ShinyHunters
Financially motivated threat group known for large-scale data theft and extortion, responsible for numerous high-profile database breaches sold on criminal forums.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High · ≥ 3 Moderate · < 3 Low
Attribution signals
43 mentions · 11 sources
"Instructure confirmed that ShinyHunters had exploited a vulnerability in its "Free-for-Teacher" account creation system."
"The Snowflake-related breaches in 2024 and the CRM-focused attacks in 2025—largely attributed to Shiny Hunters—impacted organizations globally."
"Today, the threat actor confirmed to BleepingComputer that they were behind the attacks"
"The credential harvesting domains attributed to UNC6661 commonly, but not exclusively, use the format sso.com or internal.com and have often been registered with NICENIC."
"Mandiant has observed incidents where attackers impersonate support personnel from third-party vendors to gain access."
"Technical controls such as detection of caller ID spoofing, and deepfake audio (which has been used by the ShinyHunters group)."
"ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal and corporate information"
"GTIG assesses that the group has targeted dozens of organizations across North America, Australia, and the UK."
"In January 2026, the ShinyHunters threat group demonstrated a bypass technique that compromised authentication apps and tokens across more than 100 organizations"
"GTIG assesses that the operations are independent."
"GTIG has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand"
Hedge terms observed