
ShinyHunters overview:
ShinyHunters emerged from near-anonymity in May 2020 and within two weeks had listed over 200 million stolen user records for sale on the dark web. Six years later, the group has breached between 300 and 400 companies, compromised billions of records, and built one of the most recognizable groups in cybercrime.
They did it by exploiting technical vulnerabilities and human trust.
ShinyHunters is a black-hat criminal hacker and extortion group believed to have formed as early as 2019. The group operates under the leadership of a persona known as ShinyCorp, also referred to across Telegram channels as sp1d3rhunters and shinyc0rp.
The group’s motive is financial. Their operating model follows a simple, brutal pipeline: breach, exfiltrate data, issue a ransom demand, and publish or auction the data if payment is refused.
Over time, this model has scaled into something closer to a criminal enterprise. By 2025, ShinyHunters had expanded into Ransomware as a Service (RaaS) under the alias ShinySp1d3r, positioning themselves to fill the gap left by LockBit’s disruption in early 2024.
ShinyHunters also took over ownership of BreachForums, one of the web’s most prominent marketplaces for stolen data, following the arrest of its original founder in 2023. In October 2025, the FBI seized the forum. ShinyHunters publicly walked away shortly after, describing it as a waste of time, leaking data on 300,000 forum users, and warning that all remaining active BreachForums domains are impostors.
Law enforcement has made tangible progress against the group, though arrests haven’t stopped operations.
In May 2022, French programmer Sébastien Raoult – also known as Sezyo Kaizen – was arrested. France declined to extradite him, and the United States ultimately secured extradition via Morocco.
Raoult arrived in the U.S. in January 2023. In January 2024, he was sentenced to three years in federal prison and ordered to pay more than $5 million in restitution after being charged with conspiracy to commit wire fraud and aggravated identity theft.
The U.S. Department of Justice stated that between April 2020 and July 2021, Raoult and his co-conspirators breached more than 60 businesses, causing financial damages exceeding $6 million. Two co-conspirators, Gabriel Kimiaie-Asadi Bildstein and Abdel-Hakim El Ahmadi, both French nationals, were named in the same indictment. Neither has been publicly convicted to date.
In May 2024, authorities arrested John Erin Binns, a U.S. citizen, in Turkey on charges connected to hacking T-Mobile in 2021.
In June 2025, French authorities coordinated a multi-region operation that resulted in the arrest of four additional suspected members linked to the BreachForums administration, operating under the aliases ShinyHunters, Hollow, Noct, and Depressed. The group’s core leadership remained active throughout and after each of these actions.
ShinyHunters don’t rely on a single attack method. Their effectiveness comes from operational versatility – drawing on whichever tactic best suits the target.
In May 2020, ShinyHunters breached Tokopedia, Indonesia’s largest e-commerce platform, and claimed to have the data of 91 million user accounts. The stolen data included birth dates, names, email addresses, and passwords. The breach was one of the group’s first public actions and established their model of large-scale data exfiltration followed by dark web sales.
ShinyHunters first attacked AT&T in 2021, selling the data of 70 million people on a cybercrime forum. AT&T initially denied the claim. In 2024, the group resurfaced with a far larger dataset affecting 110 million customers. AT&T confirmed the breach and reportedly paid a $370,000 ransom to have the data deleted.
In 2024, ShinyHunters put the personal data of 560 million Ticketmaster customers up for sale, asking $500,000 for exclusive access. The 1.3-terabyte dataset included names, addresses, phone numbers, and partial credit card details. Live Nation confirmed unauthorized activity in a filing with the U.S. Securities and Exchange Commission.
In 2025, ShinyHunters recruited overseas customer support contractors to access Coinbase’s internal systems and extract customer data, including names, Social Security numbers, bank details, and transaction histories. The attackers demanded a $20 million ransom.
Coinbase refused to pay, instead offering a $20 million reward for information leading to the attackers’ arrest. A former Coinbase employee was arrested in connection with the breach in December 2025.
In April 2026, ShinyHunters breached Instructure, the organization behind the Canvas learning management system, exploiting a vulnerability in its Free-For-Teacher account program. The group claimed to have exfiltrated 3.65 terabytes of data affecting 275 million users across 8,809 educational institutions worldwide.
In 2026, ShinyHunters compromised Anodot, a third-party analytics provider, stealing authentication tokens that provided access to customer data stored in Google BigQuery and Snowflake environments. Confirmed downstream victims include Rockstar Games, where nearly 80 million records were stolen, Vimeo, where 119,000 users had their data exposed, and Zara, where 197,000 customer records were compromised.
The entry point varies, but the outcome is consistent: data stolen and a ransom demand issued.
The downstream consequences of a breach extend well beyond the initial data theft. Stolen employee credentials are used to launch targeted phishing campaigns against customers and partners. Exposed domain information enables cybercriminals to register lookalike domains that impersonate your brand. Leaked email addresses become fuel for BEC attacks.
The breach is the beginning of the threat, not the end of it.
Without continuous monitoring for credential exposure, lookalike domain activity, and email authentication gaps, enterprises remain exposed long after a breach has been contained.
Sendmarc addresses the email risk that emerges after a breach.
When employee email credentials are exposed in a data breach, companies often don’t know until the damage is done.
Sendmarc’s Breach Detection continuously monitors known breach data sources for compromised employee credentials. Security teams receive alerts when credentials appear in leaked datasets, enabling rapid response before those credentials are used for account takeover, lateral movement, or targeted phishing.
For stretched IT and security teams managing large, distributed environments, this removes the burden of manual investigation. Continuous monitoring replaces reactive discovery.
After a high-profile breach, cybercriminals may register lookalike domains that impersonate the affected brand. These domains are used to launch phishing campaigns targeting customers, partners, and employees who may already be on alert following breach disclosures, and therefore more likely to respond to what appears to be an urgent communication.
Sendmarc’s Lookalike Domain Defense identifies domains designed to impersonate your business. Security teams gain visibility into impersonation attempts before those domains are weaponized, enabling takedown action and proactive customer communication.
DMARC enforcement prevents unauthorized senders from using your domain to deliver fraudulent emails.
Sendmarc’s DMARC management solution gives security and IT teams unified visibility across all email-sending sources, identifies unauthorized or misconfigured senders, and enforces authentication policies across departments and regions. Combined with SPF and DKIM management, this ensures that emails sent from your domain are authenticated, auditable, and protected from exploitation.
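One way to check whether a domain’s published DMARC record actually enforces, as an added example (not Sendmarc’s code); the two records are constructed samples showing a monitoring-only setting beside its enforced form:

```python
"""Assess a DMARC TXT record for settings that leave a domain spoofable.
Added example, not Sendmarc's code. Flags a monitoring-only policy (p=none),
partial enforcement (pct<100), an explicitly weaker subdomain policy, and a
missing aggregate-report address. Both records below are constructed samples."""
from typing import Dict, List

# Constructed sample: reports failures but still delivers spoofed mail, half of the time
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
# Constructed sample: the corrected, fully enforced record for the same domain
ENFORCED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return the list of weaknesses found; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        return ["missing required p= tag"]
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none: failures are reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    # pct defaults to 100; anything lower exempts a share of failing mail from the policy
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to p=")
    # sp defaults to p; an explicit sp=none under a stricter p= leaves subdomains open
    if tags.get("sp") == "none" and policy != "none":
        findings.append("sp=none: subdomains can be spoofed freely")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility into senders")
    return findings
```

Run `assess_dmarc` on the TXT record published at `_dmarc.<your-domain>` to see which of these gaps apply before moving to enforcement.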
ShinyHunters have operated for six years, survived multiple arrests, and continued to evolve their methods. The threat isn’t theoretical. The breach data is real, the downstream email risk is real, and the organizations that remain exposed are those without continuous monitoring in place.
Sendmarc helps companies close that gap – before a breach becomes a brand crisis.