Cyber Threat Actor: ShinyHunters
| Actor Type | Location | Known Incidents |
|---|---|---|
| Criminal | — | 39 incidents |
Profile
ExpertData, an alias also associated with the threat actor ShinyHunters, emerged in connection with a November 2020 incident involving the unauthorized acquisition and distribution of multiple organizational databases. The actor's activities centered on illicit data markets, where stolen information was monetized through exclusive sales agreements. A dispute with a data broker (also named ExpertData) triggered retaliatory leaks after the broker accused ShinyHunters of violating exclusivity terms, alleging financial losses from non-exclusive redistribution. This conflict underscored the actor's involvement in financially motivated operations, in which stolen data is treated as a commodity traded on cybercrime forums.
The actor targeted a broad range of sectors, including e-commerce (Scentbird, Eatigo, Peatix, Redmart), entertainment (Animal Jam, Pluto.tv, Indabamusic), education, and financial services (Dave.com, Minted). No geographic targeting pattern was evident, though victim organizations spanned multiple regions. Strategic objectives were explicitly financial, revolving around the sale of stolen databases to intermediaries or buyers in underground markets. The November 2020 campaign exemplified this model: a failed transaction led to the public dumping of at least 16 databases on a Russian-language forum. The incident highlighted a secondary risk of illicit data markets, as a dispute between intermediaries escalated into uncontrolled data dissemination affecting entities such as LiveAuctioneers and Revelo.com.br, some of which were reportedly unaware that they had previously been compromised.
Notable TTPs included forum-based distribution of stolen data and reliance on intermediary brokers to monetize breaches. While initial access vectors and malware families were not detailed in available reports, the actor's post-compromise behavior focused on negotiating exclusive sales and retaliating against buyers who alleged fraud. The operation's lifecycle, from private sale to public leak, demonstrated a pattern of using forum infrastructure for distribution, followed by rapid deletion of the leaked data and deactivation of the associated accounts. No state affiliation or criminal consortium ties were explicitly cited. The November 2020 leaks remain the most thoroughly documented operation, illustrating how transactional conflicts within illicit ecosystems can amplify exposure for victim organizations.
