Defending Against ShinyHunters: Tactics and Breaches

Overview

ShinyHunters first appeared in 2020. Since then, the group has grown into one of the most active financially motivated threat actors in the enterprise space.

They do not work alone. The group hires members of Scattered Spider and The Com to carry out voice phishing campaigns at scale [1]. Some members also maintain ties to Ransomware-as-a-Service programs. This cross-group model gives ShinyHunters access to a broader pool of tools, skills, and targets.

Across six years, ShinyHunters has targeted universities, airlines, telecoms, cloud platforms, and consumer services across multiple continents. Their most notable breaches include the 2020 Microsoft GitHub incident, in which ShinyHunters claimed to have stolen over 500 GB of private source code, and the July 2025 Qantas attack, which exposed data belonging to 5.7 million customers.

ShinyHunters shows no sign of slowing down. Understanding how they operate is the first step to stopping them.

In this blog, we cover the major historical breaches attributed to ShinyHunters, break down their tactics and techniques, and show you how Picus helps you defend your organization against this threat group.

What Are the Major Activities of the ShinyHunters Group?

2020 – ShinyHunters emerged as a financially motivated cybercriminal group [2], specializing in large-scale database theft and selling stolen records on hacking forums.

May 2020 – ShinyHunters claimed to have exfiltrated over 500 GB of source code from Microsoft's private GitHub repositories. Roughly 1 GB of the stolen data was published on a hacking forum. Microsoft confirmed awareness of the breach and later secured the affected repositories [3].

July 2020 – The group breached Wattpad's database, obtaining approximately 270 million user records [4].

September 2023 – ShinyHunters claimed to have compromised Pizza Hut Australia, obtaining over 1 million customer records and 30 million order records [5]. Pizza Hut Australia later confirmed the breach [6].

July 2025 – A cyberattack attributed to ShinyHunters exposed data belonging to approximately 5.7 million customers of Australian airline Qantas [7].

November 2025 – Hackers linked to ShinyHunters targeted Harvard University, which disclosed a breach affecting alumni and donor data [8].

December 2025 – ShinyHunters was linked to a breach of SoundCloud that exposed personal data from roughly 29.8 million user accounts, representing about 20% of the platform's user base [9].

February 2026 – ShinyHunters was connected to a breach of Dutch telecom provider Odido, affecting around 6 million individuals, with data subsequently leaked to the dark web [10].

Which MITRE ATT&CK Techniques Are Used by ShinyHunters?

Tactic: Resource Development

T1583.006 Acquire Infrastructure: Web Services

ShinyHunters abused legitimate commercial services, rather than custom tooling, to run vishing campaigns at scale. For call setup the group used VoIP and telephony platforms including Twilio, Google Voice, and 3CX.

For the voice itself, the group used the AI voice agents Vapi and Bland AI. Bland AI gave the attackers LLM-driven conversational flows: natural-sounding speech, selectable voice gender and regional accent, and call content that adapts in real time to what the victim says [11].

This kept the calls convincing even when victims deviated from the attacker's script. Because every piece of this infrastructure is a legitimate service, the call itself is rarely something a control can block; the defensive lever is what happens after the call, namely where the victim is sent and what they are asked to approve.

Tactic: Initial Access

T1078 Valid Accounts

ShinyHunters sought unauthorized access into enterprise environments by actively recruiting malicious insiders capable of providing direct access to single sign-on (SSO) platforms, VPNs, and version control repositories.

Below is a Telegram message the threat actor posted to recruit insiders [11]:

scattered LAPSUS$ hunters 4.0
IF YOU HAVE OKTA OR MS SSO OR CITRIX ACCESSES MESSAGE @shinyc0rp YOU WILL BE PAID NICELY!!!!

SECTORS OF INTEREST:
credit bureaus, insurance, finance/banking...<truncated>

T1133 External Remote Services

ShinyHunters routed operational traffic through commercial VPN services and residential proxy networks so that logins and API calls did not originate from attacker-owned IP space. Services identified include Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, and nsocks [12]. Strictly speaking, this source-IP anonymization maps to T1090.002 Proxy: External Proxy; T1133 applies to the victim-side SSO and VPN access the group obtains through recruited insiders and phished credentials. For defenders the practical consequence is the same: successful authentications from residential-proxy or commercial-VPN egress ranges, especially to SSO, VPN, or SaaS admin consoles, deserve a higher baseline of scrutiny than the source IP alone would suggest.

T1190 Exploit Public-Facing Application

ShinyHunters exploited CVE-2021-35587, an unauthenticated remote code execution vulnerability in Oracle Access Manager that is listed in CISA's Known Exploited Vulnerabilities catalog, to compromise the application server hosting it. Using a weak, hard-coded database credential found on that server, the actor authenticated to production databases and used SQL*Plus to query and exfiltrate data [11]. Two things stand out for defenders: the credential, not the CVE, is what turned a web-tier compromise into a database breach, and an interactive client such as SQL*Plus connecting from an application host is itself an anomaly worth alerting on. For instance, the following illustrative query would pull up to 500,000 customer records, including password hashes and SSNs, in a single statement:

SELECT username, email, password_hash, ssn FROM CUSTOMERS.USER_ACCOUNTS WHERE rownum <= 500000;

T1195 Supply Chain Compromise

ShinyHunters targeted high-privilege engineering accounts on Git-based source control platforms, BrowserStack, and JFrog to reach CI/CD pipelines, with the aim of launching supply chain attacks.

In one incident, they stole enterprise BrowserStack API keys and leaked them through a temporary Telegram channel. Given BrowserStack's integrations with CI/CD pipelines and tools like GitHub, Jira, Slack, and Azure DevOps, a single exposed key could grant attackers access across development and testing workflows [11]. Any key that appears in such a leak should be treated as fully compromised: revoke and rotate it, review what the integration could reach, and audit pipeline and repository activity for the period the key was exposed rather than assuming it went unused.

T1566 Phishing

Attackers impersonated IT staff in voice calls to employees at specific organizations and directed them, via phishing links, to fake, brand-specific credential harvesting sites. There, victims entered their SSO credentials and MFA codes, which the attackers relayed in real time.

In one campaign, threat actors cloned the login interface and authentication flow of a legitimate Okta site, replicating the target's branding to mimic an authentic Okta environment [11].

In the Salesforce-targeting campaigns, no credential theft was required: victims were instructed during the call to navigate to the legitimate Salesforce /setup/connect page and enter a connection code, which authorized an attacker-controlled connected app (OAuth application) to access the organization's Salesforce data. Restricting who may authorize connected apps, so that only admin-approved apps can be granted access, removes the user's ability to approve such an app on an attacker's instructions.

Tactic: Persistence

T1098.005 Account Manipulation: Device Registration

After capturing both SSO credentials and live MFA authentication codes from victims via fake login portals, ShinyHunters registered an attacker-controlled device to the victim's MFA configuration. This registration gave the attacker durable, ongoing access to the account even after the phishing session ended.

To prevent the victim from noticing the unauthorized device enrollment, the attacker then deleted the MFA enrollment notification email from the victim's inbox using the ToogleBox Recall application [12]. The notification email is therefore not a reliable detection; the identity provider's own audit log of factor enrollments is.
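The proxy-sourced logins described under T1133 above and the follow-on MFA device registration described here are two halves of one detectable chain. The Python below is an added example written for this page; it is not code from the Picus post or from the EclecticIQ or Google reports it cites. It correlates Okta System Log events: a successful sign-in from a watchlisted VPN or residential-proxy egress range, followed within a short window by activation of a new MFA factor for the same user. The field names follow Okta's System Log schema (eventType, actor.alternateId, client.ipAddress, outcome.result, published); the proxy ranges are a constructed stand-in for a threat-intelligence feed, and the sample events are constructed for the demo.

```python
# Added example, not code from the Picus post or its cited reports.
# Correlates Okta System Log events: successful login from a VPN/residential-proxy
# egress range, then a new MFA factor activated for the same user within WINDOW.
# Assumptions (not from the page): PROXY_RANGES stands in for a threat-intel feed;
# SAMPLE_EVENTS are constructed; field names follow Okta's System Log schema.
import ipaddress
import json
from datetime import datetime, timedelta

# Constructed watchlist of VPN / residential proxy egress ranges (documentation IPs).
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

LOGIN = "user.session.start"                 # Okta sign-in event (success or failure)
FACTOR_ENROLL = "user.mfa.factor.activate"   # Okta: a new MFA factor became active
WINDOW = timedelta(minutes=30)               # tune to your environment

def is_proxy_ip(ip: str) -> bool:
    """True if ip falls inside any watchlisted VPN/proxy egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROXY_RANGES)

def parse_ts(published: str) -> datetime:
    """Okta timestamps look like 2026-03-01T10:12:00.000Z."""
    return datetime.fromisoformat(published.replace("Z", "+00:00"))

def find_suspicious_enrollments(events, window=WINDOW):
    """Return [(user, login_ip, enroll_published)] for factor activations that
    follow a successful proxy-sourced login by the same user within `window`."""
    ordered = sorted(events, key=lambda e: parse_ts(e["published"]))
    last_proxy_login = {}   # user -> (login time, source ip)
    hits = []
    for e in ordered:
        user = e["actor"]["alternateId"]
        ts = parse_ts(e["published"])
        if e["eventType"] == LOGIN:
            ip = e["client"]["ipAddress"]
            if e["outcome"]["result"] == "SUCCESS" and is_proxy_ip(ip):
                last_proxy_login[user] = (ts, ip)
        elif e["eventType"] == FACTOR_ENROLL:
            prior = last_proxy_login.get(user)
            if prior is not None and timedelta(0) <= ts - prior[0] <= window:
                hits.append((user, prior[1], e["published"]))
    return hits

def _event(etype, user, ip, published, result="SUCCESS"):
    # Constructed Okta-style event, serialized as JSON the way a SIEM receives it.
    return json.dumps({
        "eventType": etype,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
        "published": published,
    })

SAMPLE_EVENTS = [json.loads(s) for s in (
    _event(LOGIN, "alice@example.com", "192.0.2.10", "2026-03-01T09:00:00.000Z"),           # corporate IP
    _event(FACTOR_ENROLL, "alice@example.com", "192.0.2.10", "2026-03-01T09:05:00.000Z"),   # benign enrollment
    _event(LOGIN, "bob@example.com", "203.0.113.45", "2026-03-01T10:00:00.000Z"),           # proxy egress
    _event(FACTOR_ENROLL, "bob@example.com", "203.0.113.45", "2026-03-01T10:12:00.000Z"),   # attacker device
    _event(LOGIN, "carol@example.com", "198.51.100.7", "2026-03-01T11:00:00.000Z", "FAILURE"),
    _event(FACTOR_ENROLL, "carol@example.com", "198.51.100.7", "2026-03-01T11:05:00.000Z"), # no successful login
    _event(LOGIN, "dave@example.com", "198.51.100.9", "2026-03-01T12:00:00.000Z"),
    _event(FACTOR_ENROLL, "dave@example.com", "198.51.100.9", "2026-03-01T13:00:00.000Z"),  # outside window
)]

if __name__ == "__main__":
    for user, ip, when in find_suspicious_enrollments(SAMPLE_EVENTS):
        print(f"ALERT: {user} activated a new MFA factor at {when} after login from proxy IP {ip}")
```

Run against the sample, only bob fires: alice enrolled from a corporate address, carol's proxy login failed, and dave's enrollment falls outside the 30-minute window. The window and the range list are the two knobs to tune; a wider window catches slower operators at the cost of more analyst review, and a stale range list misses new proxy providers entirely, which is why the feed should be refreshed rather than hard-coded as it is here.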

Tactic: Discovery

T1526 Cloud Service Discovery

ShinyHunters enumerated cloud environments and applications, specifically querying for documents containing keywords such as "proposal," "internal," "salesforce," or personally identifiable information (PII) [12].

Tactic: Exfiltration

T1567 Exfiltration Over Web Service

Stolen data was exfiltrated to storage and file-sharing services. LimeWire was specifically used as the destination for samples of stolen data [11], which were then shared with victims as proof of access during extortion negotiations.
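Staging stolen data on a consumer file-sharing service leaves a trace in outbound web proxy logs. The Python below is an added example written for this page, not code from the Picus post or its cited reports; it totals request bytes for POST and PUT requests to a watchlist of file-sharing domains, per user and destination, and ignores sanctioned corporate storage. The log format (timestamp, user, client IP, method, URL, status, request bytes), the watchlist, the sanctioned-domain allowlist, and the sample lines are all constructed for the demo; the page only establishes that LimeWire was used as a staging destination.

```python
# Added example, not code from the Picus post or its cited reports.
# Scans constructed web-proxy log lines for uploads (POST/PUT) to watchlisted
# file-sharing domains and totals request bytes per (user, domain).
# Assumptions (not from the page): the log format, FILE_SHARING_DOMAINS,
# SANCTIONED_DOMAINS and SAMPLE_LOG are all constructed for this demo.
import re
from collections import defaultdict

FILE_SHARING_DOMAINS = {"limewire.com", "mega.nz", "transfer.sh"}  # constructed watchlist
SANCTIONED_DOMAINS = {"sharepoint.com"}                            # corporate storage, never alerted on

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/:\s]+)\S*\s+(?P<status>\d{3})\s+(?P<req_bytes>\d+)$"
)

def registrable_domain(host: str) -> str:
    """Crude last-two-labels fold (api.limewire.com -> limewire.com).
    Use the Public Suffix List in production; this suffices for the watchlist here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec

def find_uploads(lines, min_bytes: int = 0):
    """Return {(user, domain): total_request_bytes} for POST/PUT requests to
    watchlisted file-sharing domains, keeping only totals of at least min_bytes."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        domain = registrable_domain(rec["host"])
        if domain in SANCTIONED_DOMAINS or domain not in FILE_SHARING_DOMAINS:
            continue
        totals[(rec["user"], domain)] += rec["req_bytes"]
    return {k: v for k, v in totals.items() if v >= min_bytes}

# Constructed sample: two large uploads to LimeWire, one sanctioned SharePoint upload,
# a small upload to mega.nz, a plain GET, and a malformed line.
SAMPLE_LOG = """\
2026-03-01T14:02:11Z jdoe 10.1.2.3 GET https://intranet.example.com/ 200 412
2026-03-01T14:05:40Z jdoe 10.1.2.3 POST https://api.limewire.com/upload 200 52428800
2026-03-01T14:06:02Z jdoe 10.1.2.3 POST https://api.limewire.com/upload 200 10485760
2026-03-01T14:10:00Z asmith 10.1.2.9 PUT https://contoso.sharepoint.com/sites/x/q.docx 201 3145728
2026-03-01T14:12:00Z asmith 10.1.2.9 GET https://mega.nz/ 200 380
2026-03-01T14:15:00Z bwong 10.1.2.11 POST https://mega.nz/api 200 2048
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for (user, domain), nbytes in sorted(find_uploads(SAMPLE_LOG).items()):
        print(f"{user} sent {nbytes} bytes to {domain}")
```

Two caveats from the page's own facts. First, ShinyHunters used LimeWire for samples, not the full dataset, so a high byte threshold would miss exactly this activity; start with min_bytes at zero and use the total only to rank. Second, many proxies log the response size by default and not the request size, so the upload volume is invisible unless the request-size field is enabled (in Squid, the `%>st` logformat token records the request size including its body).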

Tactic: Impact

T1657 Financial Theft

The threat actors financially exploited their unauthorized access by demanding seven-digit extortion payments from victim companies and attempting to sell exfiltrated enterprise datasets to other cybercriminals for up to $1 million per organization [12].

How Does Picus Help Against Threat Actors like ShinyHunters?

We strongly recommend simulating attacks by threat actors such as ShinyHunters to validate the effectiveness of your security controls against data exfiltration using the Picus Data Exfiltration Module. You can also validate your security posture against hundreds of other threat actors and region-specific exfiltration campaigns in minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for ShinyHunters:

Threat ID | Threat Name | Attack Module
26895 | Critical OS Data Exfiltration Campaign | Data Exfiltration
30640 | Source Code Data Exfiltration Campaign | Data Exfiltration
49541 | PDF Format Data Exfiltration Campaign | Data Exfiltration
96916 | XLS(X) Format Data Exfiltration Campaign | Data Exfiltration
60131 | DOC(X) Format Data Exfiltration Campaign | Data Exfiltration
30199 | Payment Card Industry (PCI) Data Exfiltration Campaign - 1 | Data Exfiltration
69511 | Payment Card Industry (PCI) Data Exfiltration Campaign - 2 | Data Exfiltration
47972 | Payment Card Industry (PCI) Data Exfiltration Campaign - 3 | Data Exfiltration
21600 | Payment Card Industry (PCI) Data Exfiltration Campaign - 4 | Data Exfiltration
24992 | Payment Card Industry (PCI) Data Exfiltration Campaign - 5 | Data Exfiltration
86756 | Personally Identifiable Information (PII) Data Exfiltration Campaign - 1 | Data Exfiltration
71123 | Personally Identifiable Information (PII) Data Exfiltration Campaign - 2 | Data Exfiltration
35732 | Country Specialized Data (US) Exfiltration Campaign | Data Exfiltration
51350 | Payment Card Industry (US) Data Exfiltration Campaign | Data Exfiltration
50011 | Payment Card Industry (UK) Data Exfiltration Campaign | Data Exfiltration
58765 | Country Specialized Data (U.K.) Exfiltration Campaign - 1 | Data Exfiltration
80898 | Country Specialized Data (U.K.) Exfiltration Campaign - 2 | Data Exfiltration
61054 | Financial (UK) Data Exfiltration Campaign | Data Exfiltration
47996 | DOC(X) Format (UK) Data Exfiltration Campaign | Data Exfiltration
25566 | XLS(X) Format (U.K.) Data Exfiltration Campaign | Data Exfiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • ShinyHunters is a financially motivated cybercriminal group that emerged in 2020 and focuses on stealing data and extorting its owners.
  • The group partners with members of Scattered Spider and The Com for voice phishing campaigns and leverages connections to Ransomware-as-a-Service programs to access a wider range of tools and targets.
  • Attackers employ AI voice tools such as Vapi and Bland AI to conduct vishing attacks with natural-sounding conversational flows that adjust in real time to victim responses.
  • The threat actors actively recruit malicious insiders to gain direct, unauthorized access to enterprise single sign-on platforms, VPNs, and version control repositories.
  • To facilitate supply chain attacks, ShinyHunters targets high-privilege engineering accounts on Git-based source control platforms, BrowserStack, and JFrog to breach CI/CD pipelines.
  • Organizations can use the Picus Data Exfiltration Module to simulate ShinyHunters attacks and validate the effectiveness of existing security controls against data exfiltration threats.

References

[1]        “ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications.” Accessed: Mar. 11, 2026. [Online]. Available: https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications

[2]        “ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications.” Accessed: Mar. 11, 2026. [Online]. Available: https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications

[3]        L. Abrams, “Microsoft’s GitHub account hacked, private repositories stolen,” BleepingComputer. Accessed: Mar. 11, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/

[4]        L. Abrams, “Wattpad data breach exposes account info for millions of users,” BleepingComputer. Accessed: Mar. 11, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/wattpad-data-breach-exposes-account-info-for-millions-of-users/

[5]        “Pizza Hut Australia customer data hacked: ShinyHunters claims to have more than 1 million customers’ information,” DataBreaches.net, Sep. 3, 2023. Accessed: Mar. 11, 2026. [Online]. Available: https://databreaches.net/2023/09/03/pizza-hut-australia-customer-data-hacked-shinyhunters-claims-to-have-more-than-1-million-customers-information/

[6]        J. Taylor, “Pizza Hut Australia hack: data breach exposes customer information and order details,” The Guardian, Sep. 20, 2023. Accessed: Mar. 11, 2026. [Online]. Available: https://www.theguardian.com/australia-news/2023/sep/20/pizza-hut-hack-australia-data-breach-passwords-information-leak

[7]        L. Abrams, “Qantas confirms data breach impacts 5.7 million customers,” BleepingComputer. Accessed: Mar. 11, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/qantas-confirms-data-breach-impacts-57-million-customers/

[8]        S. Gatlan, “Harvard University discloses data breach affecting alumni, donors,” BleepingComputer. Accessed: Mar. 11, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/harvard-university-discloses-data-breach-affecting-alumni-donors/

[9]        L. Abrams, “SoundCloud confirms breach after member data stolen, VPN access disrupted,” BleepingComputer. Accessed: Mar. 11, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/soundcloud-confirms-breach-after-member-data-stolen-vpn-access-disrupted/

[10]        “Hackers publish 680,000 Odido customer records, demand ransom and threaten more releases,” NL Times, Feb. 26, 2026. Accessed: Mar. 11, 2026. [Online]. Available: https://nltimes.nl/2026/02/26/hackers-publish-680000-odido-customer-records-demand-ransom-threaten-releases

[11]        “ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications.” Accessed: Mar. 11, 2026. [Online]. Available: https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications

[12]        “Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft,” Google Cloud Blog. Accessed: Mar. 11, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft