Threat Actor: ShinyHunters

The threat actor known as ShinyHunters emerged around 2020, initially operating as a prolific data breach and extortion group focused on selling massive user databases on dark web forums. Since then, the group has undergone a significant transformation, evolving from a straightforward data broker into a sophisticated, multi-faceted eCrime enterprise. This evolution is marked by a strategic shift toward targeting the core of the modern enterprise: cloud and Software-as-a-Service (SaaS) platforms.

At the heart of this transformation is the formation of a powerful cybercrime alliance known as “Scattered Lapsus$ Hunters,” which combines the specialized skills of ShinyHunters, the social engineering experts of Scattered Spider, and the public extortion specialists of LAPSUS$. This syndicate has executed some of the most impactful data theft campaigns in recent years, systematically compromising major SaaS platforms like Salesforce and Snowflake. Their operations are no longer limited to simple data dumps but now involve multi-million dollar extortion demands leveled directly at global corporations.

The alliance operates on a modular, business-like model that represents the industrialization of cybercrime: Scattered Spider provides initial access, ShinyHunters executes the data theft and monetization, and LAPSUS$ members apply public pressure. This operational trajectory is not coincidental; it directly mirrors the enterprise migration to the cloud, as the group has pivoted from exploiting traditional web application vulnerabilities to subverting the identity and trust models that underpin the SaaS ecosystem. This report provides a definitive analysis of this evolved threat, deconstructing their organization, tactics, and campaigns to equip security leaders with the strategic intelligence required to build a resilient defense.

Anatomy of a Modern eCrime Collective

Understanding ShinyHunters requires looking beyond a single entity and examining the complex, interconnected ecosystem in which they operate. Their motivations are clear, their partnerships are strategic, and their structure is fluid, making them a uniquely resilient and adaptive adversary. This section deconstructs the group’s business model, its core alliances, and the broader cybercrime subculture that fuels its operations.

Motivation and Business Model: Extortion-as-a-Service

ShinyHunters is a financially motivated criminal enterprise, driven by the direct monetization of stolen data. Their business model has matured into a two-pronged strategy that maximizes profit from their intrusions. The first stream involves the large-scale sale of exfiltrated databases on dark web marketplaces like the revived BreachForums, with asking prices often ranging from $500,000 to over $2 million per dataset.

The second, more direct stream is corporate extortion, where the group leverages the threat of public data disclosure to coerce victims into paying a ransom. To amplify this pressure, the group operates a dedicated data leak site where they name non-compliant victims and post samples of the stolen information, creating immense reputational and regulatory pressure. This sophisticated approach functions as an “Extortion-as-a-Service” platform, where the ShinyHunters brand and infrastructure are used to monetize access gained by specialist partners, turning data theft into a scalable criminal enterprise.

The “Scattered Lapsus$ Hunters” Alliance

In 2025, the threat landscape witnessed the formalization of a cybercrime “supergroup” operating under the “Scattered Lapsus$ Hunters” banner, uniting the capabilities of three distinct but interconnected entities. This alliance is not merely a collaboration but a strategic merger of specialized skills, creating a full-service breach-to-extortion pipeline. The operational synergy is built on a clear and effective division of labor that maximizes the strengths of each constituent group.

Scattered Spider (tracked as UNC3944) serves as the initial access specialist, leveraging its mastery of social engineering to compromise corporate networks by “logging in, not hacking in”. ShinyHunters (tracked as UNC6040) then takes over, using its expertise and infrastructure to perform large-scale data exfiltration and manage the monetization and extortion process. Finally, members associated with the LAPSUS$ group act as a force multiplier for the extortion campaign, using their signature playbook of public taunts, media engagement, and chaotic data leaks via platforms like Telegram to intimidate victims and pressure them into payment.

This modular structure allows the syndicate to operate with a level of efficiency and scale that a monolithic group could not achieve. While one team focuses on gaining new access, another can be monetizing a previous breach, increasing their operational tempo and overall impact. This business-like approach represents a significant maturation in the eCrime landscape, posing a complex, multi-stage threat that is far more challenging to defend against than a single actor’s TTPs.

The Com Ecosystem: A Cybercrime Subculture

The Scattered Lapsus$ Hunters alliance operates within a broader, more nebulous entity known as “The Com,” short for “The Community”. The Com is not a formal group but a loosely organized, English-speaking cybercrime subculture populated primarily by technically adept teenagers and young adults. It functions as a decentralized ecosystem where membership is fluid and participants can move between different “crews” or collaborate on specific campaigns.

This ecosystem serves as both a talent pool and an innovation hub for its constituent groups. Key personas, such as the ShinyHunters leader “ShinyCorp” and the operator “Yukari” (an active member of both ShinyHunters and Scattered Spider), leverage The Com to recruit specialists, such as vishing experts from communities like “Sim Land”. The constant exchange of ideas, tools, and techniques within The Com allows groups like ShinyHunters to rapidly adapt their TTPs and remain at the cutting edge of financially motivated cybercrime. This decentralized, subculture-driven structure provides a layer of resilience, making the threat much harder to disrupt than a traditional, hierarchical criminal organization.

Tactics, Techniques, and Procedures (TTPs)

The operational playbook of ShinyHunters and its affiliates demonstrates a sophisticated understanding of the modern enterprise attack surface. Their campaigns strategically avoid targeting hardened network perimeters and instead focus on exploiting the weakest links in the cloud era: human trust and the complex web of digital identities. Their core TTPs reveal a mastery of “Identity-Centric Intrusion,” where the goal is not to “hack in” through software exploits but to “log in” using compromised credentials and abused trust relationships.

Initial Access: The Human Element

The primary method used by the alliance to gain an initial foothold is social engineering, executed with a high degree of skill and scale. The group’s access specialists, typically from Scattered Spider, conduct voice phishing (vishing) campaigns where they impersonate a company’s internal IT help desk or support staff. This tactic, mapped to MITRE ATT&CK T1566.004 (Spearphishing Voice), is designed to exploit an employee’s natural inclination to trust and assist their IT department.

To enhance the effectiveness and scale of these operations, the group has adopted advanced technologies. They have been observed using AI-powered voice generation tools like Bland AI, which can create dynamic, human-like conversational agents that are far more convincing than traditional robocalls. This is supplemented by automated “press-one” (P1) vishing services, often managed through Telegram bots, which allow them to target a vast number of employees with minimal manual effort.

SaaS Platform Exploitation: The Core Playbook

Once a human target is engaged, the alliance executes a series of well-defined plays designed to compromise and exfiltrate data from major SaaS platforms. These campaigns are not opportunistic but are systematic, repeatable processes that abuse the legitimate functionality of the target platforms. The following three campaigns represent the cornerstone of their modern operations.

The Salesforce Vishing Campaign (UNC6040)

This campaign is a classic example of abusing legitimate features through social engineering. The attack chain begins with a vishing call from an operative (tracked as UNC6040) to a targeted employee, often in a customer support or administrative role. The attacker, posing as IT support, guides the employee to Salesforce’s legitimate connected app setup page (e.g., https://login.salesforce[.]com/setup/connect) under the pretense of troubleshooting a technical issue.

The employee is then tricked into entering an 8-character device code provided by the attacker, which initiates and completes an OAuth 2.0 device authorization flow. This action grants a malicious “Connected App” controlled by the attackers persistent API access to the company’s Salesforce instance. The malicious app is often given a benign-sounding name like “MyTicketingPortal” or “SalesforceDataLoader123” to appear legitimate, and because the authorization is performed by a valid, logged-in user, it successfully bypasses security controls like multi-factor authentication (MFA). With the persistent OAuth token in hand, the attacker can then make API calls to exfiltrate massive amounts of data from standard Salesforce objects such as “Account,” “Contact,” “Case,” and “Opportunity”.

The Salesloft/Drift Supply Chain Attack (UNC6395)

This campaign demonstrates the group’s ability to execute sophisticated supply chain attacks that compromise hundreds of victims simultaneously. The attack (tracked as UNC6395) did not target Salesforce customers directly but instead began by compromising a key third-party vendor: Salesloft. The attackers first gained access to Salesloft’s private GitHub repository, likely through stolen developer credentials.

Once inside the repository, they used an open-source secrets scanning tool called TruffleHog to search the source code for hardcoded credentials and API keys. This scan was successful, yielding valid OAuth access and refresh tokens for the Salesloft Drift application—an AI chatbot that integrates deeply into its customers’ Salesforce and Google Workspace environments. Armed with these stolen third-party tokens, the attackers gained immediate, unauthorized API access to the SaaS environments of approximately 760 companies that used the Drift integration, a tactic mapped to MITRE ATT&CK T1550.001 (Application Access Token). Over a ten-day period in August 2025, the group systematically exported an estimated 1.5 billion records from victim Salesforce instances and actively hunted through the stolen data for additional high-value secrets, such as AWS access keys and Snowflake tokens, to facilitate further lateral movement.
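One concrete control against the weak link in this chain is scanning a repository for hardcoded credentials before they reach the default branch. The following is an added example, not code from the report, from Salesloft or from TruffleHog; the regex patterns, entropy threshold and sample files are assumptions/constructed, and a production hook would use a maintained scanner.

```python
"""Pre-commit style scan of source text for hardcoded credentials of the kind the
Salesloft repository compromise yielded (OAuth refresh tokens, AWS access keys).
Added example, not code from the report, from Salesloft or from TruffleHog; the
patterns, entropy threshold and sample files are assumptions/constructed."""
import math
import re

# AWS access key IDs: documented "AKIA" prefix followed by 16 uppercase alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A credential-looking name assigned a quoted literal, e.g. refresh_token = "..."
ASSIGNED_SECRET = re.compile(
    r"(?i)\b(refresh_token|access_token|client_secret|api_key|secret_access_key|password)\b"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]")
ALWAYS_REPORT = ("refresh_token", "access_token")  # unambiguous names: report regardless
MIN_ENTROPY = 3.5   # assumed threshold in bits/char for treating a literal as random-looking
PLACEHOLDER_WORDS = ("example", "changeme", "placeholder", "xxxx", "<", ">")


def shannon_entropy(s: str) -> float:
    """Bits per character: random tokens score high, words and placeholders low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_like_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(w in lowered for w in PLACEHOLDER_WORDS)


def _finding(path: str, lineno: int, kind: str, value: str) -> dict:
    # Never echo the full secret into scanner output; that would just leak it again.
    redacted = value[:4] + "..." + value[-2:] if len(value) > 8 else "***"
    return {"path": path, "line": lineno, "kind": kind, "redacted": redacted}


def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per suspected hardcoded credential in the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(_finding(path, lineno, "aws_access_key_id", m.group(1)))
        for m in ASSIGNED_SECRET.finditer(line):
            name, value = m.group(1).lower(), m.group(2)
            if looks_like_placeholder(value):
                continue  # "changeme" and friends are noise, not leaks
            if name in ALWAYS_REPORT or shannon_entropy(value) >= MIN_ENTROPY:
                findings.append(_finding(path, lineno, f"assigned_{name}", value))
    return findings


def scan_repo(files: dict[str, str]) -> list[dict]:
    """Scan an in-memory {path: contents} tree; a real hook would walk the staged files."""
    results = []
    for path, text in sorted(files.items()):
        results.extend(scan_text(path, text))
    return results


# Constructed sample tree: one leaked refresh token, one AWS key ID (AWS's documented
# example value), and one harmless placeholder that must not be reported.
SAMPLE_FILES = {
    "integrations/drift_client.py":
        'REFRESH_TOKEN = "q7Zx2pL9vB4nT8kW3mR6yH1cJ5dF0gSaE"\n'
        'TOKEN_URL = "https://api.example.invalid/oauth/token"\n',
    "scripts/export_s3.sh":
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync ./out s3://example-bucket/\n",
    "README.md":
        'Set `api_key = "changeme"` in config.ini before running.\n',
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} ({f['redacted']})")
```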

The Snowflake Credential Stuffing Campaign (UNC5537)

The attack on Snowflake customers showcases a simpler, yet brutally effective, approach focused on exploiting poor credential hygiene. This campaign (tracked as UNC5537) was fueled by credentials harvested from widespread infostealer malware infections on systems not owned by Snowflake, with some of the stolen credentials dating as far back as 2020. These credentials, likely purchased from underground criminal marketplaces, were then used in a large-scale credential stuffing attack against Snowflake customer login portals, a tactic mapped to MITRE ATT&CK T1078 (Valid Accounts).

The campaign’s high success rate was almost entirely due to a single, critical security failure: the targeted accounts were not protected by MFA. This allowed the attackers to gain access with only a valid username and password, bypassing a fundamental layer of modern identity security. Once authenticated, the attackers used a combination of standard SQL commands (SHOW TABLES, SELECT * FROM, CREATE STAGE, GET) and a custom reconnaissance tool known as “RapeFlake” or “FROSTBITE” to enumerate, stage, and exfiltrate massive datasets to external cloud storage providers like MEGA.

These three campaigns reveal a clear strategic pattern. In each case, the initial point of compromise was not a vulnerability in the SaaS platform’s code but a failure in the identity and access management (IAM) lifecycle—a tricked user, a stolen third-party token, or a weak password without MFA. This demonstrates a deliberate choice to target the soft underbelly of cloud security: the sprawling and often poorly governed web of human and non-human identities. Consequently, effective defense requires a paradigm shift away from traditional vulnerability management and toward a focus on Identity Threat Detection and Response (ITDR), SaaS Security Posture Management (SSPM), and rigorous governance of all third-party integrations.

MITRE ATT&CK Mapping

To provide a standardized framework for understanding and defending against these threats, the observed tactics, techniques, and procedures (TTPs) of ShinyHunters and its affiliates are mapped to the MITRE ATT&CK® framework. This matrix translates the narrative of their campaigns into a structured, actionable format that security operations teams can use to build detection rules, guide threat hunting missions, and assess the coverage of their security controls.

Tactic | Technique ID | Technique Name | Sub-Technique ID | Sub-Technique Name | Description of Use by ShinyHunters & Affiliates
Initial Access | T1566 | Phishing | T1566.004 | Spearphishing Voice | Core tactic of UNC6040/Scattered Spider, using vishing calls to impersonate IT support and trick employees into authorizing malicious apps.
Initial Access | T1078 | Valid Accounts | - | - | Core tactic of UNC5537, using credentials stolen via infostealer malware to log into Snowflake instances that lack MFA.
Initial Access | T1199 | Trusted Relationship | - | - | The UNC6395 campaign is a classic supply chain attack, abusing the trusted relationship between Salesforce customers and the Salesloft/Drift integration.
Defense Evasion, Lateral Movement | T1550 | Use Alternate Authentication Material | T1550.001 | Application Access Token | Core tactic of UNC6395, abusing stolen OAuth tokens from the Salesloft/Drift integration to access hundreds of Salesforce and Google Workspace environments.
Persistence | T1556 | Modify Authentication Process | T1556.006 | Multi-Factor Authentication | In vishing calls, actors persuade help desk staff to reset MFA settings or enroll new adversary-controlled devices, creating a persistent bypass.
Privilege Escalation, Defense Evasion | T1134 | Access Token Manipulation | T1134.002 | Create Process with Token | The abuse of high-privilege OAuth tokens to act on behalf of an administrative user aligns with the intent of this technique, allowing the attacker to operate with elevated permissions.
Collection | T1114 | Email Collection | - | - | UNC6395 leveraged stolen Drift Email OAuth tokens to exfiltrate data from a small number of Google Workspace accounts.
Collection | T1213 | Data from Information Repositories | T1213.002 | Sharepoint | Mentioned as a collection target in general analysis of similar threat actor campaigns, indicating a known area of interest for data gathering.
Exfiltration | T1567 | Exfiltration Over Web Service | T1567.002 | Exfiltration to Cloud Storage | UNC5537 was observed exfiltrating data from Snowflake to the cloud storage provider MEGA, using it as an external repository for stolen data.

Known Indicators of Compromise (IOCs)

This section provides a consolidated repository of known Indicators of Compromise (IOCs) associated with the campaigns conducted by ShinyHunters and its affiliated threat clusters (UNC6040, UNC6395, and UNC5537). While sophisticated actors rapidly rotate their infrastructure, these IOCs are valuable for historical log analysis and threat hunting to identify potential past or ongoing compromises. However, these static indicators should be used in conjunction with the behavioral detection strategies outlined in the recommendations section for a more resilient, forward-looking defense.

Network Indicators (UNC6040, UNC6395, UNC5537)

IP Addresses: Threat actors frequently used commercial VPN services and the Tor network to obscure their true origin. Logins or API activity from these IP addresses, especially when correlated with other suspicious behavior like bulk data downloads, should be treated as high-risk.

  • Known VPN/Tor IPs: A wide range of IPs associated with services like Mullvad VPN, Private Internet Access (PIA), and various Tor exit nodes have been observed across all major campaigns. A partial list includes: 5.255.123.158, 23.129.64.147, 37.114.50.18, 45.141.215.19, 81.17.28.95, 179.43.159.201, 208.68.36.90.
  • Exfiltration Infrastructure: UNC5537 was observed using Virtual Private Server (VPS) systems from the Moldovan provider ALEXHOST SRL (AS200019) for data exfiltration activities.

Domains: Phishing domains were used in the social engineering phases of the UNC6040 campaign to add a layer of legitimacy to their impersonations.

  • Known Phishing Domains: ticket-dior[.]com, ticket-nike[.]com, ticket-audemarspiguet[.]com.

Host & Application Indicators

User-Agent Strings: The attackers used specific, and sometimes custom, user-agent strings during their data exfiltration activities, which can serve as a high-fidelity indicator of their tools.

  • Known User-Agents: Salesforce-Multi-Org-Fetcher/1.0, Salesforce-CLI/1.0, python-requests/2.32.4, Python/3.11 aiohttp/3.12.15.

Application IDs & Names: The UNC6040 and UNC6395 campaigns relied on the abuse of specific OAuth applications.

  • Malicious App Names: Generic or impersonating names such as “MyTicketingPortal” or “SalesforceDataLoader123” were used to trick users during the authorization process.
  • Compromised App IDs (Google Workspace): The Drift Email application ID 1084253493764-ipb2ntp4jb4rmqc76jp7habdrhfdus3q.apps.googleusercontent.com was exploited in the UNC6395 campaign.

Threat Actor Aliases & Infrastructure

Threat Clusters: Security researchers track the distinct activity clusters associated with the alliance under the following UNC (Uncategorized) designations:

  • UNC6040: Associated with the Salesforce vishing and malicious OAuth app campaign.
  • UNC6395: Associated with the Salesloft/Drift supply chain attack and OAuth token theft.
  • UNC5537: Associated with the Snowflake credential stuffing campaign.

Email Addresses: The group has used specific email addresses for extortion communications.

  • Known Extortion Emails: shinycorp@tuta[.]com, shinygroup@tuta[.]com, shinyhuntersgroups@tutamail[.]com.

Cloud Infrastructure: The attackers utilized their own cloud infrastructure to stage attacks.

  • Malicious AWS Account ID: The AWS account ID 337122806991 was identified as being used by UNC6395 to conduct reconnaissance against S3 buckets.

High-Profile Victims and Campaigns

The impact of ShinyHunters and their affiliates is best understood through the lens of their victims. The group has consistently targeted large, data-rich organizations across a wide range of industries, including technology, telecommunications, finance, retail, and education. The following table provides a consolidated chronicle of their most significant and well-documented breaches, contextualizing each incident with the scale of the victim, the attack vector employed, and the ultimate outcome of the compromise. This list is not exhaustive but represents the campaigns that have defined the group’s evolution and cemented its reputation as a top-tier eCrime threat.

Victim | Approx. Date | Company Size/Revenue (at time of breach) | Attack Vector / Threat Cluster | Data Stolen / Impact | Public Leak Status
Microsoft | May 2020 | Tech Giant (~$143B FY2020 Revenue) | GitHub Repo Compromise | 500 GB of private source code from the company’s private GitHub account. | A 1 GB sample was published on a hacking forum to validate the claim.
AT&T | 2021 (Acknowledged 2024) | Telecom Giant (~$122B FY2023 Revenue) | Unknown (claimed by ShinyHunters) | Personally Identifiable Information (PII) for 70 million subscribers, including names, addresses, phone numbers, and Social Security numbers. | The dataset was initially offered for sale in 2021 and was later leaked for free on a hacking forum in March 2024.
PowerSchool | Dec 2024 | EdTech Leader (~$697M FY2023 Revenue) | Stolen Subcontractor Credentials | PII for 62 million students and 9.5 million teachers, including highly sensitive data like SSNs, medical information, and parental contacts. | The company paid a $2.85 million ransom to prevent the data’s release, but was later targeted with re-extortion attempts using the same data.
Ticketmaster | May 2024 | Ticketing Giant (~$23B FY2024 Revenue) | Snowflake Credential Stuffing (UNC5537) | PII and partial credit card data for an estimated 560 million customers, totaling 1.3 TB of data. | The complete dataset was offered for a one-time sale of $500,000 on the revived BreachForums.
Santander Bank | May 2024 | Global Bank (~$67B FY2024 Revenue) | Snowflake Credential Stuffing (UNC5537) | Data on 30 million customers and staff across Spain, Chile, and Uruguay, including bank account details, 28 million credit card numbers, and HR records. | The dataset was offered for sale on BreachForums for $2 million.
Red Hat | Sep 2025 | Software Leader (~$6.5B Annual Run Rate) | GitLab Instance Compromise (Crimson Collective) | 570 GB of data from a consulting GitLab instance, including 800 sensitive Customer Engagement Reports (CERs) containing client infrastructure details. | Samples were leaked on Telegram, with the full dataset threatened for release if a ransom was not paid.
Multiple (Salesforce Vishing) | 2025 | Various (Google, Cisco, LVMH, Qantas, Adidas, Disney, Marriott, etc.) | Vishing & OAuth Abuse (UNC6040) | Customer Relationship Management (CRM) data, including contact lists, customer profiles, loyalty program data, and internal business notes. | A dedicated dark web leak site was launched to name and extort 39 high-profile victims, threatening public disclosure.
Multiple (Salesloft/Drift) | Aug 2025 | 760 Companies (Palo Alto Networks, Zscaler, Cloudflare, etc.) | Supply Chain / Stolen OAuth Tokens (UNC6395) | An estimated 1.5 billion Salesforce records were exfiltrated. The stolen data was also actively scanned for further credentials like AWS keys and Snowflake tokens. | The group announced plans for a separate extortion campaign and leak site for these victims.

Strategic Recommendations and Defensive Posture

Defending against a threat as adaptive and sophisticated as the ShinyHunters alliance requires a multi-layered strategy that moves beyond traditional, perimeter-focused security. The group’s success hinges on exploiting human behavior and the inherent trust models of modern SaaS ecosystems. Therefore, an effective defensive posture must harden the human element, secure the sprawling SaaS attack surface, and implement advanced technical detection capabilities tailored to their specific TTPs.

Hardening the Human Perimeter (Countering Vishing)

The reliance of UNC6040 on vishing makes the human element the first and most critical line of defense. Organizations must assume their employees will be targeted and equip them with the tools and training necessary to resist social engineering.

  • Implement Stringent Verification Protocols: All IT help desk requests that involve sensitive actions, such as password resets, MFA device changes, or application authorizations, must be subject to a strict, out-of-band identity verification process. This should involve a callback to a pre-registered phone number on file for the employee, not the number the caller is using. Under no circumstances should easily discoverable information like a supervisor’s name or the last four digits of an SSN be accepted as proof of identity.
  • Conduct Realistic, Scenario-Based Training: Generic phishing awareness training is insufficient. Organizations should conduct regular vishing simulations that mimic the specific tactics used by UNC6040, such as impersonating IT support and guiding users through a seemingly legitimate process. This builds muscle memory and helps employees recognize the red flags of a real attack.
  • Foster a Culture of Healthy Skepticism: Security awareness programs must empower employees to question and refuse urgent or unusual requests, regardless of the caller’s apparent authority. Create a simple, well-publicized process for employees to report suspicious calls without fear of reprisal, ensuring that security teams can quickly investigate potential threats.

Securing the SaaS Ecosystem (Countering OAuth & Supply Chain Abuse)

The UNC6395 and UNC5537 campaigns highlight the immense risk posed by poorly governed SaaS integrations and weak identity controls. Securing this ecosystem requires a shift toward a Zero Trust mindset, where access is never implicitly trusted.

  • Enforce Rigorous OAuth Governance: Implement a “deny-by-default” or “admin approved” policy for all new OAuth and Connected App installations in platforms like Salesforce and Google Workspace. This prevents users from unilaterally authorizing potentially malicious applications. Conduct regular audits of all existing connected apps, enforcing the principle of least privilege by revoking unnecessary permissions and removing any applications that are unused or unrecognized.
  • Strengthen Third-Party Risk Management: Treat every third-party application integrated into your core SaaS platforms as a potential attack vector. The security posture of vendors like Salesloft should be scrutinized as an extension of your own, as a compromise of their environment can lead directly to a breach of yours. Ensure that contracts and security assessments cover the vendor’s own software development lifecycle and credential management practices.
  • Mandate Phishing-Resistant MFA: Enforce the use of strong, phishing-resistant multi-factor authentication across all SaaS platforms, especially for privileged accounts and access to sensitive data repositories like Snowflake. The success of the UNC5537 campaign was almost entirely predicated on the absence of MFA, making its universal adoption one of the single most effective controls against this type of attack.

Technical Detection and Response

Proactive detection and rapid response are essential for mitigating the impact of an intrusion, as the attackers move quickly to exfiltrate data once they gain access. Security operations teams must tune their monitoring and response capabilities to the specific behaviors exhibited by the ShinyHunters alliance.

  • Leverage SaaS-Native Logging: Actively monitor and alert on high-fidelity events within your core SaaS platforms. For Salesforce, this means utilizing Shield Event Monitoring to detect suspicious activities such as new or unusual OAuth app authorizations, high-volume API calls or report exports from a single user, and concurrent user sessions from geographically disparate IP addresses.
  • Conduct Behavior-Based Threat Hunting: Do not rely solely on static IOCs. Proactively hunt for anomalous activity patterns that align with the attackers’ TTPs. For example, build queries to detect a user login from a known VPN or Tor exit node, immediately followed by a series of API calls consistent with bulk data enumeration and exfiltration.
  • Develop SaaS-Specific Incident Response Playbooks: Traditional incident response plans focused on endpoint and network forensics are insufficient for cloud-native breaches. Develop and test specific playbooks for SaaS security incidents that include procedures for rapidly revoking suspicious OAuth tokens, disabling or isolating compromised user accounts, and preserving and analyzing SaaS audit logs to determine the scope of data exfiltration.
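As an added example (not code from the report or from any of the platforms named above), the following hunt runs over constructed Salesforce-style audit events and flags the pattern the logging and threat-hunting recommendations describe: a login carrying a risk signal (a known VPN/Tor IP from the IOC section, or a known tooling user agent) followed within a short window by bulk API calls or report exports. The JSON-lines log format, field names, thresholds and sample events are assumptions.

```python
"""Behavior-based hunt over SaaS audit events for the pattern described above: a login
with a risk signal (known VPN/Tor IP or known tooling user agent) followed within a short
window by bulk API calls or report exports. Added example, not from the report; the
JSON-lines log format, field names, thresholds and sample events are assumptions/constructed."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Static indicators quoted in the report's IOC section (partial; attackers rotate these).
IOC_IPS = {"5.255.123.158", "23.129.64.147", "37.114.50.18", "45.141.215.19",
           "81.17.28.95", "179.43.159.201", "208.68.36.90"}
IOC_USER_AGENTS = ("Salesforce-Multi-Org-Fetcher/1.0", "Salesforce-CLI/1.0",
                   "python-requests/2.32.4", "Python/3.11 aiohttp/3.12.15")

# Hunt tunables (assumed, not values from the report).
WINDOW = timedelta(minutes=30)  # bulk activity must start this soon after the login
BULK_CALLS = 5                  # calls/exports within WINDOW that count as bulk
BULK_ROWS = 100_000             # rows returned within WINDOW that count as bulk
BULK_EVENTS = {"ApiCall", "ReportExport"}

# Constructed sample audit log (simplified JSON lines): alice is normal, bob logs in from
# an IOC IP and enumerates with known tooling, carol uses a benign IP but bulk-exports
# through a scripted client half an hour after logging in.
SAMPLE_LOG = """
{"ts":"2025-08-12T09:00:00Z","user":"alice","event":"Login","ip":"203.0.113.10","ua":"Mozilla/5.0","rows":0}
{"ts":"2025-08-12T09:05:00Z","user":"alice","event":"ReportExport","ip":"203.0.113.10","ua":"Mozilla/5.0","rows":1200}
{"ts":"2025-08-12T10:00:00Z","user":"bob","event":"Login","ip":"45.141.215.19","ua":"Mozilla/5.0","rows":0}
{"ts":"2025-08-12T10:01:00Z","user":"bob","event":"ApiCall","ip":"45.141.215.19","ua":"Salesforce-Multi-Org-Fetcher/1.0","rows":50000}
{"ts":"2025-08-12T10:02:00Z","user":"bob","event":"ApiCall","ip":"45.141.215.19","ua":"Salesforce-Multi-Org-Fetcher/1.0","rows":50000}
{"ts":"2025-08-12T10:03:00Z","user":"bob","event":"ApiCall","ip":"45.141.215.19","ua":"Salesforce-Multi-Org-Fetcher/1.0","rows":50000}
{"ts":"2025-08-12T10:04:00Z","user":"bob","event":"ApiCall","ip":"45.141.215.19","ua":"Salesforce-Multi-Org-Fetcher/1.0","rows":50000}
{"ts":"2025-08-12T10:05:00Z","user":"bob","event":"ApiCall","ip":"45.141.215.19","ua":"Salesforce-Multi-Org-Fetcher/1.0","rows":50000}
{"ts":"2025-08-12T11:00:00Z","user":"carol","event":"Login","ip":"198.51.100.7","ua":"Mozilla/5.0","rows":0}
{"ts":"2025-08-12T11:30:00Z","user":"carol","event":"ApiCall","ip":"198.51.100.7","ua":"python-requests/2.32.4","rows":250000}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def hunt(events: list[dict]) -> list[dict]:
    """Return one finding per login that carries a risk signal and is followed by bulk activity."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, login in enumerate(evs):
            if login["event"] != "Login":
                continue
            risk = []
            if login["ip"] in IOC_IPS:
                risk.append(f"login from IOC IP {login['ip']}")
            # Bulk-type events by the same user inside the window after this login.
            post = [x for x in evs[i + 1:]
                    if x["event"] in BULK_EVENTS and x["ts"] - login["ts"] <= WINDOW]
            tooling = sorted({x["ua"] for x in post if x["ua"].startswith(IOC_USER_AGENTS)})
            if tooling:
                risk.append("known tooling user agent " + ", ".join(tooling))
            calls, rows = len(post), sum(x["rows"] for x in post)
            bulk = calls >= BULK_CALLS or rows >= BULK_ROWS
            # Either signal alone is noisy; the report's pattern is the combination.
            if risk and bulk:
                findings.append({"user": user, "login_ts": login["ts"].isoformat(),
                                 "ip": login["ip"],
                                 "reasons": risk + [f"bulk activity: {calls} calls, {rows} rows"]})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f["user"], f["ip"], "; ".join(f["reasons"]))
```

Feeding real Shield Event Monitoring exports through the same rule only requires mapping their field names onto the assumed `ts`/`user`/`event`/`ip`/`ua`/`rows` keys.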