
Feb 03, 2026 · 5 min read

Why Paying Ransoms to Scattered Spider and ShinyHunters Only Makes Things Worse

Security researchers are warning organizations to refuse all extortion payments to the merged cybercrime alliance. Their track record shows payment only encourages escalation.


When cybercriminals steal your data and demand payment, the temptation to pay can be overwhelming. The breach is real, the data is sensitive, and the threat of public exposure feels existential. But security researchers who track the Scattered Spider, ShinyHunters, and LAPSUS$ alliance are delivering a clear message: paying only makes things worse.

This loose confederation of primarily young hackers has infiltrated companies worth over $1 trillion combined since 2022. Their tactics are uniquely aggressive, their promises are unreliable, and their victims who pay frequently face continued harassment anyway.

The only winning move, experts say, is not to play.

A Merger Like No Other

In August 2025, a Telegram channel explicitly combined the brands and memberships of three notorious hacking groups: Scattered Spider, ShinyHunters, and LAPSUS$. This alliance, sometimes called "Scattered LAPSUS$ Hunters" or "The Com," represents approximately 1,000 individuals operating across multiple crews.

The groups share tactics, targets, and infrastructure. Their combined experience includes the MGM Resorts attack, the Caesars Entertainment breach, Twitch data leaks, Microsoft source code theft, and dozens of other high-profile intrusions.

What makes this alliance particularly dangerous is not just their technical capabilities but their willingness to escalate beyond typical cybercriminal behavior.

Escalation Is the Point

Traditional ransomware groups operate like businesses. They encrypt data, demand payment, provide decryption keys, and move on. There's a perverse professionalism to their operations because their business model depends on victims believing payment will end the problem.

The Scattered Spider alliance operates differently. Their extortion tactics include:

  • Swatting attacks, filing false bomb threats or hostage reports to send armed police to executives' homes
  • Harassment campaigns targeting executives and their family members
  • DDoS attacks against victim websites during negotiations
  • Email flooding campaigns that overwhelm corporate communications
  • Death threats against security researchers and journalists covering their activities
  • Proactively notifying regulators and journalists about breaches to increase pressure

This harassment is not a fallback when negotiations fail. It's an integral part of their playbook, designed to create maximum psychological pressure on decision makers.

Why Payment Does Not Work

According to researcher Allison Nixon, who has tracked these groups extensively, the alliance demonstrates "a willingness to extort victims based on promises that it has no intention to keep."

The fundamental problem is verification. When a traditional ransomware group provides decryption keys, you can verify the data is restored. When an extortion group promises to delete stolen data, there is no way to confirm compliance. They could keep copies, sell the data privately, or simply return months later with new demands.

The group's fractured leadership structure makes this worse. With roughly 1,000 loosely affiliated members, any promise from one faction may not bind another. Even if one group deletes your data, another might retain copies or decide your willingness to pay makes you an attractive target for future attacks.

Caesars Entertainment reportedly paid $15 million after being breached by Scattered Spider. This payment, rather than ending the threat, may have signaled to the criminal ecosystem that the group's tactics work, encouraging more attacks using the same methods.

How They Get In

Understanding their attack methods helps explain why prevention is more effective than negotiation. The alliance primarily uses social engineering, specifically voice phishing, to compromise targets.

Attackers impersonate IT helpdesk personnel and call employees directly. They claim MFA settings need updating and direct victims to convincing fake login portals. The phishing infrastructure uses domains that closely mimic legitimate corporate services:

  • [companyname]sso.com for SSO portal impersonation
  • [companyname]internal.com for internal access
  • [companyname]okta.com for identity provider impersonation

Once they capture credentials and MFA codes, attackers enroll their own devices in MFA systems, establishing persistent access. They then systematically harvest data from cloud services, targeting Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, and similar platforms.
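As an added example (not code from the article or from any vendor), a small Python check that scans constructed web-proxy log lines for hostnames built on the [companyname]sso / [companyname]internal / [companyname]okta pattern described above. The company name, its legitimate domains, and the log line format are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed company name and its legitimate domains (constructed for this example).
COMPANY = "examplecorp"
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.okta.com"}
# Suffixes the article describes being glued onto the company name.
SUFFIXES = ("sso", "internal", "okta")

# Matches hosts like examplecorpsso.com, examplecorp-okta.net, login.examplecorpinternal.com
LOOKALIKE = re.compile(
    rf"^(?:[\w-]+\.)*{re.escape(COMPANY)}[-_]?(?:{'|'.join(SUFFIXES)})\.[a-z]{{2,}}$"
)

def is_lookalike(host: str) -> bool:
    """True if host imitates the company's SSO/IdP but is not a company domain."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS or host.endswith("." + COMPANY + ".com"):
        return False  # real corporate hosts (e.g. sso.examplecorp.com) are fine
    return LOOKALIKE.match(host) is not None

def scan_proxy_log(lines):
    """Return (timestamp, user, host) for every request to a lookalike host.
    Each line is assumed to be '<ISO timestamp> <user> <url>' (constructed format)."""
    hits = []
    for line in lines:
        ts, user, url = line.split(" ", 2)
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            hits.append((ts, user, host))
    return hits

# Constructed sample log lines: one legitimate SSO login, one real Okta tenant,
# and three visits to impersonation domains.
SAMPLE_PROXY_LOG = [
    "2026-02-03T09:14:02Z alice https://sso.examplecorp.com/login",
    "2026-02-03T09:15:40Z bob https://examplecorpsso.com/auth",
    "2026-02-03T09:16:11Z carol https://examplecorp.okta.com/app",
    "2026-02-03T09:17:55Z dave https://examplecorp-okta.net/verify?mfa=1",
    "2026-02-03T09:18:30Z erin https://examplecorpinternal.com/",
]

if __name__ == "__main__":
    for ts, user, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {user} visited lookalike host {host}")
```

Each hit is a user who reached an impersonation domain and whose credentials and MFA enrollments should be reviewed; the same check can run over DNS query logs by feeding it the queried names.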

The Expert Recommendation

Nixon's advice to victims is unequivocal: refuse payment entirely and avoid negotiations beyond communicating that position. "The breached data will never go back to the way it was," she notes, "but we can assure you that the harassment will end."

Salesforce, whose data represents a primary target for the group, has publicly stated they "will not engage, negotiate with, or pay any extortion demand." This position removes the leverage that extortionists depend on.

The logic is straightforward: engaging with extortionists only encourages escalation. Every response, every negotiation, every payment reinforces that their tactics work. The harassment continues until victims stop responding entirely.

What Victims Should Do Instead

When facing extortion from this alliance, organizations should focus on containment, transparency, and resilience rather than negotiation:

  1. Engage law enforcement immediately. The FBI has made prosecuting these groups a priority, with several arrests already made.
  2. Contain the breach by revoking compromised credentials, reviewing MFA enrollments, and auditing cloud service access.
  3. Notify affected parties proactively rather than waiting for criminals to leak data.
  4. Document harassment for potential prosecution but do not respond to threats.
  5. Prepare executives and their families for potential swatting or harassment by coordinating with local law enforcement.

Prevention Over Negotiation

The best defense against this threat is preventing initial compromise. Since the alliance relies heavily on voice phishing, organizations should:

  • Train employees to verify IT requests through established channels, never through callback numbers provided by callers
  • Implement phishing-resistant MFA such as hardware security keys rather than SMS or app-based codes
  • Monitor for suspicious MFA enrollments and credential changes
  • Limit cloud service permissions to what users actually need
  • Register defensive domains that could be used for impersonation

The Scattered Spider alliance represents a new breed of cybercriminal that combines technical sophistication with willingness to engage in harassment and intimidation. Traditional ransomware playbooks do not apply. The only effective response is to deny them the engagement they seek and focus resources on preventing the next attack rather than negotiating with the current one.