ShinyHunters publicly operates extortion-as-a-service with partner crews
Threat Actor Meta
Summary
Hide ▲
Show ▼
ShinyHunters publicly framed itself as an extortion-as-a-service (EaaS) operator, a shift that can scale multi-victim extortion and blur attribution across partner breaches. The model turns ShinyHunters into a revenue-sharing broker for stolen data and ransom pressure rather than just a single intrusion crew. Its cooperation with Crimson Collective and Scattered Lapsus$ Hunters suggests a broader extortion ecosystem around one public leak brand.
Related Happenings
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Scattered LAPSUS$ Hunters IT help-desk vishing campaign
Campaign
First: 25.02.2026 17:06
Last: 25.02.2026 17:06
Sources 1
About this happening:
**Scattered LAPSUS$ Hunters (SLH)** is running a **help-desk vishing campaign** that recruits women to impersonate employees, raising the success rate of **account-takeover attemp...
Scattered LAPSUS$ Hunters IT help-desk vishing campaign
CampaignAbout this happening: **Scattered LAPSUS$ Hunters (SLH)** is running a **help-desk vishing campaign** that recruits women to impersonate employees, raising the success rate of **account-takeover attemp...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor Meta
First: 03.02.2026 16:00
Last: 03.02.2026 16:00
Sources 1
About this happening:
**Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Vect RaaS affiliate recruitment and early ecosystem buildout
Threat Actor MetaAbout this happening: **Vect** has moved into **affiliate recruitment**, marking an early-stage **ransomware-as-a-service** buildout that could expand its reach and victim volume. The group has already...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor Meta
First: 02.02.2026 18:15
Last: 02.02.2026 18:15
Sources 1
About this happening:
**Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
Scattered Lapsus Shiny Hunters' harassment-driven extortion operating model
Threat Actor MetaAbout this happening: **Scattered Lapsus Shiny Hunters (SLSH)** is now using a **harassment-driven extortion model** that pairs stolen data with swatting, threats, and publicity pressure, raising the s...
ShinyHunters data-leak site exposing stolen attack data
Data Leak
First: 31.01.2026 17:02
Last: 31.01.2026 17:02
Sources 1
About this happening:
The **ShinyHunters** extortion gang launched a **data-leak site**, beginning to publish data tied to the theft campaign and raising the exposure risk for victims.
ShinyHunters data-leak site exposing stolen attack data
Data LeakAbout this happening: The **ShinyHunters** extortion gang launched a **data-leak site**, beginning to publish data tied to the theft campaign and raising the exposure risk for victims.
Timeline
-
07.10.2025 00:08 2 articles · 7mo ago
Crimson Collective and Scattered Lapsus$ Hunters align with ShinyHunters
Campaign Scope UpdateCrimson Collective announced collaboration with Scattered Lapsus$ Hunters and said it would use the newly launched ShinyHunters data leak site for future attacks and releases against Red Hat, indicating a partner-crew extortion workflow around the Red Hat matter.
Show sources
- Red Hat data breach escalates as ShinyHunters joins extortion — www.bleepingcomputer.com — 07.10.2025 00:08
- Crimson Collective hackers target AWS cloud instances for data theft — www.bleepingcomputer.com — 08.10.2025 20:33
-
07.10.2025 00:08 2 articles · 7mo ago
ShinyHunters says it is operating as extortion-as-a-service
Initial DisclosureShinyHunters said it has been privately operating as an extortion-as-a-service broker, taking a revenue share from extortion payments generated by other threat actors' attacks and positioning itself as an intermediary for stolen-data monetization.
Show sources
- Red Hat data breach escalates as ShinyHunters joins extortion — www.bleepingcomputer.com — 07.10.2025 00:08
- Red Hat data breach escalates as ShinyHunters joins extortion — www.bleepingcomputer.com — 07.10.2025 00:08
-
07.10.2025 00:08 1 articles · 7mo ago
ShinyHunters posts Red Hat leak entry and CER samples
Victim Impact UpdateA Red Hat entry appeared on ShinyHunters' new data leak extortion site with a warning that data would be publicly leaked on October 10th unless a ransom demand was negotiated, and the site released stolen customer engagement report (CER) samples tied to organizations including Walmart, HSBC, Bank of Canada, Atos Group, American Express, Department of Defence, and Société Française du Radiotéléphone.
Show sources
- Red Hat data breach escalates as ShinyHunters joins extortion — www.bleepingcomputer.com — 07.10.2025 00:08
-
07.10.2025 00:08 1 articles · 7mo ago
ShinyHunters extends public extortion to SP Global
Campaign Scope UpdateShinyHunters is also extorting SP Global on behalf of another threat actor linked to a claimed February 2025 breach, and the data leak site sets an October 10th deadline for public release unless a ransom is negotiated.
Show sources
- Red Hat data breach escalates as ShinyHunters joins extortion — www.bleepingcomputer.com — 07.10.2025 00:08