
Threat Actor Profile · HiveForce Labs Threat Intelligence
From the database bazaar to a federated extortion brand, ShinyHunters has stolen 3B+ records from 300+ named victims across five operational eras. As of July 2026 the group operates inside the Scattered LAPSUS$ Hunters (SLH) alliance, running concurrent Salesforce OAuth, Canvas, and identity-platform campaigns against the global enterprise.
Section 01
ShinyHunters is the longest-running, most adaptive financially-motivated data-theft group of the past decade. Across seven years and five operational eras, the threat actor has moved from consumer database dumps to cloud data warehouses, Salesforce CRM environments, SaaS supply-chain integrations, and identity-platform fronts — stealing more than 3B+ records in total. ShinyHunters has never been disrupted by law enforcement action because the brand has always been larger than any single operator behind it.
As of July 2026, ShinyHunters is running multiple concurrent campaigns against the global enterprise — not as a single group, but as a federated brand operating under the Scattered LAPSUS$ Hunters (SLH) alliance alongside Scattered Spider and LAPSUS$.
Industrial-scale voice-phishing has hit Google, Cisco, Adidas, Qantas, LVMH, Allianz, Workday, Pandora, Chanel, and TransUnion. ShinyHunters claims 1.5B records exfiltrated from 760 Salesforce tenants via stolen Drift OAuth tokens.
In August 2025, ShinyHunters, Scattered Spider, and LAPSUS$ publicly merged as Scattered LAPSUS$ Hunters. The alliance pools initial access, exfiltration, and extortion capabilities. The ShinyHunters brand identity is now plural — and partially impersonated by unaffiliated actors.
3.65 TB / 275M Canvas records were stolen via a Free-for-Teacher support-ticket vulnerability. Approximately 330 institutional Canvas portals were defaced on May 7, and Instructure paid the ransom on May 11 in exchange for a "shred log" proof of destruction. Penn, Princeton, Harvard, McGraw Hill, and Follett confirm this is a sector-wide campaign, not an isolated incident.
Section 02
Each ShinyHunters era industrialises the previous era's tradecraft against a higher-leverage attack surface. The business model is unchanged — exfiltrate, extort, leak — while the blast radius escalates.
Emerged on the breach-forum economy industrialised by Gnostic Players. Each breach was a separate phishing operation; harvested credentials were reused and databases auctioned on RaidForums. Era 1 built the ShinyHunters brand into a publicly-tradeable trademark by end-2021 — the asset that has survived every later law-enforcement action.
Raoult was arrested in Morocco in 2022 and sentenced in January 2024 (36 months plus $5M restitution); co-conspirators were indicted. Operations continued because decapitation requires a singular leader, and ShinyHunters never had one. The "lapsus$hiny$catteredwizard$pider" Telegram channel (late 2024) shows alliance ties were already live.
UNC5537, overlapping with ShinyHunters, bought infostealer logs and walked into roughly 165 Snowflake tenants. AT&T paid ~$370K in BTC for deletion. Moucka was arrested in late 2024, but the operation continued — breaking the one-victim-at-a-time model by targeting a platform sitting under 165 enterprises simultaneously.
ShinyHunters vishing led to a modified Data Loader and mass exfiltration of Accounts, Contacts, and Cases — tracked as UNC6240 extortion. On August 28, ShinyHunters stole Drift OAuth tokens across 760 Salesforce tenants, claiming 1.5B records. "We have MFA" was bypassed by social engineering; defence shifted to identity, OAuth lifecycle, and SaaS audit.
ShinyHunters, Scattered Spider, and LAPSUS$ federate as Scattered LAPSUS$ Hunters. "Retirement" was performative — the Aura misconfiguration (March 2026, 400+ companies) and the Canvas breach (May 2026) followed. Brand is plural but unequal: ShinyHunters and Scattered Spider run independent operations inside SLH, while LAPSUS$ has had no solo victim since August 2025.
Per HivePro TA2026107 (April 2026), the ShinyHunters name is now used by at least three operationally distinct entities. Every ShinyHunters attribution claim should be treated as a marketing assertion to be validated, not a forensic fact.
Inside the SLH alliance. Runs the high-end campaigns: Salesforce vishing (Cisco, Adidas, Qantas), Drift/Gainsight OAuth abuse, Salesforce Aura, and Canvas/Instructure. Operates the shinyhunte.rs data leak site and the canonical Tox / BTC negotiation channels.
Telegram and dark-web operators using the ShinyHunters name without affiliation, extorting victims under the brand. Explicitly observed in the May 2025 PowerSchool school-district re-extortion. ShinyHunters has publicly denied operating retail sales channels.
Operators such as "DB+ Collector" conduct no intrusions — they aggregate and resell infostealer-log credentials under the ShinyHunters umbrella name. Their threat is credential exposure, not direct system compromise.
Implication: paying one "ShinyHunters" extortion demand does not prevent another. The brand is plural — extortion liability is per-claim, not per-actor.
The ShinyHunters Salesforce breach path follows a consistent five-step loop. Each step has discrete defensive controls, and a different team accountable for them.
| Step | Stage | Tradecraft |
|---|---|---|
| 1 | Identity Acquisition | Vishing to help desk; IT-impersonation calls; victim-branded credential portals; real-time MFA relay; infostealer log markets. |
| 2 | Persistence | Register attacker MFA device; delete "method enrolled" emails (ToogleBox Recall); authorize malicious Connected Apps. |
| 3 | Lateral Movement | Use SSO session to pivot Salesforce → M365 → SharePoint → Slack; search for confidential, internal, proposal, and VPN content. |
| 4 | Exfiltration | Modified Salesforce Data Loader; PowerShell-driven SharePoint bulk downloads; OAuth token-stuffed API extraction. |
| 5 | Extortion | 72-hour BTC timer via Tox; ShinyHunters data leak site publication; SMS harassment; DDoS amplification; private dataset sale up to $1M. |
Key finding: no malware executes on an endpoint in steps 1–4 of the ShinyHunters Salesforce chain. EDR has zero defensive value against this chain. The high-leverage controls are identity-side and SaaS-audit-side, not endpoint-side.
ShinyHunters is identity-first; CVE exploitation is a minor part of the group's tradecraft. Most of the ShinyHunters attack surface is SaaS integrations and OAuth abuse, not patchable bugs.
| CVE | Product | CVSS | Use by ShinyHunters / SLH |
|---|---|---|---|
CVE-2025-31324 | SAP NetWeaver – unrestricted file upload | 10.0 | SLH publicly claimed exploitation |
CVE-2025-61882 | Oracle E-Business Suite (BI Publisher) | 9.8 | SLH leaked PoC October 2025; mass exploitation by Cl0p |
CVE-2021-35587 | Oracle Access Manager | 9.8 | "Yukari" persona – Oracle 12c data theft |
CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | 9.8 | Unauthenticated RCE used for initial access |
| no CVE | Salesforce Aura / Experience Cloud misconfiguration | – | March 2026 – ~400 companies affected |
| no CVE | Salesloft–Drift OAuth token theft | – | TruffleHog-enabled → 760 Salesforce tenants → 1.5B records claimed |
| no CVE | Gainsight Salesforce integration OAuth abuse | – | November 2025 – 285 Salesforce instances |
Named ShinyHunters victim counts across SLH-era operations cluster by sector. Financial services leads because Salesforce CRM penetration is highest — UNC6040 activity concentrates where the data is. Tech and SaaS victims cluster around the Drift/Gainsight cascade, where vendors are compromised through their own customers' integrations. Education is the newest and most concentrated escalation, moving from Penn to Harvard to Princeton to Canvas in eight months.
HiveForce Labs' forecast of where the SLH alliance is most likely to escalate next, based on tradecraft maturity, attack-surface migration, and recently-claimed access.
Education-sector escalation continues. After Instructure paid the ransom on May 11 — a confirmed payday on a 3.65 TB exfiltration — expect similar pressure on Blackboard, D2L, and Schoology customers; extortion of K-12 districts directly, bypassing the LMS vendor; targeted lifts of donor and alumni databases at additional Ivies and R1 universities; and follow-on impersonation phishing against the 9,000 Canvas-customer institutions, regardless of Instructure's data-destruction proof.
More Salesforce-AppExchange supply-chain hits. Drift (August 2025) and Gainsight (November 2025) established the playbook. Any AppExchange-published integration with broad OAuth scopes — analytics, AI assistants, marketing-attribution tools — is a viable next vector. Expect another large-scale OAuth cascade by Q3.
ShinySp1d3r RaaS launches operationally. The teased "ShinySp1d3r" VMware ESXi ransomware would move SLH from pure data-theft into encryption-enabled double extortion, closing the one gap relative to ALPHV/BlackCat-era playbooks. Initial victim disclosures are likely in the manufacturing or healthcare sector.
Government / NGO extortion expansion. The EU Commission (March 2026) and CIC Vietnam (September 2025) incidents show willingness to hit state-affiliated targets. Expect additional EU agencies, mid-tier national governments, and large NGOs to receive extortion demands, testing the political response calculus.
Section 03
Four pillars, ordered by leverage rather than familiarity, derived from HivePro TA2026107, the Mandiant January 2026 hardening guide, and SLH post-incident response patterns.
Deploy FIDO2 keys or passkeys for all workforce accounts, mandatory for SSO admins. Push, SMS, and TOTP are all trivially captured by ShinyHunters-style vishing. Hardware-bound credentials cannot be relayed.
Run a daily OAuth-token audit. Allowlist Salesforce Connected Apps and remove mass-export permissions from non-admin users. Define trusted IP ranges and rotate API keys in BrowserStack, GitHub, GitLab, Jira, and Azure DevOps.
Alert on ToogleBox Recall authorization events, deletion of "MFA enrolled" emails, PowerShell-driven SharePoint bulk downloads, Salesforce Data Loader exports from untrusted IPs, and Okta admin role assignments from anonymized IPs.
Prioritize CVE-2025-31324 (SAP NetWeaver), CVE-2025-61882 (Oracle E-Business Suite), and CVE-2021-35587 (Oracle Access Manager) under a 24-hour patch service level agreement.
Subscribe to ShinyHunters, Scattered Spider, and LAPSUS$ tracking with auto-alerting on new IOCs and TTPs as the SLH alliance evolves.
Track and prioritize CVE-2025-31324, CVE-2025-61882, CVE-2021-35587, and CVE-2026-35273 across all internet-facing SAP, Oracle EBS, Oracle Access Manager, and PeopleSoft deployments.
Monitor LummaC2, StealC, Vidar, RedLine, Meduza, and Rhadamanthys — the infostealer pipeline that feeds ShinyHunters and SLH initial access.
Auto-import network and endpoint indicators of compromise directly into SIEM, EDR, firewall, and SaaS-audit log telemetry.
Section 04
High-level ShinyHunters IOC inventory across UNC6661, UNC6671, and SLH clusters. The complete corpus — 95+ SHA256 hashes, 26 IPv4 addresses, 22 phishing domains, and full payment and negotiation indicators — is published in the HiveForce Labs advisories referenced below.
<company>sso, <company>okta<companyname>sso.com, <companyname>okta.com, <companyname>internal.com — registered via NICENIC or Tucows.Section 05
MITRE ATT&CK operational hotspots for ShinyHunters and the SLH alliance. Heat shows where SLH operators spend the most time across the intrusion lifecycle.
T1566.004T1078T1195T1111T1528T1539T1098.005T1136.003T1550.001T1578.005T1213T1119T1567.002T1041T1020T1071.001T1090.003T1657T1498Section 06
ShinyHunters and SLH alliance intelligence in this profile draws on the following HiveForce Labs advisories, which contain the complete IOC corpus and technical detail.
TA2025307 — IOC Ingestion ReferenceTA2026107 — ShinyHunters Attribution ReferenceTA2026165 — IOC Ingestion Reference