ShinyHunters first appeared in 2020 as a financially motivated cybercriminal group. Their early operations revolved around large-scale credential theft and database exploitation. The group gained immediate notoriety by targeting major platforms like Tokopedia (91 million records), Wishbone, Microsoft’s GitHub repositories, and Wattpad (270 million records). By selling stolen information on underground forums, they quickly became one of the most active players in the data-breach economy.
ShinyHunters were also linked to leaks from services like Pluto TV, Nitro PDF, Pixlr, Animal Jam, and more. Beyond breaches, they held influence in the cybercriminal ecosystem by running iterations of BreachForums, one of the most prominent platforms for trading stolen data.
Expansion into High-Value Targets
Between 2021 and 2024, ShinyHunters scaled their operations, moving beyond consumer platforms and into critical service providers. Notable victims included AT&T Wireless (affecting over 110 million customers), Santander Bank, and Ticketmaster. Their association with the Snowflake data-theft campaign cemented their reputation as a group willing to target enterprise systems and supply chains to maximize impact.
By late 2024, law enforcement pressure intensified. Several members and associates were arrested in France and Morocco, leading to speculation that the group had been disrupted. Yet, ShinyHunters re-emerged in 2025 with significantly more sophisticated tactics.
2025 Salesforce Campaign
The group’s most ambitious operation to date surfaced in 2025, with a sweeping attack campaign against Salesforce CRM platforms. This campaign impacted global enterprises such as Google, Adidas, Cisco, Qantas Airways, Allianz Life, and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.).
Attack Methodology
- Initial Access via Vishing: ShinyHunters shifted focus from pure technical exploits to social engineering. Using spoofed calls, fake IT personas, and urgency tactics, they tricked employees into granting access to Salesforce connected apps.
- OAuth Abuse: Victims were guided into authorizing malicious Salesforce connected apps disguised as tools like “My Ticket Portal.” These apps requested elevated API permissions, granting ShinyHunters persistent access tokens that bypassed multi-factor authentication.
- API Exploitation and Data Theft: Using Salesforce REST APIs, attackers ran bulk SOQL queries, pulling customer records, PII, and business intelligence data at scale. Logs show that their malicious apps consistently retrieved data volumes of ~2.3 MB per request, evading detection by blending with normal traffic.
- Obfuscation: Data exfiltration traffic was routed through Mullvad VPN and Tor, frustrating forensic investigations and complicating attribution.
- Lateral Movement: Compromised credentials and OAuth tokens were leveraged to pivot into other integrated platforms, including Okta, Microsoft 365, and Meta Workplace. This expanded the scope of stolen data beyond Salesforce.
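Detection logic for the connected-app abuse described above, as an added example that is not part of the original post: it parses constructed Salesforce-style API log lines (a simplified CSV layout with hypothetical users and app names, not a real EventLogFile export) and flags connected apps that are either absent from an approved allowlist or show the uniform ~2.3 MB bulk-read pattern the campaign relied on.

```python
"""Flag suspicious Salesforce connected-app query activity (added example).
Heuristic: report an app that is missing from an approved allowlist, or that
issues many SOQL queries whose response sizes cluster tightly around a large
value (the ~2.3 MB-per-request pacing seen in the campaign)."""
import csv
import io
import statistics
from collections import defaultdict

APPROVED_APPS = {"Corp Data Loader"}  # constructed allowlist of vetted apps
MIN_REQUESTS = 5                      # queries needed before size analysis
MIN_MEAN_BYTES = 1_000_000            # only large reads are interesting
MAX_CV = 0.05                         # sizes within ~5% of each other

# Constructed sample log in a simplified CSV layout (not a real Salesforce
# EventLogFile export); columns, users and app names are hypothetical.
SAMPLE_LOG = """timestamp,user,connected_app,operation,response_bytes,source_ip
2025-08-01T10:00:01Z,jdoe,Corp Data Loader,Query,240000,203.0.113.10
2025-08-01T10:02:00Z,asmith,My Ticket Portal,Query,2300120,198.51.100.7
2025-08-01T10:02:05Z,asmith,My Ticket Portal,Query,2299870,198.51.100.7
2025-08-01T10:02:10Z,asmith,My Ticket Portal,Query,2300500,198.51.100.7
2025-08-01T10:02:15Z,asmith,My Ticket Portal,Query,2299990,198.51.100.7
2025-08-01T10:02:20Z,asmith,My Ticket Portal,Query,2300230,198.51.100.7
2025-08-01T10:05:00Z,bwong,Marketing Sync,Query,52000,203.0.113.22
"""

def parse_log(text):
    """Parse CSV log text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def analyze(rows):
    """Return {connected_app: [reason, ...]} for apps worth an analyst's look."""
    sizes_by_app = defaultdict(list)
    for row in rows:
        if row["operation"] == "Query":
            sizes_by_app[row["connected_app"]].append(int(row["response_bytes"]))
    findings = {}
    for app, sizes in sizes_by_app.items():
        reasons = []
        if app not in APPROVED_APPS:
            reasons.append("connected app not on approved allowlist")
        if len(sizes) >= MIN_REQUESTS:
            mean = statistics.fmean(sizes)
            cv = statistics.pstdev(sizes) / mean  # coefficient of variation
            if mean >= MIN_MEAN_BYTES and cv <= MAX_CV:
                reasons.append(f"{len(sizes)} uniform bulk reads, mean {mean / 1e6:.1f} MB")
        if reasons:
            findings[app] = reasons
    return findings
```

In production the same two checks map onto an OAuth governance allowlist and a behavioral baseline per connected app; the thresholds here are starting points, not tuned values.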
Collaboration with Scattered Spider
Evidence suggests a tactical partnership between ShinyHunters and Scattered Spider (UNC3944/Octo Tempest). Both groups are tied to a larger collective known as “The Com,” which specializes in social engineering, SIM swapping, and large-scale fraud. Infrastructure overlaps, phishing domain patterns, and stylistic similarities in vishing scripts indicate close collaboration.
Impact on Victims
The campaign had wide-ranging consequences:
- Google confirmed theft of small and medium business contact information from its Salesforce instance.
- Qantas Airways reportedly paid a ransom of 4 Bitcoin (~$400,000) to prevent data leakage.
- LVMH luxury brands saw their customer databases compromised, highlighting attackers’ focus on high-value industries.
- Other enterprises like Adidas, Cisco, Allianz Life, and Chanel also confirmed or investigated breaches.
Monetization and Extortion
ShinyHunters employ a delayed extortion model. After exfiltrating data, ransom demands—ranging from $400,000 to $2.3 million—are issued weeks later. While some companies resisted, others paid to prevent public leaks. Analysts warn that ShinyHunters may soon launch a dedicated leak site to escalate pressure.
Enterprises using SaaS platforms like Salesforce must harden their defenses with OAuth governance, behavioral monitoring, phishing-resistant MFA, and employee training to mitigate these advanced campaigns.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
