
ShinyHunters

Aliases: Bling Libra · UNC6040 · UNC604 · Scattered Lapsus$ Hunters (SLSH, broader collective)

🔴 Active Campaign
Cybercrime · Capability: High · Rating: B2
Loose criminal collective; overlaps with Scattered Spider and LAPSUS$ under the Scattered Lapsus$ Hunters (SLSH) banner. Multi-national (English-speaking operators identified in the United States, United Kingdom, Canada, and France).
Cut-off: May 12, 2026 · TLP:AMBER

Diamond Model

Adversary (Rating: B2)

SLSH collective · Financially motivated · English-speaking

Infrastructure (Rating: B2)

BreachForums (operator) · Tor extortion site · Telegram · Vendor pivots (Mixpanel, Anodot, EPAM)

Victim (Rating: B2)

SaaS-dependent enterprises · Telecom · Education · Hospitality · Fintech

Capability (Rating: A2)

Vishing · OAuth abuse · Credential stuffing · Custom AuraInspector mod

SaaS Data Extortion 2025–2026

Motive & Objectives

  • Financial gain (extortion)
  • Bulk data resale
  • Notoriety / brand
  • Retaliation against rivals

Sector Proximity

  • Global telecommunications: AT&T, Odido, Telus all breached in the last 24 months

  • Defense technology / high-tech startups: Shared Salesforce/Snowflake/Okta stack inherits exposure

  • Venture capital / investment: Fintech in scope (Figure); portfolio cos share SaaS surface

  • Government / think tanks: No direct gov targeting; indirect via shared SaaS vendors

  • Higher education / research institutions: Instructure Canvas hits ~8,800 institutions, ~275M records

Capability Assessment

  • Tooling: Moderate
  • Persistence: Low
  • Attribution evasion: Moderate
  • Zero-days: Low

Malware Lineage

  • Modified AuraInspector (Salesforce Experience Cloud)
  • Commodity infostealers (RedLine, Raccoon, Lumma — credential sourcing)
  • Vishing playbook (no malware; IT help-desk impersonation)
  • OAuth-token abuse against connected SaaS apps


Victimology

  • Telecommunications providers · AT&T (2024), Odido NL (Feb 2026, 21M records), Telus CA (Mar 2026, $65M demand)

  • SaaS and cloud platforms · Salesforce, Snowflake, Okta-using enterprises across 2024–2026

  • Higher education / LMS · Instructure Canvas (May 2026): ~8,800 schools, ~275M records claimed

  • Hospitality and gaming · Wynn Resorts (Feb 2026, ~800K records)

  • Fintech · Figure Technology Solutions (Feb 2026, ~1M records)

  • Food service and retail · Grubhub, Panera Bread (Jan 2026, ~5M individuals), Pizza Hut Australia

Geographic Focus

United States (primary) · Canada · United Kingdom · Netherlands · Australia · global SaaS supply chain

Full Analysis

Executive Summary

Intelligence Cut-off Date: 12-May-2026

ShinyHunters is a financially motivated cybercrime brand operated by a fluid, English-speaking collective that overlaps substantially with Scattered Spider and LAPSUS$ under the “Scattered Lapsus$ Hunters” (SLSH) umbrella. Over the past twelve months the group has shifted from forum-driven bulk data dumps toward direct extortion of SaaS-dependent enterprises, exploiting the supply-chain trust between victims and their analytics, observability, and integration vendors. The 2026 campaign tempo — Grubhub/Panera (January), Wynn Resorts and Odido (February), Telus and the Salesforce Experience Cloud campaign (March), Instructure Canvas (May) — has been the most aggressive on record.

Overall Assessment: [Confidence: HIGH] ShinyHunters is an active, sustained, and adaptive threat to any enterprise running Salesforce, Snowflake, Okta, or OAuth-connected analytics platforms. Attribution to specific named operators is fluid and should be treated at the collective level rather than the persona level.

Identity and Attribution

ShinyHunters first surfaced in 2020 as a data-theft and data-sales actor on RaidForums and its successor BreachForums [Source: Wikipedia / multiple vendor histories, Rating: B2]. Across vendor naming conventions the group is tracked as Bling Libra by Unit 42, UNC6040 by Google Threat Intelligence Group (specifically for the June 2025 Salesforce vishing campaign), and UNC604 by Varonis [Source: Unit 42, Google Cloud Blog, Varonis, Rating: B2]. As of 2024–2026, ShinyHunters is best understood as a brand operated by SLSH — a loose criminal collective with overlapping membership across Scattered Spider, LAPSUS$, and the historical ShinyHunters persona [Source: KrebsOnSecurity, Feb 2026, Rating: B2].

Operators have been arrested in France, the United States, Canada, the United Kingdom, Turkey, and Finland over 2022–2025. Sébastien Raoult, a French national, was extradited to the US and sentenced in 2024 [Source: DOJ press release, Rating: A2]. Despite these arrests, operational tempo has accelerated rather than slowed, consistent with a brand-and-affiliate model rather than a fixed team [Confidence: HIGH].

The group is the current operator of BreachForums, alongside the former administrator “Baphomet,” and runs a dedicated Tor extortion site for victim shaming and data publication [Source: hackread, Rating: C2]. In March 2026 internal disputes spilled into public view when a disgruntled member exposed ~323,000 BreachForums user records via the group’s own extortion site [Source: DataBreach.io, Mar 2026, Rating: B3].

Motive and Objective

The primary motive is financial gain through data theft and extortion [Confidence: HIGH]. The specific monetization stack has evolved across three layers: (1) direct ransom demands against breached enterprises (peaking at $65M against Telus in March 2026); (2) bulk dataset sales on BreachForums and successor venues; and (3) reputation-driven shaming via the leak site and journalist outreach, which compresses the victim’s negotiation window. A secondary motive is notoriety within the underground economy — the ShinyHunters brand is itself an asset, used to attract affiliates and to credentialize claims. A tertiary motive, observed in 2026, is retaliation against rivals within the cybercrime ecosystem, evidenced by the BreachForums user leak [Single-source].

Victimology

Targeting is broad and opportunistic at the sector level but deliberate at the platform level — ShinyHunters consistently follows the data, attacking whichever enterprises host valuable datasets on SaaS platforms the group has tooling against. Targeted sectors in the last 24 months include telecommunications (AT&T 2024, Odido Feb 2026, Telus Mar 2026), SaaS and cloud-dependent enterprises broadly, higher education (Instructure Canvas, May 2026), hospitality and gaming (Wynn Resorts, Feb 2026), fintech (Figure Technology Solutions, Feb 2026), and food service and retail (Grubhub, Panera Bread, Pizza Hut Australia). Geographic focus is North America (US and Canada) and Western Europe (UK, Netherlands), with intermittent activity in Australia. No CIS-country targeting exclusion has been observed, which is consistent with the non-Russian-nexus attribution. Technology stack targeting centers on Salesforce, Snowflake, Okta SSO, and OAuth-connected analytics platforms (Mixpanel, Anodot, and similar tier-2 SaaS).

Sector Proximity Assessment:

  • Global telecommunications: Direct — telcos are an active and named target set. AT&T, Odido, and Telus have all been breached or extorted within the past 24 months, and telcos remain the highest-payoff target for SLSH-style mass-data extortion.
  • Defense technology / high-tech startups: Adjacent — there is no evidence of targeting specifically against the defense industrial base, but any startup running the same Salesforce/Snowflake/Okta stack inherits the same attack surface as named victims.
  • Venture capital / investment: Adjacent — fintech is in scope (Figure Technology Solutions, Feb 2026), and portfolio companies sharing SaaS infrastructure inherit second-order exposure even when the VC itself is not a target.
  • Government / think tanks: Low — no direct government targeting observed; the indirect risk is via shared SaaS vendors and contractor datasets, not via the group’s own intent.
  • Higher education / research institutions: Direct — the May 2026 Instructure Canvas campaign hit 8,800+ institutions and ~275M records (group claim), making the education sector an active target rather than an adjacent one.

Capability Assessment

Rating: High [Confidence: MODERATE]

ShinyHunters does not match nation-state benchmarks for stealth, dwell time, or zero-day capability. The group’s tradecraft is dominated by social engineering and the abuse of legitimate cloud functionality, not by custom malware or novel exploitation [Source: Intel 471, EclecticIQ, Rating: B2]. However, the rating is elevated to High based on three factors: (1) operational scale — over a dozen named enterprise victims in five months of 2026 alone; (2) supply-chain leverage — the group has repeatedly identified and pivoted through third-party SaaS vendors (EPAM for Snowflake, Mixpanel for Salesforce, Anodot for Vimeo) that most security teams do not inventory or monitor; and (3) custom tooling — the March 2026 Salesforce Experience Cloud campaign used a modified version of Salesforce’s own AuraInspector framework to extract data at scale, demonstrating platform-specific development capability [Source: Salesforce Security Advisory, Mar 2026, Rating: A2]. The group’s operational evasion is moderate — leak sites have been seized, members have been arrested — but the brand has survived every disruption to date.

Modus Operandi

Key Campaigns

  • Snowflake credential-stuffing campaign (2024 Q2–Q3): Compromised approximately 165 Snowflake customer tenants, including Ticketmaster, AT&T, Santander, and Advance Auto Parts, via credential stuffing using credentials harvested through a supply-chain breach of EPAM Systems and through commodity infostealer logs [Source: Mandiant, CrowdStrike, Rating: B2].
  • UNC6040 Salesforce vishing campaign (June 2025): Voice-phishing of contact-center agents at ~700 Salesforce customers, with subsequent OAuth abuse. Pivot involved a smishing compromise of Mixpanel that enabled analytics-dataset exfiltration affecting downstream customers including (claimed) Pornhub Premium and OpenAI API user records [Source: Google Cloud Blog, Rating: B2; OpenAI/Pornhub claims: Unverified].
  • Okta SSO vishing wave (January 2026): IT help-desk impersonation campaigns against Okta-using enterprises, requesting MFA resets during “policy updates” [Source: KrebsOnSecurity, Rating: B2].
  • 2026 winter–spring extortion run: Grubhub and Panera Bread (Jan 2026), Wynn Resorts (Feb 2026), Figure Technology Solutions (Feb 2026), Odido (Feb 2026, 21M records), Telus and Telus Digital (Mar 2026, claimed 1PB, $65M demand), and Instructure Canvas (May 2026, claimed 275M records / 8,800 institutions) [Source: Rescana, Halcyon, Dataminr, Rating: C2].
  • Salesforce Experience Cloud campaign (March 2026): Modified AuraInspector tooling exploiting Experience Cloud misconfigurations to exfiltrate data at scale [Source: Salesforce Security Advisory, Rating: A2].

MITRE ATT&CK TTPs

Phase | Technique ID | Technique Name | Notes
--- | --- | --- | ---
Initial Access | T1566.004 | Spearphishing Voice | Vishing against IT help desks; impersonates internal staff requesting MFA resets
Initial Access | T1199 | Trusted Relationship | Supply-chain pivots: EPAM (Snowflake), Mixpanel (Salesforce), Anodot (Vimeo)
Initial Access | T1078 | Valid Accounts | Credential-stuffing and OAuth-token reuse against SaaS tenants
Credential Access | T1110.004 | Credential Stuffing | Reuse of credentials from prior breaches against Snowflake, Salesforce, Okta
Credential Access | T1552 | Unsecured Credentials | Identified credentials in Jira, internal repos, infostealer logs
Reconnaissance | T1589.001 | Gather Victim Identity Information | Targets identified via leaked credential corpora and infostealer telemetry
Collection | T1530 | Data from Cloud Storage Object | Bulk extraction from Snowflake tables and Salesforce objects
Collection | T1213 | Data from Information Repositories | Jira, Confluence, and SaaS document stores
Exfiltration | T1567 | Exfiltration Over Web Service | Native SaaS export functions and OAuth-connected analytics tooling
Impact | T1657 | Financial Theft | Extortion via leak site, journalist outreach, and executive harassment
Impact | T1485 | Data Destruction | Threatened destruction or public release; rarely executed prior to negotiation

Tools and Malware

The group is notable for the absence of traditional malware in its tradecraft. The attack chain is dominated by living-off-the-cloud techniques rather than custom implants. Named tooling and components include: a modified AuraInspector binary used to abuse Salesforce Experience Cloud (March 2026); commodity infostealers (RedLine, Raccoon, Lumma — used not by the group directly but as upstream credential sources); legitimate OAuth integrations abused to maintain access without triggering password-reset detection; and the vishing playbook itself, which is the group’s most distinctive capability. No custom backdoors, rootkits, or implants have been publicly attributed to ShinyHunters as of the cut-off date [Confidence: HIGH].

Infrastructure Patterns

ShinyHunters operates BreachForums as its primary criminal-economy venue and runs a dedicated Tor-based extortion and leak site for victim publication [Source: hackread, Barracuda Networks Blog, Rating: B3]. Telegram channels are used for affiliate coordination and journalist outreach. Voice infrastructure for vishing is rotated through commercial VoIP and SIP services. Supply-chain pivots — EPAM, Mixpanel, Anodot — function as de facto operational relays: the group does not need to maintain long-lived C2 because data exfiltration runs over the victim’s own legitimate SaaS web traffic. The negotiation channel is typically email or a Tor portal hosted alongside the leak site. Operational hardening includes the use of residential-proxy ASNs to defeat geo-anomaly detection on Salesforce and Okta logins [Source: Varonis, Rating: B3].

Extortion Tactics

The SLSH negotiation playbook is distinctively aggressive [Source: KrebsOnSecurity, Rating: B2]. Tactics include: leak-site countdown timers; sample-data publication during negotiation; direct harassment of victim executives and their family members; swatting of executives’ home addresses; journalist outreach to apply public-disclosure pressure; and regulator outreach (notifying data-protection authorities about the breach to force statutory disclosure timelines). Ransom demands have ranged from low six figures up to the $65M Telus demand in March 2026, with flexibility observed in published cases — the group typically negotiates downward, suggesting initial demands are anchoring rather than firm.

Activity Timeline

Date | Event | Source | Rating
--- | --- | --- | ---
2026-05 | Second wave against Instructure Canvas via Free-For-Teacher accounts; education sector still under sustained pressure | Rescana / Halcyon | C2
2026-03 | Telus and Telus Digital extortion: claimed 1PB stolen, $65M ransom demand | Rescana | C2
2026-03 | Salesforce Experience Cloud campaign using modified AuraInspector tooling | Salesforce Security Advisory | A2
2026-03 | Public leak of ~323K BreachForums user records following internal dispute | DataBreach.io | B3
2026-02 | Wynn Resorts breached: ~800K customer and employee records claimed | Dataminr | C2
2026-02 | Figure Technology Solutions breached: ~1M records claimed | KrebsOnSecurity | B2
2026-02 | Odido (NL telecom) breached: 21M records / 6M individuals | KrebsOnSecurity / Dutch press | B2
2026-01 | Grubhub and Panera Bread extortion: ~5M individuals affected (Panera) | KrebsOnSecurity | B2
2026-01 | Coordinated vishing campaign against Okta-using enterprises (SSO targeting) | KrebsOnSecurity | B2
2025-10 | SLSH announces “hiatus” after FBI seizure of clearweb leak site; resumes activity within ~90 days | The Register | B2
2025-06 | UNC6040 Salesforce vishing campaign begins; ~700 Salesforce customers affected; Mixpanel pivot | Google Cloud Blog | B2
2024-Q2 | Snowflake credential-stuffing campaign begins: Ticketmaster, AT&T, Santander among ~165 affected tenants; EPAM Systems supply-chain pivot | Mandiant / CrowdStrike | B2
2024 | Sébastien Raoult sentenced in US following 2022 arrest and extradition | DOJ press release | A2
2020 | ShinyHunters brand surfaces on RaidForums; early breaches include Tokopedia, Wattpad, Microsoft GitHub claims | Multiple | B2

Forecast, Implications, and Recommendations

What Next (Forecast)

[Confidence: MODERATE] SLSH will continue to pivot through the SaaS supply chain — analytics, observability, and integration vendors — because these are first-class targets that most security teams do not inventory. Expect the next high-profile campaigns to start in a vendor most victims have never named in a security review, not in the marquee CRM itself.

[Confidence: MODERATE] The vishing playbook will industrialize further; SLSH is recruiting women for vishing operations specifically to defeat help-desk caller-gender heuristics [Source: Dataminr, Rating: B3].

[Confidence: LOW] Sector expansion into healthcare and energy is plausible given the demonstrated data-class indifference, but there is no public evidence of imminent campaigns at the cut-off date.

Conditions that would change the forecast: a coordinated multi-jurisdiction takedown of BreachForums and the SLSH extortion site, or sustained arrests of named operators rather than affiliates, would materially degrade operational tempo. Past disruption attempts have not produced this outcome.

So What (Implications)

The blast radius for any single victim is the union of every SaaS its data touches, not the perimeter of its directly managed systems. A help-desk vishing call against a single contact-center agent can detonate Salesforce, Snowflake, and three OAuth-connected analytics platforms in a single sitting. Telecoms face the highest-payoff scenarios — Telus, Odido, and AT&T all illustrate that a single successful campaign can generate 21M+ record exposures. For higher-ed and SaaS-dependent enterprises broadly, the May 2026 Instructure precedent shows that even legitimately “free” or “trial” tiers of SaaS can be weaponized into multi-thousand-institution mass breaches when misconfigured. Insurance, regulatory, and executive-harassment pressure typically collapses the victim’s negotiation window from weeks to days, which materially shifts payment economics in the group’s favor.

Now What (Recommendations)

  1. Harden the help desk against vishing (T1566.004) — Implement mandatory out-of-band callback verification for any inbound request to reset MFA or change credentials. Establish a “no MFA reset on inbound call” rule with no exceptions. Build detection content for help-desk vishing patterns and rehearse the response playbook. This is the single highest-leverage control against SLSH.
  2. Inventory and constrain OAuth and connected-app permissions — Conduct a full audit of all OAuth-connected applications across Salesforce, Snowflake, Okta, and analytics platforms. Revoke unused integrations. Enforce least-privilege OAuth scopes, particularly on analytics tooling in the Mixpanel/Anodot class. Require quarterly re-attestation of every connected app.
  3. Hunt for SaaS extortion indicators in identity and export logs — Tune detection on Snowflake and Salesforce for anomalous data-export volumes, mass record reads, new connected-app registrations, and authentication from residential-proxy ASNs. Specifically alert on T1110.004 (credential-stuffing) and T1530 (cloud-storage data access) patterns. Treat after-hours bulk exports as high-priority.
  4. Refresh the executive duty-of-care plan — Pre-wire legal, communications, and physical-security responses to swatting, family harassment, and journalist outreach, which are standard SLSH negotiation tactics. Brief executives and their families on the playbook before an incident, not during one. Ensure the CISO has direct, pre-approved authority to coordinate with local law enforcement on swatting incidents.
  5. Map your third-party SaaS supply chain explicitly — Build an authoritative inventory of every analytics, observability, and integration vendor with data access to your Salesforce, Snowflake, or Okta tenant. For each, document the OAuth scope, the data they receive, the breach-notification SLA, and the assessed blast radius if that vendor were compromised. Treat this map as a tier-1 risk register, not a procurement document.
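The hunting rules in recommendation 3 (rolling bulk-export volume, after-hours priority, exports through a freshly registered connected app, residential-proxy logins), turned into runnable detection logic as an added example; this is not code from the profile or from any vendor. It assumes a simplified JSON-lines event shape with fields ts, user, event, rows, app and asn_type, and the sample log is constructed.

```python
"""Hunt for SaaS data-extortion indicators over constructed identity/export logs.

Added example for this profile, not tooling from the page or any vendor.
Field names (ts, user, event, rows, app, asn_type) are assumptions about a
simplified SaaS event log; the events below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

EXPORT_EVENTS = {"ReportExport", "BulkApiExport"}
BULK_ROWS_PER_HOUR = 100_000          # rolling one-hour threshold; tune to the tenant baseline
AFTER_HOURS = (22, 6)                 # local hours in [22:00, 06:00) count as after-hours
NEW_APP_WINDOW = timedelta(hours=24)  # export via an app registered this recently is suspect

# Constructed sample log: one benign analyst, one scheduled ETL job, and a
# service account that logs in from a residential proxy, registers a new
# connected app and bulk-exports through it after hours.
SAMPLE_LOG = """\
{"ts":"2026-03-04T09:12:00","user":"ana","event":"Login","asn_type":"corporate","app":"browser"}
{"ts":"2026-03-04T09:30:00","user":"ana","event":"ReportExport","rows":1200,"app":"browser"}
{"ts":"2026-03-04T23:05:00","user":"svc_analytics","event":"Login","asn_type":"residential","app":"analytics-sync"}
{"ts":"2026-03-04T23:07:00","user":"svc_analytics","event":"ConnectedAppRegistered","app":"data-loader-v2"}
{"ts":"2026-03-04T23:15:00","user":"svc_analytics","event":"BulkApiExport","rows":80000,"app":"data-loader-v2"}
{"ts":"2026-03-04T23:40:00","user":"svc_analytics","event":"BulkApiExport","rows":95000,"app":"data-loader-v2"}
{"ts":"2026-03-05T10:00:00","user":"etl_nightly","event":"BulkApiExport","rows":50000,"app":"etl-nightly"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def detect(events):
    """Return alerts in event order, each tagged with the ATT&CK technique it maps to."""
    alerts = []
    registered = {}             # app -> time of its ConnectedAppRegistered event
    flagged_new_app = set()     # (user, app) pairs already alerted on, to avoid repeats
    recent = defaultdict(list)  # user -> [(ts, rows)] exports seen in the last hour
    for e in events:
        user, ts, kind = e["user"], e["ts"], e["event"]
        if kind == "Login" and e.get("asn_type") == "residential":
            alerts.append({"rule": "residential_proxy_login", "technique": "T1078",
                           "user": user, "ts": ts})
        elif kind == "ConnectedAppRegistered":
            registered[e["app"]] = ts
            alerts.append({"rule": "new_connected_app", "technique": "T1199",
                           "user": user, "app": e["app"], "ts": ts})
        elif kind in EXPORT_EVENTS:
            rows, app = e.get("rows", 0), e.get("app")
            # Export through an app registered inside NEW_APP_WINDOW: fire once per (user, app)
            reg_ts = registered.get(app)
            if (reg_ts is not None and ts - reg_ts <= NEW_APP_WINDOW
                    and (user, app) not in flagged_new_app):
                flagged_new_app.add((user, app))
                alerts.append({"rule": "export_via_new_app", "technique": "T1567",
                               "user": user, "app": app, "ts": ts})
            # Rolling one-hour export volume per user; after-hours raises the priority
            recent[user] = [(t, r) for t, r in recent[user] if ts - t <= timedelta(hours=1)]
            recent[user].append((ts, rows))
            total = sum(r for _, r in recent[user])
            if total > BULK_ROWS_PER_HOUR:
                alerts.append({"rule": "bulk_export", "technique": "T1530", "user": user,
                               "rows_1h": total, "ts": ts,
                               "priority": "high" if is_after_hours(ts) else "medium"})
    return alerts


def hunt(text):
    return detect(parse_events(text))


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["technique"], a["rule"], a["user"], a.get("priority", ""))
```

The scheduled ETL export stays below the threshold and produces nothing, which is the point of tuning BULK_ROWS_PER_HOUR to the tenant's own baseline rather than a fixed number.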

Technical Evidence

Type | Value | First Seen | Last Seen | Confidence
--- | --- | --- | --- | ---
Tooling | Modified AuraInspector binary (Salesforce Experience Cloud abuse) | 2026-03 | 2026-05 | HIGH
CVE / Misconfiguration | Salesforce Experience Cloud guest-user misconfigurations | 2024 | 2026-05 | HIGH
Technique Indicator | OAuth-token reuse against Snowflake and Salesforce tenants | 2024-Q2 | 2026-05 | HIGH
Technique Indicator | Authentication from residential-proxy ASNs against Okta | 2026-01 | 2026-05 | MODERATE
Leak Site | BreachForums (operator) | 2023 | 2026-05 | HIGH
Leak Site | ShinyHunters Tor extortion portal | 2025-06 | 2026-05 | HIGH

[Data Gap: Specific C2 domains and IP addresses associated with vishing infrastructure are not consistently published in vendor reporting; defenders should rely on behavioral indicators rather than network-layer IOCs for this actor.]

References

  1. Google Cloud Blog. Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft. https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft. Rating: B2
  2. Salesforce Security Advisory (March 2026). Linked threat group exploiting Experience Cloud misconfigurations with modified AuraInspector tooling. Rating: A2
  3. Mandiant / Google Threat Intelligence Group. UNC6040 Salesforce vishing campaign reporting (June 2025 onward). Rating: B2
  4. Unit 42 (Palo Alto Networks). Bling Libra’s Tactical Evolution: The Threat Actor Group Behind ShinyHunters. https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/. Rating: B2
  5. Unit 42. The Golden Scale: Bling Libra and the Evolving Extortion Economy. https://unit42.paloaltonetworks.com/scattered-lapsus-hunters/. Rating: B2
  6. KrebsOnSecurity (February 2026). Please Don’t Feed the Scattered Lapsus ShinyHunters. https://krebsonsecurity.com/2026/02/please-dont-feed-the-scattered-lapsus-shiny-hunters/. Rating: B2
  7. Intel 471. Here’s how to guard your enterprise against ShinyHunters. https://www.intel471.com/blog/shinyhunters-data-breach-mitre-attack. Rating: B2
  8. EclecticIQ. ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications. https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications. Rating: B3
  9. Varonis. What Salesforce Organizations Need to Know About ShinyHunters and Vishing. https://www.varonis.com/blog/salesforce-vishing-threat-unc604. Rating: B3
  10. Halcyon. Education Sector in the Crosshairs: ShinyHunters’ Extortion Campaign Against Instructure. https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure. Rating: C2
  11. Dataminr. Cyber Intel Brief: ShinyHunters Claims Breach of Canvas LMS. https://www.dataminr.com/resources/intel-brief/shinyhunters-claims-instructure-canvas-breach/. Rating: C2
  12. Dataminr. Scattered Lapsus$ Hunters Recruiting Women for Operations. https://www.dataminr.com/resources/intel-brief/slh-recruiting-women-for-vishing/. Rating: C2
  13. Rescana. Vimeo Data Breach 2026: ShinyHunters Exploit Anodot Integration via Snowflake and BigQuery. https://www.rescana.com/post/vimeo-data-breach-2026-shinyhunters-exploit-anodot-integration-to-expose-119-000-user-records-via-snowflake-and-bigquery/. Rating: C3
  14. Rescana. Instructure Canvas Data Breach: ShinyHunters Hack Exposes Student Information at 8,800+ Schools and Universities. https://www.rescana.com/post/instructure-canvas-data-breach-shinyhunters-hack-exposes-student-information-at-8-800-schools-and-universities/. Rating: C3
  15. Barracuda Networks Blog (January 2026). BreachForums disclosure surfaces falling out among ShinyHunters thieves. https://blog.barracuda.com/2026/01/26/breachforums-disclosure-shinyhunters. Rating: C2
  16. The Register (October 2025). Salesforce bandits run into hiding amid arrests, seizures. https://www.theregister.com/2025/10/13/scattered_lapsus_hunters_hiatus/. Rating: B2
  17. Wikipedia. ShinyHunters. https://en.wikipedia.org/wiki/ShinyHunters. Rating: C3
  18. Wikipedia. Scattered Lapsus$ Hunters. https://en.wikipedia.org/wiki/Scattered_Lapsus$_Hunters. Rating: C3
  19. US Department of Justice. Sébastien Raoult sentencing (2024). Rating: A2

Sources & Confidence

Source: PDB Threat Actor Registry · Profile v1
