HomeNewsBreachesAbout
Account

Fear and Loathing in the Comm - Scattered LAPSUS$ Hunters Turn Extortion Into a Service

DataBreach.com Team · · October 13th 2025, 4:26 am EDT

Fear and Loathing in the Comm - Scattered LAPSUS$ Hunters Turn Extortion Into a Service

The crime syndicate calling itself Scattered LAPSUS$ Hunters (SLH) says it’s finished leaking Salesforce-related data-for now. In a final statement ending what it described as a year-long campaign, the group promised to “see you all in 2026.” Hours earlier, its operators announced a new "business venture": the world’s first “Extortion-as-a-Service” platform.

Over the same weekend, SLH released or listed six corporate datasets from its Salesforce campaign, making good on its October 10 deadline. The biggest confirmed dump came from Qantas Airways, with roughly five to six million customer records-names, email addresses, dates of birth, phone numbers, and frequent-flyer IDs-mirroring the structure of Salesforce CRM exports. Vietnam Airlines followed with a cache of about 7.3 million unique emails (and more than eight million phone numbers in parsed copies). Smaller sets appeared for Albertsons, Fujifilm, GAP Inc., and ENGIE Resources.


A Brand-Leasing Scheme for Cybercrime

According to a Telegram post shared that same weekend, SLH plans to launch “our very own first public EaaS program … similar to how a RaaS program works but with no locking/encryption.” Instead of licensing malware, SLH will license its name.

The post outlines a simple proposition: for a fee, anyone can borrow the group’s brand to pressure a company or government. “You can use our name to extort your target,” the message reads, claiming that negotiators are more likely to respond when they recognize the actor. In short, SLH wants to monetize its reputation for mayhem.

This marks an evolution of an idea that’s been brewing since ransomware went mainstream. Developers of encryption tools discovered that reputation sells: affiliates earned credibility by flying the flag of a well-known outfit such as LockBit or BlackCat. SLH is applying the same logic to pure data extortion-where no malware is needed and the product is fear itself.

The group argues that most would-be blackmailers lack “credibility/reputation/trust/history.” By offering a ready-made identity, SLH turns extortion into a franchise model. Participants supply the victim list and social-engineering work; SLH supplies the brand, the playbook, and a veneer of legitimacy in the underworld.


From Data Dumps to Marketplaces

The announcement follows the group’s sprawling farewell communiqué, a profanity-laced rant that taunted police, mocked Mandiant analysts, and urged governments to “drop your ego and comply.” Beneath the theatrics was a consistent message: extortion is just business.

That worldview carries into the EaaS program. SLH frames the portal as a professional service-complete with instructions, support, and a promise of “significant success.” They position themselves as middlemen maintaining “market stability,” casting ransom negotiation as a form of regulated commerce rather than crime.

It’s a deliberate rebranding effort. By shedding the ransomware component, SLH distances itself from the technical artifacts that make traditional campaigns traceable: encryption keys, decryptors, or malware signatures. All that remains is the threat of publication-and the leverage of a name people recognize.


Why “No Encryption” Makes It Worse

For investigators, the absence of encryption removes a crucial evidentiary trail. Without code to analyze, attribution hinges on communication style and metadata-both easily forged. Meanwhile, the psychological impact on victims remains identical: pay up or face exposure.

That dynamic is ripe for abuse. Opportunists can now impersonate SLH, contact companies claiming to possess stolen data, and cite the group’s long history of leaks to appear credible. Even a baseless threat can succeed if the victim fears public embarrassment more than the cost of paying.

Security responders already describe a rise in fake breach emails referencing real leak sites. A sanctioned EaaS platform would blur the line between genuine and fabricated threats even further, effectively industrializing hoaxes.


A New Business of Fear

Extortion-as-a-Service formalizes what the criminal underground has hinted at for years: the emergence of a reputation economy. In ransomware’s first wave, the commodity was encryption software. In the second, it was stolen access credentials. SLH’s model suggests the third wave sells something far more abstract - trust.

“Crisis management firms or negotiators usually want to know who they are speaking to,” the post explains. That’s a striking admission that ransom dynamics rely on interpersonal credibility. SLH’s operators are turning that psychological currency into cash flow.

It’s easy to dismiss the announcement as bravado; after all, the same group declared itself “appointed by President DJT and Elon Musk Head of DOGE.” But theatrics aside, the economics make sense. Reputation can’t be seized by the FBI or patched by Salesforce. It survives platform takedowns and even arrests, as long as the brand continues to inspire dread.


The Road Ahead

If SLH follows through, investigators should expect a flood of extortion claims bearing the group’s signature, some real and others opportunistic. The resulting noise will make genuine breaches harder to triage and insurance negotiations harder to manage.

For companies, the practical guidance doesn’t change: verify every claim before responding, involve counsel and law enforcement early, and assume that paying one actor invites others. The more that victims treat extortion as routine business, the closer SLH comes to achieving its stated goal of market normalization.

Governments, meanwhile, face a communications challenge of their own. When criminals start branding themselves as “stabilizers of the market,” public deterrence strategies lose rhetorical ground. The best counter, experts argue, is transparency-acknowledging breaches quickly and undercutting the leverage of secrecy.


Reputation for Rent

Whether the promised EaaS portal ever materializes, the concept alone illustrates how far the cyber-extortion economy has evolved. What began as opportunistic data theft has become a service industry-complete with portals, customer onboarding, and brand management.

In the end, Scattered LAPSUS$ Hunters may not need to hack anything at all. Their real product is fear, and now they’ve found a way to sell it wholesale. In 2025, the currency of cybercrime isn’t data or code-it’s credibility. And SLH just put a price tag on theirs.

For media inquiries, contact us at contact@databreach.com