ShinyHunters is a prolific data extortion group specializing in cloud-native attacks against SaaS platforms and cloud infrastructure. The group gained access to 160+ Snowflake customer environments in 2024, exfiltrating over 560 million records from Ticketmaster alone. They maintain formal alliances with Scattered Spider and LAPSUS$.
| Attribute | Detail |
|---|---|
| Names | ShinyHunters / UNC5537 / ShinyCorp |
| Attribution | Cloud-Native Data Extortion Group |
| Active Since | 2020 |
| Primary Focus | 560M+ records stolen. 160+ Snowflake victims. Formal alliance with Scattered Spider and LAPSUS$. |
Attribution
ShinyHunters (also tracked as UNC5537 and ShinyCorp) is classified as a cloud-native data extortion group and has been active since at least 2020. The group accounts for 560M+ stolen records and 160+ Snowflake victims, and has a formal alliance with Scattered Spider and LAPSUS$.
Notable Campaigns
- Snowflake customer campaign — 160+ victims (2024)
- Ticketmaster — 560M+ customer records
- AT&T — call detail records for ~110M customers
- Tokopedia — 91M user records
- Microsoft private GitHub repositories
- Mashable, Bonobos, Pixlr data breaches
- Wattpad — 271M records
MITRE ATT&CK Mapping
| Technique ID | Technique | Confidence |
|---|---|---|
| T1078 | Valid Accounts | High |
| T1530 | Data from Cloud Storage Object | High |
| T1567 | Exfiltration Over Web Service | High |
| T1657 | Financial Theft | High |
| T1213 | Data from Information Repositories | High |
Detection & Defense
Monitor for the TTPs listed above using your SIEM and EDR platforms. Prioritize patching of internet-facing applications and enforce MFA on all remote access. Mjolnir Security provides continuous threat hunting and monitoring for ShinyHunters activity patterns.
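One way to turn the guidance above into a hunt, as an added example (not Mjolnir Security's code): correlate a login without MFA or from an unseen IP (T1078) with a bulk export from the same user and IP shortly afterwards (T1530/T1567). The event fields, the one-hour window and the 1 GB threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are assumptions, not any vendor's log schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "login", "user": "alice", "ip": "198.51.100.10", "mfa": True},
    {"ts": "2024-05-01T09:05:00", "type": "export", "user": "alice", "ip": "198.51.100.10", "bytes": 2_000_000},
    {"ts": "2024-05-02T03:10:00", "type": "login", "user": "svc_etl", "ip": "203.0.113.77", "mfa": False},
    {"ts": "2024-05-02T03:25:00", "type": "export", "user": "svc_etl", "ip": "203.0.113.77", "bytes": 9_500_000_000},
    {"ts": "2024-05-02T10:00:00", "type": "login", "user": "bob", "ip": "198.51.100.20", "mfa": False},
    {"ts": "2024-05-02T10:30:00", "type": "export", "user": "bob", "ip": "198.51.100.20", "bytes": 5_000_000},
]
# Constructed baseline of source IPs previously seen per account.
KNOWN_IPS = {"alice": {"198.51.100.10"}, "svc_etl": {"192.0.2.5"}, "bob": {"198.51.100.20"}}


def hunt(events, known_ips, window=timedelta(hours=1), byte_threshold=1_000_000_000):
    """Flag a risky login (T1078) followed by a bulk export (T1530/T1567)."""
    findings = []
    risky = {}  # user -> (login time, source IP, reasons the login was risky)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            reasons = []
            if not ev["mfa"]:
                reasons.append("no_mfa")
            if ev["ip"] not in known_ips.get(ev["user"], set()):
                reasons.append("new_ip")
            if reasons:
                risky[ev["user"]] = (ts, ev["ip"], reasons)
            else:
                risky.pop(ev["user"], None)  # a clean login clears the earlier flag
        elif ev["type"] == "export" and ev["user"] in risky:
            login_ts, ip, reasons = risky[ev["user"]]
            same_session = ev["ip"] == ip and ts - login_ts <= window
            if same_session and ev["bytes"] >= byte_threshold:
                findings.append({"user": ev["user"], "ip": ip,
                                 "reasons": reasons, "bytes": ev["bytes"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS, KNOWN_IPS):
        print(finding)
```

The `bob` events show why the volume threshold matters: a login without MFA followed by a small export is not reported here, so accounts lacking MFA should be tracked separately as a hardening gap.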