
ShinyHunters

Black-hat criminal hacker group

A notorious cybercrime and extortion group responsible for some of the largest data breaches in history. It uses voice phishing, social engineering, and advanced data exfiltration techniques to compromise enterprise systems worldwide.

Overview

Identity and Membership

The name ShinyHunters is derived from Shiny Pokémon — a rare alternate color scheme in the Pokémon video game franchise. Players who actively hunt for these Pokémon are referred to as "shiny hunters."

Formation: 2019

Type: Cybercrime · Hacker group

Methods: Voice phishing, data exfiltration, extortion

Affiliations: The Com · Scattered Lapsus$ Hunters (claimed)

ShinyHunters is a black-hat criminal hacker and extortion group that has been active since 2020 or earlier, and is said to have been involved in a significant number of data breaches. ShinyHunters has utilized voice phishing and other forms of advanced social engineering to gain access to the systems of its targets. After gaining access to a target, the group has been known to exfiltrate data and demand ransom payments. If targets do not pay the ransom, the stolen information is often leaked or sold on the dark web. As of 2026, ShinyHunters is believed to be affiliated with The Com, a large international network of cybercriminals.

ShinyHunters' membership is believed to partially overlap with other groups linked to international cybercrime network The Com, including Scattered Spider and Lapsus$. Cybercrime group Scattered Lapsus$ Hunters claims to include members of all three groups. Google-owned cybersecurity firm Mandiant described ShinyHunters as "multiple threat clusters" operating under a single brand in January 2026, and a February 2026 analysis by Kim Zetter describes ShinyHunters and its peer groups as "loose-knit cells" of The Com.


How ShinyHunters Operates

The group employs a sophisticated blend of social engineering and technical exploitation.

Voice Phishing (Vishing)

Impersonating IT support staff to trick employees into revealing credentials or installing malicious tools, bypassing traditional authentication methods including MFA.

Data Exfiltration

Using modified versions of enterprise tools like Salesforce Data Loader to systematically export CRM data, hunting for credentials, access keys, and sensitive business information.

OAuth Token Theft

Stealing OAuth and refresh tokens from third-party integrations (Salesloft Drift, Gainsight) to gain unauthorized access to hundreds of Salesforce customer instances simultaneously.

SSO Credential Harvesting

Targeting enterprise single sign-on (SSO) environments including Okta through custom phishing kits and voice-based social engineering to capture logins and MFA codes.

Extortion & Leak Threats

Demanding ransom payments after successful intrusions. When targets refuse to pay, stolen data is published on dedicated leak sites or sold on dark web forums.

Cloud Infrastructure Exploitation

Exploiting misconfigurations in cloud platforms (Snowflake, Salesforce Experience Cloud/Aura) using custom scanning tools to identify and extract data from vulnerable instances.
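As an added example that is not part of the original page, the script below shows how a defender might hunt for two of the patterns described above (bulk CRM exports through a connected app such as Data Loader, and a legitimate integration's OAuth token being replayed from unexpected infrastructure) over a constructed, simplified Salesforce-style API event log. The column names, approved-app list and IP ranges are assumptions made for this example, not Salesforce's actual EventLogFile schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Approved connected apps mapped to the egress ranges their vendor publishes;
# None means a staff tool usable from any corporate address.
# All values here are constructed for the example.
APPROVED_APPS = {
    "Drift": ["203.0.113.0/24"],
    "Data Loader": None,
}
EXPORT_ROW_THRESHOLD = 50_000  # rows per (user, app) in one log window

# Constructed log in a simplified, assumed schema (not Salesforce's real one):
# timestamp, user, connected_app, rows_exported, source_ip
SAMPLE_LOG = """timestamp,user,connected_app,rows_exported,source_ip
2025-08-10T09:01:00Z,sales1@example.com,Data Loader,1200,198.51.100.10
2025-08-10T09:15:00Z,svc-drift@example.com,Drift,300,203.0.113.7
2025-08-10T10:02:00Z,sales2@example.com,My Ticket Portal,90000,192.0.2.44
2025-08-10T10:40:00Z,svc-drift@example.com,Drift,250000,192.0.2.99
"""


def find_suspicious_exports(log_text, approved=APPROVED_APPS,
                            threshold=EXPORT_ROW_THRESHOLD):
    """Return {(user, app): [reasons]} for activity an analyst should review."""
    findings = defaultdict(set)
    rows_by_key = defaultdict(int)
    for rec in csv.DictReader(io.StringIO(log_text)):
        key = (rec["user"], rec["connected_app"])
        rows_by_key[key] += int(rec["rows_exported"])
        if rec["connected_app"] not in approved:
            # Nobody approved this app: the trace left by a renamed or
            # modified export tool that a vished employee authorised.
            findings[key].add("unapproved connected app")
            continue
        ranges = approved[rec["connected_app"]]
        if ranges is not None:
            ip = ipaddress.ip_address(rec["source_ip"])
            if not any(ip in ipaddress.ip_network(r) for r in ranges):
                # Legitimate integration, wrong origin: consistent with its
                # OAuth/refresh token being replayed from elsewhere.
                findings[key].add(f"token used from {rec['source_ip']}")
    for key, total in rows_by_key.items():
        if total > threshold:
            # Volume alone is a signal: CRM exports this large are rare.
            findings[key].add(f"bulk export of {total} rows")
    return {k: sorted(v) for k, v in findings.items()}
```

Running find_suspicious_exports(SAMPLE_LOG) reports the unapproved portal app and the Drift token used from 192.0.2.99 with its 250,300-row export; the routine Data Loader use is not flagged.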


Notable Data Breaches

Over 1.79 billion user records compromised across dozens of high-profile breaches.

AT&T Wireless

2021, 2024 · 109M+ records

Breached twice: first in 2021, when 70M subscriber records were put up for sale, then again in 2024, when data on over 110M customers was stolen. AT&T paid a $370,000 ransom.

Ticketmaster

2024 · 560M records

Claimed responsibility for the Ticketmaster breach via the Snowflake campaign. One of the largest single data breaches in history.

Instructure / Canvas

May 2026 · 3.65TB data

Exfiltrated 3.65 TB of data from Canvas LMS, impacting 275M users across 8,809 institutions. Included names, emails, student IDs, and private messages.

Santander

2024 · 30M customer records

Compromised data on all Santander staff and on 30M customers in Spain, Chile and Uruguay through the Snowflake campaign.

Wattpad

2020 · 270M user records

Gained access to a database containing 270M user records including usernames, real names, hashed passwords, email addresses, and geographic data.

Tokopedia

2020 · 91M user accounts

Breached the Indonesian e-commerce giant, claiming data for 91M user accounts with gender, location, usernames, emails, phone numbers, and hashed passwords.

Pornhub

2025 · 200M records

Claimed 94 GB of historical analytics data containing over 200M records of user email addresses, search history, watch/download activity, and location data.

Qantas

2025 · 5.7M customers

The Australian airline suffered a cyberattack exposing the data of approximately 5.7M customers, later confirmed to be the work of ShinyHunters.

European Commission

2026 · 350GB+ data

Hacked and leaked over 350GB of data including PII, email communications, sensitive documents, and data belonging to 42 internal clients and 29 EU entities.


Major Cybercriminal Campaigns

Four waves of coordinated, large-scale data theft operations targeting enterprise cloud platforms.

Snowflake Data Hacks (2024, 2026)

In 2024, ShinyHunters claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, and Neiman Marcus. In 2026, a second widespread data theft campaign targeted Snowflake customers through the third-party integrator Anodot, affecting "over a dozen" companies. Snowflake confirmed the incident and Google's Mandiant tracked the case.

Salesforce Data Hacks — Round 1: UNC6040 (June 2025)

A widespread data-theft campaign targeting Salesforce cloud customers. The group impersonated IT support staff and used voice phishing to trick employees into installing malicious versions of Salesforce's Data Loader tool, abusing OAuth to bypass authentication. Confirmed breaches at Google, Cisco, Adidas, Qantas, Allianz Life, Workday, Pandora, Chanel, TransUnion, and LVMH subsidiaries (Dior, Louis Vuitton, Tiffany & Co.).

Salesforce Data Hacks — Round 2: UNC6395 / Drift (Aug 2025)

Used OAuth tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer orgs. Described as "the biggest SaaS compromise in history," affecting over 700 organizations and stealing approximately 1.5 billion data records. Public disclosures include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks.

Salesforce Data Hacks — Round 3: Gainsight (Nov 2025)

Used OAuth tokens stolen from Gainsight Salesforce integration to access customer instances. Google identified more than 200 potentially affected Salesforce instances. Victims included Atlassian, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, and Verizon.

Salesforce Data Hacks — Round 4: Experience Cloud / Aura (Mar 2026)

Exploited misconfigurations in Salesforce Experience Cloud (Aura) using a modified version of AuraInspector and custom tools. Claimed to have breached about 400 companies including Snowflake, Okta, LastPass, Salesforce itself, Sony, and AMD.

Okta / SSO Data Hacks (2026)

A series of social-engineering campaigns targeting enterprise single sign-on environments including Okta. The attacks used voice phishing and credential-harvesting infrastructure to trick employees into divulging SSO credentials and MFA codes. Affected organizations include Harvard, Princeton, UPenn, Grubhub, Panera Bread, Match Group, Tinder, Hinge, Bumble, Odido, and Wynn Resorts. Over 100 organizations were targeted in this campaign.

Mixpanel Data Hacks (Nov 2025)

Linked to a third-party analytics breach at Mixpanel affecting multiple high-profile companies including Pornhub and OpenAI. Threat actors exploited a smishing-based compromise of Mixpanel systems to export analytics-related datasets belonging to several customers.


Legal Actions and Arrests

Law enforcement efforts against the group have resulted in multiple arrests and convictions.

Sébastien Raoult (Jan 2024)

A French programmer suspected of belonging to the group was arrested in Morocco and extradited to the United States. Sentenced to three years in prison and ordered to return five million dollars. Raoult had worked for the group for more than two years but was not a major player.

Matthew D. Lane (May–Jun 2025)

A 19-year-old Massachusetts student was charged with hacking and extorting an education-technology provider (widely reported to be PowerSchool). Lane used stolen contractor credentials to access the company's network, exfiltrate data on tens of millions of students and teachers, and demand a $2.85 million bitcoin ransom. He pleaded guilty on June 6, 2025.

French National Arrests (Jun 2025)

French authorities announced that four members of the ShinyHunters cybercriminal group were arrested in multiple French regions for cybercrime activities. The coordinated global law enforcement effort targeted the 'ShinyHunters', 'Hollow', 'Noct', and 'Depressed' aliases.


Frequently Asked Questions

The fastest answers to the questions people ask first about ShinyHunters.

What is ShinyHunters?

ShinyHunters is a black-hat criminal hacker and extortion group active since 2020. The group specializes in voice phishing, data exfiltration, and large-scale ransomware attacks against enterprise organizations worldwide. They are responsible for over 1.79 billion compromised user records across dozens of high-profile breaches.

When was ShinyHunters formed?

ShinyHunters was formed around 2019, with its first known data breaches appearing in January 2020. The group has been continuously active through 2026.

How does ShinyHunters operate?

The group uses voice phishing (vishing), advanced social engineering, and custom-developed tools to gain access to enterprise systems. They impersonate IT support staff, trick employees into installing malicious software, steal OAuth tokens from third-party integrations, and exploit cloud platform misconfigurations.

What companies has ShinyHunters hacked?

Major victims include AT&T, Ticketmaster, Microsoft, Google, Santander, Qantas, Wattpad, Tokopedia, Pornhub, SoundCloud, Rockstar Games, Instructure (Canvas), LVMH (Louis Vuitton, Dior, Tiffany & Co.), Kering (Gucci, Balenciaga), and many more.

Has anyone been arrested for ShinyHunters activities?

Yes. In January 2024, Sébastien Raoult was sentenced to three years in prison. In June 2025, Matthew D. Lane pleaded guilty to hacking PowerSchool. Also in June 2025, French authorities arrested four alleged members of the group.

Is ShinyHunters still active?

Yes. ShinyHunters remains active as of May 2026, with recent high-profile breaches including Instructure (Canvas), ADT, Rockstar Games, the European Commission, Telus, and Wynn Resorts. The group is believed to be affiliated with The Com cybercrime network.


Primary Sources and References

Verified reporting from leading cybersecurity publications and threat intelligence firms.

Wired

Comprehensive coverage of ShinyHunters operations, including the Canvas hack and Snowflake breach analysis.


BleepingComputer

Primary technical reporting on data breaches, including exclusive confirmations from ShinyHunters members.


Krebs on Security

In-depth investigative reporting on ShinyHunters, Scattered Spider, and the broader cybercrime ecosystem.


Google Cloud / Mandiant

Threat intelligence reports tracking UNC6040, UNC6395, and the expansion of ShinyHunters-branded SaaS data theft.


TechCrunch

Breaking news on data breaches including Harvard, UPenn, Princeton, Gainsight, and Figure Technologies.


DataBreaches.net

Independent breach reporting and verified extortion communications with ShinyHunters affiliates.
