ShinyHunters
Financially motivated threat group known for large-scale data theft and extortion, responsible for numerous high-profile database breaches sold on criminal forums.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High · ≥ 3 Moderate · < 3 Low
Attribution signals
33 mentions · 11 sources
"The credential harvesting domains attributed to UNC6661 commonly, but not exclusively, use the format sso.com or internal.com and have often been registered with NICENIC."
"ShinyHunters claimed responsibility and said it stole more than 600,000 Salesforce records containing personal and corporate information"
"GTIG has continued to track an expansive extortion campaign by UNC6671, a threat actor operating under the "BlackFile" brand"
"Mandiant has observed incidents where attackers impersonate support personnel from third-party vendors to gain access."
"Technical controls such as detection of caller ID spoofing, and deepfake audio (which has been used by the ShinyHunters group)."
"In January 2026, the ShinyHunters threat group demonstrated a bypass technique that compromised authentication apps and tokens across more than 100 organizations"
"GTIG assesses that the group has targeted dozens of organizations across North America, Australia, and the UK."
"GTIG assesses that the operations are independent."
"Hackers using the name ShinyHunters claimed responsibility for the breach"
Hedge terms observed