ShinyHunters: Anatomy of a
Cloud-Native Extortion Empire

Bottom Line Up Front: ShinyHunters is a financially motivated, cloud-specialist extortion collective that has evolved from bulk database reselling (2020–2023) into a highly coordinated vishing-and-OAuth-abuse operation. In 2024–2026 the group breached 160+ Snowflake customer environments, compromised 560M+ Ticketmaster records, and pivoted to Salesforce environment hijacking — all without exploiting a single platform vulnerability. Their modus operandi is social engineering at scale. As of 2025 they have formally allied with Scattered Spider and LAPSUS$, creating an industrialized cybercrime supply chain. Expect continued targeting of cloud-first enterprises, luxury goods, aviation, financial services, and any organization with an exposed Salesforce or Okta surface.

Who Are ShinyHunters?

The name "ShinyHunters" derives from a niche corner of the Pokemon universe: players who obsessively hunt rare, alternate-coloured "shiny" Pokemon through grinding in-game encounters. It is an apt metaphor — the group relentlessly grinds for rare, high-value data assets and sells them to the highest bidder.

ShinyHunters is not a monolithic APT in the traditional state-actor sense. Rather, it operates as a loose cybercrime collective — with a core leadership persona ("ShinyCorp") directing operations and recruiting specialist contractors. The group is believed to be part of "the Com," an informal English-speaking ecosystem of predominantly young Western hackers whose skills were sharpened on cryptocurrency scams and SIM-swapping before graduating to enterprise-scale intrusions.

Law enforcement has made inroads: in January 2024, French member Sebastien Raoult was sentenced to three years in prison and ordered to pay back $5 million. In June 2025, French authorities arrested four additional members operating under the aliases ShinyHunters, Hollow, Noct, and Depressed. Despite these arrests, the group has proven operationally resilient, re-emerging with new campaigns within weeks.

Evolution & Group Anthropology

Understanding ShinyHunters requires understanding their cultural context. They emerged not from a secretive, nation-state-sponsored lab, but from online gaming communities, Discord servers, and Telegram channels where young people traded hacked account credentials like trading cards. This origin shapes everything: their branding, their bravado, their communication style, and crucially, their social engineering psychology — they understand how people behave online.

Phase 1: Data Broker Era (2020–2023)

ShinyHunters launched its public identity on RaidForums in 2020 with a torrent of high-volume breaches — Tokopedia (91M records), Microsoft GitHub, Wattpad, Promo.com, and dozens more. The model was simple: breach, exfiltrate, sell or dump. Monetisation came primarily through selling databases on criminal forums. The "pay or we leak" model became their trademark.

Phase 2: Infrastructure Elevation (2023–2024)

The group became a power broker on BreachForums — first partnering with "Baphomet" to relaunch v2 of the forum in June 2023, then operating v4 independently in 2025. This forum administration gave them structural influence over the broader criminal data ecosystem: they could prioritise, amplify, or suppress listings, generating leverage well beyond their own breaches.

Phase 3: Cloud Extortion Pivot (2024–Present)

The 2024 Snowflake campaign marked a strategic inflection point. Rather than targeting individual companies directly, ShinyHunters attacked a cloud platform's customer base at scale, breaching 160+ enterprises in a single coordinated credential-stuffing wave. Monetisation shifted from one-time data sales to direct extortion — demanding ransoms in exchange for deletion of stolen data. AT&T reportedly paid $370,000. Ransom demands across victims ranged from $300K to $8M.

Phase 4: Alliance & Social Engineering Industrialisation (2025–2026)

By mid-2025, ShinyHunters had formalised a criminal alliance with Scattered Spider and LAPSUS$, creating 16+ coordinated Telegram channels. The alias Sp1d3rHunters — literally merging both groups' names — appeared on BreachForums as early as May 2024. This merger industrialised vishing: ShinyCorp explicitly recruited members based on proven social engineering skills on phone calls, targeting candidates who had previously run cryptocurrency scams impersonating Coinbase or Apple support.

Notable Attacks & Campaigns

TTP Analysis (MITRE ATT&CK)

ShinyHunters' operational playbook has matured significantly from 2020 to 2026. What follows is a comprehensive breakdown of observed techniques mapped to the MITRE ATT&CK Enterprise framework.

Vishing Playbook — Deep Dive

The most operationally sophisticated component of the current ShinyHunters methodology is their voice-phishing (vishing) pipeline. The attack chain for the Salesforce campaigns follows a reproducible playbook:

STEP 1 — RECONNAISSANCE
  # Mandiant notes campaigns are built on extensive target profiling
  → LinkedIn / company directories to identify helpdesk / IT staff
  → Public Salesforce org URLs identified via standard endpoint patterns
  → Okta subdomain enumeration and clone creation (e.g. trial-XXXXXXX.okta.com)

STEP 2 — VISHING CALL
  # ShinyCorp recruits from crypto-scam vishing talent pool
  → Attacker impersonates IT support / Salesforce vendor representative
  → Instructs target employee to visit Salesforce Connected App setup page
  → Victim enters "connection code" — authorises actor-controlled OAuth app
  → OAuth token grants persistent, MFA-bypassing access to the Salesforce org

STEP 3 — PERSISTENCE
  # Connected app survives password changes and MFA resets
  → Malicious Data Loader app registered in victim org
  → Refresh tokens maintained for extended access
  → Extortion contact made weeks to months after initial breach

STEP 4 — EXFILTRATION & EXTORTION
  → Bulk export via Salesforce APIs using Mullvad VPN for obfuscation
  → Data staged, compressed, exfiltrated to attacker-controlled storage
  → Ransom demand sent; failure to pay → data listed on leak site / BreachForums

Insider Recruitment

In a significant operational escalation, on August 31, 2025, a ShinyHunters-controlled Telegram channel published an open recruitment message seeking corporate insiders with access to:

• Okta or Microsoft SSO administrator accounts
• Citrix VPN administrator credentials
• GitHub, GitLab, or other version control system access
• Any privileged access to enterprise cloud platforms

This insider-recruitment model mirrors the tactics of LAPSUS$ and represents a maturation of the group's initial access capability that defenders cannot address purely through technical controls.

The Trinity: ShinyHunters x Scattered Spider x LAPSUS$

The merger of these three groups represents the most significant development in the Western cybercrime ecosystem since the rise of ransomware-as-a-service. Each group brings distinct capabilities:

The composite capability is formidable: ShinyHunters brings the data monetisation infrastructure and cloud breach expertise, Scattered Spider brings the social engineering talent pipeline, and LAPSUS$ brings the extortion methodology and brand intimidation. Together, they represent a full-spectrum cloud-native attack chain that requires no malware, no CVE exploitation, and no network perimeter breach.

IOCs & Detection Signals

The following are representative observable indicators attributed to ShinyHunters infrastructure and operations.

Behavioural Detection Signals

• Unexpected new OAuth connected app registrations in Salesforce — especially Data Loader variants — created outside change management windows
• Employees receiving unsolicited calls from individuals claiming to be IT support and directing them to Salesforce setup pages
• Bulk SQL GET commands executed against Snowflake environments outside business hours
• Creation of temporary stages in Snowflake with GZIP compression operations
• Salesforce Experience Cloud guest user queries with sortBy parameters bypassing 2,000-record API limits
• AWS ListBuckets and GetObject calls from unfamiliar IAM principals or source IPs
• Mullvad VPN exit node IPs appearing in Salesforce or cloud platform audit logs

Defensive Posture & Mitigations

Identity & Access Management

• Enforce MFA universally across all cloud platform accounts — Snowflake, Salesforce, AWS, Okta. The Snowflake campaign succeeded entirely because targeted accounts lacked MFA.
• Implement phishing-resistant MFA (FIDO2/hardware keys) for privileged accounts. TOTP and SMS-based MFA are bypassable via real-time phishing proxies.
• Audit and restrict Salesforce Connected App registrations. Require change management approval for new OAuth app authorisations. Monitor for Data Loader-type apps created outside normal admin workflow.
• Review and harden Salesforce Experience Cloud guest user settings. Restrict object and field access for unauthenticated guest profiles. Audit sharing rules and permission sets regularly.
• Implement OAuth token lifetime policies — reduce refresh token expiry for high-sensitivity integrations. Monitor and alert on token-based access from new devices or geographies.

Credential Hygiene

• Scan public and private repositories (GitHub, GitLab, Jira) for hardcoded credentials using tools such as Gitleaks or TruffleHog. The EPAM supply chain breach succeeded in part because credentials were cached in Jira.
• Subscribe to infostealer credential monitoring services (e.g., Hudson Rock, SpyCloud, Flare) to detect employee credentials appearing in stealer log marketplaces before attackers exploit them.
• Rotate all cloud service credentials on a schedule and immediately upon any supplier breach notification.

Vishing & Social Engineering Defence

• Train IT helpdesk staff with a callback verification protocol — never act on inbound IT support calls; always call back via a verified directory number. This is the single most effective control against the ShinyHunters vishing playbook.
• Implement a zero-trust helpdesk policy: no credential resets, MFA bypasses, or new app authorisations based solely on voice calls without out-of-band identity verification.
• Alert security teams to any employee-reported inbound IT calls requesting them to visit Salesforce setup pages, Okta admin portals, or VPN configuration pages.

Detection & Monitoring

• Enable Snowflake audit logging and alert on bulk GET commands, CREATE STAGE operations, and login events from new source IPs or user agents.
• Monitor Salesforce Login History, Setup Audit Trail, and Connected App OAuth Usage for anomalous patterns — particularly bulk API queries and off-hours activity.
• Block or alert on outbound connections to Mullvad VPN exit nodes from production cloud environments.
• Enrol in BreachForums and dark web monitoring to detect early-stage data listing activity before extortion contacts are made.

Third-Party Risk

• Assess all Salesforce ISV integrations (Gainsight, Salesloft/Drift, and others) for OAuth permission scope. Revoke or narrow permissions for integrations that do not require broad data access.
• Demand MFA enforcement attestations from cloud-platform suppliers as a contractual security requirement.
• Conduct supply chain risk assessments on all IT managed service providers with access to your cloud credentials or environments.

Threat Outlook & Assessment

ShinyHunters in 2026 is categorically more dangerous than the bulk-database-reselling operation of 2020. The group has achieved three things that most criminal organisations do not: strategic patience (the Ticketmaster breach went undetected long enough to exfiltrate 1.3 TB), platform specialisation (they are now genuinely expert in Salesforce, Snowflake, and Okta architecture), and alliance leverage (the com-coalition multiplies their reach and capability without proportional expansion of internal headcount).

Law enforcement pressure has proven insufficient to suppress the group. The June 2025 arrests of four French members produced no detectable operational pause. BreachForums continues to cycle through takedowns and rebirths — ShinyHunters themselves publicly warned that the latest iteration was a law enforcement honeypot, then proceeded to launch a new instance. This resilience is structural, not accidental: the group is designed to operate with a rotating cast of contractors rather than a fixed membership.

Near-term targeting assessment (High Confidence): Financial services and insurance organisations are the most likely near-term primary targets based on domain registration trend analysis (+12% financial targeting increase since July 2025). Organisations using Salesforce Financial Services Cloud, Salesforce Health Cloud, or Salesforce with Gainsight/Salesloft integrations should treat themselves as actively targeted.