ShinyHunters Wage Broad Corporate Extortion Spree
8 hours ago
- #ransomware
- #cybercrime
- #data-breach
- A cybercriminal group known as ShinyHunters used voice phishing (vishing) to siphon more than a billion records from the Salesforce instances of Salesforce customers, and is now threatening to publish data stolen from Fortune 500 firms unless they pay ransoms. The data was taken from customers' own Salesforce environments, not from Salesforce's internal systems.
- The group also claimed responsibility for breaches involving Discord user data and theft of sensitive files from Red Hat customers.
- In May 2025, ShinyHunters began a social engineering campaign against Salesforce customer environments: employees were talked over the phone into approving a malicious connected app, which gave the attackers access to the organization's Salesforce data without exploiting any flaw in the Salesforce platform itself. The first check for a Salesforce admin is therefore to review which connected apps and OAuth grants users have authorized and revoke anything unrecognized.
- Google's Threat Intelligence Group (GTIG) warned about ShinyHunters extorting victims and planning to launch a data leak site.
- A victim shaming blog, 'Scattered LAPSUS$ Hunters,' began publishing names of affected companies, including Toyota, FedEx, Disney/Hulu, and UPS.
- The group also claimed responsibility for breaching a Red Hat GitLab server holding more than 28,000 Git code repositories and some 5,000 Customer Engagement Reports (CERs), consulting documents that describe Red Hat customers' environments.
- Discord notified users affected by a breach at a third-party customer service provider; the exposed data includes usernames, email addresses, IP addresses and limited billing information, such as payment type and the last four digits of card numbers, rather than full payment card details.
- ShinyHunters set an October 10 deadline for Salesforce victims to pay, and says it will next extort organizations affected by the earlier theft of data through the Salesloft Drift integration.
- Salesforce stated it will not negotiate or pay extortion demands, focusing on defense, forensic analysis, and cooperation with law enforcement.
- The extortion crew brands itself 'Scattered LAPSUS$ Hunters,' a name that combines Scattered Spider, LAPSUS$ and ShinyHunters: three loosely affiliated collectives whose members overlap and who coordinate via Telegram and Discord.
- A critical pre-authentication remote code execution flaw in Oracle's E-Business Suite (CVE-2025-61882) was exploited as a zero-day by the Clop ransomware gang; details of the bug were first made public by the Scattered LAPSUS$ Hunters group rather than by Oracle, which has since issued an emergency patch that affected organizations should apply immediately.
- The group has also sent threatening messages with malicious attachments to security researchers, including an AsyncRAT trojan disguised as a Windows screenshot file: an executable masquerading as an image, a lure that should be caught by blocking executable attachments and showing file extensions.
- Law enforcement agencies are under pressure to apprehend members, with recent charges against alleged Scattered Spider members in the U.K. and U.S.
- Notable cases include a 19-year-old U.K. resident linked to LAPSUS$ who has been charged, and a 20-year-old Florida man sentenced to 10 years in prison for his cybercrime activities.