ShinyHunters: Threat Actor Profile

ShinyHunters

Attribution: Financially motivated cybercriminal group, suspected French-speaking members

First Observed: 2020

Primary Operations: Large-scale database theft, credential harvesting, data extortion, data sales

ShinyHunters is a financially motivated cybercrime collective known for large-scale data exfiltration and extortion operations targeting enterprise platforms, particularly cloud-hosted environments. Active since at least 2020, the group has evolved into a high-volume threat actor focused on extracting and monetizing sensitive corporate and customer data through coordinated leak campaigns, ransom demands, and direct data sales.

Overview

The group operates a public-facing leak and extortion model in which organizations are listed alongside breach claims, dataset descriptions, and deadline-driven warnings. Its approach centers on breaching organizations, exfiltrating data at scale, and pressuring victims to pay under threat of public exposure.

Recent activity shows a consistent focus on SaaS platforms, CRM systems, and internal corporate environments. ShinyHunters frequently combines technical compromise with psychological pressure, using public messaging to frame victims as negligent and to accelerate negotiations.

2026 Campaign Escalation and Recent Coverage

Throughout 2026, ShinyHunters has significantly increased both the volume and visibility of its operations, shifting from isolated breach claims to coordinated multi-company campaigns and rapid follow-through on extortion threats.

BreachNews has reported on the following ShinyHunters-linked incidents:

In multiple cases, the group has followed through on threats by publishing data after deadlines passed, reinforcing the credibility of its extortion model.

Latest Activity Tracker

This section is continuously updated as new ShinyHunters activity is reported.

  • May 2026: Addi financial platform breach claim involving 16M records
  • May 2026: Vimeo dataset allegedly leaked following failed extortion tied to third-party access
  • May 2026: Instructure Canvas breach linked to potential global education sector impact
  • April 2026: New victim wave including Zara, 7-Eleven, and Pitney Bowes (Salesforce-linked claims)
  • April 2026: Carnival Corporation dataset allegedly published following failed negotiations
  • April 2026: ADT listed with 10M+ records and pay-or-leak deadline
  • April 2026: Alleged sale of Anthropic Claude Mythos AI model data and internal documents

Tactics and Operational Patterns

ShinyHunters demonstrates a consistent operational model centered on data exfiltration rather than encryption-based ransomware. Key tactics include:

  • Data-first extortion: Prioritizing theft and public exposure over system disruption
  • Deadline-driven pressure: Issuing “final warning” notices with specific leak dates
  • Public negotiation tactics: Using public listings to pressure organizations and shape the narrative
  • Mass data packaging: Structuring datasets for resale or publication
  • Cloud and SaaS targeting: Focusing on Salesforce, cloud storage, and internal platforms

Salesforce Campaign and Enterprise Targeting

A major component of ShinyHunters’ recent activity involves large-scale data extraction from Salesforce environments and similar cloud-based platforms. These incidents often involve misconfigured access controls or exposed data pathways, allowing unauthenticated or low-privilege access to sensitive datasets.

The scale of these operations suggests repeatable techniques and potentially automated scanning and extraction workflows targeting misconfigured enterprise systems.

Shift Toward Data Sales and Intellectual Property

In addition to traditional extortion, ShinyHunters has increasingly moved toward direct data sales, offering datasets, internal systems, and in some cases alleged intellectual property for purchase.

This includes recent listings involving internal corporate data, enterprise system access, and experimental AI-related assets, indicating a broader monetization strategy beyond customer data alone.

Behavior and Messaging Strategy

The group frequently uses confrontational messaging in its listings, accusing organizations of failing to protect user data and framing payment as a responsible decision. Public posts often include countdowns, warnings, and reputational pressure tactics designed to force rapid engagement.

Unlike quieter threat actors, ShinyHunters relies heavily on visibility and narrative control as part of its operational model.

Recent Trends

Activity in 2026 reflects increased automation, higher targeting volume, and more aggressive follow-through on extortion threats. The group’s ability to consistently target enterprise environments suggests ongoing access to vulnerable systems or effective exploitation of common misconfigurations.

The shift toward combining breach claims, public pressure, and data sales positions ShinyHunters as one of the most active and visible financially motivated threat actors currently operating.

Notes

All breach claims attributed to ShinyHunters should be treated as unverified unless confirmed by affected organizations or independently validated. However, the group’s history of publishing data following failed negotiations indicates that many claims warrant serious attention.

Update (May 6, 2026): Added recent BreachNews coverage including Addi, Vimeo, and Instructure incidents, expanded link list with all ShinyHunters-related reports, and updated activity tracker with latest May 2026 developments.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
