ShinyHunters
ShinyHunters is a financially motivated criminal extortion group that emerged on dark web forums in May 2020, offering millions of stolen user records from more than a dozen companies in a single two-week burst. Believed to have formed as early as 2019, the group operates under a pay-or-leak model: breach an organization, issue a private ransom demand, and publish or auction the stolen data if payment is refused. That model, refined over six years, has made ShinyHunters one of the most prolific data theft operations on record, with attributed breaches spanning retail, finance, aviation, education, defense contracting, telecommunications, and sovereign government infrastructure.
The group operates under the leadership of a persona known as ShinyCorp, also referenced across Telegram channels as sp1d3rhunters and shinyc0rp. Its composition is fluid and contested. Researchers believe it shares overlapping membership with Scattered Spider — also tracked as 0ktapus, Muddled Libra, and Starfraud — and with LAPSUS$, forming a loose criminal supergroup sometimes designated Scattered Lapsus ShinyHunters (SLSH). All three groups share roots in a youth cybercrime subculture known as The Com and employ identical social engineering methodology. Ties to GnosticPlayers, an earlier hacking group credited with leaking over a billion user records, have also been noted. Multiple arrests across Canada, France, Turkey, and Finland have failed to disrupt operations. Researchers have raised the possibility that the ShinyHunters name is now used by successor actors to confuse attribution.
The only publicly confirmed arrest of a member with verified group affiliation is Sébastien Raoult, a French programmer detained in Morocco in May 2022 and extradited to the United States. Raoult was sentenced in January 2024 to three years in prison and ordered to return five million dollars. The US Attorney for the Western District of Washington noted that Raoult had worked for the group for over two years but was not a central figure in its operations.
Tradecraft
ShinyHunters does not rely on novel exploits. Its attack surface is the SaaS layer — misconfigured cloud environments, overly permissive OAuth tokens, exposed Salesforce Experience Cloud guest profiles, and enterprise Google Workspace deployments where employees can connect third-party applications without administrator approval. When no configuration gap is available, the group uses voice phishing: members impersonate IT staff over the phone, direct employees to credential-harvesting sites disguised as corporate portals, and capture SSO credentials and MFA codes in real time, then register a device of their own for multi-factor authentication. This vishing methodology, documented in a January 2026 Mandiant analysis, was confirmed in the group’s breach of ADT and in repeated incursions against Salesforce-connected enterprise environments. Ransom demands, ranging from $400,000 to $2.3 million, are typically issued weeks after exfiltration. Companies that have paid have in some cases later found their data leaked regardless.
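To make the two weaknesses described in this section concrete from the defender's side, the following Python script is an added example; it is not code from this page, from ShinyHunters, or from any vendor named here. It audits a constructed export of third-party OAuth grants for unapproved applications and broad scopes (the Workspace and OAuth configuration gap), and scans constructed identity-provider audit events for the vishing pattern described above: a successful login from a previously unseen IP address followed shortly by enrolment of a new MFA device. Every field name, application name, scope string, user and IP address is an assumption constructed for the example, not any product's real schema.

```python
"""Defender-side checks for SaaS OAuth sprawl and vishing-style MFA enrolment.

All records below are constructed samples; field names are assumptions and
do not correspond to any vendor's export format.
"""
from datetime import datetime, timedelta

# --- Constructed sample: third-party OAuth grants exported from a tenant ---
OAUTH_GRANTS = [
    {"app": "corp-hr-sync", "user": "alice@example.test",
     "scopes": ["profile.read"]},
    {"app": "free-pdf-merge", "user": "bob@example.test",
     "scopes": ["files.readwrite", "mail.readwrite"]},
    {"app": "corp-hr-sync", "user": "carol@example.test",
     "scopes": ["directory.admin"]},
]

# Apps the administrator has actually reviewed (assumed allow-list).
APPROVED_APPS = {"corp-hr-sync"}
# Scopes broad enough to expose bulk mail, files or the directory.
BROAD_SCOPES = {"mail.readwrite", "files.readwrite", "directory.admin"}


def audit_oauth_grants(grants, approved_apps=APPROVED_APPS,
                       broad_scopes=BROAD_SCOPES):
    """Return (user, app, reasons) for grants to unapproved apps or with
    broad scopes. A grant can carry both reasons."""
    findings = []
    for grant in grants:
        reasons = []
        if grant["app"] not in approved_apps:
            reasons.append("unapproved-app")
        broad = sorted(set(grant["scopes"]) & broad_scopes)
        if broad:
            reasons.append("broad-scopes:" + ",".join(broad))
        if reasons:
            findings.append((grant["user"], grant["app"], reasons))
    return findings


# --- Constructed sample: identity-provider audit events (UTC) ---
IDP_EVENTS = [
    {"ts": "2026-04-02T09:14:00", "user": "dave@example.test",
     "event": "login.success", "ip": "203.0.113.5"},
    {"ts": "2026-04-02T09:17:30", "user": "dave@example.test",
     "event": "mfa.device.enroll", "ip": "203.0.113.5"},
    {"ts": "2026-04-02T10:00:00", "user": "erin@example.test",
     "event": "login.success", "ip": "198.51.100.7"},
    {"ts": "2026-04-02T10:05:00", "user": "erin@example.test",
     "event": "mfa.device.enroll", "ip": "198.51.100.7"},
    {"ts": "2026-04-02T11:00:00", "user": "frank@example.test",
     "event": "login.success", "ip": "203.0.113.9"},
    {"ts": "2026-04-02T13:30:00", "user": "frank@example.test",
     "event": "mfa.device.enroll", "ip": "203.0.113.9"},
]

# Baseline of IPs each user has previously authenticated from (assumed).
KNOWN_IPS = {
    "dave@example.test": {"198.51.100.20"},
    "erin@example.test": {"198.51.100.7"},
    "frank@example.test": {"198.51.100.21"},
}


def detect_enroll_after_new_login(events, known_ips,
                                  window=timedelta(minutes=30)):
    """Flag (user, ip, enrol_ts) when an MFA device enrolment follows a
    successful login from an IP not in the user's baseline within `window`.

    Erin logs in from a known IP, so her enrolment is routine; Frank's
    enrolment comes hours after his new-IP login and falls outside the
    window. Only Dave matches the login-then-enrol-minutes-later pattern.
    """
    new_ip_login = {}  # user -> datetime of latest login from an unseen IP
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["event"] == "login.success":
            if ev["ip"] not in known_ips.get(user, set()):
                new_ip_login[user] = ts
        elif ev["event"] == "mfa.device.enroll":
            start = new_ip_login.get(user)
            if start is not None and timedelta(0) <= ts - start <= window:
                alerts.append((user, ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for finding in audit_oauth_grants(OAUTH_GRANTS):
        print("OAUTH", finding)
    for alert in detect_enroll_after_new_login(IDP_EVENTS, KNOWN_IPS):
        print("MFA-ENROL-AFTER-NEW-IP-LOGIN", alert)
```

In practice the grant list comes from the tenant's connected-apps export and the events from the identity provider's audit log; the allow-list, the scope set, the per-user IP baseline and the 30-minute window are the tunable parts, and the baseline can be replaced by any "new device or location" signal the IdP already emits.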
Breach Record
The group’s confirmed and attributed operations span hundreds of organizations. Among the most significant:
Tokopedia (2020): 91 million user records stolen from the Indonesian e-commerce platform and sold on dark web markets, establishing ShinyHunters’ opening reputation.
Microsoft GitHub (2020): private source code repositories accessed, with select material offered for sale.
Wattpad (2020): 270 million accounts.
Neiman Marcus (2021): 4.6 million customer records including partial payment data.
AT&T (2024): approximately 110 million customer records, including call and text metadata, stolen via a third-party cloud data platform.
Snowflake (2024): a campaign targeting organizations whose Snowflake environments lacked multi-factor authentication yielded breaches at Ticketmaster, Santander Bank, and others.
In 2025 the operational pace accelerated. Qantas confirmed in July 2025 that a ShinyHunters-attributed breach exposed data on approximately 5.7 million customers, including frequent-flyer records and travel details; Qantas executives took voluntary pay cuts in recognition of the incident’s scale. Harvard University systems were compromised in November 2025. SoundCloud was breached in December 2025, with data from roughly 29.8 million accounts — approximately 20 percent of its user base — exposed after extortion attempts failed.
The 2026 campaign has been the most aggressive on record. In January, combined extortion actions targeted Grubhub and Panera Bread, the latter involving approximately 5 million individuals. In February, Wynn Resorts (800,000 customer and employee records), Figure Technology Solutions (approximately 1 million records), and the Dutch telecommunications operator Odido (21 million records across 6 million individuals) were all hit. Coinbase was breached in early 2026 via a contractor who improperly accessed internal support tools; ShinyHunters demanded a $20 million ransom. Coinbase refused and posted a $20 million reward for information leading to arrests. In March, Telus and Telus Digital were claimed as targets in a $65 million ransom demand backed by an alleged theft of over one petabyte of data, including call records, FBI background check information, financial data, Salesforce data, and source code. Also in March, ShinyHunters breached the European Commission, exfiltrating over 350 gigabytes of data encompassing personally identifiable information, email communications, sensitive documents, and data belonging to at least 42 internal clients and 29 EU entities. In April, ADT lost the personal information of 5.5 million individuals via a vishing-enabled Okta compromise, and Rockstar Games confirmed a breach through a third-party analytics service, with internal GTA Online and Red Dead Online performance data subsequently published after a ransom deadline expired.
Canvas — May 2026
On May 1, 2026, ShinyHunters claimed responsibility for exfiltrating 3.65 terabytes of data from Instructure’s Canvas learning management system, used daily by students and educators at educational institutions worldwide. The group listed approximately 9,000 affected institutions and claimed the breach reached as many as 275 million individuals — students, teachers, and institutional staff. On May 7, a second takeover event placed a ransom message directly on Canvas pages visible to logged-in users across thousands of campuses, with a deadline of May 12 to negotiate a settlement or face total data release. ShinyHunters warned that the stolen dataset includes billions of private messages exchanged on the platform — communications routinely used to disclose medical conditions, request academic accommodations, and contact Title IX advocates. Instructure confirmed that names, email addresses, student ID numbers, and platform messages were involved, while stating passwords, financial information, and government identifiers were not compromised. This was Instructure’s second confirmed breach by ShinyHunters in under eight months; the first, in September 2025, had been enabled by a social engineering attack on the company’s Salesforce environment. The University of Illinois postponed final examinations for the weekend. Dozens of other institutions, including members of the University of California system, Harvard, MIT, Oxford, and Duke, issued advisories.
Assessment
ShinyHunters demonstrates that perimeter-focused security models are operationally obsolete against a threat actor that enters through trusted SaaS integrations and human social engineering rather than network intrusion. The group’s consistent targeting of Salesforce environments, OAuth misconfigurations, and cloud data platforms reflects a deliberate strategy built around the vulnerabilities endemic to enterprise SaaS adoption. Its ability to reconstitute operations after multiple arrests, and to strike the same target twice within eight months, suggests a resilient cell structure and an attacker pool that law enforcement has not yet mapped in full. The Canvas breach, executed at peak academic stress during the end of spring semester, is consistent with the group’s documented practice of timing extortion for maximum institutional pressure. Whether the group has a functional ceiling — a ransom large enough, or a target sensitive enough, to invite a decisive law enforcement response — remains unanswered.