The Evolution of Data Extortion TTPs: From Exploiting Code to Exploiting People
Summary: The article traces the evolution of data extortion crime from early exploitation of technical vulnerabilities to today's social engineering and identity abuse. By analysing four phases (2015-2018, 2018-2020, 2020-2023, 2024-2025), it shows how extortion moved from plain data theft to advanced threats against enterprise trust relationships and human behaviour. The current phase centres on MFA fatigue, phishing and weaknesses in the identity chain for large-scale intrusion, combined with real-world threats of violence to increase leverage. 2025-10-28 16:33:53 Author: flashpoint.io

Groups like Scattered Spider, LAPSUS$, and ShinyHunters have captured global attention for their high-profile, devastating data breaches. However, data extortion hasn’t always been a professionalized, human-operated tradecraft. Just a decade ago, this landscape was defined by fragmented, low-sophistication threat actors committing digital smash-and-grabs. The focus was simple: steal as much data as possible and exfiltrate it fast. So, what has changed?

Flashpoint intelligence is observing an undeniable and fundamental evolution taking place: Extortion groups have strategically moved away from technical exploits to attack the most critical layer of the modern enterprise—human trust and identity. They recognize that firewalls are getting stronger, but the human element offers the path of least resistance.

Rather than attacking an organization’s code or security tools, threat actors now focus on its people. By leveraging a dangerous combination of identity-centric intrusion, social engineering, and supply-chain interdependence, attackers seek to gain the maximum psychological and reputational leverage.

Four Eras of Data Extortion

The evolution of digital extortion is not a series of isolated events, but a clear progression driven by two core factors: cloud adoption by organizations and the increasing difficulty of bypassing technical controls at the perimeter.

Flashpoint’s analysis of data extortion tactics, techniques, and procedures (TTPs) reveals a distinct four-stage process of maturation. Each “era” saw criminal groups abandoning obsolete tactics of the past for the high-leverage techniques of the present. By examining the primary attack vectors and monetization methods of each period, a clear strategic pivot can be seen from network compromise to human compromise.

Time Period | Primary Attack Vectors | Primary Monetization Methods | Key Drivers
Era 1: 2015 – 2018 | Credential stuffing, SQL injection, exposed databases | Bulk data sales | Low-sophistication, fragmented markets
Era 2: 2018 – 2020 | Targeting third parties, Remote Desktop Protocol (RDP), media manipulation | Targeted extortion, drip-drip releases | Public pressure, psychological leverage
Era 3: 2020 – 2023 | GitHub/software-as-a-service (SaaS) token abuse, SaaS misconfigurations | Data resale, private access sales | Cloud adoption, professionalization
Era 4: 2024 – 2025 | Social engineering, vishing, MFA fatigue, identity abuse | Targeted extortion, access brokering, ransomware-as-a-service (RaaS) | Human vulnerabilities, digital-physical convergence

Era 1 (2015 – 2018): The Pursuit of Volume

Activity in 2015 to 2018 laid the groundwork for a scalable, data-centric criminal economy. A wave of credential sellers and low-sophistication actors emerged across Dark Web forums and marketplaces, primarily focused on monetizing stolen data at scale. The primary objective for these actors was volume, acquiring as many records as possible and reselling them for a flat fee. The threat landscape was fragmented, with many different aliases and groups operating in a largely uncoordinated fashion across multiple platforms.

The attack vectors of this period were primarily technical and relied on publicly known vulnerabilities or poor security hygiene. Actors frequently exploited a lack of input sanitization to perform SQL injection (SQLi) attacks, a common method for exfiltrating entire databases from exposed web applications. Frequent TTPs included:

  • SQL Injection (T1190, Exploit Public-Facing Application): Exploiting weak input sanitization to extract entire databases, a foundational attack vector of the time.
  • Exposed Databases (T1530): Scanning for and leveraging publicly accessible, unprotected data repositories.
  • Credential Dumping (T1003): Threat actors stole and resold millions of records, providing the foundational inventory for the credential stuffing economy.
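The injection pattern described above, shown as an added example that is not code from the Flashpoint post: a product search that splices user input into SQL, beside the parameterized version, each run against the two payloads of the era (a tautology that returns every row, and a UNION that reads a table the query was never meant to touch). The in-memory SQLite database, table layout and sample rows are constructed for this example.

```python
import sqlite3

# Constructed sample data for this example (not real records): a product
# catalogue the search form is meant to query, and a users table it is not.
SAMPLE_PRODUCTS = [("widget", "A basic widget"), ("gadget", "A basic gadget")]
SAMPLE_USERS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "e99a18c4ff8c6e3a5f6e1a3b9c2d8e7f"),
]


def build_db():
    """In-memory SQLite database standing in for the web app's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, description TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, term):
    # Vulnerable: the user-controlled term is spliced into the SQL text, so a
    # quote in the input ends the string literal and the rest becomes SQL.
    sql = f"SELECT name, description FROM products WHERE name = '{term}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Hardened: the SQL text is fixed and the term is bound as a parameter.
    # Quotes in the input stay inside the value; they never become syntax.
    sql = "SELECT name, description FROM products WHERE name = ?"
    return conn.execute(sql, (term,)).fetchall()


# Two classic payloads of the period: a tautology that matches every row, and a
# UNION that reads from a table the search was never meant to touch. The
# trailing "--" comments out the closing quote the application appends.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users --"


def run_demo():
    """Run both payloads against both implementations and return the rows."""
    conn = build_db()
    return {
        "vulnerable_tautology": search_vulnerable(conn, TAUTOLOGY),
        "vulnerable_union": search_vulnerable(conn, UNION_DUMP),
        "safe_tautology": search_safe(conn, TAUTOLOGY),
        "safe_union": search_safe(conn, UNION_DUMP),
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {rows}")
```

The vulnerable path returns the whole catalogue for the tautology and both password hashes for the UNION payload; the parameterized path returns nothing for either, because the bound value is compared as data and no product is literally named `' OR '1'='1`.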

Era 2 (2018 – 2020): The Weaponization of Public Pressure

From 2018 to 2020, there was a critical shift in the data extortion model, moving from pure-play data sales to targeted, high-profile campaigns to maximize public pressure. This model of double-extortion—data theft plus public shaming—set a new standard for professionalized cybercrime that focused on reputation and legal exposure.

Instead of simply selling stolen data, attackers fueled media headlines to pressure victims to pay higher ransoms. They would leak small fragments of stolen data to news outlets to prove the legitimacy of their claims and maintain public attention. This shift in tactics marked a significant step in the professionalization of the cybercriminal business model, proving that the leverage afforded by a breach was often more valuable than the data itself.

Significant TTPs of this era included:

  • Controlled Drip Leaks (T1074 / T1048.003): Threat actor groups strategically leaked small, escalating fragments of data to the press, while publicizing aggressive ransom demands to create a PR and legal crisis.
  • Initial Access via Third Parties (T1195): Attackers in this era were the first to demonstrate an understanding of third-party risk, breaching major firms indirectly by compromising a smaller, less-resourced vendor.

Era 3 (2020 – 2023): The Cloud Professionalization

The period from 2020 to 2023, often characterized as the late RaidForums era, consolidated the cybercriminal community around credential reuse and data sales-as-a-service. Success stemmed from a strategic shift away from legacy attack vectors toward the modern enterprise's cloud footprint; the era's TTPs were a direct response to the mass migration of businesses to cloud-native platforms:

  • API Token Abuse (T1528): Instead of traditional network intrusion, groups stole and reused OAuth tokens issued to third-party integrators. This exploited the trusted connections within the SaaS supply chain to gain access to private source code and internal data.
  • SaaS Supply Chain Exploitation (T1190): The focus was on abusing insecure configurations in cloud platforms, exploiting the interconnected trust between services.

This period also saw a significant consolidation of the criminal community around a single platform: BreachForums, which succeeded the defunct RaidForums. This allowed cybercriminals to control the entire illicit value chain, from initial access and exfiltration to the marketing and resale of stolen data. This made operations far more resilient to law enforcement disruption and marked the maturation of the ecosystem—transitioning from a collection of freelancers to a more structured and interconnected criminal enterprise.

Era 4 (2024 – 2025): The Identity and Human Frontier

The latest evolution of data extortion is defined not by advanced technical exploits but by exploiting human behavior and identity systems. The focus has decisively shifted from breaching network perimeters to socially engineering employees to gain access to corporate systems at scale. This strategic pivot is clearly demonstrated by the TTPs of groups like LAPSUS$ and the collective operating under various Scattered Spider aliases, such as Sp1d3rHunters, scattered lapsu$ hunters, and The COM HQ SCATTERED SP1D3R HUNTERS.

LAPSUS$

LAPSUS$ is the prime example of the human-centric threat model, eschewing traditional ransomware for a pure-play extortion model driven by social engineering. The group relies on human exploitation for initial access:

  • MFA Fatigue Attacks: LAPSUS$ pioneered the tactic of spamming a targeted employee’s device with repeated Multi-Factor Authentication (MFA) prompts at inconvenient times until the employee approves a request out of sheer frustration or confusion (T1621).
  • Vishing and Smishing: The group leveraged voice phishing (vishing) and fraudulent SMS messages (smishing) to trick employees into divulging credentials or granting initial access.
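MFA fatigue leaves a recognisable trace in the identity provider's push log: a burst of prompts for one user, most denied or timed out, ending in an approval. The detector below is an added example written for this page, not Flashpoint's or any vendor's code; the log format (timestamp, user, `push`, result), the sample lines and the threshold of four prompts in ten minutes are all constructed assumptions, so adapt the parser and thresholds to your IdP's real export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-notification log (not real IdP output). Each line:
# <ISO timestamp> <user> push <result>. Alice is hit with a burst of prompts
# until she approves; Bob and Carol show ordinary, well-spaced logins.
SAMPLE_LOG = """\
2025-10-20T02:01:05Z alice push DENIED
2025-10-20T02:01:40Z alice push TIMEOUT
2025-10-20T02:02:10Z alice push DENIED
2025-10-20T02:02:55Z alice push TIMEOUT
2025-10-20T02:03:30Z alice push APPROVED
2025-10-20T03:10:00Z carol push DENIED
2025-10-20T03:30:00Z carol push APPROVED
2025-10-20T09:15:00Z bob push APPROVED
2025-10-20T17:40:00Z bob push APPROVED
"""

THRESHOLD = 4                   # prompts inside the window that trigger an alert
WINDOW = timedelta(minutes=10)  # sliding window length (assumed tuning value)


def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts, user, _kind, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_mfa_fatigue(log_text, threshold=THRESHOLD, window=WINDOW):
    """Flag users who receive >= threshold push prompts within one window.

    Returns {user: {"prompts": most prompts seen inside a window,
                    "approved_during_burst": True if a prompt was approved
                    while the burst was still at or above threshold}}.
    An approval inside the burst is the case to treat as a likely compromise.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)  # user -> prompt timestamps inside the window
    alerts = {}
    for ts, user, result in events:
        window_q = recent[user]
        window_q.append(ts)
        # Drop prompts that have slid out of the window relative to this one.
        while ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold:
            alert = alerts.setdefault(
                user, {"prompts": 0, "approved_during_burst": False})
            alert["prompts"] = max(alert["prompts"], len(window_q))
            if result == "APPROVED":
                alert["approved_during_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(SAMPLE_LOG).items():
        print(user, info)
```

On the sample log only Alice is flagged (five prompts in under three minutes, the last one approved); Carol's two prompts are twenty minutes apart and fall outside the window, and Bob never exceeds one prompt. Pair an `approved_during_burst` hit with a session-revocation playbook rather than a ticket, since by the time the alert fires the attacker already holds the session.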

Scattered Spider

Scattered Spider represents the professionalized, scaled evolution of this social engineering model, blending effective initial access with enterprise-grade monetization. The group’s TTPs highlight the dangers of the SaaS and identity trust chain:

  • Identity Abuse Chain: The group gains access through credentials stolen by infostealer malware from third-party contractors that often lack MFA. They then use this access to target SaaS interdependencies.
  • Social Engineering Refinement: They leverage the stolen identity to conduct sophisticated vishing attacks targeting platforms like Salesforce and Workday, tricking employees into granting access to a malicious OAuth application for direct API-level data exfiltration.
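Both the Era 3 token abuse (stolen OAuth tokens issued to third-party integrators) and the Era 4 malicious-consent vishing above end in the same place: a third-party OAuth application holding bulk read access to a SaaS tenant. The audit below is an added example for this page, not Flashpoint's code or any platform's API; it scores a constructed list of consent grants. The allowlist, the app IDs, the users and the sample grants are assumed for illustration; of the scope names, `api`, `full` and `refresh_token` are Salesforce connected-app scopes and the rest are placeholders.

```python
from dataclasses import dataclass

# Scope names that let an app read data in bulk. "api", "full" and
# "refresh_token" are Salesforce connected-app scopes; "data.export" and
# "files.read.all" are placeholders standing in for other platforms' scopes.
BULK_READ_SCOPES = {"api", "full", "data.export", "files.read.all"}

# Assumed organisational allowlist of app IDs that went through review.
APPROVED_APPS = {"app-ci-integrator"}


@dataclass(frozen=True)
class Grant:
    app_id: str
    app_name: str
    publisher_verified: bool
    scopes: frozenset
    granted_by: str
    admin_consent: bool   # False = an individual user clicked "Allow"


# Constructed sample of consent grants from a SaaS tenant (not real data).
SAMPLE_GRANTS = [
    Grant("app-ci-integrator", "CI Integrator", True,
          frozenset({"api", "refresh_token"}), "admin@example.test", True),
    Grant("app-dl-helper", "Data Loader Helper", False,
          frozenset({"api", "full", "refresh_token"}), "alice@example.test", False),
    Grant("app-cal-sync", "Calendar Sync", True,
          frozenset({"calendar.read"}), "bob@example.test", False),
]


def assess_grant(grant):
    """Return (severity, reasons) for one grant; severity None if nothing to flag."""
    if grant.app_id in APPROVED_APPS:
        return None, []           # reviewed integration; out of scope here
    reasons = ["app not on allowlist"]
    bulk = sorted(grant.scopes & BULK_READ_SCOPES)
    if bulk:
        reasons.append("bulk data read scopes: " + ", ".join(bulk))
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    if not grant.admin_consent:
        reasons.append(f"individual user consent by {grant.granted_by}")
    # A non-allowlisted app able to read data in bulk is exactly the access a
    # vished consent or a stolen integrator token hands an attacker.
    severity = "high" if bulk else "medium"
    return severity, reasons


def audit_grants(grants):
    """Map app_id -> (severity, reasons) for every grant worth a look."""
    findings = {}
    for grant in grants:
        severity, reasons = assess_grant(grant)
        if severity:
            findings[grant.app_id] = (severity, reasons)
    return findings


if __name__ == "__main__":
    for app_id, (severity, reasons) in audit_grants(SAMPLE_GRANTS).items():
        print(f"{severity.upper():6} {app_id}: {'; '.join(reasons)}")
```

On the sample tenant the reviewed CI integrator is skipped, the unverified "Data Loader Helper" that a single user consented to with `api` and `full` scopes is rated high, and the calendar app is rated medium for being outside the allowlist on user consent alone. The same inventory is where the legitimate integrator grants of the Era 3 pattern live, which is the place to scope them down and rotate their tokens.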

Digital-Physical Convergence

The most alarming aspect of the current evolution of digital extortion is the convergence of online criminal activity with real-world violence. This elevates threats from a corporate liability to a physical safety issue. This is exemplified by the group subset, IRL Com, which uses its criminal network to execute real-world violence. Their tools for extortion and retribution against rivals include kidnapping, armed robbery, and swatting.

Empower the Human Element Using Flashpoint

The evolution of data extortion is a powerful reminder that as security tools improve, threat actors will find the path of least resistance. Today that path runs through the people who operate those tools and protect organizational data and assets. Future illicit campaigns will likely continue to focus on SaaS interdependencies and on abusing identity federation mechanisms like Single Sign-On.

Defending against a threat that has become this sophisticated therefore requires a strategic pivot from security teams. Organizations need to adopt a proactive, threat intelligence-led defense to stay ahead of modern threat actor groups. Using Flashpoint, security leaders can empower their teams to prioritize risk by anticipating known tactics before they are deployed against you.

To understand how Flashpoint intelligence can enable a proactive defense by monitoring illicit communities for compromised credentials and emerging TTPs, schedule a demo today.


Source: https://flashpoint.io/blog/data-extortion-ttps-exploiting-code-people/