The Scattered Lapsus$ Hunters (SLSH) cybercrime collective – comprised primarily of teenagers and twenty-somethings – announced it will go dark until 2026 following the FBI’s seizure of its clearweb site.
In characteristic fashion, the group issued a profanity-laden, xenophobic farewell message via Telegram, urging supporters to continue targeting countries that refuse ransom payments. The message also promised a retaliatory strike against the FBI upon their return.
“As per the exceptional circumstances by which the FBI tried to obliterate our legacy, we’ve exceptionally decided to temporarily renounce to oblivion [sic] and promptly hack them back,” one member wrote on October 11. “We shall now dissolve again in the ether. Good night.”
A follow-up message was more direct: “I promise you, you will feel our wrath.” The group signed off with a vow to have Brett Leatherman, head of the FBI’s cyber division, fired upon their return next year.
Notably, this isn’t SLSH’s first dramatic exit. Just last month, the group declared it was going dark — only to resurface three days later.
SLSH has become one of the most notorious cybercrime groups, distinguished both by the scale of organizations it targets and its unusual demographic composition. Unlike many cybercrime groups, SLSH consists almost exclusively of Westerners and native English speakers.
Formed earlier this year – an amalgamation of key members from Scattered Spider, Lapsus$, and Shiny Hunters – the collective has drawn intense scrutiny from law enforcement, including several landmark arrests of suspected members in recent weeks.
The National Crime Agency arrested and charged two teens in September over the attack on London’s transport authority, Transport for London. Authorities allege Owen Flowers, 18, from Walsall, and Thalha Jubair, 19, from East London, were part of the group known as Scattered Spider – a rare instance of cops publicly linking suspects to the group.
In July, four individuals were arrested in connection with attacks on British retail giants Co-op, M&S, and Harrods. Though Scattered Spider was speculatively linked to at least two of these incidents, authorities stopped short of officially confirming the connection.
SLSH attracted further heat over the weekend after it leaked the data on additional major companies, including Qantas, Vietnam Airlines, Gap, and Fujifilm – although all of the Limewire links it provided were swiftly taken down by the platform.
Qantas, which has been transparent about its security snafu from the outset, updated its website to acknowledge the leak and noted that a Supreme Court injunction prevented access to the compromised data.
The airline said in early July that around 6 million customers had their personal data and frequent flyer numbers compromised, and in its update on Sunday, it once again urged affected individuals to be extra vigilant to scammers potentially targeting them.
Although the other organizations haven’t published breach disclosure pages like Qantas, third parties have verified parts of the criminals’ claims. HaveIBeenPwned said the Vietnam Airlines dataset included similar personal and flyer details of 7.3 million customers, while Atlas Privacy’s databreach.com confirmed Gap’s leaks included 256,200 unique email addresses, 152,100 phone numbers, and 146,100 home addresses.
“The data structure is consistent with Salesforce PersonAccount exports, featuring customer or contact records, system metadata, and loyalty account fields,” it said.
SLSH claims to have also gathered the details on 40 other companies via the attack on Salesloft Drift, a Salesforce plugin. Salesforce has maintained throughout that its own systems were never compromised.
In their Telegram channel, the SLSH crims suggested that organizations which did not have their data leaked had paid a ransom. “A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak and obviously the things we have cannot be leaked for obvious reasons :D.”
Security experts caution against taking SLSH’s claims at face value. Like most cybercriminals, the group has a documented history of exaggeration and falsehoods.
In one recent example, SLSH claimed it would leak data from Aussie telecoms provider Telstra, alleging 19 million customers were compromised. Telstra debunked the claim, saying:
“We’ve investigated it, and the data has been scraped from public sources, not Telstra systems. No passwords, banking details, or personal identification data like driver’s licence or Medicare numbers are included,” it Xeeted.
SLSH said the attack took place in July 2023, and Telstra previously acknowledged a breach in November 2024, saying affected data was mostly basic personal information related to employees and partners.
Jon Abbott, co-founder and CEO of ThreatAware, characterized the weekend leaks as an intimidation tactic aimed at pressuring future victims into paying extortion demands. “Last week’s extortion attempt and the data leak on Saturday are indicators that the 40 companies did not pay the group.
“Customers of the 40 affected companies will need to be cautious when contacted. Scammers may use the leaked data to launch both mass and personalised social engineering campaigns to steal financial information, or even to commit identity theft.
“This is the usual pattern followed by Scattered Lapsus$ Hunters. However, it has ultimately failed to earn them a payment. If organizations want to avoid such leaks, paying criminals offers no guarantee, but doing the security basics does.
“Scattered Lapsus$ Hunters’ tactics, including vishing and modified data loaders, highlight the need for rigorous password reset verification, hardened service desk processes, and exceptional cyber hygiene.”