ShinyHunters: Inside the Threat Group

The name comes from competitive Pokémon players who hunt for rare, colour-variant "shiny" monsters. The group that borrowed it has stolen data from hundreds of millions of people across more than a dozen countries, run active extortion campaigns against organisations on five continents, and kept operating through arrests, server seizures, and law enforcement operations on three continents. This is a profile of who ShinyHunters are, how they built their operation, and why the threat is not going away.

The 2026 update to this article adds three things the original (published March 2026) could not yet cover: the Salesforce-Aura supply-chain campaign that has dominated ShinyHunters' operations across 2025-2026; a documented case where the negotiation model produced a settled outcome (the Canvas LMS / Instructure resolution of May 2026); and an empirical 90-day cohort of fifty-four named victims that demonstrates the steady tempo at which the platform continues to operate.

For the operational mechanics of a peer ransomware operation that has overlapped with ShinyHunters on the same victims, see our companion threat-actor profile: Qilin Ransomware: The Most Active Threat Group of 2025-2026.

Origins: 2020–2021

ShinyHunters emerged publicly in 2020 with a series of high-volume claims that the security community initially treated with scepticism. The group announced on dark web forums that it had stolen 91 million user records from Tokopedia, Indonesia's largest e-commerce platform. The claim seemed implausible in scale, until samples were verified and the breach was confirmed.

What followed was a pattern of escalating announcements. The group claimed to have extracted source code from Microsoft's private GitHub repositories. Microsoft acknowledged unauthorised access but characterised the exfiltrated material as sample project data rather than production source code, neither a full denial nor a concession. Shortly after, ShinyHunters published 1.9 million records from Pixlr, the online photo editing service, alongside claims of compromises at Star Tribune and other media and retail targets.

The early phase established the group's operating model: announce a breach publicly before approaching the target privately, use the dark web release to apply pressure, and maintain a reputation for follow-through that makes future victims more likely to pay. The volume of claims also served a secondary purpose. In a landscape where many groups bluff, a group that consistently delivers verified data builds credibility that commands higher ransom premiums.

The name "ShinyHunters" derives from the Pokémon community term for players who seek out rare shiny-variant Pokémon through repetitive, methodical play. The parallel to the group's operation is intentional: they work through targets one by one, systematically, until something valuable surfaces.

How They Operate

ShinyHunters is not primarily a technical group. They do not develop zero-day exploits or operate sophisticated custom malware. Their method is social engineering, consistently applied at the authentication layer. They specifically target employees with access to Single Sign-On (SSO) systems and to the SaaS administration consoles that sit above them.

The standard attack sequence:

  1. Reconnaissance. OSINT on the target organisation identifies employees with administrative or IT roles, their names, email formats, and internal tools. LinkedIn, company websites, and leaked credential databases provide the raw material.
  2. Vishing (voice phishing). An attacker calls a target employee, impersonating IT support, a vendor, or a colleague. The call creates urgency (a security incident, an expired credential, an account lock) and pressures the employee into providing their SSO credentials and MFA codes in real time.
  3. Access and escalation. With a valid SSO session, the attacker moves laterally through cloud environments, mapping storage systems, CRMs, and databases. Privileges are escalated where possible.
  4. Exfiltration. Data is extracted in staged batches, often over days or weeks, to reduce the chances of triggering volume-based detection.
  5. Extortion. The target is added to a dark web extortion portal with a ransom demand and a countdown. Failure to pay results in incremental public release of the stolen data.

This playbook has been applied across Odido, Wynn Resorts, Crunchbase, and multiple other 2025-2026 targets with near-identical execution. The attack surface is always the same: the human at the authentication checkpoint, or the SaaS-integration platform that the human's credentials unlock.

SSO was designed to reduce password fatigue and centralise access management. In practice, it created a single high-value target. One compromised credential grants access to every integrated system simultaneously: CRM, cloud storage, analytics, internal databases. What was designed as convenience became a master key. In 2025 and 2026, the same logic extended one layer further up: a single SaaS-integration vendor like Salesforce, Snowflake, or an analytics middleware platform like Anodot.com became the master key for hundreds of downstream customer organisations.
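Step 4 of the sequence above (exfiltration staged in small batches to stay under volume-based thresholds) is a detection-engineering problem as much as a social-engineering one. The following is an added example, not code from the original article or from any organisation named in it: it runs a classic per-day export threshold and a rolling 14-day cumulative threshold over constructed CRM export audit events, and shows that each detector catches a case the other misses. The event shape (timestamp, principal, rows exported) and the threshold values are this example's own assumptions, not any vendor's log schema or recommended limits.

```python
"""Layered detection of staged data exports: per-day threshold vs rolling window.

Constructed example. The audit-event format below is invented for the
demonstration and is not any SaaS vendor's actual log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Each event: (timestamp, principal that performed the export, rows exported).
# Principals are placeholders: a connected app's integration identity, a
# contractor account, and an analyst doing routine work.
BASE = datetime(2026, 3, 1, 2, 0)
SAMPLE_EVENTS = (
    # Staged exfiltration via an integration identity: 20k rows every day
    # for 18 days. No single day looks unusual.
    [(BASE + timedelta(days=i), "conn-app:sales-sync", 20_000) for i in range(18)]
    # One-off bulk export by a contractor account: a single-day spike.
    + [(BASE + timedelta(days=5, hours=9), "contractor@corp.example", 80_000)]
    # Ordinary analyst usage, well under both thresholds.
    + [(BASE + timedelta(days=i * 3, hours=4), "analyst@corp.example", 3_000) for i in range(6)]
)

DAILY_LIMIT = 50_000     # assumed per-principal rows allowed in one calendar day
WINDOW_DAYS = 14         # assumed rolling window length
WINDOW_LIMIT = 200_000   # assumed cumulative rows allowed per principal per window


def daily_threshold_alerts(events, limit=DAILY_LIMIT):
    """Classic volume detector: sum rows per principal per calendar day.

    Returns the sorted list of principals that exceeded the limit on any day.
    This is the control that batching over days or weeks is designed to evade.
    """
    totals = defaultdict(int)
    for ts, principal, rows in events:
        totals[(principal, ts.date())] += rows
    return sorted({p for (p, _day), total in totals.items() if total > limit})


def rolling_window_alerts(events, window_days=WINDOW_DAYS, limit=WINDOW_LIMIT):
    """Sliding-window detector: cumulative rows per principal over the window.

    Events are processed in time order; each principal keeps a deque of events
    inside the window and a running total. Returns a dict mapping each alerting
    principal to (timestamp of first breach, cumulative rows at that moment).
    """
    window = defaultdict(deque)   # principal -> deque of (ts, rows) in window
    running = defaultdict(int)    # principal -> rows currently inside window
    alerts = {}
    for ts, principal, rows in sorted(events):
        q = window[principal]
        q.append((ts, rows))
        running[principal] += rows
        cutoff = ts - timedelta(days=window_days)
        # Drop events that have aged out of the window.
        while q and q[0][0] < cutoff:
            _, old_rows = q.popleft()
            running[principal] -= old_rows
        if running[principal] > limit and principal not in alerts:
            alerts[principal] = (ts, running[principal])
    return alerts


if __name__ == "__main__":
    print("per-day threshold alerts:", daily_threshold_alerts(SAMPLE_EVENTS))
    for principal, (ts, total) in rolling_window_alerts(SAMPLE_EVENTS).items():
        print(f"rolling-window alert: {principal} reached {total} rows by {ts:%Y-%m-%d}")
```

The contractor's 80k-row day trips only the daily detector, while the integration identity's 20k-a-day pattern trips only the rolling window (on day 11, at 220k cumulative rows); neither control alone covers both shapes.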

The Business Model: From Extortion to RaaS

ShinyHunters' original revenue model was straightforward: steal data, demand payment for non-disclosure, publish data if payment is refused. This model has a documented reliability problem. Payment does not guarantee data deletion. Multiple organisations that paid the ransom subsequently found their data published anyway. The group's reputation for non-compliance with its own terms is a structural feature, not a bug: it sustains fear, but at the cost of a track record reliable enough to make future victims confident that paying will work. The Canvas LMS resolution of May 2026 (analysed in the Notable 2026 Operations section below) is the first publicly-documented exception to that pattern in two years.

By 2025, the group had begun expanding into Ransomware as a Service (RaaS) under the name shinysp1d3r. The timing was deliberate. LockBit, which had dominated the RaaS market from 2022 into 2023, suffered a significant disruption in February 2024 when international law enforcement agencies (including the NCA, FBI, Europol, and agencies from ten countries) seized LockBit's infrastructure and arrested multiple affiliates. LockBit's credibility among affiliates and buyers collapsed.

The gap that LockBit left, a large operational affiliate network with no primary provider, is exactly what shinysp1d3r was positioned to fill. Whether the pivot succeeded depends on whether ShinyHunters could build the operational trust with affiliates that LockBit spent years establishing. As of May 2026 the picture is mixed. shinysp1d3r exists as a brand but the dominant ShinyHunters revenue activity in 2026 has come from a different model entirely: industrialised exploitation of compromised SaaS-integration credentials at scale, with no ransomware encryption involved. That campaign is examined in detail below.

Scattered Spider and the Wider Collective

ShinyHunters does not operate in isolation. The group overlaps significantly with Scattered Spider (also tracked under the names 0ktapus, Muddled Libra, and Starfraud), a financially motivated threat group that uses identical social engineering methodology and frequently operates in coordination with ShinyHunters-affiliated actors.

Scattered Spider's most prominent documented operations were the September 2023 attacks on MGM Resorts and Caesars Entertainment, which together caused hundreds of millions of dollars in operational losses and disrupted casino and hotel systems across Las Vegas. The MGM attack followed the same template used against Odido: a vishing call to an IT helpdesk employee, SSO credential extraction, lateral movement through the cloud environment. The parallel is not coincidental. It is the same methodology applied by actors who share techniques, tools, and in some cases personnel.

Security researchers also track the collective SLSH (Scattered Lapsus Hunters), which incorporates elements of Lapsus$ (the group responsible for breaches at Microsoft, Nvidia, Samsung, and Uber in 2022) and The Com, a loose network of primarily English-speaking actors, many in their teens and twenties, coordinating on Telegram and Discord. The Com functions as both a cultural context and a recruitment pipeline. It is where techniques are shared, where new members are socialised, and where successful attacks are bragged about in real time.

Mandiant tracks the same activity under cluster code UNC6040. ShinyHunters explicitly self-attributed to this designation in their May 2026 leak-site listing for Cisco Systems, describing the campaign against Cisco as "3 breaches (UNC6040, Salesforce Aura, and AWS accounts)." This is the first publicly documented case of an actor using the threat-intelligence cluster name in their own communications, a small but meaningful signal about how the group reads its own coverage.

Where they communicate: ShinyHunters-affiliated actors have historically been most active on dark web forums including BreachForums and BreachStars, and use Telegram as their primary operational communication channel. As of the May 2026 update to this article, ShinyHunters has publicly disavowed every current BreachForums instance, addressed in the Current Status section below.

Who They Are, and Why Arrests Have Not Stopped Them

Operations are coordinated primarily from Eastern Europe and Asia, but membership is genuinely global. The group's resistance to disruption is a function of that distribution. There is no single node whose removal collapses the network.

The arrest record is extensive but largely ineffective as a deterrent:

  • In 2022, Sébastien Raoult, a French national, was arrested in Morocco on ShinyHunters-related charges, extradited to the United States, and sentenced in 2024 to three years in federal prison. His arrest did not disrupt operations.
  • Multiple English-speaking, Western-based members of Scattered Spider, including UK, US, and Australian nationals, have since been identified and prosecuted. The US Department of Justice charged five individuals in late 2024.
  • BreachForums, a primary marketplace for the group's stolen data, has been seized multiple times. Most recently, on 10 October 2025, the FBI seized the forum infrastructure. A successor forum was operational within weeks. As detailed in the Current Status section, ShinyHunters has since publicly disavowed every claimant to the BreachForums name.

The pattern is consistent. Individual arrests remove individual actors. The techniques, the tools, and the broader network persist because they are not dependent on any single person. New actors join faster than old ones are prosecuted.

The Salesforce-Aura Campaign (Late 2025 to 2026)

The dominant ShinyHunters revenue activity across 2025-2026 has been a sustained extortion campaign targeting SaaS-integration credentials. The campaign has its own name in the group's own communications: "Salesforce Aura". On 9 March 2026, ShinyHunters posted a leak-site listing titled "Salesforce Aura Campaign" containing the text: "Several hundreds of companies set to release with FINAL WARNINGs upon failure to comply." The statement is rare in that the operator acknowledges the campaign frame explicitly and publishes an estimate of its scope.

The mechanics. The initial compromise traces to a 2025 incident at Salesloft Drift, a sales-engagement integration platform whose customers connect Drift to their Salesforce instances. The compromise yielded OAuth tokens and integration credentials for hundreds of downstream Salesforce customer organisations. Across late 2025 and through 2026, ShinyHunters has been systematically working through those downstream targets: contacting each, threatening publication, and either negotiating settlement or publishing the exfiltrated Salesforce records.

The exfiltrated data is structured CRM content. Customer contact records, account hierarchies, transaction histories, support cases, internal communications, and depending on the configured Salesforce object model, often financial and identity-document attachments. The records-per-victim figures are large because Salesforce stores everything a sales and support function touches. In the 90-day cohort detailed below, ShinyHunters has claimed individual-victim record counts ranging from 500 thousand (Cushman & Wakefield) to 40 million (McGraw Hill).

A second compromise vector runs alongside the Salesforce Aura chain. Anodot.com, an AI-driven analytics platform integrated with cloud data warehouses, has been named by ShinyHunters as the compromise vector for the Vimeo, Zara, and Rockstar Games breaches. In each case the exfiltrated data is Snowflake or BigQuery contents (data warehouse fact tables), not Salesforce CRM. The Rockstar Games disclosure of 14 April 2026 claims 78.6 million Snowflake records via Anodot.com. The pattern is identical to the Salesforce chain: compromise a single SaaS-vendor's credentials or integration tokens, then exploit the position across all of that vendor's customers.

Why this campaign matters. A single 2025 compromise of one shared SaaS dependency has delivered more than twelve months of downstream extortion revenue. The operational economics favour staying in this lane indefinitely. Every Salesforce-integrated customer who never rotated their OAuth tokens or audited their connected-app permissions after the 2025 Drift incident remains exploitable. ShinyHunters' March 2026 estimate of "several hundreds of companies" in the pipeline matches what the visible 2026 listings suggest. The 54 named victims documented below are a fraction of the operator-claimed total.

Notable 2026 Operations

Three incidents from the 2026 record warrant individual treatment. Each illustrates a different aspect of the operating model.

Canvas LMS / Instructure: A Documented Resolution (April–May 2026)

On 25 April 2026, ShinyHunters accessed Instructure's Canvas learning management system, the dominant LMS in North American higher education. Canvas serves more than thirty million active users worldwide across 8,809 educational institutions, including the University of California system, Arizona State University, Sacramento State, the University of Pennsylvania, Duke University, the University of Melbourne, the University of Technology Sydney, and RMIT.

Instructure detected the intrusion on 29 April. The company disclosed the incident publicly on 1 May, in a statement by Chief Information Security Officer Steve Proud: "Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts." On 2 May Proud reported containment.

ShinyHunters listed Canvas / Instructure on its leak site on 3 May 2026 with the operator's standard formatting. Three days later they published a separate listing titled "Entire list of affected schools by Instructure breach," setting a 7 May deadline for any institution wishing to negotiate. The operator's claimed scope: "Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved." Total exfiltrated data: 3.65 terabytes.

The compromised categories per Instructure's own disclosure: names, email addresses, student identification numbers, and Canvas platform messages. Explicitly not compromised: passwords, dates of birth, government-issued IDs, and financial information. The non-compromise of credentials and government IDs is the practical reason the breach did not cascade into immediate identity-fraud attacks at the individual student level.

On 7 May, ShinyHunters escalated. The operator defaced the Canvas login page with a ransomware-style message and set a new deadline of 12 May.

On 11 May 2026, Instructure announced it had reached an agreement with ShinyHunters. The Inside Higher Ed headline reporting the resolution was unambiguous: "Instructure Pays Ransom to Canvas Hackers." Instructure's own statement, attributed to CISO Steve Proud: "We received digital confirmation of data destruction (shred logs)" and assurance "that no Instructure customers will be extorted as a result of this incident, publicly or otherwise."

On 13 May, ShinyHunters posted its own confirmation on the operator side: "We have nothing to add on or comment regarding the recent situation at the LMS company. If you are an impacted institution, we are not seeking your money. Please halt all attempts to reach out to us, the matter has been resolved. The Company and its customers will not further be targeted or contacted for payment. The data is nonexistent."

The terms of the agreement, including any monetary amount, were not publicly disclosed by either party. Unconfirmed reporting referenced by Wikipedia's "2026 Canvas data breach" article suggests $10 million USD. Instructure has not confirmed or denied that figure.

Three things make this resolution worth documenting carefully.

First, the verification mechanism. "Shred logs" refers to cryptographic artifacts that ShinyHunters provided to Instructure to attest to data destruction. This is a more specific technical claim than the common "we deleted it, trust us" pattern. It is still not independent verification. Instructure's own statement contains the necessary caveat: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind."

Second, the expert critique. Cliff Steinhauer of the National Cybersecurity Alliance, quoted in Inside Higher Ed: "organizations may be trading a visible short-term disruption for a longer-term exposure problem that can resurface months or years later." Help Net Security's analytical framing was sharper: "This is exactly the problem with paying a ransom: once attackers have your data, there is no assurance it was not copied or shared with others. When dealing with criminals, all you really have is their word."

Third, the litigation track. On 13 May 2026 a class action lawsuit was filed in the United States District Court for the Southern District of California against Instructure on behalf of affected individuals. Negotiation with the threat actor and avoidance of public data release does not eliminate downstream legal exposure to the affected population. The Canvas resolution closes the extortion arc and opens the consumer-litigation arc on the same timeline.

This is the first publicly-documented case in 2026 where a major ShinyHunters extortion negotiation reached a resolution with confirmed destruction on both sides' public record. Whether the resolution holds (whether the data remains "nonexistent" as ShinyHunters has claimed) is something only time and the absence of future leaks can verify.

Cushman & Wakefield: The Double-Breach (May 2026)

On 3 May 2026, ShinyHunters listed Cushman & Wakefield, the global commercial real-estate services firm, on its leak site. The operator's claim: "Over 500k Salesforce records containing PII and other internal corporate data have been compromised."

What makes the Cushman & Wakefield incident structurally unusual is that ShinyHunters was the second listing. On 4 May 2026, the day after ShinyHunters' post, the Russian-speaking ransomware-as-a-service operation Qilin had already listed Cushman & Wakefield on its own leak site. The Qilin listing remains active as of publication with 9,354 recorded page views and zero data samples published, suggesting either ongoing negotiation or a holding posture designed to maximise payment pressure.

For the full mechanics of the Qilin operation and the structural implications of the cross-actor overlap, see our companion threat-actor profile on Qilin.

The double breach matters for two reasons. First, it confirms what threat-intelligence analysts had suspected since the September 2025 LockBit-Qilin-DragonForce cartel announcement: the operational boundaries between Russian-speaking RaaS platforms and the SLSH-cluster credential-theft operations are increasingly permeable. Both groups hit the same target inside three days with what appear to be different data subsets, suggesting either separate affiliate intrusions, sequential compromise, or coordinated multi-platform extortion. Second, it changes the calculus for the victim organisation. Cushman & Wakefield is now negotiating, simultaneously, with two operations whose disclosure timelines and payment-routing infrastructures are entirely independent.

As of 22 May 2026 neither operation has published any of the Cushman & Wakefield data. Status remains unresolved on the public record.

Odido NL and Ben.nl: The Telecom Anchor (February–March 2026)

The Odido / Ben.nl breach was the spine of ShinyHunters' early-2026 activity in the European telecom sector. On 23 February 2026, ShinyHunters issued a final warning listing claiming "Almost 21M records" of compromised data. The records included full names, physical addresses, email addresses, phone numbers, plaintext passwords, IBANs, passport numbers, and driver's licence numbers, all extracted from Odido's Salesforce environment.

By 1 March, the operator escalated. ShinyHunters posted a leak-site message: "Due to recent developments regarding this telco, daily leaks will not happen anymore. Instead, you can download the Odido dataset concerning its full former and current customers below." Updated scope: 15 million Salesforce records; 88 gigabytes uncompressed. The same post contained the operator's editorial framing: "This is your fault, Odido. You are the reason why an entire country is about to suffer for an unestimated amount of years. Unprecedented."

Privacy Insight Solutions has covered the Odido incident across multiple companion pieces, with the most detailed forensic timeline at Odido Breach: How ShinyHunters Stole 6.2M Records. The relevant point for this updated profile is operational: Odido represents one of the largest absolute records-per-victim claims in ShinyHunters' history and the rare case where the leak-site published the full dataset rather than continuing to negotiate. The negotiation track had been exhausted by the time the 1 March message was posted.

Sector Concentrations in 2026: Education and Wealth Management

The 90-day cohort (analysed in detail below) shows two sectors dominating 2026 activity.

Education. Nine documented victims in the trailing 90 days: Canvas LMS / Instructure (the umbrella), Harvard University, the University of Pennsylvania (separately listed in February 2026, before the Canvas breach, and again as part of the Canvas-affected institutions), McGraw Hill (40 million Salesforce records), Follett Software, Udemy (1.4 million records), Houghton Mifflin Harcourt, Infinite Campus, and an aggregated Italy schools listing. The pattern: institution-scale identity records, minors' data, and the broader downstream value of education-sector PII (used for student-loan fraud, financial-aid fraud, and identity construction over the long lifecycle of a young person's identity).

Wealth management and financial advisory. Twelve documented victims in 90 days: Pathstone Family Office (641 thousand records), Mercer Advisors (5 million Salesforce records, 1.3 million PII), Beacon Pointe Advisors (100 thousand records including 59 thousand PII), Ameriprise Financial (236 gigabytes including Sharepoint), CFGI Management (800 thousand records + 40 thousand financial documents), Aura Group (2 million records), Marcus & Millichap (30 million records), Berkadia Commercial Mortgage (5 million records, 27 gigabytes), Towerpoint Wealth, Ryan LLC (4.8 million records), Kemper Corporation (13 million Salesforce records), and Abrigo (1.7 million Salesforce records). Financial-adjacent listings add: Adelante Soluciones Financieras / Addi.com (16 million records, 518 gigabytes, including TransUnion and Experian credit-bureau data), Canada Life Assurance (5.6 million records), ZenBusiness (802 gigabytes), and Figure Technology Solutions.

The wealth-management cluster materially extends the cohort Privacy Insight Solutions documented in May 2026 in our piece on the registered investment advisor (RIA) cybersecurity training-first gap. That piece named six RIA firms; the cohort visible on the leak site in the 90 days that followed contains all six plus six additional firms in adjacent wealth-management and financial-advisory categories. The SaaS-credential-theft chain is now systematically exploited against the wealth-management sector and has expanded beyond the original RIA cohort into mortgage, insurance, and tax-advisory firms.

The 90-Day Cohort (February–May 2026)

Across the trailing 90 days at the time of this update (21 February to 21 May 2026), ShinyHunters' leak site has carried fifty-four unique named victims, after deduplication of multi-stage listings and exclusion of three operator press statements. The cohort excludes any victim whose listing was removed from the leak site before publication: removal is the operator's standard indicator of a paid-and-deleted outcome. The Medtronic plc listing of mid-April (claiming 9 million records of healthcare-sector data) is no longer visible on the leak site, indicating either a paid settlement or an unannounced removal. Privacy Insight Solutions counts the public 54 as a lower bound; the operator's own 9 March 2026 statement claims "several hundreds of companies" in the pipeline.

Operational tempo across the 90 days: approximately 17 victims posted per month, sustained without significant spikes or troughs. The notable single-day clusters were 17 April (eight victims posted simultaneously) and 11 April (eight victims). These mass postings are characteristic of the Salesforce Aura campaign: the operator queues victims through the negotiation pipeline and publishes them in batches when deadlines expire.

Standout enterprise names from the cohort, by sector:

  • Retail and e-commerce: 7-Eleven (600 thousand records), Zara (140 gigabytes), Mytheresa, Hallmark Cards (7.9 million records), Bumble (30 gigabytes), Panera Bread (14 million records), CarMax (400 thousand records).
  • Hospitality and tourism: Aman Resorts (250 thousand records), Carnival Corporation (8.7 million records, multiple terabytes).
  • Transportation: Pitney Bowes (25 million records), Amtrak (9.4 million records), Canada Life Assurance.
  • Telecom: Odido NL & Ben.nl (15 million records, 88 gigabytes).
  • IT and software: Cisco Systems (3 million records across three integrated breaches), Vimeo (Snowflake and BigQuery via Anodot.com), Rockstar Games (78.6 million Snowflake records), Vertex Inc.
  • Services: ADT (10 million records), Alert 360, Bumble.
  • Public sector: European Commission (350 gigabytes).
  • Adult and dating: Bumble, Match Group (10 million records spanning Hinge, Match, OkCupid).

Three categories of caveat to the cohort number. First, paid-ransom victims are invisible to the cohort because their listings are delisted after settlement; the Canvas LMS case is the documented one, but the same mechanism produces a steady stream of unattributed quiet outcomes. Second, aggregated meta-listings (the Salesforce Aura Campaign listing of 9 March and the Instructure affected-schools list of 5 May) each likely cover dozens of downstream victims who are never individually listed. Third, the cohort reflects ShinyHunters' own leak-site activity only; victims compromised through ShinyHunters affiliates but published elsewhere (the SLSH cluster, individual operators using Telegram channels) are not counted.

The Scale: 2020–2026

The cumulative impact of ShinyHunters operations is difficult to overstate. The table below covers confirmed or attributed breaches.

Year | Target                          | Records                                   | Data Type
-----|---------------------------------|-------------------------------------------|--------------------------------------------
2020 | Tokopedia                       | 91M                                       | User accounts, hashed passwords
2020 | Microsoft (GitHub)              |                                           | Source code repositories
2020 | Pixlr                           | 1.9M                                      | User accounts
2021 | Bonobos                         | 7M                                        | Customer data, partial payment info
2021 | Mashable                        | 5.2M                                      | User database
2022 | AT&T                            | 70M                                       | Customer PII (disputed)
2024 | Ticketmaster / Live Nation      | 560M                                      | Customer data, partial payment
2024 | Santander Bank                  | 30M                                       | Customer and employee data
2025 | Odido (NL)                      | 6.2M (initial)                            | Full PII, telecom metadata
2025 | Salesloft Drift                 | (downstream chain)                        | OAuth tokens, integration credentials
2026 | Odido (NL)                      | 15M (final)                               | Full PII, IBANs, passports, driver licences
2026 | Canvas LMS / Instructure        | 275M individuals (resolved)               | Student names, emails, IDs, messages
2026 | Cisco Systems                   | 3M+ Salesforce, plus GitHub and AWS       | Multi-system compromise
2026 | Rockstar Games                  | 78.6M Snowflake records                   | Telemetry via Anodot.com
2026 | Cushman & Wakefield             | 500k+ Salesforce records                  | Real-estate counterparty data
2026 | McGraw Hill                     | 40M Salesforce records                    | Education-sector PII
2026 | Salesforce Aura Campaign        | "Several hundreds" (operator-claimed)     | Cross-victim SaaS exfiltration
2026 | Other cohort (51 named victims) | various                                   | See cohort analysis above

The acceleration from 2024 onward is notable. The group is not slowing. The Ticketmaster breach alone (560 million records) represents one of the largest single exfiltrations in history. The 2025-2026 Salesforce Aura campaign represents the first sustained multi-year operation against a single shared-SaaS substrate, and on the operator's own claim it is still in early stages of monetisation.

Beyond the Breach

For the individuals whose information appears in these datasets, the exposure does not end when the breach is announced. Stolen records are sold, traded, combined with data from other breaches, and purchased by actors whose purposes extend well beyond the original theft.

Identity fraud at scale. The Adelante / Addi.com exfiltration (16 million records including TransUnion and Experian credit-bureau data) is the cleanest 2026 case. Records of this depth, combined with KYC documents that ShinyHunters lists alongside core PII in the Salesforce attachments cohort, enable identity reconstruction at a level that defeats most consumer-grade verification controls. The pattern repeats with each Salesforce-CRM exfiltration where the targeted firm stored counterparty identity documents in connected-record attachments.

Targeted social engineering. The 500 thousand Salesforce records in the Cushman & Wakefield exfiltration constitute a primary-source CRM dataset of commercial real-estate counterparties: landlords, tenants, brokers, and investment principals indexed against transaction history. That structure is precisely what enables targeted social engineering against executives at counterparty firms, particularly those whose property dealings involve sensitive negotiation positions. The wealth-management exfiltration cohort (Pathstone, Mercer, Beacon Pointe, Ameriprise, CFGI, Aura, Marcus & Millichap, Berkadia, Towerpoint, Ryan, Kemper, Abrigo) extends the same logic to high-net-worth individual client profiles.

Doxxing and reputational harm. The 2026 cohort contains an unusual concentration of consumer-facing organisations with public-figure customers: Aman Resorts (international luxury hospitality), Canada Goose (premium retail), Mytheresa (luxury e-commerce), Bumble and Match Group (dating apps with extensive private-message archives). Each of these datasets enables actors with non-extortion motives (harassment, journalism, intelligence) to construct profiles of individuals far removed from the original commercial relationship.

Sextortion and physical threats. The Match Group exfiltration (10 million records of Hinge, Match, and OkCupid usage data) and the Bumble exfiltration (Google Drive and Slack documents alongside platform data) provide the substrate for targeted sextortion against individuals whose dating-app activity intersects with their public, professional, or family lives.

Identity fraud in the education cohort. The Canvas / Instructure resolution does not eliminate downstream exposure. Even if ShinyHunters' "shred logs" attestation is accurate and the data has been destroyed at the operator's end, the threat actor possessed the data for sixteen days before resolution and operated in an environment where copies leak to affiliated brokers within hours of exfiltration. The class action filed 13 May 2026 in the Southern District of California is the institutional acknowledgment that the consumer-side harm continues independent of the negotiation outcome.

The downstream harms continue long after the original incident is closed, the forensic review is complete, and the public attention has moved on. For organisations that have been listed on a ShinyHunters leak site, the operational question is not whether the data will be misused. It is which adversary will misuse it, and on what timeline.

Current Status as of 22 May 2026

Three operational developments from the past two weeks shape the status of ShinyHunters as of publication.

The Canvas LMS resolution (11–13 May 2026). Analysed in detail above. The first publicly-documented case in 2026 of a ShinyHunters extortion negotiation reaching a settled outcome with operator-confirmed data destruction. The litigation track via class action filed 13 May is the institutional acknowledgment that this outcome does not close downstream consumer harm.

The shinyhunte.rs domain suspension (12 May 2026). The group's previous clearnet domain, shinyhunte.rs, was suspended by the domain registry. As of the operator's own 12 May notification: "The domain shinyhunte.rs was suspended, it is not operated and owned by us anymore. DISCLAIMER: It may be reclaimed by unknown persons in the future for malicious use. We do not control shinyhunte.rs anymore, it has been suspended by the registry. Update, May 12, 13:00 p.m. ET: We will operate at this onion domain only moving forward. Anyone claiming to be us anywhere is impersonating. Our new PGP key is listed in the « Contact us! » button." The change moves the operator from clearnet to onion-only operation, removing one of the public-facing surfaces that journalists and researchers had used to monitor activity.

The BreachForums disclaimers (March-May 2026). ShinyHunters has publicly disavowed every current claimant to the BreachForums name. The operator-side framing, posted in March 2026 and reaffirmed in May: BreachForums has been seized multiple times, most recently by the FBI on 10 October 2025. An unauthorised forum-data leak on 9 January 2026 was used by impersonator personas going by "N/A" and "Indra" to construct similar-looking successor forums. All current instances (breachforums.ai, .sb, .ac, .fi, .bf, and .us) are operator-disavowed. ShinyHunters has threatened to leak the BreachForums backup datasets (including private messages, IP addresses, posts) if the impersonator forums continue to operate. The group claims to hold exploits for all 1.8 versions of the MyBB forum software that underlies the BreachForums platform.

The cumulative signal across these three developments is operational reorganisation, not retreat. The Canvas resolution demonstrates that negotiated outcomes are possible. The domain suspension and onion-only pivot reduce the operator's exposure to law-enforcement and registry-level disruption. The BreachForums disavowals consolidate the operator's claim over the brand and signal control over future communications. ShinyHunters as of 22 May 2026 is, by the operator's own statement and by the empirical leak-site tempo, fully operational.

The Pattern Continues

ShinyHunters operates on a simple premise: technical defences have become expensive to defeat, but human defences at the authentication layer remain cheap to bypass. Until organisations invest in social engineering resistance with the same rigour applied to patch management and firewall configuration, the economics favour the attacker.

The 2025-2026 Salesforce Aura campaign extended that premise one layer higher up the stack. The human at the SaaS vendor's authentication checkpoint is now the target. A single compromise at Salesloft Drift, or Anodot.com, or any analytics or integration middleware sitting between an enterprise's CRM and its data warehouse, cascades across hundreds of downstream customers who never directly authorised the threat actor's access.
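The cascade described above has a detectable shape on the defender's side: one integration credential that is normally a low-volume reader suddenly bulk-exports records, and does so in several tenants at once. The following is an added detection sketch, not the article's or any vendor's code; the audit-event format, the tenant names and the client identifiers are all constructed, and the cross-tenant check assumes a view spanning more than one CRM org (a parent company with several orgs, or the integration vendor itself).

```python
"""Added example: flag a third-party integration credential that starts
bulk-pulling CRM records far above its own baseline, then report the
credentials flagged in more than one tenant (the supply-chain cascade).
All log events below are constructed for illustration."""
from collections import defaultdict
from statistics import mean

# Constructed CRM API audit events: (day, tenant, client_id, operation, records)
EVENTS = [
    (1, "acme",   "chat-integration", "query",       120),
    (2, "acme",   "chat-integration", "query",       140),
    (3, "acme",   "chat-integration", "query",       110),
    (4, "acme",   "chat-integration", "bulk_export", 480000),
    (1, "globex", "chat-integration", "query",       90),
    (2, "globex", "chat-integration", "query",       95),
    (3, "globex", "chat-integration", "query",       105),
    (4, "globex", "chat-integration", "bulk_export", 230000),
    (1, "acme",   "billing-sync",     "query",       5000),   # legitimately busy
    (2, "acme",   "billing-sync",     "query",       5200),
    (3, "acme",   "billing-sync",     "query",       4900),
    (4, "acme",   "billing-sync",     "query",       5100),
]

def baseline_by_client(events, up_to_day):
    """Mean daily record volume per (tenant, client_id) on days before up_to_day."""
    volumes = defaultdict(list)
    for day, tenant, client, _op, n in events:
        if day < up_to_day:
            volumes[(tenant, client)].append(n)
    return {key: mean(vals) for key, vals in volumes.items()}

def flag_bulk_pulls(events, day, factor=20):
    """Return (tenant, client_id, records) for every event on `day` where the
    client used a bulk export or pulled more than `factor` x its own baseline.
    Comparing each credential to itself avoids flagging integrations that are
    always high-volume (billing-sync above)."""
    base = baseline_by_client(events, day)
    hits = []
    for d, tenant, client, op, n in events:
        if d == day and (op == "bulk_export" or n > factor * base.get((tenant, client), 0)):
            hits.append((tenant, client, n))
    return hits

def cross_tenant_clients(hits):
    """Client ids flagged in more than one tenant, mapped to the sorted tenant
    list: one credential misbehaving everywhere points at the middleware,
    not at any single customer's users."""
    tenants = defaultdict(set)
    for tenant, client, _n in hits:
        tenants[client].add(tenant)
    return {c: sorted(t) for c, t in tenants.items() if len(t) > 1}
```

A real deployment would read the equivalent events from the CRM's API-usage or login-history export and keep the baseline over weeks rather than three days.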

The Canvas LMS resolution introduces a new variable to the model. If the "shred logs" verification mechanism scales (if other victims can negotiate with comparable confidence in deletion) the operator's reputation for non-compliance with payment terms may shift. Whether that shift represents a structural change or a one-time outlier will be visible in the next twelve months of negotiation outcomes.

The group brags publicly about operations. Members refer to the work as "fun and profit." That combination, financial motivation paired with reputational investment in being seen as effective, makes them reliable as a threat. They will keep operating because it works, because the consequences for most members remain theoretical, and because there are always new targets whose employees have never been trained to resist a convincing phone call from a fake IT desk. The Salesforce Aura pipeline alone, on the operator's own estimate, contains "several hundreds of companies" that have not yet reached public listing.

Sources

Primary platform and affiliate reporting:

  • Mandiant / Google Threat Intelligence Group. UNC6040 cluster designation, methodology overlap with Scattered Spider / SLSH cohort. Various reports 2024-2026.
  • US Department of Justice. Charges against five named Scattered Spider individuals, late 2024.
  • FBI press materials. Sébastien Raoult arrest (Morocco, 2022); BreachForums seizure (10 October 2025).

The Canvas LMS / Instructure resolution:

Cushman & Wakefield double-breach:

Odido cluster:

Wealth-management sector cluster:

Salesforce Aura campaign mechanics:

  • ShinyHunters leak-site listing "Salesforce Aura Campaign", 9 March 2026 (verbatim operator quote reproduced above).
  • ShinyHunters leak-site listing for Cisco Systems, 1 April 2026: "3 breaches (UNC6040, Salesforce Aura, and AWS accounts)" — operator self-attribution to Mandiant cluster code.

Industry context:

  • ReliaQuest threat intelligence reporting (Q3 2025) on the LockBit + Qilin + DragonForce cartel announcement. Cross-cluster operational permeability framing.
  • National Cybersecurity Alliance — Cliff Steinhauer quote on long-term post-payment exposure (via Inside Higher Ed).
  • Google Threat Intelligence Group, "GTIG AI Threat Tracker" (11 May 2026). Broader threat-actor landscape including AI-augmented exploitation. cloud.google.com/blog/topics/threat-intelligence/ai-vulnerab…

Companion reading from Privacy Insight Solutions:
