ShinyHunters called Wynn Resorts. An employee, believing they were speaking with IT support, surrendered their credentials in real time. The breach was effectively complete before Wynn's security team knew a call had been placed.
That phone call was not where the attack began. It was where it ended. The real work — the reconnaissance that exposed the organisation — happened long before.
The Intelligence Phase Nobody Talks About
Before any contact is made, groups like ShinyHunters conduct structured reconnaissance on their target. They are not improvising. They are answering specific questions: who manages IT access? What SSO platform does the company use? Are any employee credentials already in breach databases? Is there a public login portal? Does the company's GitHub reveal useful internal detail?
This phase is silent, leaves no trace on your systems, and relies entirely on publicly available information — job postings, LinkedIn profiles, GitHub repositories, Shodan results, and breach data already circulating on underground forums. By the time anyone picks up the phone, the caller already knows the target's name, job title, and which platform they need access to.
Who ShinyHunters Is
ShinyHunters emerged in 2020 as a financially motivated criminal group with roots in the cybercriminal ecosystem known as the Com — a loose network of predominantly English-speaking, Western hackers primarily based in North America and the UK. They are not a state actor. There is no geopolitical agenda. Their motivation is straightforward: steal high-value datasets and extort companies under a pay-or-leak model.
Since 2020, ShinyHunters has claimed responsibility for breaches at over 100 named organisations. Their operational scale expanded significantly in 2024 when they used credentials harvested by infostealer malware to access at least 160 companies through unprotected Snowflake environments — a campaign that yielded 73 million AT&T records, 560 million Ticketmaster customer details, and data from Santander Bank's operations across Chile, Spain, and Uruguay. In 2025, a formal operational alliance with Scattered Spider and LAPSUS$ produced what researchers now term the Scattered LAPSUS$ Hunters supergroup, attributed to breaches at over 760 organisations including Google, Cisco, Adidas, and Qantas.
What They Look for Before They Call
ShinyHunters' current preferred attack chain starts with vishing — voice phishing — to extract SSO credentials in real time. This requires knowing who to call and what to ask for. That knowledge is assembled in advance from five primary sources.
LinkedIn. A company's IT helpdesk team, IAM engineers, and SSO administrators are typically identifiable by job title. Scattered Spider — ShinyHunters' closest operational ally — has built its entire attack methodology around calling these specific roles, because they hold the access needed to reset credentials and override controls across an entire organisation. The 2025 vishing campaigns targeting Salesforce customers began with LinkedIn searches for helpdesk and IT operations staff.
Job postings. A posting for a "Salesforce Administrator" or "Okta IAM Engineer" confirms which platforms are in use before a single call is made. In the 2025 Salesforce campaign, ShinyHunters used job posting data to identify platform-dependent organisations and pre-screen targets by technology stack. "Experience with Okta required" is marketing copy to job applicants and targeting intelligence to adversaries.
Breach databases. Employee email addresses from previous unrelated breaches are routinely cross-referenced against corporate domains. Credential stuffing against public SSO portals is a standard pre-call step to identify which accounts are still active and whether password reuse is present. The Snowflake campaign succeeded specifically because credentials stolen by infostealer malware were tested against Snowflake login portals that had no MFA enforced.
Public SSO portals. Login pages at subdomains like company.okta.com or accounts.company.com are discoverable via Shodan and standard Google dorking. A visible portal is a confirmed, indexed attack surface. Its existence also confirms the SSO provider in use.
GitHub and public repositories. Hardcoded tokens, references to internal systems, API endpoint structures, and infrastructure naming conventions regularly appear in public repositories — often in historical commits made years ago and never cleaned up, which stay visible in the history even after the offending file was later changed. Even configuration file templates reveal internal architecture.
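An added, illustrative example (not code from the original article): a minimal scanner that walks `git log -p` output and reports secrets by the commit that introduced them, since a token deleted in a later commit is still in the history. The token signature is simplified, the entropy threshold is an assumed cut-off, and the sample log and fake token are constructed.

```python
import math
import re
from collections import Counter
# Simplified signatures: one well-known token prefix plus a generic
# "name = value" catch-all that is gated by the entropy check below.
TOKEN_PATTERNS = [
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("generic_secret", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})")),
]
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed, tunable cut-off

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_git_log(log_text):
    """Scan `git log -p` output. Only added ('+') lines are examined, so a secret
    is attributed to the commit that introduced it even if later removed."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git"):
            path = line.split(" b/")[-1]
        elif line.startswith("+") and not line.startswith("+++"):
            for name, pat in TOKEN_PATTERNS:
                m = pat.search(line[1:])
                if not m:
                    continue
                candidate = m.group(m.lastindex or 0)
                # Low-entropy values (placeholders, sample strings) are skipped.
                if name == "generic_secret" and shannon_entropy(candidate) < ENTROPY_THRESHOLD:
                    continue
                findings.append({"commit": commit, "path": path, "type": name,
                                 "preview": candidate[:6] + "..."})
                break  # one finding per added line
    return findings

# Constructed excerpt: fake token added in commit ...01, removed in ...02; placeholder never flagged.
SAMPLE_LOG = """\
commit 0000000000000000000000000000000000000002
diff --git a/deploy/config.py b/deploy/config.py
-GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
commit 0000000000000000000000000000000000000001
diff --git a/deploy/config.py b/deploy/config.py
+GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
+DB_PASSWORD = "CHANGEME_CHANGEME"
"""
```

Run it over `git log -p --all` for each public repository; a finding in an old commit means the value must be rotated, not merely deleted from the current tree.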
Who Gets Targeted: Geographic, Sector, and Technology Preferences
ShinyHunters is not indiscriminate. Their targeting reflects a rational cost-benefit calculation: organisations with large customer datasets generate more extortion leverage, and companies in certain sectors face disproportionate reputational consequences from a public data release — making them more likely to pay.
Geographic profile. The group is US-dominant by target volume, reflecting the concentration of large enterprises and the relative scale of US breach markets. Their geographic scope has expanded materially over time. The 2024 Snowflake campaign reached Australia (Qantas), Spain and Latin America (Santander), and Japan (Mitsubishi). The 2025–2026 campaigns have targeted European telecoms explicitly, with Odido in the Netherlands as the most prominent example. Pizza Hut Australia, Tokopedia in Indonesia, and BigBasket in India demonstrate that English-language market concentration is a preference, not a constraint. The key selection variable is not geography but the size and sensitivity of the data a company holds and its reputational exposure to a public release.
Sector profile. Confirmed victims cluster in telecommunications, cloud and SaaS infrastructure, luxury hospitality and entertainment, dating and lifestyle platforms, financial services, food delivery and subscription services, and higher education. The 2025 Salesforce campaign added Cloudflare, Proofpoint, BeyondTrust, CyberArk, and Palo Alto Networks to a list that already included Match Group, Crunchbase, Panera Bread, and Wynn Resorts. The common thread is reputational exposure: a telecom operator, a dating app, or a luxury hotel chain faces a qualitatively different order of reputational damage from a data release than a B2B logistics company. That asymmetry is factored into the ransom calculation.
Technology stack as a targeting signal. Confirmed victims in the 2024 Snowflake campaign and the 2025 Salesforce campaign share one trait — they were publicly known users of those platforms. Platform relationships appear in job postings, partner directories, case studies, and conference speaker bios. Platform membership is not confidential; it is marketing material. It also functions as a pre-screened targeting list for adversaries who understand what access those platforms provide.
MFA posture. The Snowflake campaign succeeded because accounts lacked MFA enforcement. The vishing campaigns that followed used adversary-in-the-middle tools, including the now-dismantled Tycoon 2FA platform, to intercept authentication tokens in real time. Companies that have deployed MFA but not hardened against real-time interception remain viable targets under the current methodology. MFA is a control; it is not immunity.
The Alliance: Scattered Spider and LAPSUS$
ShinyHunters does not operate in isolation. Since at least mid-2024, their campaigns have increasingly overlapped with two other groups operating from the same criminal ecosystem.
Scattered Spider — also known as Octo Tempest or UNC3944 — specialises in vishing, SIM swapping, and real-time MFA interception. CISA issued a formal advisory on their techniques in late 2023 after confirmed breaches at MGM Resorts and Caesars Entertainment. LAPSUS$, which made headlines in 2022 for breaching Microsoft, Samsung, and Nvidia, pioneered insider recruitment as an initial access vector — offering corporate employees up to $20,000 for providing helpdesk or VPN credentials.
Researchers at Resecurity, Picus Security, and Silent Push documented the operational merger of these three groups in 2025, tracking coordinated campaigns under the label Scattered LAPSUS$ Hunters. In practice, a single campaign can now combine ShinyHunters' data exfiltration and extortion capability, Scattered Spider's vishing infrastructure and live phishing panels, and LAPSUS$'s insider access recruitment. Silent Push identified over 100 named organisations in the group's active targeting pipeline at the time of their report. Being on that list does not require having done anything wrong. It requires being a company of sufficient size, with a visible technology stack, whose customer data has market value.
What Your Organisation Looks Like From the Outside
A corporate attack surface assessment asks the same questions this group's analysts ask before making contact. Five are the most operationally significant:
- Is your SSO login portal discoverable? A simple Shodan query or Google dork returning your Okta or Salesforce login page means it is a confirmed, indexed attack surface — one that tells an adversary which platform to target and that your organisation uses centralised authentication.
- Are your IT and IAM staff identifiable on LinkedIn? Job titles, reporting structures, and team compositions are often visible. This is the foundation of a vishing pretext — knowing the name of a real helpdesk manager before calling is the difference between a convincing call and one that gets immediately flagged.
- Do your job postings reveal your platform stack? "Experience with Okta required" or "Snowflake certification preferred" published on LinkedIn or Indeed is intelligence freely offered to anyone who searches for it.
- Are employee email addresses in breach databases? Corporate email addresses in breach data from unrelated personal services are routinely cross-referenced against company domains. One match is enough to test credential reuse against your SSO portal.
- Does your company's GitHub expose internal references? A single repository with a commit history referencing internal endpoints, naming conventions, or configuration structure adds meaningfully to the reconnaissance picture — even if the code itself is innocuous.
Each of these data points is individually innocuous. Combined and cross-referenced, they form the briefing document that precedes a vishing call.
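The credential-reuse test described above leaves a signature in SSO authentication logs. As an added example (not from the original article, and tied to no vendor's log format), this detector flags a source address that walks through many distinct accounts with mostly failures inside a sliding window, and singles out any success inside that burst as an account whose reused password still works. The log format, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log format (not any vendor's): one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event

def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.8):
    """Flag a source IP trying many distinct accounts with mostly failures in one
    sliding window; a SUCCESS inside such a burst is a 'hit' that needs a reset."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_src[event["src"]].append(event)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            burst = evs[start:end + 1]
            users = {e["user"] for e in burst}
            failures = sum(e["result"] == "FAILURE" for e in burst)
            if len(users) >= min_users and failures / len(burst) >= min_fail_ratio:
                alert = alerts.setdefault(src, {"src": src, "first_seen": burst[0]["ts"],
                                                "users": set(), "hits": set()})
                alert["users"] |= users
                alert["hits"] |= {e["user"] for e in burst if e["result"] == "SUCCESS"}
    return list(alerts.values())

# Constructed sample: a user mistyping once from 203.0.113.5, and a burst from 198.51.100.7.
SAMPLE_LOG = """\
2025-03-01T09:00:01Z src=203.0.113.5 user=alice@example.com result=FAILURE
2025-03-01T09:00:20Z src=203.0.113.5 user=alice@example.com result=SUCCESS
2025-03-01T09:01:00Z src=198.51.100.7 user=alice@example.com result=FAILURE
2025-03-01T09:01:12Z src=198.51.100.7 user=bob@example.com result=FAILURE
2025-03-01T09:01:25Z src=198.51.100.7 user=carol@example.com result=FAILURE
2025-03-01T09:01:40Z src=198.51.100.7 user=dave@example.com result=FAILURE
2025-03-01T09:01:55Z src=198.51.100.7 user=erin@example.com result=FAILURE
2025-03-01T09:02:10Z src=198.51.100.7 user=frank@example.com result=SUCCESS
"""
```

The benign retry from 203.0.113.5 never reaches the distinct-account threshold, while the burst from 198.51.100.7 is alerted on and frank@example.com is surfaced for an immediate password reset and session review.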
The Ransom Calculation
ShinyHunters' extortion model is consistent across victims. A ransom demand is made — typically between $500,000 and several million dollars. If the company pays, the data is theoretically withheld. If the company refuses or negotiates too slowly, the data is published: initially in staged batches to increase pressure, then in full.
Wynn Resorts refused. A public announcement followed. Odido refused a €1M demand and then a reduced €500,000 offer — the complete 6.5 million-record dataset, including five million identity documents, was published on March 1. AT&T settled. Ticketmaster's data was sold and redistributed on breach forums regardless of any payment. The pattern is not random. It reflects a deliberate model in which public disclosure functions as both punishment and advertisement — proof that the group follows through.
The leverage they hold is not technical. It is informational: they have the data, the exposure is real, and public disclosure is always one decision away. The attack surface they exploited to get there was built from information the organisation had already made public.