticated attacks—like using zero-day exploits or intricate social engineering schemes—puts them among the elite in the cybercrime world. They’re not just script kiddies relying on off-the-shelf malware; they’ve got the know-how to adapt and innovate. Compared to other groups, their blend of technical prowess with a knack for public performance makes them particularly dangerous. They’re not just breaking into systems; they’re playing a broader game of influence and intimidation.

What do we know about the people behind SLH and the structure of their group?

SLH isn’t a massive operation in terms of numbers. Reports suggest they have fewer than five core operators, with most of them reportedly tied to the original ShinyHunters group. They’re incredibly cautious about their identities, using multiple online personas to obscure who they really are. As for their location or personal details, that’s still largely a mystery—cybercriminals at this level are experts at covering their tracks. Their small size doesn’t diminish their threat, though; it just means they’re a tight-knit, highly skilled crew with a big impact.

Why do you think SLH is going after high-profile targets like Salesforce, and what does this say about their ambitions?

Targeting a giant like Salesforce shows that SLH isn’t content with small fry—they’re aiming for the big leagues. High-profile victims bring them two things: massive potential payouts due to the scale of data or systems at stake, and a huge boost to their notoriety. It’s a statement of power, saying they can hit even the most well-defended companies. This ambition reflects a broader trend in cybercrime toward professionalization, where reputation and visibility are becoming just as critical as the money they extort. They’re building a brand as much as they’re building a criminal empire.

What’s your forecast for the future of groups like SLH in the evolving landscape of cybercrime?

I think we’re going to see more groups like SLH emerge—federated, networked brands that prioritize visibility and psychological impact alongside traditional financial motives. Cybercrime is evolving into a more organized, almost corporate-like structure, where collaboration between gangs could become the norm rather than the exception. As technology advances, especially with cloud and SaaS platforms becoming even more integral to business, the attack surface for these groups will only grow. My forecast is that without stronger international cooperation and innovative defense strategies, groups like SLH will continue to thrive, exploiting both technical vulnerabilities and human psychology to devastating effect.
