SLSH Alliance Emerges as 2026's Most Prolific Threat Actor Coalition
A formidable threat actor coalition known as the SLSH alliance — combining members of Scattered Spider, Lapsus$, and ShinyHunters — has attacked 100+ organizations since the start of 2026, breaching an estimated 60 million records across industries ranging from technology and healthcare to retail and energy.
The alliance represents a convergence of three of the most notorious cybercriminal groups of the past three years, pooling their social engineering expertise, infrastructure, and stolen credential databases into a unified operation of unprecedented scale.
Attack Methodology
Phone Phishing (Vishing) as Primary Vector
The SLSH alliance's signature technique is phone-based phishing (vishing), where operatives call employees directly, posing as internal IT staff or help desk personnel.
The Attack Chain
1. Reconnaissance — Scrape LinkedIn and corporate directories for employee names/roles
2. Vishing Call — Call target posing as IT support, referencing internal systems
3. Credential Theft — Harvest SSO credentials (Microsoft Entra, Okta, Google Workspace)
4. MFA Bypass — Socially engineer MFA codes or exploit MFA fatigue
5. Access & Pivot — Use SSO trust to access connected SaaS and cloud systems
6. Data Exfiltration — Extract customer databases, source code, internal documents
7. Extortion — Demand ransom or publish stolen data
Why Vishing Works
| Factor | Detail |
|---|---|
| Urgency | Callers claim "urgent security incident" requiring immediate action |
| Authority | Pose as IT department, reference real internal tools and ticket numbers |
| Preparation | Use stolen org charts and Slack/Teams context to appear legitimate |
| MFA Bypass | Ask victims to read back MFA codes or approve push notifications |
| Trust | Phone calls feel more personal and trustworthy than emails |
Known Targets
The SLSH alliance has targeted organizations across multiple sectors. Below is a selection of confirmed and reported targets from public disclosures and security researchers:
| Organization | Sector | Status |
|---|---|---|
| Atlassian | Technology | Confirmed breach |
| Adyen | Financial Services | Confirmed breach |
| Canva | Technology | Confirmed breach |
| Epic Games | Gaming | Confirmed breach |
| HubSpot | Technology | Confirmed breach |
| Moderna | Healthcare / Pharma | Confirmed breach |
| ZoomInfo | Technology | Confirmed breach |
| GameStop | Retail | Confirmed breach |
| WeWork | Real Estate | Confirmed breach |
| Halliburton | Energy | Confirmed breach |
| Sonos | Consumer Electronics | Confirmed breach |
| Telstra | Telecommunications | Confirmed breach |
| Panera Bread | Food / Retail | Confirmed breach |
This list represents only publicly known targets. Researchers at Push Security estimate the true number exceeds 100 organizations across at least 15 countries.
Intimidation and Physical Threats
Beyond digital attacks, the SLSH alliance has escalated to real-world intimidation tactics that distinguish it from traditional cybercriminal groups:
- Swatting executives — Filing false emergency reports to send armed police to executives' homes
- Threatening families — Contacting family members of targeted employees via phone and social media
- Doxxing — Publishing personal information of security staff who resist cooperation
- Physical surveillance threats — Referencing home addresses during vishing calls to intimidate targets
These tactics create enormous psychological pressure on victims and significantly increase the likelihood of compliance.
Group Profile
| Attribute | Details |
|---|---|
| Alliance Name | SLSH (Scattered Spider / Lapsus$ / ShinyHunters) |
| Active Since | Late 2025 (formal coalition), individual groups active since 2020-2022 |
| Primary Tactic | Vishing and social engineering |
| Estimated Members | Dozens of operatives across multiple countries |
| Motivation | Financial (extortion, data sales) |
| Communication | Telegram, Discord, encrypted channels |
| Records Breached (2026) | 60+ million |
| Organizations Hit (2026) | 100+ |
Defense Recommendations
Immediate Actions
- Train employees on vishing attacks — IT staff will never call and ask for passwords or MFA codes over the phone
- Implement phishing-resistant MFA — Deploy hardware security keys (FIDO2/WebAuthn) instead of SMS or push-based MFA
- Establish verbal verification protocols — Require callback procedures using known phone numbers for any credential or access requests
- Monitor SSO logs aggressively — Flag unusual login locations, times, or device fingerprints on Entra, Okta, and Google Workspace
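
One way to implement the SSO log monitoring recommended above, as an added example that is not taken from the cited sources: it flags an MFA push approved right after a burst of denials (MFA fatigue) and a successful login where both country and device are new for the user. The event schema, field names, thresholds and sample events are assumptions constructed for illustration and do not match any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not the native log format of Entra, Okta or Google Workspace).
EVENTS = [
    {"ts": "2026-02-03T08:00:00", "user": "bob", "type": "login_success", "country": "US", "device": "dev-b1"},
    {"ts": "2026-02-03T08:30:00", "user": "bob", "type": "mfa_push_denied"},
    {"ts": "2026-02-03T08:31:00", "user": "bob", "type": "mfa_push_approved"},
    {"ts": "2026-02-03T09:00:00", "user": "bob", "type": "login_success", "country": "US", "device": "dev-b2"},
    {"ts": "2026-02-03T09:00:00", "user": "alice", "type": "login_success", "country": "US", "device": "dev-a1"},
    {"ts": "2026-02-03T14:01:00", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2026-02-03T14:02:00", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2026-02-03T14:03:00", "user": "alice", "type": "mfa_push_denied"},
    {"ts": "2026-02-03T14:04:00", "user": "alice", "type": "mfa_push_approved"},
    {"ts": "2026-02-03T14:05:00", "user": "alice", "type": "login_success", "country": "DE", "device": "dev-zz"},
]

def detect_alerts(events, window=timedelta(minutes=10), min_denied=3):
    """Return (user, rule, timestamp) tuples for suspicious SSO activity."""
    alerts = []
    denied = defaultdict(list)     # user -> times of denied pushes since last approval
    countries = defaultdict(set)   # user -> countries seen on successful logins
    devices = defaultdict(set)     # user -> device IDs seen on successful logins
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "mfa_push_denied":
            denied[user].append(ts)
        elif ev["type"] == "mfa_push_approved":
            # An approval right after a burst of denials suggests the user gave in.
            recent = [t for t in denied[user] if ts - t <= window]
            if len(recent) >= min_denied:
                alerts.append((user, "mfa_fatigue", ev["ts"]))
            denied[user].clear()
        elif ev["type"] == "login_success":
            # Alert only with a baseline and when country AND device are both new.
            if (countries[user] and ev["country"] not in countries[user]
                    and ev["device"] not in devices[user]):
                alerts.append((user, "new_country_and_device", ev["ts"]))
            countries[user].add(ev["country"])
            devices[user].add(ev["device"])
    return alerts

if __name__ == "__main__":
    for alert in detect_alerts(EVENTS):
        print(alert)
```

In production the per-user baseline would come from weeks of history rather than the same batch, and the window and denial threshold need tuning per organization.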
Strategic Measures
- Reduce SSO blast radius — Implement conditional access policies and session controls to limit what a single set of credentials can access
- Deploy SaaS security posture management (SSPM) — Monitor for unauthorized OAuth app grants and excessive permissions
- Conduct red team vishing exercises — Test organizational resilience against phone-based social engineering
- Implement out-of-band identity verification — Use a secondary channel (e.g., Slack DM to a verified account) to confirm any sensitive request received by phone
Sources
- Krebs on Security — SLSH Alliance Hits 100+ Orgs in 2026
- Push Security — The Rise of the SLSH Alliance