ShinyHunters
ShinyHunters is a financially motivated, internationally distributed cybercrime collective active since 2020 with a documented record spanning hundreds of millions of stolen records across more than 60 confirmed breaches. The group has evolved from early bulk data sales on dark web forums into one of the most operationally sophisticated cloud extortion operations in the threat landscape — responsible for breaches at Ticketmaster, Santander, AT&T, Qantas, Google, and, as of March 2026, Crunchyroll via a supply chain compromise through BPO provider Telus International.
Overview
ShinyHunters emerged in May 2020 with a rapid series of high-volume data sale claims on dark web forums, offering records from more than a dozen organizations within weeks. The group's name is derived from competitive Pokémon players who methodically hunt for rare color-variant "shiny" Pokémon — a nod to its systematic, methodical approach to harvesting and monetizing stolen data.
In its early phase (2020–2023), the group relied primarily on phishing campaigns to harvest employee credentials, which were then used to access corporate systems and exfiltrate customer databases. Stolen data was sold on forums including RaidForums and, later, BreachForums — a platform the group is believed to have administered directly. The group's "pay or leak" model became a defining operational signature: victims received extortion demands, with public data dumps used as enforcement when ransoms went unpaid.
By 2024, ShinyHunters had pivoted to a significantly more sophisticated cloud extortion model. The group shifted focus from direct credential phishing to voice phishing (vishing) campaigns targeting corporate helpdesk and IT support workflows, particularly those managing single sign-on (SSO) environments. This pivot corresponded with the Snowflake campaign — a massive wave of intrusions into Snowflake-hosted customer environments that affected Ticketmaster, Santander Bank, Neiman Marcus, Truist Bank, and dozens of others. Victims were often compromised through credential theft from Snowflake tenant accounts lacking multi-factor authentication.
From mid-2025 onward, the group's operational tempo accelerated dramatically. Tracked by Google Threat Intelligence under the designations UNC6040 and UNC6240, ShinyHunters was linked to a campaign abusing modified versions of the Salesforce Data Loader application to mass-export CRM data from enterprise Salesforce environments. This campaign — affecting Google, Qantas, Adidas, Allianz, LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.), and hundreds of other organizations — represented one of the largest SaaS-focused data exfiltration operations on record, with estimates exceeding 1.5 billion records from approximately 760 companies.
ShinyHunters has demonstrated a persistent pattern of adaptation in the face of law enforcement pressure. Despite the 2024 sentencing of French member Sébastien Raoult (known as "Sezyo Kaizen") and the June 2025 arrest of four additional members in France, operations have continued without apparent disruption, consistent with a loosely networked structure in which no single individual's removal collapses the collective.
As of 2025–2026, ShinyHunters is confirmed to be operating in close collaboration with Scattered Spider and former LAPSUS$ members under a joint brand, sharing Telegram infrastructure and coordinating on data exfiltration and extortion workflows. An emerging Ransomware-as-a-Service offering under the name shinysp1d3r — targeting VMware ESXi environments — signals a further expansion into the traditional ransomware market.
Target Profile
ShinyHunters does not follow a single-sector targeting doctrine. Its victim list spans virtually every major industry vertical, with selection driven primarily by data volume, extortion leverage, and access opportunity. That said, several sectors appear consistently across confirmed operations.
- E-commerce and retail: High-volume customer PII databases with payment data create strong extortion leverage. Early breaches included Indonesian platform Tokopedia (91M+ records) and clothing retailer Bonobos. LVMH brand breaches in 2025 extended targeting into luxury retail.
- Airlines and travel: Passenger data at scale provides both extortion value and resale potential. Qantas (5.7M+ customers, 2025) is a confirmed victim; WestJet and Hawaiian Airlines are attributed to associated Scattered Spider activity.
- Telecommunications: Telcos hold sensitive subscriber, call record, and device data. AT&T (73M customers confirmed 2024), Telus (700TB claimed 2026), and Odido have been targeted. High-volume data theft and extortion are the consistent pattern.
- Financial services: Santander Bank, Truist Bank, and insurance providers including Allianz and Farmers Insurance Group have been among confirmed victims. SaaS CRM data (Salesforce) provides rich financial intelligence for follow-on fraud.
- SaaS and cloud platforms: Third-party platforms — Snowflake, Salesforce, Salesloft/Drift — have been exploited not as direct targets but as access vectors into downstream enterprise organizations. Compromise of a single SaaS platform can cascade across hundreds of customers.
- Entertainment and media: Ticketmaster (500–560M users) and Crunchyroll (6.8M+ users via Telus BPO supply chain) reflect targeting of high-profile consumer brands with large, extortion-worthy user bases.
- Education: PowerSchool (December 2024) and the University of Pennsylvania (November 2025) indicate sustained interest in education sector targets, likely for the volume of student and family PII available.
Tactics, Techniques & Procedures
ShinyHunters' TTPs have evolved considerably over the group's operational lifespan. The current 2024–2026 cloud-focused phase relies heavily on social engineering, OAuth abuse, and supply chain intrusion rather than traditional exploitation of software vulnerabilities.
| MITRE ID | Technique | Description |
|---|---|---|
| T1566.002 | Phishing — Spearphishing Link | Cloned login pages targeting Okta SSO, Microsoft, and Google authentication flows. Infrastructure includes domains registered through privacy-protected registrars (Njalla) designed to evade attribution. |
| T1566.004 | Phishing — Voice Phishing (Vishing) | IT support impersonation via phone calls targeting corporate helpdesk staff. Operators direct employees to legitimate Salesforce app connection pages and instruct them to enter OAuth "connection codes," granting attacker-controlled apps persistent access to organizational accounts. |
| T1078 | Valid Accounts | Stolen or purchased credentials used to authenticate to Snowflake tenants, Salesforce orgs, and cloud storage. Many early Snowflake intrusions leveraged accounts lacking MFA — no exploitation of platform vulnerabilities required. |
| T1550.001 | Use Alternate Authentication Material — Application Access Token | In the UNC6395 Salesloft/Drift campaign, OAuth refresh tokens stolen from the Drift integration were used to access Salesforce customer orgs at scale. TruffleHog was used to scan source code repositories for exposed token secrets. |
| T1557 | Adversary-in-the-Middle | Cloning of Okta SSO subdomain authentication flows to intercept credentials and session tokens in real time, enabling bypass of MFA controls. |
| T1195.002 | Supply Chain Compromise — Compromise Software Supply Chain | BPO/vendor employee targeting to gain privileged access to downstream enterprise systems. The Crunchyroll breach (March 2026) accessed Zendesk, Slack, Mixpanel, Google Workspace Mail, and other platforms through a compromised Telus International contractor's device. |
| T1530 | Data from Cloud Storage | S3 Browser and WinSCP used to enumerate and exfiltrate data from AWS S3 buckets. Salesforce Data Loader (modified version) used for mass CRM record export from compromised Salesforce environments. |
| T1657 | Financial Theft / Extortion | Post-exfiltration extortion via email using the ShinyHunters identity. Threats to publish or sell data on BreachForums or Telegram channels are used to compel ransom payments. PowerSchool paid a $2.85M ransom (December 2024) that failed to prevent subsequent extortion of individual school districts. |
| T1588.001 | Obtain Capabilities — Malware | Malware deployed on BPO contractor endpoints to capture Okta SSO credentials and gain access to client systems. Reported in the Crunchyroll/Telus intrusion chain (March 2026). |
| T1583.001 | Acquire Infrastructure — Domains | Phishing domains registered through privacy-protecting registrars. Ticket-themed domains and Salesforce-spoofing pages documented in ReliaQuest and EclecticIQ research. FBI header spoofing observed in HTTP infrastructure, consistent with the group's practice of publicly mocking law enforcement. |
Known Campaigns
The following represent confirmed or highly attributed operations linked to ShinyHunters across its operational lifespan.
Crunchyroll via Telus International BPO (March 2026)
A threat actor linked to ShinyHunters gained access to Crunchyroll's internal systems via a compromised Telus International BPO employee. The attacker deployed malware on the contractor's device to capture Okta SSO credentials, then pivoted laterally into Crunchyroll applications including Zendesk, Slack, Mixpanel, Google Workspace Mail, Jira Service Management, MaestroQA, and Wizer. Approximately 100GB of data was exfiltrated — including ~6.8 million unique email addresses from 8 million Zendesk support tickets, plus IP addresses, user analytics, and alleged payment data. Crunchyroll confirmed the incident and described it as primarily limited to customer service ticket data from a third-party vendor. A $5M extortion demand went unanswered. Telus confirmed a separate incident on the same day; investigators treat the two intrusions as related but distinct.
Salesloft Drift OAuth token campaign (UNC6395, August 2025)
TruffleHog was used to locate OAuth tokens for the Salesloft Drift and Drift Email integrations from exposed source code. Those tokens were then used to access Salesforce environments for approximately 760 organizations between August 8–18, 2025, systematically exporting Account, Contact, Case, Opportunity, and User objects — an estimated 1.5 billion records total. Confirmed public disclosures include Cloudflare, Zscaler, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Palo Alto Networks, and others. Described by researchers as the largest SaaS compromise in history. ShinyHunters claimed responsibility to BleepingComputer; the FBI issued a FLASH alert on September 12, 2025.
Salesforce voice phishing campaign (UNC6040, 2025)
Google Threat Intelligence Group identified UNC6040 conducting coordinated voice phishing operations against Salesforce users. Attackers impersonated IT support staff, directing employees to approve attacker-controlled OAuth applications — modified versions of the Salesforce Data Loader — which granted persistent CRM data access. Confirmed victims include Google (SMB customer contact data), Qantas (5.7M+ customers), Adidas, Allianz Life, Pandora, Chanel, Workday, TransUnion, and LVMH brands (Dior, Louis Vuitton, Tiffany & Co.). Initial Google report published June 4, 2025.
Snowflake customer tenant campaign (2024)
Large-scale unauthorized access to Snowflake customer tenants using stolen credentials — many belonging to accounts without MFA enforcement. Confirmed victims include Ticketmaster (500–560M records; ShinyHunters demanded approximately $500K), Santander Bank, Neiman Marcus, Truist Bank, and AT&T (73M customers confirmed in a formal disclosure that reversed years of denial). Data from multiple victims was listed on BreachForums. Snowflake was not itself compromised — all intrusions leveraged valid customer credentials obtained through prior phishing or credential markets.
PowerSchool breach and follow-on district extortion (December 2024 – May 2025)
Education software vendor PowerSchool was breached in December 2024; the attacker demanded $2.85M and the company paid. Despite payment, by May 2025, threat actors — claiming to be ShinyHunters — began sending extortion emails to individual school districts, threatening to release student and teacher data. The publication DataBreaches.net could not authenticate the sender's identity with certainty, but the pattern is consistent with the group's documented practices.
Initial high-volume data theft phase (from 2020)
ShinyHunters' initial operational phase produced rapid, high-volume data theft across more than 60 organizations in a roughly 15-month period. Documented victims include Tokopedia (Indonesia; 91M+ records), Wattpad (271M accounts), Unacademy (India; 22M users), Mathway, Home Chef, Dave, Bonobos, Pixlr, and others. Member Sébastien Raoult built phishing infrastructure to harvest employee credentials across victim organizations. DOJ documented damages exceeding $6M during this period from Raoult's activities alone.
Tools & Malware
ShinyHunters primarily leverages commercial tools, stolen credentials, and legitimate platform features rather than custom-developed malware — a characteristic shared with several other financially motivated cloud threat actors.
- Modified Salesforce Data Loader: The group's primary exfiltration tool in 2025 Salesforce campaigns. A manipulated version of Salesforce's legitimate Data Loader OAuth application was used to gain persistent access to organizational CRM data after victims were socially engineered into approving the connection.
- TruffleHog: Open-source secrets scanner used to identify OAuth tokens and API keys embedded in source code repositories. Used to identify Salesloft/Drift tokens exploited in the UNC6395 campaign.
- S3 Browser / WinSCP: Standard tools used for AWS S3 bucket enumeration and data exfiltration in campaigns targeting cloud storage environments. Documented in Palo Alto Unit 42 Bling Libra research.
- Okta SSO phishing infrastructure: Cloned Okta subdomain authentication flows used to intercept credentials and MFA tokens. Infrastructure registered through Njalla with privacy protection; at least one confirmed IP (196.251.83[.]162) observed hosting phishing domains.
- shinysp1d3r (RaaS — in development): A Ransomware-as-a-Service offering targeting VMware ESXi environments, announced in 2025. Represents a deliberate attempt to fill market share vacated by the LockBit disruption in February 2024. Operational maturity and affiliate uptake remain unclear as of early 2026.
- Endpoint malware (BPO targeting): In the Crunchyroll/Telus intrusion chain, an unspecified malware payload was delivered to a contractor's device to capture Okta SSO session credentials. The specific malware family has not been publicly identified.
- Telegram channels: Primary coordination and operational announcement infrastructure. The group has operated numerous Telegram channels, including several combining ShinyHunters, Scattered Spider, and LAPSUS$ branding. Channels have been banned and replaced repeatedly.
Indicators of Compromise
Publicly available IOCs from attributed ShinyHunters infrastructure. Verify currency before operational use — indicators from the Salesforce phishing campaigns are subject to rapid rotation.
IOCs may be stale or burned after public disclosure. Cross-reference with live threat intel feeds (Google GTIG, EclecticIQ, ReliaQuest, SOCRadar) before blocking. ShinyHunters rotates infrastructure aggressively following public reporting.
Mitigation & Defense
The majority of ShinyHunters intrusions exploit human trust and authentication gaps rather than unpatched software vulnerabilities. Defensive posture should prioritize identity controls, helpdesk procedure hardening, and SaaS configuration auditing.
- Enforce MFA on all SaaS and cloud platform accounts: The Snowflake campaign succeeded almost entirely against accounts lacking MFA. Mandatory phishing-resistant MFA (FIDO2/passkeys preferred) should be enforced across Snowflake, Salesforce, Okta, and any SSO-integrated platform.
- Restrict OAuth connected app approvals: Limit which users can approve OAuth-connected applications in Salesforce, and require IT change management review for any new Data Loader or bulk export app authorization. Audit existing connected apps for unexpected access grants.
- Implement helpdesk identity verification procedures: Establish out-of-band identity verification for any helpdesk request involving SSO re-authentication, OAuth authorization, or credential reset. Any request from an unverified caller claiming to be IT support should always trigger an independent callback to a known number before action is taken.
- Harden BPO and vendor access controls: Third-party BPO employees with access to customer systems represent a consistent vector. Require BPO contractors to operate on managed, monitored endpoints. Apply least-privilege access; contractors accessing Zendesk or ticketing systems should not have lateral access to communication or analytics platforms.
- Audit Salesforce Experience Sites and CRM data exports: ShinyHunters has exploited misconfigured Salesforce Experience Sites to expose guest-accessible data. Review sharing settings, guest user permissions, and audit logs for bulk data export activity.
- Monitor for secrets in source code repositories: TruffleHog and similar tools were used against the Salesloft/Drift integration. Implement pre-commit and CI/CD pipeline scanning for embedded OAuth tokens, API keys, and credentials. Rotate any secrets that may have been exposed in repository history.
- Enroll in threat intelligence feeds covering BreachForums activity: ShinyHunters lists stolen data on dark web forums before or in parallel with extortion. Early warning via SOCRadar, Recorded Future, or similar services can shorten the window between exfiltration and organizational awareness.
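The "audit logs for bulk data export activity" and "audit existing connected apps" items above can be turned into a simple detection. The script below is an added example for this profile, not tooling from any vendor or from the group; it aggregates API export events per user, connected app and object, and flags sensitive CRM objects (the Account, Contact, Case, Opportunity and User objects exported in the Salesforce campaigns) pulled in bulk or by an app outside an approval list. The sample log, its column names and the approved-app names are constructed assumptions loosely modelled on Salesforce Event Monitoring API events, not a documented schema.

```python
import csv
import io
from collections import defaultdict

# Objects the Salesforce campaigns described in this profile exported at scale.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}
# Connected apps the org has reviewed through change management (assumed names).
APPROVED_APPS = {"Internal ETL", "Dataloader Partner"}
ROW_THRESHOLD = 50_000   # rows per (user, app, object) within the log window

# Constructed sample, loosely modelled on Salesforce Event Monitoring API events;
# the column names are assumptions, not a documented schema.
SAMPLE_LOG = """\
TIMESTAMP,USER_ID,CLIENT_NAME,ENTITY_NAME,ROWS_PROCESSED
20250810T010000,005A1,Internal ETL,Account,2000
20250810T020000,005B2,My Ticket Portal,Account,60000
20250810T020500,005B2,My Ticket Portal,Contact,120000
20250810T021000,005B2,My Ticket Portal,Case,90000
20250810T030000,005C3,Dataloader Partner,Opportunity,70000
20250810T040000,005D4,Reporting Widget,Lead,500
"""

def aggregate_rows(log_text):
    """Sum ROWS_PROCESSED per (user, connected app, object)."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["USER_ID"], row["CLIENT_NAME"], row["ENTITY_NAME"])
        totals[key] += int(row["ROWS_PROCESSED"])
    return totals

def find_suspicious_exports(log_text, approved=APPROVED_APPS, row_threshold=ROW_THRESHOLD):
    """Alert on sensitive-object exports that are bulk-sized, from an unapproved app, or both."""
    alerts = []
    for (user, app, obj), rows in sorted(aggregate_rows(log_text).items()):
        if obj not in SENSITIVE_OBJECTS:
            continue
        reasons = []
        if app not in approved:
            reasons.append("unapproved connected app")
        if rows >= row_threshold:
            reasons.append(f"bulk export ({rows} rows)")
        if reasons:
            alerts.append({"user": user, "app": app, "object": obj, "rows": rows,
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": reasons})
    return alerts

def mass_export_pairs(log_text, min_objects=3):
    """(user, app) pairs that walked across several sensitive objects: the shape of a
    Data Loader-style org-wide dump rather than a single report."""
    touched = defaultdict(set)
    for user, app, obj in aggregate_rows(log_text):
        if obj in SENSITIVE_OBJECTS:
            touched[(user, app)].add(obj)
    return sorted(pair for pair, objs in touched.items() if len(objs) >= min_objects)

if __name__ == "__main__":
    for a in find_suspicious_exports(SAMPLE_LOG):
        print(a["severity"].upper(), a["user"], a["app"], a["object"], "; ".join(a["reasons"]))
    print("mass-export pairs:", mass_export_pairs(SAMPLE_LOG))
```

An approved app exceeding the row threshold is still reported at medium severity, since a legitimately approved integration whose credentials were stolen (the Salesloft/Drift pattern) looks exactly like that in the logs.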
ShinyHunters has demonstrated that paying a ransom does not guarantee data deletion or prevent subsequent extortion. PowerSchool paid $2.85M in December 2024; by May 2025 individual school districts were receiving new extortion demands based on the same stolen data. Organizations should treat payment as a compliance or reputational decision rather than a security outcome.
Law Enforcement Actions
Several confirmed or attributed ShinyHunters members have been arrested and prosecuted, though enforcement actions have not materially disrupted group operations.
- Sébastien Raoult ("Sezyo Kaizen") — France: Arrested in Morocco in May 2022 while attempting to board a flight to Brussels; extradited to the United States in January 2023. Pleaded guilty to conspiracy to commit wire fraud and aggravated identity theft. Sentenced in January 2024 by the U.S. District Court in Seattle to three years in federal prison and ordered to pay $5M in restitution. Raoult was described by DOJ as a participant in ShinyHunters' operations for over two years, primarily building phishing infrastructure.
- Four unnamed members — France: French authorities arrested four individuals linked to the aliases "ShinyHunters," "Hollow," "Noct," and "Depressed" in June 2025 in a coordinated multi-region operation. Assessed by researchers as affiliates rather than core leadership; operations continued uninterrupted following the arrests.
- Connor "Judische" Moucka — Snowflake campaign: Arrested in 2024 in connection with the Snowflake credential campaign attributed to ShinyHunters-associated actors. Charged in the Western District of Washington. Proceedings ongoing as of early 2026.
Sources & Further Reading
Attribution and references used to build this profile.
- Google Threat Intelligence Group — Voice Phishing / UNC6040 Salesforce Campaign (June 2025)
- EclecticIQ — ShinyHunters Calling: Financially Motivated Data Extortion Group (2025)
- ReliaQuest — ShinyHunters Salesforce Campaign and Scattered Spider Collaboration (August 2025)
- Palo Alto Unit 42 — Bling Libra / ShinyHunters Extortion Pivot (2024)
- Resecurity — Trinity of Chaos: LAPSUS$, ShinyHunters, and Scattered Spider Alliance (2025)
- BleepingComputer — ShinyHunters Member Sentenced (January 2024)
- BleepingComputer — Crunchyroll Breach Investigation (March 2026)
- Wikipedia — ShinyHunters (aggregated incident log)
- SOCRadar — Dark Web Profile: ShinyHunters
- FortiGuard Labs — ShinyHunters Threat Actor Profile
- NoHacky — Crunchyroll Supply Chain Breach Briefing (March 2026)