Between January 26 and April 16, 2026, Mjolnir Threat Analytics Center (MTAC) proprietary sensor telemetry recorded 650 discrete events attributable to the ShinyHunters data extortion ecosystem. This campaign encompassed active extortion servers hosting stolen databases, a sprawling phishing infrastructure of credential-harvesting domains, 429 0ktapus adversary-in-the-middle (AitM) MFA-bypass events, and at least 9 named corporate victims whose data appeared on pay-or-leak extortion portals. This report provides a comprehensive deep dive into ShinyHunters' evolution from a data broker collective into a full-spectrum extortion empire, mapping the group's infrastructure, tactics, tooling, and connections to Scattered Spider and Lapsus$.
This advisory is classified TLP:GREEN. Recipients may share this advisory freely within their organization and with peer organizations within the cybersecurity community. No restrictions on distribution.
- Salesforce Aura Campaign: ShinyHunters has automated exploitation of misconfigured Salesforce Experience Cloud sites. They claim to have breached over 400 organizations using a modified “AuraInspector” tool targeting /s/sfsites/aura endpoints.
- European Commission Intrusion: In late March/early April 2026, the group exfiltrated 350 GB of data from the European Commission’s AWS infrastructure, including military funding documents and DKIM signature keys.
- SLH Triad Formation: Technical evidence confirms a “federated alliance” between Scattered Spider, Lapsus$, and ShinyHunters — operating as a unified extortion engine with specialized roles.
- Victim count revised to 12 with the addition of European Commission, Rockstar Games, and LastPass/AMD (Salesforce Aura campaign).
Campaign Statistics
The following statistics summarize MTAC sensor telemetry from the ShinyHunters campaign observation window (January 26 – April 16, 2026).
Event Category Breakdown
| Category | Events | Percentage | Description |
|---|---|---|---|
| 0ktapus Kit | 429 | 66.0% | Real-time AitM MFA interception & credential harvesting via 0ktapus phishing kit |
| SSO Phishing Domains | 118 | 18.2% | Credential harvesting domains spoofing SSO login portals |
| Extortion Server (pay_or_leak) | 44 | 6.8% | Active extortion portals hosting stolen databases with victim-taunting filenames |
| Recruitment Scam Domains | 32 | 4.9% | Fake career/recruitment sites used for social engineering initial access |
| Lapsus$ Infrastructure | 16 | 2.5% | Active Lapsus$-branded domains with operational overlap |
| C2 / Misc | 11 | 1.7% | Command-and-control endpoints and uncategorized infrastructure |
Monthly Event Breakdown
| Month | Events | Context |
|---|---|---|
| January 2026 | 22 | Initial sensor detections |
| February 2026 | 397 | Spike coinciding with Wynn Resorts breach (800K records) and Brian Krebs article “Please Don’t Feed the Scattered Lapsus ShinyHunters” |
| March 2026 | 175 | Continued activity |
| April 2026 | 56 | Salesforce Aura campaign begins |
Who Are ShinyHunters?
ShinyHunters — named after the Pokemon practice of hunting for rare "shiny" variants — emerged in 2020 as a loosely organized collective of data brokers specializing in breaching cloud databases and selling stolen records on dark web forums. Over five years, the group has undergone a dramatic evolution from opportunistic data theft into a full-spectrum extortion empire that combines SSO phishing, AitM MFA bypass, cloud exploitation, and direct victim extortion.
Evolution Timeline
| Period | Phase | Key Events |
|---|---|---|
| 2020 | Data Broker Origins | Tokopedia (91M records), Wattpad (270M records) — data sold on RaidForums and dark web marketplaces |
| 2021–2023 | Cloud Exploitation | Targeted misconfigured cloud storage, exposed Git repos, and API keys. Expanded to dozens of victims across tech, retail, and healthcare |
| 2024 | Snowflake Campaign | Breached AT&T (110M customer records), Ticketmaster (560M records), and 160+ other Snowflake tenants using stolen credentials. Shifted from data sales to direct extortion |
| 2025 | Extortion Escalation | Grubhub data breach, Wynn Resorts, Telus ($65M ransom demand), Zara, Carnival Cruise, 7-Eleven. Increasingly aggressive extortion with public shaming |
| 2026 | Full-Spectrum Operations | 650 events observed via MTAC. 0ktapus kit deployment, 9 named extortion victims, dedicated pay_or_leak infrastructure, Lapsus$ crossover |
Operator Profiles and Arrests
In January 2024, French national Sebastien Raoult (alias "Sezyo Kaizen") was sentenced to 3 years in US federal prison and ordered to pay $5 million in restitution for his role in ShinyHunters operations. Raoult was extradited from Morocco to the United States after being identified through operational security failures in ShinyHunters' early campaigns. His arrest demonstrated that Western law enforcement can reach into the group's operational structure — but did nothing to slow the collective's activities, which accelerated through 2024 and into 2026.
The group maintains significant personnel overlap with both Scattered Spider (UNC3944) and Lapsus$. As cybercrime researcher Brian Krebs has documented, these groups share operators, tooling, and targeting patterns. The convergence is not coincidental — it represents a new model of cybercriminal organization where fluid, loosely affiliated operators move between branded operations based on opportunity and capability. Our earlier analysis in Convergence of Chaos explored this interconnected ecosystem in detail.
For a detailed technical profile of ShinyHunters including TTPs, known aliases, and attribution confidence levels, see our ShinyHunters APT Profile page. For the earlier campaign analysis, see ShinyHunters: Anatomy of a Cloud-Native Extortion Empire.
The “Scattered Lapsus Hunters” (SLH) Merger
The 2026 threat landscape is dominated by what MTAC has designated the SLH Triad. This is not a loose collaboration but a federated alliance of three specialized operations, each contributing distinct expertise to a unified extortion engine:
| Group | Specialization | Role in SLH |
|---|---|---|
| Scattered Spider | Social Engineering | Vishing (voice phishing) and help-desk social engineering expertise. Gen-Z operators with high-fidelity social engineering scripts. |
| Lapsus$ | Lateral Movement | Rapid internal lateral movement and “brand destruction” via Slack/Teams channel infiltration to suppress incident response. |
| ShinyHunters | Data Exfiltration | Industrial-scale data exfiltration and darknet “Pay or Leak” extortion infrastructure. |
The “Identity-First” Attack Chain
The SLH Triad has abandoned traditional malware. MTAC assesses that 90% of observed intrusions follow this identity-based path:
- Reconnaissance: Scraping LinkedIn for IT Help Desk names and employee lists
- Vishing: A Scattered Spider operator calls an employee, claiming to be from IT, using a social engineering script to “verify” MFA settings
- AitM Phishing: The victim is sent to a branded 0ktapus 2.0 site (e.g., company-okta[.]com) that intercepts the MFA token in real time
- Device Enrollment: The attacker registers a Genymobile-emulated Android device (often named “Passkey”) as a new MFA factor to ensure persistence
The SLH Triad does not need malware. They need your identity. Once they have a valid SSO session with a persistent MFA device enrolled, they are indistinguishable from a legitimate employee to every system in your environment.
The Extortion Machine: pay_or_leak
MTAC sensors recorded 44 events associated with two dedicated extortion servers hosting stolen databases with a distinctive taunting filename convention. The infrastructure is deliberately minimalist — no Tor hidden services, no elaborate leak sites. Instead, the operators use direct-access servers with victim-specific filenames designed to maximize psychological pressure on targets.
Extortion Infrastructure
- 37.72.140[.]17 — Primary extortion server (37 events)
- 91.215.85[.]22 — Secondary extortion server (7 events)
Files are hosted with a deliberate naming convention: [victim]_pay_or_leak_[date].7z or [victim]_[MM]_[YYYY].sql.7z. This is not mere file organization — it is a psychological tactic. The filenames are designed to be discovered by security researchers, indexed by threat intelligence platforms, and ultimately communicated back to the victim, amplifying pressure to pay.
Named Extortion Victims
| # | Victim | Sector | Description | Server |
|---|---|---|---|---|
| 1 | Odido | Telecom (Netherlands) | Major Dutch telecommunications provider (formerly T-Mobile Netherlands) | 37.72.140[.]17 |
| 2 | Kemper Corporation | Insurance ($5B) | $5 billion US property & casualty insurance conglomerate | 37.72.140[.]17 |
| 3 | McGraw-Hill | Education / Publishing | Major educational publishing and assessment company | 37.72.140[.]17 |
| 4 | Canada Goose | Luxury Retail | Canadian luxury outerwear manufacturer ($CAD 1.2B revenue) | 37.72.140[.]17 |
| 5 | CarMax | Automotive Retail | Largest used-car retailer in the United States | 37.72.140[.]17 |
| 6 | Harvard University | Higher Education | Ivy League university with $50B+ endowment | 91.215.85[.]22 |
| 7 | Panera Bread | Restaurant / QSR | US fast-casual restaurant chain with 2,100+ locations | 91.215.85[.]22 |
| 8 | Bumble | Technology / Dating | Dating and social networking platform ($700M+ revenue) | 91.215.85[.]22 |
| 9 | Beacon Pointe Advisors | Financial Services | Wealth management firm with $30B+ AUM | 91.215.85[.]22 |
| 10 | European Commission | Government (EU) | 350 GB exfiltrated from AWS infrastructure incl. military funding documents and DKIM keys | 37.72.140[.]17 |
| 11 | Rockstar Games | Entertainment / Gaming | Financial data and marketing timelines (post-Anodot breach vector) | 91.215.85[.]22 |
| 12 | LastPass / AMD | Technology | Corporate contact lists and CRM records exfiltrated via Salesforce Aura campaign | 91.215.85[.]22 |
The Salesforce “Aura” Automation
In a significant escalation of capability, ShinyHunters has repurposed the AuraInspector tool to automate exploitation of misconfigured Salesforce Experience Cloud sites. The tool scans for /s/sfsites/aura endpoints and exploits guest user profile misconfigurations to exfiltrate CRM data at scale. Even after Salesforce patched the sortBy bypass that allowed bulk data export, the group claims to have developed a “configuration-agnostic” method to query guest user profiles, bypassing the 2,000-record limit entirely. MTAC assesses that over 400 organizations may have been affected.
MTAC also observed an unidentified database file bf_03_2026.sql.7z hosted on the primary extortion server. The “bf” prefix does not match any of the 12 named victims. This may represent an additional undisclosed victim.
The Phishing Arsenal
ShinyHunters operates an extensive network of SSO credential-harvesting domains designed to impersonate enterprise login portals. These domains are registered with high visual fidelity to legitimate SSO pages and are typically deployed for 72-96 hours before rotation. MTAC identified the following active phishing domains during the observation window.
SSO Credential Harvesting Domains
| Target | Phishing Domain | Type | Status |
|---|---|---|---|
| HubSpot | dev.hubspot-sso[.]com | SSO Clone | Active |
| Rogers Communications | rogers-rci[.]com | Employee SSO | Active |
| Telus | telus-sso[.]com | Employee SSO | Active |
| Sutherland Global | sutheriandgiobal[.]com | Typosquat SSO | Active |
| UK Government (HMRC) | login-hmgov[.]com | Gov Portal Clone | Intermittent |
| Wells Fargo | quicklogin-w3lls[.]top | Banking Portal | Active |
| Microsoft | updatemssoft[.]com | M365 Login | Active |
| Okta | hunters-okta[.]com | Okta SSO Clone | Active |
| Coinbase | managerewards-cbexchange[.]com | Exchange Portal | Intermittent |
| FortiCloud | staging.contact.login.forticloud[.]online | Admin Portal | Active |
| Yahoo | login-myyahoo[.]com | Webmail Clone | Intermittent |
Additionally, MTAC identified an Okta phishing campaign targeting Goldin Auctions, a high-value collectibles auction house. The campaign used a cloned Okta SSO page to harvest credentials from Goldin employees and consignors, likely targeting access to auction management systems and high-net-worth customer data.
The 0ktapus Kit
The 0ktapus phishing kit is the single most significant tool in ShinyHunters' arsenal, accounting for 429 of 650 events (66%) observed during the campaign window. Unlike traditional credential phishing, 0ktapus operates as a real-time adversary-in-the-middle (AitM) proxy that intercepts both credentials and MFA tokens simultaneously, rendering time-based one-time passwords (TOTP) and push notification MFA completely ineffective.
How 0ktapus Defeats MFA
The kit sits between the victim and the legitimate authentication server, transparently proxying the login flow. When the victim enters their username, password, and MFA token, the kit captures all three values and replays them to the real server in real time. The authenticated session cookie is then intercepted and passed back to the attacker, who gains full access to the victim's account. The entire process takes under 2 seconds and is invisible to the victim.
The 0ktapus kit defeats all forms of TOTP and push-notification MFA. Only FIDO2/WebAuthn hardware keys are resistant to this attack because they cryptographically bind the authentication response to the legitimate server’s origin, making proxy-based interception impossible. As an immediate stop-gap, transition from “Push” to “Number Matching” — but this does not fully defeat AitM interception.
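The origin binding that makes FIDO2/WebAuthn resistant to a relaying proxy, shown as an added illustration rather than code from this advisory: the relying-party checks on the clientDataJSON origin, the rpIdHash and the challenge that an assertion captured on a lookalike host cannot pass. The host names, field layout and challenge value are constructed; the signature verification (over authenticatorData || SHA-256(clientDataJSON), which is what makes these fields tamper-evident) is omitted.

```python
import base64
import hashlib
import json

# Constructed values (not from the advisory): the legitimate SSO host acting as
# WebAuthn relying party, and the only browser origins it accepts assertions from.
RP_ID = "sso.example.com"
ALLOWED_ORIGINS = {"https://sso.example.com"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    # The browser serialises clientDataJSON itself and fills in "origin" from the
    # page that called navigator.credentials.get(); script on that page cannot
    # override it, and the authenticator signs over SHA-256(clientDataJSON).
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload).encode()


def make_authenticator_data(rp_id: str, user_present: bool = True, sign_count: int = 1) -> bytes:
    # Authenticator data layout: rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian).
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def verify_binding(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes) -> tuple[bool, str]:
    """Binding checks a relying party performs before verifying the signature."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # This is the check a relaying phishing site fails: the browser recorded the
        # origin the user actually typed into, not the relying party's origin.
        return False, f"origin {origin!r} is not an allowed RP origin"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party ID"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def demo() -> dict:
    """Legitimate login versus an assertion relayed through a lookalike host."""
    challenge = hashlib.sha256(b"constructed-session-nonce").digest()
    auth_data = make_authenticator_data(RP_ID)
    legit = make_client_data("https://sso.example.com", challenge)
    # Lookalike host in the style the advisory describes (company-okta[.]com); constructed.
    phished = make_client_data("https://company-okta.com", challenge)
    return {
        "legitimate": verify_binding(legit, auth_data, challenge),
        "relayed_via_lookalike": verify_binding(phished, auth_data, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In practice the browser already refuses to run the ceremony when the page's origin is not within the RP ID, so the proxy never obtains an assertion; the server-side check above is the backstop if a client is ever coerced into producing one.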
0ktapus 2.0 Forensic Markers
MTAC has identified specific forensic artifacts left by the 0ktapus 2.0 kit during the MFA bypass phase that defenders should hunt for immediately:
| Indicator | What to Look For | Significance |
|---|---|---|
| User-Agent | com.okta.android.auth appearing within seconds of a login from a non-standard ASN (Mullvad, generic datacenter) | Genymobile Android emulator used for persistent MFA device enrollment |
| Device Name | New MFA enrollments with device name Passkey on the Genymobile platform | Default naming convention used by attackers when enrolling rogue MFA factor |
| Slack Behaviour | Account immediately leaves “Security” or “Incident Response” Slack channels upon takeover | Suppresses internal alerting — attacker removes themselves from channels that would detect the compromise |
| Session Anomaly | SSO session originating from one IP, then MFA device enrollment from a different IP/ASN within 60 seconds | AitM proxy relays the session; device enrollment happens from attacker infrastructure |
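The four markers in the table, turned into hunt logic over identity and Slack events. This is an added example, not MTAC's or Okta's code: the event records and field names are a constructed, simplified stand-in for Okta System Log and Slack audit entries, and the 15-minute Slack window is an assumption for "immediately".

```python
from datetime import datetime, timedelta

# Constructed, Okta-System-Log-style events (not real telemetry from the advisory).
# Field names are a simplified assumption, not Okta's exact schema; map your own
# log fields onto them. j.doe is the takeover case, a.smith is a benign enrollment.
EVENTS = [
    {"ts": "2026-02-10T09:00:00Z", "user": "j.doe", "type": "user.session.start",
     "ip": "203.0.113.10", "asn": "AS64500 ExampleCorp-Office",
     "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/122"},
    {"ts": "2026-02-10T09:00:21Z", "user": "j.doe", "type": "user.mfa.factor.activate",
     "ip": "198.51.100.7", "asn": "AS64501 Mullvad VPN", "ua": "com.okta.android.auth/7.1",
     "factor_name": "Passkey", "platform": "Genymobile Android 11"},
    {"ts": "2026-02-10T09:03:00Z", "user": "j.doe", "type": "slack.channel_leave",
     "ip": "198.51.100.7", "asn": "AS64501 Mullvad VPN", "ua": "Slack/4.36",
     "channel": "#security-incident-response"},
    {"ts": "2026-02-10T10:15:00Z", "user": "a.smith", "type": "user.session.start",
     "ip": "203.0.113.55", "asn": "AS64500 ExampleCorp-Office",
     "ua": "Mozilla/5.0 (Macintosh) Safari/17"},
    {"ts": "2026-02-10T10:40:00Z", "user": "a.smith", "type": "user.mfa.factor.activate",
     "ip": "203.0.113.55", "asn": "AS64500 ExampleCorp-Office", "ua": "com.okta.android.auth/7.1",
     "factor_name": "Pixel 8", "platform": "Android 14"},
]

# Tunables taken from the marker table: a 60-second login-to-enrollment window and
# ASNs that are VPN exits or generic datacenters rather than corporate/residential.
ENROLL_WINDOW = timedelta(seconds=60)
SLACK_WINDOW = timedelta(minutes=15)  # assumption for "immediately" after takeover
SUSPICIOUS_ASN_WORDS = ("mullvad", "datacenter", "hosting", "vpn")
SENSITIVE_CHANNEL_WORDS = ("security", "incident", "ir-")
OKTA_ANDROID_UA = "com.okta.android.auth"


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, user, timestamp) findings for the four 0ktapus 2.0 markers."""
    findings = []
    last_login: dict[str, dict] = {}
    for e in sorted(events, key=lambda ev: parse_ts(ev["ts"])):
        user, now = e["user"], parse_ts(e["ts"])
        if e["type"] == "user.session.start":
            last_login[user] = e
            continue
        login = last_login.get(user)
        since_login = now - parse_ts(login["ts"]) if login else None
        if e["type"] == "user.mfa.factor.activate":
            asn = e.get("asn", "").lower()
            # Marker 1: Okta Android app UA from a VPN/datacenter ASN seconds after login.
            if (e.get("ua", "").startswith(OKTA_ANDROID_UA)
                    and any(w in asn for w in SUSPICIOUS_ASN_WORDS)
                    and since_login is not None and since_login <= ENROLL_WINDOW):
                findings.append(("okta-android-ua-from-suspicious-asn", user, e["ts"]))
            # Marker 2: rogue factor named "Passkey" on a Genymobile emulator.
            if (e.get("factor_name", "").lower() == "passkey"
                    and "genymobile" in e.get("platform", "").lower()):
                findings.append(("passkey-enrolled-on-genymobile", user, e["ts"]))
            # Marker 4: session from one IP/ASN, enrollment from another within 60 s.
            if (login and since_login <= ENROLL_WINDOW
                    and (e["ip"] != login["ip"] or e["asn"] != login["asn"])):
                findings.append(("enrollment-ip-differs-from-login", user, e["ts"]))
        elif e["type"] == "slack.channel_leave":
            # Marker 3: account leaves a security/IR channel right after the login.
            channel = e.get("channel", "").lower()
            if (any(w in channel for w in SENSITIVE_CHANNEL_WORDS)
                    and since_login is not None and since_login <= SLACK_WINDOW):
                findings.append(("left-security-channel-after-login", user, e["ts"]))
    return findings


if __name__ == "__main__":
    for rule, user, ts in hunt(EVENTS):
        print(f"{ts} {user}: {rule}")
```

Any single marker is a lead; two or more for the same user inside one window is the pattern worth paging on.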
Recruitment Scam Domains
ShinyHunters also operates a network of fake recruitment and career domains used for social engineering initial access. These domains lure victims with fake job offers, directing them to credential-harvesting pages or malware downloads.
Canadian Targeting — Supply Chain Escalation
MTAC observed a notable concentration of activity targeting Canadian telecommunications and retail companies. The campaign against Canada has shifted from simple data theft to supply chain extortion — the breach of Telus and Rogers appears linked to the compromise of Anodot, a third-party analytics provider. ShinyHunters stole Anodot service account tokens to silently export PII without triggering standard login alerts.
MTAC assesses that the high density of high-net-worth individuals in Canadian telecommunications customer bases makes these targets ideal for secondary “VIP” extortion and SIM-swapping operations. The Anodot compromise provided a trusted third-party access path that bypassed direct security controls.
Rogers Communications
The domain rogers-rci[.]com impersonates Rogers Communications Inc. (RCI), Canada's largest wireless provider. The domain is designed to harvest employee SSO credentials for internal Rogers systems. Rogers was also targeted in the broader Scattered Spider campaigns of 2023-2024.
Telus Corporation
The domain telus-sso[.]com targets Telus, Canada's second-largest telecom. ShinyHunters previously demanded $65 million CAD from Telus after breaching employee and customer data in 2023. The continued presence of Telus-targeting infrastructure in 2026 suggests either ongoing access or renewed targeting of the company.
Canada Goose
Canadian luxury outerwear manufacturer Canada Goose appeared on the primary extortion server (37.72.140[.]17), indicating that ShinyHunters obtained and staged data for extortion from this high-profile Canadian brand.
Lapsus$ Infrastructure
MTAC sensors detected 16 events associated with active Lapsus$-branded domains that share operational infrastructure with the ShinyHunters ecosystem. While Lapsus$ was widely believed to have been disrupted by arrests in 2022-2023, the presence of active infrastructure suggests that the brand and tooling remain in operational use within the broader data extortion ecosystem.
- lapsus[.]cz
- lapsus[.]by
- lapsus[.]sh
- sf.lapsus[.]sh
The infrastructure overlap between Lapsus$ and ShinyHunters domains — including shared hosting providers, registration patterns, and SSL certificate configurations — confirms the operational convergence documented in our Convergence of Chaos analysis. These are not separate groups maintaining independent operations; they are overlapping operators sharing a common infrastructure ecosystem. For a full Lapsus$ profile, see our Lapsus$ threat profile.
MITRE ATT&CK Mapping
| Technique ID | Name | Tactic | Relevance |
|---|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Initial Access | Targeted phishing emails delivering credential harvesting links to specific employees |
| T1566.003 | Phishing: Spearphishing via Service | Initial Access | Recruitment scam domains (ytcareersteam[.]com, gteamrecruiters[.]com) for social engineering |
| T1078 | Valid Accounts | Defense Evasion / Persistence | Harvested SSO credentials used to access victim environments with legitimate accounts |
| T1556.006 | Modify Authentication Process: Multi-Factor Authentication | Credential Access | 0ktapus AitM proxy intercepts and replays MFA tokens in real time |
| T1583.001 | Acquire Infrastructure: Domains | Resource Development | Registration of lookalike SSO domains (hubspot-sso[.]com, telus-sso[.]com, etc.) |
| T1583.003 | Acquire Infrastructure: Virtual Private Server | Resource Development | Extortion servers at 37.72.140[.]17 and 91.215.85[.]22 |
| T1584.001 | Compromise Infrastructure: Domains | Resource Development | Compromised domains repurposed for phishing and C2 |
| T1036.005 | Masquerading: Match Legitimate Name or Location | Defense Evasion | Typosquat domains designed to pass visual inspection (sutheriandgiobal[.]com) |
| T1598.003 | Phishing for Information: Spearphishing Link | Reconnaissance | SSO phishing pages designed to harvest credentials and session tokens |
| T1567 | Exfiltration Over Web Service | Exfiltration | Stolen databases exfiltrated and staged on extortion servers |
| T1486 | Data Encrypted for Impact | Impact | Some victims report data encryption alongside exfiltration (double extortion) |
| T1491.002 | Defacement: External Defacement | Impact | Public-facing extortion with victim-naming filenames on accessible servers |
| T1657 | Financial Theft | Impact | Extortion demands ranging from $100K to $65M CAD |
| T1204.001 | User Execution: Malicious Link | Execution | Victims click phishing links to SSO clones and recruitment scam pages |
Indicators of Compromise
The following indicators were observed through MTAC sensor telemetry between January 26 and April 16, 2026. All domains are defanged. Organizations should implement blocking at DNS, proxy, and email gateway layers.
Extortion Server IPs
- 37.72.140[.]17 — Primary extortion server
- 91.215.85[.]22 — Secondary extortion server
Additional Phishing & C2 Infrastructure
- portaltobltcoin[.]com
- portal-infoapp[.]com
- portal-bridge[.]app
- portal-goldendragon[.]online
- shiny-shrill.dvrlists[.]com
ShinyHunters Own Infrastructure
- shinyhunte[.]rs
- shinyhunt[.]rs
In addition to blocking the specific IOCs above, implement pattern-based DNS blocking for domains matching: *-sso.com, *-okta.com, login-*gov.com, *careers*team*.com, quicklogin-*.top, and *forticloud.online. These patterns capture the group's naming conventions and will catch rotated infrastructure.
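The naming-convention patterns above, applied to resolver query logs. This is an added example, not tooling from the advisory: the glob-to-regex translation lets `*` span label boundaries so that subdomains such as dev.hubspot-sso[.]com still match, the allowlist entry and the query-log lines are constructed, and the domain names in the log are taken from the tables in this report.

```python
import re
from typing import Optional

# The naming-convention patterns recommended above (from the advisory).
BLOCK_PATTERNS = ["*-sso.com", "*-okta.com", "login-*gov.com",
                  "*careers*team*.com", "quicklogin-*.top", "*forticloud.online"]

# Constructed allowlist (an assumption, not from the advisory): names the broad
# patterns would catch but that belong to the organisation or known vendors.
ALLOWLIST = {"hr-careers-team.example.com"}


def refang(name: str) -> str:
    """Normalise a defanged indicator ('[.]') or a raw query name for matching."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def glob_to_regex(pattern: str) -> re.Pattern:
    # '*' may span label boundaries so that dev.hubspot-sso.com matches *-sso.com;
    # everything else is literal and the match is anchored to the whole name.
    return re.compile("^" + re.escape(pattern.lower()).replace(r"\*", ".*") + "$")


COMPILED = [(p, glob_to_regex(p)) for p in BLOCK_PATTERNS]


def is_allowlisted(name: str) -> bool:
    return name in ALLOWLIST or any(name.endswith("." + a) for a in ALLOWLIST)


def classify(name: str) -> Optional[str]:
    """Return the first pattern that blocks the name, or None if it should resolve."""
    name = refang(name)
    if is_allowlisted(name):
        return None
    for pattern, rx in COMPILED:
        if rx.match(name):
            return pattern
    return None


# Constructed resolver query log (not real telemetry): "<ts> <client> <qtype> <qname>".
QUERY_LOG = """\
2026-03-02T11:02:13Z 10.0.0.5 A dev.hubspot-sso.com
2026-03-02T11:02:14Z 10.0.0.5 A login.microsoftonline.com
2026-03-02T11:04:40Z 10.0.0.9 A hunters-okta.com
2026-03-02T11:05:01Z 10.0.0.9 A okta.com
2026-03-02T11:07:22Z 10.0.0.12 A ytcareersteam.com
2026-03-02T11:07:30Z 10.0.0.12 A hr-careers-team.example.com
2026-03-02T11:09:03Z 10.0.0.21 A staging.contact.login.forticloud.online
2026-03-02T11:09:05Z 10.0.0.21 A login-hmgov.com
2026-03-02T11:10:00Z 10.0.0.30 A quicklogin-w3lls.top
"""


def triage(log_text: str) -> dict:
    """Group queried names by the pattern that would have blocked them."""
    hits: dict = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        matched = classify(fields[3])
        if matched:
            hits.setdefault(matched, []).append(refang(fields[3]))
    return hits


if __name__ == "__main__":
    for pattern, names in triage(QUERY_LOG).items():
        print(f"{pattern}: {', '.join(names)}")
```

Resolver blocklists such as RPZ only accept a leading `*.` wildcard, so infix patterns like these are best run over query logs or a newly-registered-domain feed, with an allowlist reviewed before anything is enforced.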
Recommendations
Immediate Actions (0-48 Hours)
- Block all IOCs at DNS, proxy, email gateway, and firewall layers. Ingest the full IOC list into your SIEM and EDR platforms for retroactive hunting.
- Implement pattern-based domain blocking using the naming conventions documented above. ShinyHunters rotates domains every 72-96 hours; static blocklists alone are insufficient.
- Audit SSO authentication logs for the past 90 days. Look for login attempts from the phishing domains listed above, unusual geographic locations, or anomalous session token patterns.
- Review extortion server connectivity. Check network logs for any outbound connections to 37.72.140[.]17 or 91.215.85[.]22. Any hits indicate potential data exfiltration or reconnaissance.
- Salesforce Audit: Immediately run AuraInspector (or equivalent) against all public Salesforce Experience Cloud sites. Disable API access for the “Guest User Profile” unless explicitly required. Scan for /s/sfsites/aura endpoint exposure.
- MFA Hardening: Transition from “Push” to “Number Matching” immediately as a stop-gap. Prioritize FIDO2/WebAuthn (YubiKey/Titan) to fully defeat 0ktapus 2.0 AitM attacks.
- Hunt for 0ktapus 2.0 forensic markers: Search for com.okta.android.auth user-agent strings, MFA device enrollments named “Passkey” on Genymobile platforms, and accounts that left Security/IR Slack channels immediately after login.
Short-Term Actions (1-4 Weeks)
- Deploy FIDO2/WebAuthn hardware security keys for all privileged accounts, cloud administrators, and executives. This is the only MFA method resistant to 0ktapus AitM attacks. TOTP and push-based MFA must not be considered sufficient for high-value accounts.
- Implement Continuous Access Evaluation (CAE). If a user’s IP changes to a known VPN or a new MFA device is enrolled, automatically revoke all active SaaS sessions (O365, Salesforce, Slack).
- Build 0ktapus 2.0 detection rules. Monitor for anomalous authentication patterns: legitimate MFA tokens used from unexpected IPs within seconds of being generated, Genymobile device enrollments, or session cookies appearing from different ASNs than the authentication request.
- Implement brand monitoring for your organization’s name in newly registered domains. Services like DomainTools, SecurityTrails, or MTAC can alert on lookalike domain registrations within hours.
- Anti-Vishing Help Desk Protocol:
- Video Verification: All password/MFA resets must be conducted via a live video call. The employee must hold a physical government ID to the camera.
- Out-of-Band Callbacks: If a user calls for a reset, the help desk must terminate the call and call the employee back on their registered corporate phone number.
Strategic Actions (1-3 Months)
- Develop a data extortion response plan. Unlike ransomware, data extortion does not offer a decryption key as leverage. Response plans must address legal, regulatory, communications, and negotiation dimensions. Have the plan ready before the demand arrives.
- Deploy cloud DLP controls. ShinyHunters’ primary objective is data exfiltration from cloud platforms (Snowflake, AWS S3, Azure Blob, Salesforce). Implement DLP monitoring that detects unusual data access patterns, bulk downloads, and API-based exfiltration.
- Third-party supply chain audit. Review all third-party analytics, SaaS, and AI productivity tools with OAuth access to your environment. The Anodot vector demonstrates that third-party service account tokens provide silent, persistent access that bypasses standard login alerting.
- Engage Mjolnir Security for ongoing MTAC threat monitoring, 0ktapus detection rule development, and extortion response readiness assessment. Our sensors provide real-time visibility into ShinyHunters infrastructure that no commercial threat feed can match.
Mjolnir Security — Threat Intelligence & Data Extortion Response
Mjolnir Security provides specialized threat intelligence, MTAC sensor monitoring, and data extortion response services to detect, prevent, and respond to ShinyHunters and similar data extortion operations.
- MTAC Threat Monitoring: Continuous sensor telemetry monitoring for ShinyHunters infrastructure, new phishing domains, extortion server activity, and 0ktapus kit deployments. Real-time alerts when your organization or sector is targeted.
- Phishing Defence & SSO Security: Comprehensive assessment of your SSO authentication stack, FIDO2 deployment planning, 0ktapus detection rule development, and brand monitoring for lookalike domain registrations.
- Data Extortion Response: End-to-end incident response for data extortion events, including forensic investigation, data impact assessment, regulatory notification support, negotiation advisory, and crisis communications.
- Cloud Security Assessment: Security assessment of Snowflake, AWS, Azure, and GCP environments to identify the misconfigurations and credential exposures that ShinyHunters exploits for data theft.
References
- "ShinyHunters Data Breach Group Profile," MTAC Threat Intelligence, Mjolnir Security, 2026. intel.mjolnirsecurity.com
- "Convergence of Chaos: Lapsus$, ShinyHunters & Scattered Spider," Skuggaheimar, Mjolnir Security, Sep 2025. intel.mjolnirsecurity.com
- "ShinyHunters: Anatomy of a Cloud-Native Extortion Empire," Skuggaheimar, Mjolnir Security, Mar 2026. intel.mjolnirsecurity.com
- "0ktapus: A Phishing Kit That Attacked 130+ Organizations," Group-IB, Aug 2022. group-ib.com
- "Sebastien Raoult Sentenced to 3 Years for ShinyHunters Cybercrime," US Department of Justice, Jan 2024. justice.gov
- "Snowflake Breach: AT&T, Ticketmaster, and 160 More Victims," Mandiant, Jun 2024. cloud.google.com
- Krebs, B. "Tracking the Convergence of Lapsus$, ShinyHunters, and Scattered Spider," KrebsOnSecurity, 2024. krebsonsecurity.com
- "T1556.006 - Modify Authentication Process: Multi-Factor Authentication," MITRE ATT&CK. attack.mitre.org