ShinyHunters
ShinyHunters is a notorious data-theft and breach-focused group that rose to prominence in 2020 by leaking and selling millions of user records from companies worldwide.

The Origin of ShinyHunters
Unlike ransomware groups, ShinyHunters does not encrypt systems. Instead, their operations focus on breaching networks, stealing data, and monetizing it via underground forums or Telegram channels. They have been linked to high-profile leaks from Microsoft’s GitHub repositories, Tokopedia, Wattpad, Bonobos, and dozens of smaller organizations.
The group is known for high-volume breaches, with databases containing tens of millions of records regularly appearing on underground marketplaces. ShinyHunters’ operational style blends financial extortion, brand damage, and reputation building—making them a persistent threat to enterprises across multiple industries.
In August 2025, ShinyHunters entered into an operational partnership with LAPSUS$ and Scattered Spider, forming the extortionist collective Scattered LAPSUS$ Hunters. In this alliance, ShinyHunters provides a pipeline of massive stolen databases and breach infrastructure, complementing LAPSUS$’s public spectacle-driven extortion model and Scattered Spider’s sophisticated social engineering and SaaS intrusion skills. This collaboration expands ShinyHunters’ influence beyond underground markets into the mainstream media spotlight, allowing them to amplify ransom pressure and reputation damage while accelerating monetization.
Countries targeted by ShinyHunters
Global, with victims across:
- United States
- India & Southeast Asia
- Europe (France, Germany, UK)
- Latin America
Industries targeted by ShinyHunters
ShinyHunters’ breaches span a wide spectrum, typically focused on data-rich industries:
- Retail & e-commerce (Tokopedia, Wattpad, Bonobos)
- Technology & SaaS (Microsoft GitHub repositories)
- Financial services (various fintech and banking-related databases)
- Food & Beverage (home delivery platforms, restaurant apps)
- Healthcare and consumer platforms with PII-rich datasets
Known Victims
- GitHub: Stolen source code repositories
- Tokopedia: 91M user records leaked
- Wattpad: 270M records stolen and leaked
- Bonobos: 7M customer records sold online
- Numerous food delivery & e-commerce platforms globally
ShinyHunters' Attack Method

- Exploits misconfigured applications, weak credentials, or acquires access via dark web brokers.
- Uses publicly available exploits or misconfigurations in web applications and databases.
- Relies on stealth, often blending in with legitimate traffic or exploiting weak cloud security.
- Targets GitHub, cloud storage, and internal databases; harvests user credentials.
- Maps accessible databases and internal repositories.
- Expands access from web apps into backend databases and code repositories.
- Exfiltrates large-scale datasets containing PII, financial information, and source code.
- Executes simple data extraction scripts and automated crawlers to maximize data theft.
- Transfers stolen datasets to underground forums and Telegram channels.
- Causes reputational damage via mass leaks, extortion attempts, and the sale of data dumps.
FAQs
Does ShinyHunters deploy ransomware?
No. Unlike many eCrime groups, they focus solely on data theft and leaks, not file encryption.
How do ShinyHunters make money?
By selling stolen databases on underground forums and Telegram channels, or by extorting companies.
What kind of data do they steal?
Primarily PII, login credentials, financial data, and source code repositories.
Are their breaches targeted or opportunistic?
Mostly opportunistic, exploiting vulnerable or poorly secured systems for maximum data volume.
Do they work with insiders?
Unlike LAPSUS$, there is less evidence of insider recruitment; they rely more on technical breaches.
What is their relationship to other groups?
They have now partnered with LAPSUS$ and Scattered Spider under the “Scattered LAPSUS$ Hunters” brand. They are also giving away information about Qilin and DragonForce, which suggests they are probably no longer on good terms with those groups.
How can organizations detect their presence?
By monitoring for abnormal database queries, GitHub access, and large-scale data exfiltration events. Tools like Vectra AI can identify these behaviors early.
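As an added illustration of the three signals named above (not part of the original page and not Vectra AI's detection logic), the following Python sketch flags bulk database reads, a single principal sweeping many repositories, and oversized egress to one destination; the log lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (illustrative, not real telemetry).
# Format: kind|principal|target|count, where count is rows returned (db),
# 1 per clone (git), or bytes sent (egress).
SAMPLE_EVENTS = [
    "db|app_svc|customers|120",
    "db|app_svc|customers|95",
    "db|app_svc|orders|2400000",                  # whole-table read
    "git|dev_alice|repo:billing|1",
    "git|dev_alice|repo:web|1",
] + [f"git|ci_token|repo:svc{i}|1" for i in range(12)] + [  # token walks 12 repos
    "egress|10.0.4.7|203.0.113.9|5300000000",     # 5.3 GB to one external host
    "egress|10.0.4.8|203.0.113.10|120000",
]


def parse(line):
    kind, principal, target, count = line.strip().split("|")
    return kind, principal, target, int(count)


def detect(events, max_rows=1_000_000, max_repos=10, max_bytes=1_000_000_000):
    """Return alert tuples for three signals (thresholds are assumed values):
    - bulk_query: one query returning more than max_rows rows
    - repo_sweep: one principal touching max_repos or more distinct repositories
    - bulk_egress: one source sending more than max_bytes to a single destination
    """
    alerts = []
    repos_by_principal = defaultdict(set)
    bytes_by_pair = defaultdict(int)
    for line in events:
        kind, principal, target, count = parse(line)
        if kind == "db" and count > max_rows:
            alerts.append(("bulk_query", principal, target, count))
        elif kind == "git":
            repos_by_principal[principal].add(target)
        elif kind == "egress":
            bytes_by_pair[(principal, target)] += count
    for principal, repos in repos_by_principal.items():
        if len(repos) >= max_repos:
            alerts.append(("repo_sweep", principal, f"{len(repos)} repos", len(repos)))
    for (src, dst), total in bytes_by_pair.items():
        if total > max_bytes:
            alerts.append(("bulk_egress", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In practice the thresholds would be derived from per-principal baselines rather than fixed constants, but the three counters are the same.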
Which industries are most at risk?
Any organization holding large consumer datasets, especially retail, SaaS, and financial services.
How damaging are their leaks?
Extremely—many involve tens or hundreds of millions of records, leading to identity theft, credential stuffing, and reputational loss.
What is the best defense strategy?
Adopt strong identity security practices, monitor repositories for exposed credentials, and deploy Vectra AI to detect abnormal exfiltration and credential abuse across hybrid and cloud environments.