Group profile
shinyhunters
ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake) and PowerSchool; by 2025 they launched a RaaS offering called "shinysp1d3r," and in August 2025 French authorities arrested four members.
Sectors hit
- Education
- Unspecified
- Healthcare
- Consumer Services
- Business Services
- Telecommunication
- Technology
- Manufacturing
Countries hit
MITRE ATT&CK · observed TTPs
- TA0001Initial Access
- TA0005Defense Evasion
- T1550.001Use Alternate Authentication Material: Application Access Token
Use of malicious "Connected" OAuth applications to maintain persistent access to Salesforce and Microsoft 365 environments without needing passwords.
- TA0009Collection
- T1213Data from Information Repositories
Frequent targets include Confluence, Jira, and SharePoint to collect internal documentation and plaintext credentials.
- TA0010Exfiltration
- T1567Exfiltration Over Web Service
Use of legitimate cloud tools and native APIs to "drain" data from CRMs (Salesforce) directly to C2 servers.
- TA0040Impact
- T1486Data Encrypted for Impact
- TA0043Reconnaissance
- T1598.002Phishing for Information: Spearphishing Attachment