ShinyHunters

Also known as: SH, UNC5537
Affiliation: Cybercriminal
Motivation: Financial
Status: Active
Country: Unknown
First Seen: 2020
Last Seen: 2026
Target Geographies: Global, United States, India, Europe

Executive Summary

ShinyHunters is a cybercriminal organization that specializes in large-scale data breaches, extortion, and the operation of dark web leak infrastructure. Since their emergence in 2020, the group has evolved through distinct operational epochs: beginning as prolific database thieves, later participating in massive cloud infrastructure compromises alongside initial access brokers, and eventually operating as an extortion brand and publication outlet for other intrusion teams.

In 2024, the magnitude of ShinyHunters’ operations escalated when they became the public face of the mass exploitation of Snowflake cloud data environments. Threat intelligence firms like Mandiant tracked the core intrusion activity under the cluster identifier UNC5537. Rather than being a perfect alias, UNC5537 functioned as the access and extraction crew during the Snowflake campaign, utilizing the ShinyHunters brand and infrastructure for public-facing extortion and data sales.

Notable Campaigns

During their initial emergence in 2020-2021, ShinyHunters operated primarily as a highly capable data theft ring targeting e-commerce and technology companies. Leveraging credential stuffing, exposed code repositories, and misconfigured cloud storage, the group stole massive databases. Notable victims included Tokopedia (91 million records), Wattpad (270 million records), and Mashable. The stolen data was typically monetized through direct sales on dark web forums and Telegram channels rather than through formalized double-extortion malware deployment.

The 2024 Snowflake campaign linked to ShinyHunters resulted in some of the largest data thefts in history, including 560 million records from Ticketmaster/Live Nation and 110 million customer records from AT&T. The group’s operations consistently prioritize volume, targeting databases that contain personally identifiable information (PII) for millions of consumers across global markets.

Technical Capabilities

ShinyHunters’ technical capabilities focus on discovering and exploiting weak identity perimeters in cloud and developer environments. Instead of deploying custom malware or zero-day exploits, they rely on “living off the land” in cloud ecosystems. They commonly identify exposed .env files, extract keys from public GitHub/GitLab repositories, or purchase logs from infostealers via Initial Access Brokers (IABs). Once valid API keys or session tokens are acquired, they authenticate directly to cloud infrastructure (AWS S3, Azure Blobs, SaaS admin portals) and execute bulk data extraction.
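As an added defender-side example (not code from this page or from any vendor named on it), the check below scans repository contents for the exposures the profile describes: publicly documented AWS access key ID and GitHub token formats, plus secret-looking assignments in .env files. The rule names, placeholder list and the sample repository are constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Credential formats the profile says the group harvests from exposed .env files
# and public repositories. The AWS access key ID and GitHub token prefixes are
# publicly documented formats; the .env rule is a name-based heuristic (assumption).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
}
ENV_ASSIGNMENT = re.compile(r"^\s*(?:export\s+)?([A-Z0-9_]+)\s*=\s*['\"]?([^'\"\s#]+)")
SENSITIVE_NAMES = ("SECRET", "TOKEN", "PASSWORD", "PASSWD", "API_KEY", "PRIVATE")
PLACEHOLDERS = {"changeme", "xxx", "<redacted>", "your_key_here", "todo"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    detail: str  # pattern name or the offending variable name; never the secret value


def is_env_file(path: str) -> bool:
    base = os.path.basename(path)
    return base.startswith(".env") or base.endswith(".env")


def scan_file(path: str, text: str) -> list[Finding]:
    """Scan one file's contents; findings carry no secret values, so they are safe to log."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, rule, rule))
        match = ENV_ASSIGNMENT.match(line)
        if match and is_env_file(path):
            name, value = match.group(1), match.group(2)
            if any(s in name for s in SENSITIVE_NAMES) and value.lower() not in PLACEHOLDERS:
                findings.append(Finding(path, line_no, "sensitive_env_assignment", name))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """files maps a repository path to its text; run this as a pre-push hook or CI gate."""
    return [f for path, text in files.items() for f in scan_file(path, text)]


# Constructed sample repository; every value is fake or an AWS documentation example key.
SAMPLE_REPO = {
    ".env": "DB_PASSWORD=changeme\nSTRIPE_SECRET_KEY=sk_test_ConstructedValue123\nAPP_NAME=demo\n",
    "config/prod.env": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "README.md": "Set GITHUB_TOKEN, e.g. ghp_" + "a" * 36 + "\n",
}
```

Placeholder values such as `changeme` are skipped so the gate reports real-looking material rather than template noise.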

The group has broadened its targeting to high-value telecommunications records, financial-services infrastructure, and sensitive multi-tenant healthcare SaaS platforms. Operationally, it prefers heavily interconnected data hubs, where a single compromise exposes client data far in excess of what an intrusion into one organization's own environment would yield.

Attack Chain Sequence

  1. Credential Acquisition: ShinyHunters acquires valid credentials via specialized Initial Access Brokers (IABs), infostealer logs, or by scraping public code repositories for exposed API tokens and environment secrets.
  2. Cloud Environment Penetration: Using the acquired credentials (access that often succeeds because MFA was not enforced on the account), the group authenticates directly to cloud storage platforms (AWS, Azure, Snowflake) to identify sensitive data stores.
  3. Data Exfiltration: The group executes massive data transfer operations, often using native cloud tools or standard web-service protocols to move exfiltrated databases to attacker-controlled infrastructure.
  4. Extortion and Publication: Stolen data is staged on the ShinyHunters Tor leak site. The group contacts victims to initiate extortion negotiations or proceeds directly to selling the data on dark web marketplaces.
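The four steps above suggest one high-signal detection: a cloud account that authenticates without MFA and then reads a bulk volume of data in the same session. The following is an added example, not the page's own or any vendor's code; the event schema, the row threshold and the audit log lines are assumptions constructed for illustration.

```python
import json

# Threshold is an assumption for this example, not a figure from the profile.
BULK_ROW_THRESHOLD = 1_000_000


def parse_events(lines):
    """Parse newline-delimited JSON audit events (blank lines ignored)."""
    return [json.loads(line) for line in lines if line.strip()]


def detect_bulk_export_without_mfa(events):
    """Alert on sessions that logged in without MFA and then read a bulk volume of rows.

    Pairs step 2 (valid cloud account, no MFA) with step 3 (bulk extraction):
    either signal alone is noisy; together they are a strong indicator."""
    sessions = {}
    for e in events:
        sid = e["session_id"]
        if e["event"] == "login" and e["result"] == "success":
            sessions[sid] = {"user": e["user"], "mfa": e["mfa"], "client_ip": e["client_ip"],
                             "rows": 0, "tables": set()}
        elif e["event"] == "query" and sid in sessions:  # queries from failed logins are ignored
            sessions[sid]["rows"] += e.get("rows_returned", 0)
            sessions[sid]["tables"].add(e["table"])
    alerts = []
    for sid, s in sessions.items():
        if not s["mfa"] and s["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append({"session_id": sid, "user": s["user"], "client_ip": s["client_ip"],
                           "rows": s["rows"], "tables": sorted(s["tables"])})
    return alerts


# Constructed audit log: a service account without MFA pulling two large tables (should alert),
# an analyst with MFA doing a large but legitimate read, a failed login, and a small no-MFA read.
SAMPLE_LOG = [
    '{"ts":"2024-05-20T02:11:03Z","event":"login","result":"success","session_id":"s1","user":"svc_reporting","mfa":false,"client_ip":"203.0.113.10"}',
    '{"ts":"2024-05-20T02:12:40Z","event":"query","session_id":"s1","table":"customers","rows_returned":900000}',
    '{"ts":"2024-05-20T02:15:02Z","event":"query","session_id":"s1","table":"orders","rows_returned":400000}',
    '{"ts":"2024-05-20T09:00:00Z","event":"login","result":"success","session_id":"s2","user":"analyst","mfa":true,"client_ip":"198.51.100.7"}',
    '{"ts":"2024-05-20T09:03:10Z","event":"query","session_id":"s2","table":"orders","rows_returned":2000000}',
    '{"ts":"2024-05-20T10:00:00Z","event":"login","result":"failure","session_id":"s3","user":"svc_reporting","mfa":false,"client_ip":"203.0.113.10"}',
    '{"ts":"2024-05-20T11:30:00Z","event":"login","result":"success","session_id":"s4","user":"ops","mfa":false,"client_ip":"198.51.100.9"}',
    '{"ts":"2024-05-20T11:31:00Z","event":"query","session_id":"s4","table":"customers","rows_returned":500}',
]
```

The MFA-protected session is not alerted even though it reads more rows; a production rule would also key on new client IPs and off-hours activity for accounts that do have MFA.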

Attribution

French national Sebastien Raoult was arrested in Morocco in 2022, extradited to the United States, and sentenced to three years in prison in January 2024 for his role in early ShinyHunters operations. Later ShinyHunters-branded leak-site activity has been tied to the European Commission Trivy breach and to reporting on Hims & Hers.

MITRE ATT&CK Profile

Initial Access

T1078.004 - Valid Accounts: Cloud Accounts: ShinyHunters consistently uses compromised credentials (stolen via phishing, infostealers, or purchased from IABs) as their primary initial access vector.

Collection

T1213 - Data from Information Repositories: The group actively accesses code repositories to find embedded credentials, API keys, and sensitive configuration data.

T1530 - Data from Cloud Storage Object: Targets misconfigured cloud-hosted data stores and multi-tenant SaaS platforms for bulk data theft.

Exfiltration

T1567 - Exfiltration Over Web Service: Stolen data is transferred to attacker-controlled infrastructure and subsequently published on ShinyHunters’ Tor leak network for sale or free distribution.

Impact

T1657 - Financial Theft: The group's monetization strategy revolves entirely around extortion of victim organizations and sales of raw data on dark web marketplaces.

Sources & References