Cyber Threat Actor: ShinyHunters
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
60 incidents |
|---|
Profile
ShinyHunters is a threat actor known by that alias and has been linked to operations originating from Russia. The group has been observed releasing, selling, or extorting stolen data from a variety of online services, often posting databases on hacker forums or dark web markets. Their activities have affected companies across multiple sectors including e‑commerce, dating platforms, cloud‑based services, cryptocurrency exchanges, and online gaming or virtual worlds.
Initial access has been achieved through a range of techniques that rely on exploiting weaknesses rather than deploying custom malware. These include social engineering such as phishing calls or fake login pages, taking advantage of cloud misconfigurations, leveraging publicly accessible administration scripts like Adminer.php with hard‑coded credentials, compromising AWS buckets or Slack channels to obtain cloud keys, targeting unsecured MongoDB instances, and infiltrating third‑party cloud databases or partner services. After gaining access, the actor frequently exfiltrates user data, cracks weakly hashed passwords, and uses the resulting credential lists for credential‑stuffing attacks against other sites.
Public attribution points to a Russian base, but no explicit connection to a state sponsor or a larger criminal consortium has been documented in the sources. ShinyHunters operates as an independent entity that treats stolen data as a commodity, offering it for sale, leaking it for free, or using it to extort victims for payment.
Representative operations illustrate the group’s pattern: in 2026 they claimed responsibility for a large CarGurus breach exposing millions of records obtained via phishing; in 2024 they were linked to a Ticketmaster incident involving unauthorized access to a third‑party cloud database; in 2023 they exploited a cloud misconfiguration at RentoMojo and subsequently used the stolen data to blackmail customers; in 2021 they leaked a massive BigBasket user database and later sold Bonobos cloud backup files containing millions of customer records; in 2020 they accessed Animal Jam’s AWS keys through a compromised Slack server, leading to the exposure of tens of millions of accounts, and they also claimed to have stolen private repositories from Microsoft’s GitHub account. These examples show a consistent focus on data theft for financial gain or extortion, achieved through exploiting misconfigurations, credential exposure, and third‑party trust relationships.
