Background
ShinyHunters is a prolific cybercriminal group that emerged in early 2020 and rapidly became one of the most active data breach operators in the underground economy. The group initially gained notoriety through a rapid series of high-profile breaches targeting technology companies, stealing and selling massive databases containing hundreds of millions of user records. Their name is derived from the practice of hunting for "shiny" (rare) Pokemon in the popular video game franchise, reflecting the youthful internet culture of the group's members.
The group operates primarily as data brokers, specializing in identifying and exploiting misconfigured cloud infrastructure, exposed code repositories, and stolen credentials to gain access to corporate databases. Rather than deploying ransomware or conducting destructive attacks, ShinyHunters focuses on exfiltrating large datasets and monetizing them through dark web marketplaces, particularly BreachForums, where key members held administrator roles. Their business model is straightforward: steal data at scale, sell it for profit, and use free leaks to build reputation and attract buyers for premium offerings.
The actor known as "Sezyo Kaizen" (Sebastien Raoult), a French national, was arrested in Morocco in June 2022, extradited to the United States, and sentenced to three years in prison in January 2024 for his role in the group. He was also ordered to pay over $5 million in restitution. Despite this and other law enforcement actions, ShinyHunters has demonstrated remarkable resilience and continued operations with shifting membership. The group's organizational structure appears loosely federated, with members collaborating across borders and cycling through various underground forums and aliases.
Their 2024 Snowflake campaign, conducted in collaboration with or as part of the group Mandiant tracks as UNC5537, represented a significant escalation in both scale and sophistication, affecting over 165 organizations through a single attack vector and resulting in the theft of billions of records. This campaign cemented ShinyHunters as one of the most consequential data breach actors of the decade.
Notable Campaigns
Tokopedia and Early Breach Spree (May 2020)
ShinyHunters announced their arrival by breaching Tokopedia, Indonesia's largest e-commerce platform, and leaking 91 million user records. In the same month, they claimed breaches of Microsoft's private GitHub repositories (500GB of source code), Wishbone (40 million records), and over a dozen other companies including Zoosk, Chatbooks, and HomeChef. The rapid succession of breaches within a single month established ShinyHunters as a major threat actor. The Microsoft GitHub breach was particularly notable as it included Azure, Office, and Windows source code repositories, though Microsoft stated no customer data was exposed.
Mashable, Pixlr, and Bonobos (2020-2021)
Throughout late 2020 and into 2021, ShinyHunters continued targeting consumer-facing platforms with relentless consistency. They breached Mashable (5.2 million records), Pixlr (1.9 million records), and men's clothing retailer Bonobos (7 million shipping addresses, 3.5 million partial credit card records). Other victims during this period included Minted (5 million records), Dave.com (7.5 million records), and Promo.com (22 million records). Many of these databases were initially offered for sale at prices ranging from $500 to $3,500 before being released freely on hacking forums to build reputation and drive forum traffic.
AT&T Data Breach (2022-2024)
ShinyHunters was linked to the massive AT&T data breach that exposed call and text metadata records of approximately 110 million customers. The stolen data included phone numbers, call durations, and cell site identification numbers spanning a six-month period from May to October 2022. The breach exploited AT&T's Snowflake environment. AT&T reportedly paid a $370,000 ransom in Bitcoin to have the data deleted, though the effectiveness of this payment remains questionable given that the data had likely already been copied multiple times. AT&T disclosed the breach in July 2024 after being compelled by SEC reporting requirements.
Snowflake Customer Campaign (April-June 2024)
In what became one of the most impactful supply-chain-adjacent campaigns of 2024, ShinyHunters (overlapping with the group Mandiant tracks as UNC5537) systematically targeted Snowflake customer environments using credentials harvested from infostealer malware. At least 165 organizations were affected, including Ticketmaster/Live Nation (560 million records), Santander Bank (30 million records), Advance Auto Parts (79 million records), LendingTree, Pure Storage, and Neiman Marcus.
The attackers exploited the absence of multi-factor authentication on Snowflake customer accounts, using legitimate credentials obtained from Vidar, RisePro, Redline, Raccoon Stealer, Lumma, and MetaStealer infostealer logs. Many of the compromised credentials were months or years old but had never been rotated. The campaign generated ransom demands ranging from $300,000 to $5 million per victim. Connor Moucka ("judische") and John Binns were arrested in late 2024 in connection with this campaign.
BreachForums Administration (2023-2024)
Beyond conducting breaches, ShinyHunters members operated and administered BreachForums (breachforums.st), one of the largest English-language cybercrime marketplaces and the successor to the original RaidForums. After the FBI seized BreachForums in May 2024 and arrested its previous administrator ("Baphomet"), ShinyHunters rapidly relaunched the forum under new infrastructure within days, demonstrating their central role in the data breach underground economy and their ability to maintain operational continuity despite law enforcement pressure.
Tactics, Techniques & Procedures
ShinyHunters' operational methodology centers on exploiting cloud misconfigurations and credential-based access rather than sophisticated zero-day exploitation. Their attack chain typically follows a consistent and repeatable pattern.
Initial Access is most commonly achieved through exposed Git repositories and cloud credentials (T1078 Valid Accounts, T1190 Exploit Public-Facing Application). The group scans for misconfigured cloud storage buckets, exposed .env files, hardcoded API keys in public repositories, and credentials harvested by infostealer malware. During the Snowflake campaign, initial access was entirely credential-based, using usernames and passwords stolen by multiple infostealer families. They also exploit exposed remote access services (T1133 External Remote Services) such as VPN gateways and cloud management consoles with compromised credentials.
Collection and Exfiltration represent the core of their operations (T1530 Data from Cloud Storage, T1213 Data from Information Repositories, T1048 Exfiltration Over Alternative Protocol). Once inside a cloud environment, ShinyHunters systematically identifies and extracts databases, focusing on user records containing email addresses, passwords (hashed or plaintext), personal information, and financial data. They use native cloud tools and database utilities to dump and compress data before exfiltration. In Snowflake environments, they used COPY INTO commands to stage data in internal stages, then downloaded it using the Snowflake client or rclone.
Credential Harvesting plays a critical supporting role (T1552 Unsecured Credentials). The group actively monitors infostealer logs available on underground markets, purchasing or acquiring credentials specifically targeting cloud service providers and SaaS platforms. This supply chain of stolen credentials allows them to compromise organizations without sending a single phishing email or deploying any malware, making their initial access extremely difficult to detect with traditional security controls.
Monetization follows a multi-track approach. High-value datasets are initially offered for private sale at premium prices, often in the tens of thousands to hundreds of thousands of dollars. The Ticketmaster data was initially listed for $500,000. Data that does not sell at premium prices or that is used to build reputation is later released freely on forums. In some cases, direct extortion of the victim organization is pursued, as seen with the AT&T and multiple Snowflake campaign victims. The group also monetizes through forum administration fees and marketplace commissions on BreachForums.
Tools & Malware
ShinyHunters is not known for developing custom malware. Their toolkit is primarily composed of legitimate tools and scripts repurposed for offensive operations:
- Cloud CLI Tools: Native AWS CLI, Azure CLI, and Snowflake client utilities (SnowSQL) used to interact with compromised cloud environments and extract data from storage services and databases.
- rclone: Open-source command line program used to manage and transfer files from cloud storage, frequently observed in the Snowflake campaign for bulk data exfiltration. Configured with Snowflake stage credentials to download staged data.
- Custom Database Dumping Scripts: Bespoke scripts tailored to efficiently extract and package large database tables from various database engines including MySQL, PostgreSQL, MongoDB, and Snowflake warehouses.
- Credential Stuffing Frameworks: Automated tools for testing stolen credentials against cloud service login portals, often incorporating proxy rotation, CAPTCHA solving services, and rate limit evasion techniques.
- Infostealer Log Parsers: Custom scripts to parse and filter bulk infostealer log purchases for credentials matching specific cloud service providers, corporate SSO portals, and target organizations.
- Git Repository Scrapers: Automated scanners that search public and accidentally exposed Git repositories for hardcoded credentials, API keys, database connection strings, and configuration files containing secrets.
- DBeaver / Database Management Tools: Legitimate database management applications used to connect to compromised database instances, browse schemas, and export data in bulk.
Indicators & Detection
Detecting ShinyHunters activity requires a cloud-centric monitoring approach, as their operations rarely touch traditional endpoint security controls.
Cloud Access Monitoring: Monitor for anomalous login patterns to cloud services, particularly Snowflake, AWS, and Azure environments. Key indicators include logins from unexpected geographic locations, connections from known VPN/proxy/hosting provider IP addresses, and authentication events occurring outside normal business hours. The Snowflake campaign revealed that many victims lacked MFA entirely, making credential-based access trivial to execute and virtually indistinguishable from legitimate use without behavioral analytics.
Data Exfiltration Indicators: Alert on unusually large data transfers from cloud storage and database services. Specific patterns to monitor include bulk SELECT * queries against large tables, COPY INTO operations creating staged files in Snowflake, abnormal S3/Blob storage download volumes, and rclone traffic signatures. Baseline normal data access patterns and alert on deviations that exceed established thresholds.
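The access and exfiltration rules from the two paragraphs above, as an added detection example that is not part of the original profile. It runs over constructed sample rows loosely modelled on Snowflake's ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY views (the column names, the corporate IP allowlist, the business-hours window and the row threshold are all assumptions); it flags the unload direction of COPY INTO (COPY INTO @stage FROM table), the GET command that pulls staged files down to a client, and unfiltered SELECT * reads above the row threshold, while ordinary loads (COPY INTO table FROM @stage) and filtered queries pass.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample rows, loosely modelled on Snowflake ACCOUNT_USAGE LOGIN_HISTORY / QUERY_HISTORY; column names are approximations.
LOGINS = [
    {"user": "svc_etl", "ip": "10.20.5.17", "ts": "2024-05-14T09:12:00", "mfa": True},
    {"user": "svc_etl", "ip": "185.220.101.4", "ts": "2024-05-15T03:41:00", "mfa": False},
]
QUERIES = [
    {"id": "q1", "text": "SELECT id, email FROM customers WHERE updated_at > '2024-05-01'", "rows": 4200},
    {"id": "q2", "text": "SELECT * FROM customers", "rows": 56_000_000},
    {"id": "q3", "text": "COPY INTO @~/dump/ FROM customers FILE_FORMAT=(TYPE=CSV)", "rows": 56_000_000},
    {"id": "q4", "text": "GET @~/dump/ file:///tmp/out/", "rows": 0},
]

CORP_NETS = [ip_network("10.20.0.0/16")]  # constructed corporate allowlist
BUSINESS_HOURS = range(7, 19)              # assumed 07:00-18:59 UTC
BULK_ROWS = 1_000_000                      # assumed "bulk" row threshold

UNLOAD = re.compile(r"^\s*COPY\s+INTO\s+@", re.I)        # COPY INTO <stage> = table unload to stage
GET_CMD = re.compile(r"^\s*GET\s+@", re.I)               # client-side download of staged files
STAR = re.compile(r"^\s*SELECT\s+\*\s+FROM\s+\S+\s*;?\s*$", re.I)  # unfiltered full-table read

def check_login(ev):
    hits = []
    if not any(ip_address(ev["ip"]) in net for net in CORP_NETS):
        hits.append("login outside corporate IP allowlist")
    if not ev["mfa"]:
        hits.append("login without MFA")
    if datetime.fromisoformat(ev["ts"]).hour not in BUSINESS_HOURS:
        hits.append("login outside business hours")
    return hits

def check_query(q):
    hits = []
    if UNLOAD.match(q["text"]):
        hits.append("COPY INTO unload to stage")
    if GET_CMD.match(q["text"]):
        hits.append("GET download of staged files")
    if STAR.match(q["text"]) and q["rows"] >= BULK_ROWS:
        hits.append("bulk SELECT * above row threshold")
    return hits

def triage(logins=LOGINS, queries=QUERIES):
    """Map each flagged event to its findings; events that trip no rule are omitted."""
    out = {f"login:{e['user']}@{e['ip']}": check_login(e) for e in logins}
    out.update({f"query:{q['id']}": check_query(q) for q in queries})
    return {k: v for k, v in out.items() if v}
```

In a real deployment the same rules would run as scheduled queries against the live views, with the row threshold derived from each account's baseline rather than a fixed constant.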
Credential Exposure Monitoring: Proactively monitor for organizational credentials appearing in infostealer logs and breach databases. Services such as SpyCloud, Flare, Hudson Rock, and Have I Been Pwned can provide early warning before attackers leverage stolen credentials. Implement automated credential rotation when exposure is detected, and cross-reference compromised accounts against cloud service access logs.
Repository Security: Scan all code repositories (public and private) for hardcoded credentials, API keys, database connection strings, and configuration files using tools like truffleHog, GitLeaks, or GitHub secret scanning. Implement pre-commit hooks and CI/CD pipeline checks to prevent credential leakage. Rotate any credentials found to have been exposed immediately.
Preventive Controls: Enforce MFA on all cloud service accounts without exception. This is the single most effective control against ShinyHunters' primary attack vector. Implement IP allowlisting where feasible to restrict cloud access to known corporate networks. Use cloud-native audit logging (CloudTrail, Snowflake Access History, Azure Monitor) and forward logs to a SIEM for correlation and alerting. Establish credential rotation policies that ensure passwords are changed regularly, especially for service accounts with access to sensitive data stores. Disable or restrict the use of COPY INTO and bulk export commands to authorized service accounts only.