Cybercrime Groups ShinyHunters and Scattered Spider Collaborate on Business Extortion Attacks
An ongoing data extortion campaign targeting Salesforce customers is reportedly shifting its focus towards financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be collaborating closely. Recent findings from ReliaQuest indicate a significant change in ShinyHunters' tactics, moving away from their previous methods of credential theft and database exploitation. The new strategies include highly targeted vishing, social engineering attacks, and the use of applications that disguise themselves as legitimate tools. They also employ Okta-themed phishing pages to deceive victims into entering their credentials during vishing attempts, alongside VPN obfuscation techniques for data exfiltration.
ShinyHunters, which emerged in 2020, has been involved in numerous data breaches affecting major corporations, monetising the stolen data on cybercrime forums such as RaidForums and BreachForums. The ShinyHunters persona has played a significant role in these forums, both as a contributor and as an administrator. They partnered with Baphomet to relaunch BreachForums in June 2023 and later launched a new version on their own in June 2025. Despite the brief existence of the forum, ShinyHunters has been linked to a series of global attacks on Salesforce instances, which Google is tracking under the designation UNC6240.
Concurrently, French law enforcement arrested four individuals suspected of operating BreachForums, including members of ShinyHunters. However, the group has claimed that these arrests were rushed and inaccurate. Furthermore, a new Telegram channel emerged, combining ShinyHunters, Scattered Spider, and LAPSUS$, which claimed to be developing a ransomware-as-a-service solution named ShinySp1d3r. This channel, however, disappeared shortly after its creation. Both Scattered Spider and LAPSUS$ are associated with a larger network known as The Com, which is infamous for a variety of cybercriminal activities, including SIM swapping and extortion. ReliaQuest has identified a coordinated set of phishing domains and Salesforce credential harvesting pages likely aimed at high-profile companies across various industries.
Categories: Cybercrime Tactics, Data Extortion Campaigns, Phishing and Social Engineering
Tags: Data Extortion, Salesforce, Financial Services, Technology Service Providers, ShinyHunters, Scattered Spider, Vishing, Social Engineering, Ransomware-as-a-Service, Credential Harvesting