June 26, 2026
By esentry Team

Threat Actor Profile: ShinyHunters / ShinyCorp

UNC6040 | UNC6240 | UNC6661 | UNC6671

1. Executive Summary

ShinyHunters (also known as ShinyCorp) is a highly active international cybercriminal group that first emerged in early 2020. The group specializes in large-scale data theft, extortion, and the operation of dark web cybercriminal infrastructure, most notably BreachForums. As of April 2026, ShinyHunters remains one of the most prolific and technically sophisticated financially motivated threat actors globally.

The group operates an Extortion-as-a-Service (EaaS) model and demonstrates strong operational resilience: despite multiple law enforcement actions and the arrest of key members, campaigns continue with minimal disruption. Google Threat Intelligence tracks their activity under at least four distinct cluster designations (UNC6040, UNC6240, UNC6661, UNC6671), reflecting the group's distributed and loosely affiliated structure.

2. Identity & Attribution

2.1 Known Aliases & Identifiers

2.2 Organizational Structure

ShinyHunters does not operate as a single individual or a tightly structured organization. Intelligence assessments indicate a loosely affiliated network model consistent with an Extortion-as-a-Service (EaaS) framework. The following structural characteristics have been observed:

  • Core operators: A small group of founding members manages infrastructure, tooling, and BreachForums administration.
  • Affiliated actors: External contributors execute specific campaigns (e.g., initial access brokers, infostealer operators) and are compensated per breach.
  • Overlap with The Community: Google GTIG assesses plausible behind-the-scenes links with Scattered Spider and possibly former Lapsus$ members, sharing TTPs including Okta credential targeting and IT helpdesk impersonation.
  • Resilience: The June 2025 French arrest of a key operator (who had transferred BreachForums control to IntelBroker) did not interrupt active campaigns, confirming no single-point-of-failure dependency.

3. Attack History & Campaign Timeline

4. Tactics, Techniques & Procedures (TTPs)

4.1 MITRE ATT&CK Mapping

4.2 Attack Vector Deep-Dive

Credential Stuffing (Cloud SaaS)

ShinyHunters first acquires large volumes of credentials from prior breaches and infostealer logs, then systematically tests them against cloud platforms lacking MFA enforcement. The 2024 Snowflake campaign is the definitive example. Snowflake itself was not compromised; rather, hundreds of customer tenants with reused credentials and no MFA were systematically accessed. 73% of victims in the current Data Leak Site tracker show prior infostealer domain exposure, confirming this as a primary pre-attack intelligence source.

Salesforce Experience Cloud / Aura Exploitation

Beginning September 2025 and escalating through March 2026, ShinyHunters exploited misconfigured Salesforce Experience Cloud guest user profiles. The attack flow:

  • Mass scanning of public /s/sfsites/aura endpoints using a modified version of Mandiant's open-source AuraInspector tool.
  • Guest user profiles configured with excessive permissions allow unauthenticated GraphQL queries against internal CRM objects.
  • A bypass for Salesforce's 2,000-record GraphQL API limit was discovered through the sortBy parameter, enabling bulk extraction.
  • Custom tool 'RapeForce' (echoing 'RapeFlake' from the Snowflake campaign) automated exploitation at scale.
  • ShinyHunters subsequently claimed discovery of a new bypass effective even on correctly configured instances, unconfirmed as of publication.
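The two access patterns described above (credential stuffing against SaaS logins, and bulk unauthenticated queries to public /s/sfsites/aura endpoints) leave a recognisable footprint in edge and authentication logs. The following detection sketch is an added example, not code from the report or from any vendor; the log schema, the constructed sample records, and the thresholds are assumptions to be tuned per tenant.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry). The field names are an assumption
# about a normalised edge/auth log: ip, user ("guest" = unauthenticated), path, status.
SAMPLE_LOGS = (
    # One source hammering the public Aura endpoint as the guest user (enumeration pattern).
    [{"ip": "198.51.100.7", "user": "guest", "path": "/s/sfsites/aura", "status": 200}] * 25
    # Normal low-volume guest traffic to the same endpoint.
    + [{"ip": "192.0.2.10", "user": "guest", "path": "/s/sfsites/aura", "status": 200}] * 3
    # One source cycling many distinct usernames with almost all failures (stuffing pattern).
    + [{"ip": "203.0.113.9", "user": f"user{i}", "path": "/login", "status": 401} for i in range(9)]
    + [{"ip": "203.0.113.9", "user": "user3", "path": "/login", "status": 200}]
    # A legitimate user mistyping a password a few times, then succeeding.
    + [{"ip": "192.0.2.10", "user": "alice", "path": "/login", "status": 401}] * 3
    + [{"ip": "192.0.2.10", "user": "alice", "path": "/login", "status": 200}]
)


def detect_aura_enumeration(records, min_requests=20):
    """Return source IPs issuing many unauthenticated (guest) requests to Aura endpoints.

    Bulk guest access to /s/sfsites/aura is the footprint of guest-profile enumeration;
    the request threshold is illustrative and should be baselined per tenant.
    """
    counts = defaultdict(int)
    for rec in records:
        if rec["user"] == "guest" and rec["path"].startswith("/s/sfsites/aura"):
            counts[rec["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= min_requests)


def detect_credential_stuffing(records, min_distinct_users=5, min_fail_ratio=0.8):
    """Return source IPs trying many distinct usernames with a high login-failure ratio.

    The distinct-username count separates stuffing (credentials replayed from prior
    breaches and infostealer logs) from one user retrying a forgotten password.
    """
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "total": 0})
    for rec in records:
        if rec["path"] != "/login":
            continue
        s = stats[rec["ip"]]
        s["users"].add(rec["user"])
        s["total"] += 1
        if rec["status"] == 401:
            s["fail"] += 1
    return sorted(ip for ip, s in stats.items()
                  if len(s["users"]) >= min_distinct_users
                  and s["fail"] / s["total"] >= min_fail_ratio)


if __name__ == "__main__":
    print("Aura enumeration sources:", detect_aura_enumeration(SAMPLE_LOGS))
    print("Credential stuffing sources:", detect_credential_stuffing(SAMPLE_LOGS))
```

Both rules are volume-and-ratio heuristics; in production they belong behind MFA enforcement and a guest-profile permission review, which remove the underlying exposure rather than merely detecting its abuse.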

Vishing & Social Engineering (UNC6040)

The 2025 CRM campaign involved sophisticated voice phishing operations targeting Salesforce Data Loader users. Operators called employees while impersonating IT helpdesk staff and directed them to connect malicious OAuth applications, often disguised as 'My Ticket Portal', to internal Salesforce environments. This allowed credential and MFA token theft without traditional malware deployment.

Supply Chain Pivoting

ShinyHunters consistently demonstrates a preference for third-party integration vectors over direct target compromise. Notable examples include Anodot (analytics SaaS, April 2026 Rockstar breach), Salesloft/Drift (OAuth token abuse, August 2025), and Gainsight (connected Salesforce app exploitation). This approach multiplies the attack surface of a single compromise across dozens of downstream enterprise clients.

5. Infrastructure & Indicators of Compromise

5.1 Known IOCs

5.2 Exploited CVEs & Vulnerabilities

  • CVE-2025-61882 - Oracle E-Business Suite (EBS)
  • CVE-2026-20045 - Cisco Unified Communications
  • Snowflake OAuth Abuse - credential stuffing against tenants without MFA (no CVE; configuration issue)
  • Salesforce Aura/Experience Cloud - guest user profile misconfiguration (no CVE; Salesforce advisory issued March 2026)

6. Victimology & Targeting Profile

6.1 Sector Distribution (Current Campaign)

6.2 Geographic Distribution

The United States accounts for approximately 69% of tracked victims, reflecting ShinyHunters' focus on English-speaking organizations and large enterprises with cloud-heavy architectures. Secondary geographies include France (4 victims), Germany (4), Japan (3), and Australia (3), with the broader European region increasingly targeted, notably in the European Commission breach in March 2026.

6.3 Targeting Criteria

Analysis of victim patterns reveals consistent selection criteria:

  • Heavy Salesforce adoption: Victims universally operate Salesforce CRM or Experience Cloud, often with third-party integrations.
  • Cloud-native architecture: AWS, Snowflake, and SaaS-heavy organizations with multiple data integration points.
  • Prior infostealer exposure: 73% of targeted domains show employee credentials in infostealer logs, suggesting pre-attack intelligence gathering.
  • High brand value: Preference for recognized enterprise brands (Fortune 500, financial services, luxury retail) to maximize extortion leverage.
  • Insufficient MFA posture: Tenants on cloud platforms without enforced multi-factor authentication are disproportionately represented.

7. Extortion Model & Dark Web Operations

7.1 Extortion Playbook

ShinyHunters operates a consistent extortion sequence across campaigns:

7.2 BreachForums

ShinyHunters' operation of BreachForums, the dominant English-language cybercrime marketplace, provides a significant structural advantage: it gives the group control over data distribution channels, community trust, and intelligence on competitor actors. Key milestones:

  • 2022: Launch of BreachForums V2 following FBI seizure of RaidForums and BreachForums V1.
  • 2025: FBI seizes BreachForums domains (October 2025); ShinyHunters transfers control to IntelBroker.
  • 2026 (March): ShinyHunters claims breach of BreachForums V5, exposing approximately 339,800 forum member emails, usernames, and Argon2-hashed passwords, deanonymizing a significant portion of the underground community.

8. Defensive Recommendations

8.1 Priority Actions

9. Related Threat Actors & Ecosystem

ShinyHunters does not operate in isolation. The following actor relationships have been observed:

10. Analyst Assessment

ASSESSMENT: ShinyHunters remains a top-tier threat to enterprise organizations with Salesforce or Snowflake deployments.

ShinyHunters' trajectory shows a consistent pattern of capability escalation and operational adaptation.

Key analytical observations:

  • Cloud-native dominance: Every significant campaign since 2024 has exploited SaaS misconfigurations or third-party integrations, not endpoint malware. Traditional endpoint security is insufficient as a defensive control against this actor.
  • Tool weaponization: The conversion of Mandiant's own defensive tool (AuraInspector) into an offensive weapon demonstrates sophisticated tradecraft and a willingness to actively monitor the defender community for exploitable resources.
  • Arrest-resistant model: The EaaS structure means law enforcement actions against individual operators (Sezyo Kaizen, French arrests in 2025) produce minimal operational disruption. Expect continued activity regardless of additional arrests.
  • Escalating scope: The EU Commission breach (March 2026) marks a significant expansion into government and critical infrastructure targets, suggesting the group is testing the limits of politically sensitive targeting.
  • Infostealer dependency: The 73% infostealer overlap among victims underscores that the primary attack surface is not technical but credential hygiene. Organizations with robust credential monitoring and MFA are substantially less exposed.