ShadowByt3$ Returns With Alleged Abbott LabCentral Portal Breach

Weeks after announcing its retirement, ShadowByt3$ has resurfaced with an alleged breach of Abbott's LabCentral portal, claiming to have stolen technical documentation and proprietary laboratory files.
Screenshot of a forum post in which the ShadowByt3$ threat group claims to have breached Abbott through its LabCentral portal, alleging the theft of approximately 690 MB of technical documentation and publishing a summary of the purportedly stolen files. Certain operational details have been redacted.
Forum post attributed to the ShadowByt3$ threat group alleging an intrusion involving Abbott's LabCentral portal. BreachNews redacted contact information, account details, portal URLs, and other operational information that was not necessary to understand the reported claims.

Weeks after claiming it had shut down operations, the ShadowByt3$ threat group has resurfaced with a new alleged victim, claiming it breached Abbott through the company’s LabCentral portal and stole approximately 690 MB of internal technical documentation.

The post marks the group’s first publicly observed activity since announcing its retirement in June. At the time, ShadowByt3$ claimed it was ending operations permanently and warned that any future use of its name would not be associated with the original operators. BreachNews covered that announcement here.

LabCentral access claimed

According to the forum post, the threat actor claims access was obtained through Abbott’s LabCentral technical library using a compromised account belonging to one of the company’s partners. The actor alleges approximately 690 MB of documentation was exfiltrated and says Abbott has 48 hours to make contact before the material is released.

The post is accompanied by screenshots appearing to show Abbott’s LabCentral technical library as well as a file tree listing the alleged contents of the archive. While the screenshots are consistent with the actor’s claims, they do not independently verify that unauthorized access or data theft occurred.

The screenshots below allegedly show access to Abbott’s LabCentral technical library.

Technical documentation allegedly stolen

Unlike many recent extortion claims involving customer databases, the alleged compromise appears to focus on proprietary technical documentation supporting Abbott’s laboratory diagnostics platforms.

According to the threat actor, the archive includes regulatory documentation, manufacturing certificates, operation manuals, assay packages, calibration files, software documentation, product requirement archives, and other technical materials associated with Abbott’s Alinity, ARCHITECT, and AlinIQ product lines.

The supplied file tree appears consistent with those categories, listing hundreds of PDFs, ISO images, ZIP archives, calibration packages, and assay-specific documentation spanning multiple laboratory systems.

The actor also claims to possess a file containing credentials associated with the alleged compromise, although BreachNews has not verified that claim or the contents of the purported file.

Group resumes previous tactics

The post also advertises insider recruitment, offering to split proceeds with employees willing to provide corporate access. ShadowByt3$ repeatedly promoted similar recruitment offers throughout its previous extortion campaign before announcing its retirement.

The group’s sudden return raises questions about whether the earlier retirement announcement represented a genuine shutdown or simply a temporary pause in operations. Retirement announcements from cybercriminal groups frequently precede rebranding efforts or the resumption of activity under the same or a different identity.

Awaiting response

BreachNews contacted Abbott for comment regarding the alleged compromise and the authenticity of the materials described in the post.

Abbott had not issued any public statement regarding the alleged incident at the time of publication.

Picture of m00s3c

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.

Latest News

Newsletter signup

Get the latest data breach and security news.

Please wait...

Thank you for signing up!

BREACHNEWS.COM/SUPPORT/

Support Independent News.

Help support breach monitoring, investigations, infrastructure, and reporting.

Support the site
INTEL.BREACHNEWS.COM

Live Cyber
Threat Map

Explore live cyber activity, recent breach reports, KEV alerts, and public threat feeds from a single interactive dashboard.

Launch Threat Map