Threat Actor Characterization

Shinyhunters

ID: b24e8db4391f6c92a113a67f24a03a33
Hacktivist Group Hacktivism
Threat types: Hacktivism, Intrusion, Extortion, Vishing
Unknown
Updated: 2026-03-14
Created: 2026-03-04
Progress: 77% Completeness: 80% Freshness: 70%
Operation zone:
Aliases: Shiny, Shiny Hunters, Sh*******, Sh*********** (2 of 4 aliases shown)
MITRE ATT&CK®

ShinyHunters is a cybercrime brand associated with large-scale data theft and extortion. Recent OSINT emphasizes identity-driven access (vishing/SSO credential theft) and OAuth/token abuse leading to SaaS tenant access and bulk export, alongside underground forum ecosystem adjacency (BreachForums) used for pressure and monetization. Activity is often claim-led; corroborate via victim disclosures and telemetry.


| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1598 | Phishing for Information | TA0043 | 2026-01-27 — Voice-based social engineering (vishing) targeting SSO credentials is described in reporting framed around ShinyHunters-linked activity. |
| T1078 | Valid Accounts | TA0001, TA0003, TA0004, TA0005 | 2026-01-27 — Identity compromise implies subsequent use of valid accounts/sessions to access SSO dashboards and connected SaaS platforms for data theft. |
| T1528 | Steal Application Access Token | TA0006 | 2025-09-18 — OAuth/token abuse is central in Salesforce-related narratives tied to ShinyHunters claims and reporting. |
| T1005 | Data from Local System | TA0009 | 2025-09-18 — Bulk extraction of SaaS tenant data (records) is described in Salesforce-related extortion narratives. |
| T1041 | Exfiltration Over C2 Channel | TA0010 | 2025-09-18 — Extortion narratives imply exfiltration of data prior to pressure/publication; mechanisms vary and are campaign-dependent. |
| T1567.002 | Exfiltration to Cloud Storage | TA0010 | 2025-10-20 — INFERENCE (confidence: medium): stolen data is commonly distributed/monetized via public platforms and underground ecosystems; ShinyHunters is repeatedly discussed in leak/marketplace contexts. |
| T1654 | Log Enumeration | TA0007 | 2026-01-26 — Extortion pressure and disclosure dynamics are discussed in the BreachForums leak context and ShinyHunters dispute narrative; pressure mechanics are central to the group’s model. |

Strategic Intelligence
Last updated: 2026-03-06T00:08:40+00:00

ShinyHunters — Cybercrime group / data theft + extortion (EaaS-style), with strong social-engineering and SaaS-tenant targeting patterns

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — ShinyHunters

Classification: Unclassified / OSINT — TLP:WHITE

Hunting Playbook

Hunting Playbook — ShinyHunters

Focus: identity-first compromise, OAuth/SSO abuse, SaaS tenant exports, and extortion pressure workflows. This playbook prioritizes early detection before bulk export and disclosure pressure.

IOC Appendix
Last updated: 2026-03-05T23:57:34+00:00

IOC Appendix — ShinyHunters

Classification: Unclassified / OSINT — TLP:WHITE

OSINT Library
Last saved: 2026-03-05T23:54:53+00:00

OSINT Library — ShinyHunters


2024-01-09 — U.S. DOJ (W.D. Washington) — “Member of notorious international hacking crew sentenced…”

Social Media & Communication
SOCMINT integrated: 0/7

| Address | Verification | SOCMINT |
|---|---|---|
| x.com/Shi********** | Restricted | Not integrated |
| t.me/Shi********* | Restricted | Not integrated |
| t.me/Shi********** | Restricted | Not integrated |
| t.me/shi************ | Restricted | Not integrated |
| t.me/fre*************** | Restricted | Not integrated |
| t.me/esh********** | Restricted | Not integrated |
| t.me/Shi************* | Restricted | Not integrated |

Notes: preview mode hides sensitive social/contact details.