Scattered Lapsus$ Hunters has launched an unusual crowdsourced extortion scheme, offering $10 in Bitcoin to anyone willing to help pressure their alleged victims into paying ransoms.
The cybercrime collective is encouraging followers to email senior executives at organizations it claims to have breached, urging them to pay up and avoid publicity about the group’s new data leak site.
Those who contact executives through personal email accounts will receive higher rewards, and participants who perform “an exceptionally well job” [sic] may be considered for “a much larger sum,” according to the group’s announcement.
Scattered Lapsus$ Hunters can’t spell
The poor grammar and spelling errors throughout their communications — including misspelling “negotiate” as “negociate” — cast doubt on claims that the group comprises native English speakers.
The crime group announced the initiative via Telegram, complete with an instructions document that contained the contact details of executives they would like their audience to pressure on its behalf.
The method of outsourcing extortion attempts is novel for cybercriminals, and perhaps necessary, given the number of organizations allegedly caught up in a breach, which stands at 39. With entire C-suites to contact, that’s a lot of emailing.
“You have permission to endlessly harass these executives till they comply with us,” the group wrote. “When we tell you stop emailing a company or number of executives emails, you are to stop emailing them. This will be centralized and well operated.”
On its new data leak site, Scattered Lapsus$ Hunters listed the alleged victims – all supposedly having their data stolen via an intrusion at Salesforce – and gave the CRM giant a deadline of October 10 to come up with the money the criminals are after.
“If Salesforce does not engage with us to resolve this, we will completely target each and every indiviual [sic] customers of theirs listed below, failure to comply will result in massive consequences,” its data leak site reads.
“If you are listed below we advise you to take every action to protect yourselves and reach out to us to resolve this. Do not be mistaken that your SaaS provider will protect all of you, they won’t. Don’t be the next headline, make the correct decision and reach out.”
When The Register asked Salesforce about the alleged intrusion on October 3, we were directed to its advisory published the day before, which stated that it believes the alleged victims the group posted online relate to either past attacks or “unsubstantiated incidents.”
“At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.”
It sounds like a classic case of cybercriminals misattributing their attacks to intensify the notoriety they so often crave.
As confirmed by Google Threat Intelligence Group, the attack stemmed from Salesloft Drift, a Salesforce integration that had its OAuth tokens abused, allowing attackers to access victims’ CRM setups.
Google and Salesforce notified potentially affected organizations before Scattered Lapsus$ Hunters’ data leak site went live on Friday.
The Register contacted Scattered Lapsus$ Hunters about the $10 idea and how many people had taken them up on it thus far.
It told us on Monday that it had “practically paid out over $1,000 at this point,” but by now, Reg readers should know not to trust the word of a cybercriminal.
For one, just days before launching their new website, the group claimed to be retiring, but appears to be doing nothing of the sort.
The group also keeps reviving Telegram channels to maintain their audience, despite these channels being rapidly shut down due to the “gobbledygook and often racist bile” for which members are known.
It comes amid a backdrop of law enforcement cuffing alleged members of the crime gang, both in the UK and US, which by Scattered Lapsus$ Hunters’ own admission led to the decision to “retire,” albeit only for a few days. ®