ShinyHunters
ShinyHunters is an international cybercrime group specializing in data breaches and extortion, which emerged in 2020 and has since targeted numerous high-profile organizations through phishing, social engineering, and exploitation of vulnerabilities in cloud services.[1][2] Known also as ShinyCorp or UNC6040, the group operates primarily on underground forums like Telegram, BreachForums, and Discord, where they leak stolen data to pressure victims into paying ransoms.[3][2] The group's activities began with early breaches such as the claimed theft of 91 million user records from Tokopedia in May 2020 and 271 million records from Wattpad in 2020, often involving the exploitation of unsecured cloud storage and GitHub repositories.[1] Over time, ShinyHunters expanded to more sophisticated tactics, including voice phishing (vishing) to impersonate IT staff and gain credentials, as seen in their 2022 claim of breaching AT&T for 70 million records and the 2023 Pizza Hut Australia incident affecting 30 million customers.[1][4] Their operations have focused on enterprise cloud applications, particularly Salesforce, leading to major extortion campaigns against sectors like airlines, retail, and finance.[2] In 2025, ShinyHunters escalated their attacks, stealing over 1 billion records from Salesforce customers in May through vishing and social engineering, and breaching platforms like Discord and Red Hat's GitLab server in September, exposing thousands of repositories and customer reports.[3][4] They have also targeted companies such as Qantas, Adidas, LVMH, and Allianz Life, sometimes in loose collaboration with groups like Scattered Spider and LAPSUS$, using a victim-shaming website to publicize threats and demand payments.[1][3] As of November 2025, the group continued its activities, including breaching legacy cloud storage at Checkout.com.[5] These incidents highlight their evolution into a financially motivated threat actor, prompting responses from affected firms like Salesforce, which has refused to negotiate ransoms.[3]
Background
Name and aliases
ShinyHunters is the primary moniker adopted by this cybercriminal group, which first emerged in 2020 on underground forums like RaidForums, where they began publicizing stolen data from high-profile targets. The name draws inspiration from the Pokémon franchise, specifically the practice of "shiny hunting," where players pursue rare, visually distinctive variants of creatures—a metaphor the group uses to describe their pursuit of valuable, "shiny" corporate data assets such as customer records and intellectual property.[6][1] An alias for the group is ShinyCorp, reflecting a corporate branding twist on their operations amid extortion schemes targeting enterprise environments. On dark web platforms, the collective has operated under the "ShinyHunters" handle, notably as administrators on BreachForums following the 2022 seizure of RaidForums; this handle was used to announce breaches and auction data. In June 2024, ShinyHunters announced their retirement on BreachForums.[1][6] The naming has remained consistent since their initial 2020 appearances, evolving only in platform usage from RaidForums to BreachForums, where they maintained a prominent presence in the cybercrime ecosystem, including loose ties to groups like Scattered Spider. Individual members have used pseudonyms such as Pompompurin and Baphomet in forum interactions, but these are not collective aliases.[1][6]
Formation and key members
ShinyHunters emerged in May 2020 as a loose collective of black-hat hackers on dark web forums, initially focusing on stealing and monetizing large datasets through extortion schemes.[1][7] The group's name draws inspiration from the "shiny hunting" practice in the Pokémon gaming community, where players seek rare variants of creatures, reflecting their pursuit of valuable data troves.[8] This formation marked the beginning of their operations as a financially motivated entity, distinct from state-sponsored actors, with early activities centered on breaching e-commerce and tech firms to extract user records for sale or leverage.[9] The group operates as a decentralized, international network without a rigid hierarchy, relying on collaboration among members scattered across countries including France, Canada, the UK, and others.[1][8] They coordinate primarily through online hacker forums such as BreachForums, which ShinyHunters affiliates have administered and revived multiple times since 2023, using these platforms for recruitment, data distribution, and extortion negotiations.[10] This fluid structure allows for opportunistic alliances, including loose ties to other cybercrime outfits like Scattered Spider and remnants of LAPSUS$, particularly through shared forum ecosystems and joint operations observed by 2025.[11][12] Among publicly identified key members, Sebastien Raoult, known online as Sezyo Kaizen, stands out as a core figure. Born around 2002 in Épinal, eastern France, Raoult was a young self-taught hacker who joined ShinyHunters early in its activities, contributing to phishing and access operations targeting corporate networks.[13][14] He was arrested in July 2022 in Morocco during a vacation, extradited to the United States in January 2023, and later pleaded guilty in September 2023 to conspiracy to commit wire fraud and aggravated identity theft; he received a three-year prison sentence in January 2024.[15][16] By 2025, additional affiliates linked to ShinyHunters were identified through law enforcement actions. In June 2025, French authorities arrested four individuals in their twenties using the online aliases "ShinyHunters," "Hollow," "Noct," and "Depressed," who were administrators of BreachForums and suspected of supporting the group's broader ecosystem, though their exact roles within ShinyHunters remain under investigation.[17][18] These arrests highlight the group's reliance on pseudonymous operators across Europe, but no full names for these individuals have been publicly disclosed as of November 2025.[19]
Methods and tactics
Initial access techniques
ShinyHunters primarily relies on social engineering tactics to achieve initial access to target systems, with a heavy emphasis on voice phishing (vishing) campaigns that impersonate trusted IT support personnel. In these attacks, threat actors contact employees via phone, using scripted conversations to build urgency and legitimacy, often directing victims to approve malicious applications or connected apps within platforms like Salesforce. This method exploits human vulnerabilities rather than technical flaws, allowing attackers to gain legitimate entry points without deploying malware directly on the target network. Starting in late 2024 and intensifying through 2025, the group incorporated AI-enhanced impersonation tools to generate realistic voices and accents, making vishing calls more convincing and scalable against enterprise targets.[2][4][20] The group frequently exploits weaknesses in multi-factor authentication (MFA) implementations to bypass additional security layers during initial compromise. Through vishing, attackers trick users into sharing one-time MFA codes or approving unauthorized login prompts in real time, effectively enabling session hijacking where the attacker assumes control of an active user session. In cases where MFA is absent or weakly enforced—such as on legacy accounts—stolen credentials alone suffice for access, as observed in breaches targeting cloud services without mandatory MFA enforcement. While direct evidence of SIM swapping is limited to affiliated tactics from merged groups like Scattered Spider, ShinyHunters' vishing operations consistently focus on real-time MFA evasion to maintain stealthy entry.[4][20][21] ShinyHunters also acquires initial access by purchasing or utilizing stolen credentials harvested from infostealer malware infections on third-party systems. These credentials, often unrotated and exposed via malware like Lumma or RedLine, are sourced from dark web marketplaces and applied to high-value targets such as cloud databases. For instance, in the 2024 Snowflake incident, the group used such credentials from compromised employee devices at partners like EPAM Systems to enter unprotected customer instances. This approach allows opportunistic access to multiple victims sharing similar credential exposures, amplifying the group's reach without custom exploits. The group has also exploited misconfigured legacy cloud storage systems for unauthorized access, as demonstrated in their November 2025 activities.[21][22][23]
Data exfiltration and extortion
ShinyHunters specialized in bulk data theft from cloud environments, leveraging compromised credentials to access databases without detection. In operations targeting platforms like Snowflake, the group exploited accounts lacking multi-factor authentication (MFA), using credentials stolen via infostealer malware such as VIDAR and REDLINE.[22][21] Once authenticated, attackers performed SQL-based reconnaissance with commands like SHOW TABLES to enumerate databases and tables, mimicking legitimate queries to evade alerting mechanisms.[22] For exfiltration, they created temporary stages using CREATE TEMPORARY STAGE and COPY INTO to compress data into GZIP files, then downloaded bulk datasets via GET commands to external VPS servers, often extracting terabytes without triggering network or behavioral anomalies.[22] Custom tools automated these processes, enabling efficient querying and staging across multiple instances.[22]
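The query chain described above (SHOW TABLES reconnaissance, CREATE TEMPORARY STAGE, COPY INTO a stage, then GET) is something a defender can look for in warehouse query history. The following is an added detection example, not code from the group or from Snowflake; the row layout (session id, user, an MFA flag, query text) and all sample rows are constructed to resemble query-history records.

```python
import re
from collections import defaultdict

# Constructed sample rows shaped like a query-history export (not real telemetry):
# (session_id, user, mfa_enabled, query_text)
SAMPLE_QUERY_HISTORY = [
    ("s1", "svc_reporting", False, "SHOW TABLES IN DATABASE CUSTOMER_DB"),
    ("s1", "svc_reporting", False, "SHOW TABLES IN DATABASE BILLING_DB"),
    ("s1", "svc_reporting", False, "CREATE TEMPORARY STAGE tmp_stage"),
    ("s1", "svc_reporting", False, "COPY INTO @tmp_stage FROM CUSTOMER_DB.PUBLIC.ACCOUNTS "
                                   "FILE_FORMAT=(TYPE=CSV COMPRESSION=GZIP)"),
    ("s1", "svc_reporting", False, "GET @tmp_stage file:///tmp/out/"),
    ("s2", "analyst1", True, "SELECT COUNT(*) FROM CUSTOMER_DB.PUBLIC.ACCOUNTS"),
    ("s2", "analyst1", True, "SHOW TABLES IN SCHEMA CUSTOMER_DB.PUBLIC"),
    ("s3", "etl_job", True, "CREATE TEMPORARY STAGE etl_stage"),
    ("s3", "etl_job", True, "COPY INTO CUSTOMER_DB.PUBLIC.EVENTS FROM @etl_stage"),  # a load, not an unload
]

# One pattern per step of the staged-exfiltration chain. "unload" only matches
# COPY INTO @<stage> (table -> stage); COPY INTO <table> FROM @<stage> is a normal load.
PATTERNS = {
    "enumerate": re.compile(r"^\s*SHOW\s+TABLES\b", re.I),
    "stage": re.compile(r"^\s*CREATE\s+(?:OR\s+REPLACE\s+)?TEMP(?:ORARY)?\s+STAGE\b", re.I),
    "unload": re.compile(r"^\s*COPY\s+INTO\s+@", re.I),
    "download": re.compile(r"^\s*GET\s+@", re.I),
}

def classify(query_text):
    """Map a query to a chain step name, or None if it is not part of the chain."""
    for name, pat in PATTERNS.items():
        if pat.search(query_text):
            return name
    return None

def detect_staged_exfil(rows):
    """Return one alert per session that completes stage -> unload -> download."""
    per_session = defaultdict(lambda: {"user": None, "mfa": None, "steps": set(), "n_enum": 0})
    for session_id, user, mfa_enabled, query_text in rows:
        s = per_session[session_id]
        s["user"], s["mfa"] = user, mfa_enabled
        step = classify(query_text)
        if step == "enumerate":
            s["n_enum"] += 1          # enumeration count is context, not a trigger on its own
        if step:
            s["steps"].add(step)
    alerts = []
    for session_id, s in per_session.items():
        if {"stage", "unload", "download"} <= s["steps"]:
            severity = "high" if not s["mfa"] else "medium"   # no MFA matches the article's cases
            alerts.append({"session": session_id, "user": s["user"], "severity": severity,
                           "mfa": s["mfa"], "enumeration_queries": s["n_enum"]})
    return alerts
```

Sessions that only enumerate, or only create a stage to load data, are deliberately not alerted, so the rule keys on the full unload-and-download sequence rather than on any single command.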
In parallel campaigns against SaaS platforms like Salesforce, ShinyHunters abused OAuth mechanisms by installing malicious applications with broad permissions, granting persistent read access to customer records.[24] They deployed modified versions of official tools, such as the Salesforce Data Loader, alongside Python scripts to systematically harvest and process large datasets from APIs and databases.[24] These techniques allowed for stealthy, high-volume extractions that bypassed rate limits and audit logs, focusing on sensitive customer information like personal identifiers and financial details.
The group's extortion strategy centered on monetizing stolen data through threats of public disclosure unless ransoms were paid in cryptocurrency, typically Bitcoin, to ensure untraceable transactions.[3][21] Attackers posted verifiable data samples on forums like BreachForums to demonstrate possession and intensify pressure, often auctioning datasets if demands went unmet.[3] By 2025, operations expanded in scale, with ShinyHunters aggregating exfiltrated data from dozens to hundreds of victims across sectors, enabling consolidated extortion waves against major corporations via dedicated leak sites and coordinated campaigns.[3][24] This model, evolving from earlier vishing-based accesses to incorporate AI-enhanced social engineering, underscored their focus on post-compromise profit maximization.[20]