Rising Threats: The Emergence of ShinyHunters and Scattered Spider
The cybersecurity landscape is witnessing a disturbing evolution as the data extortion campaign led by ShinyHunters targets Salesforce customers and sets its sights on financial services and technology providers. Recent intelligence suggests a collaboration between ShinyHunters and another group, Scattered Spider, revealing a significant shift in tactics that merits alarm.
A Shift in Attack Strategies
According to a report from ReliaQuest, the recent operations attributed to ShinyHunters signal a departure from their earlier focus on credential theft and database exploitation. The group has adopted strategies akin to those of Scattered Spider, primarily engaging in highly targeted vishing—also known as voice phishing—and social engineering.
During vishing calls, victims are steered toward applications that appear legitimate and toward Okta-themed phishing pages designed to capture their credentials. The attackers also use VPN obfuscation to mask data exfiltration, which further complicates detection.
ShinyHunters: A Closer Look
Having emerged in 2020, ShinyHunters operates as a financially incentivized threat group known for orchestrating high-profile data breaches. They have successfully monetized stolen data across cybercrime forums such as RaidForums and BreachForums. Intriguingly, this group has played pivotal roles not only as contributors but also as administrators on these platforms.
In June 2023, ShinyHunters collaborated with another threat actor to reboot BreachForums, which had briefly paused operations after a prior version went offline. The relaunch points to the group's ongoing resilience despite setbacks.
Recent Developments in Law Enforcement
In a surprising turn of events, four individuals suspected of managing BreachForums, including members linked to ShinyHunters, were apprehended by French law enforcement. However, ShinyHunters countered these claims, labeling them as misleading. The picture is complicated further by the recent popularity of a Telegram channel that combined the identities of ShinyHunters, Scattered Spider, and LAPSUS$ into a new entity dubbed "scattered lapsu$ hunters." This channel hinted at developing a ransomware-as-a-service product called ShinySp1d3r, aimed at competing with established operations like LockBit.
The Convergence of Threat Actors
Scattered Spider and LAPSUS$ are part of a broader network known as The Com, a group notorious for various cybercriminal activities such as SIM swapping and extortion. According to FalconFeeds, the formation of the "Scattered LAPSUS$ Hunters" marks a novel phase in cyber extortion where the emphasis is not just on financial gain but also on creating chaos within the cyber landscape.
Recently, ReliaQuest identified a series of phishing domains and Salesforce credential harvesting pages presumably set up to target major companies across multiple sectors. These domains were created using infrastructure commonly associated with phishing kits, which are often used to build single sign-on (SSO) login pages, a hallmark of Scattered Spider's tactics.
Targeting Financial Institutions
An analysis of over 700 domains registered in 2025 revealed a noticeable uptick in phishing attempts aimed at financial companies, which increased by 12% since July. Conversely, efforts targeting technology firms dipped by 5%. This trend highlights the increasing risk faced by banks, insurance companies, and other financial entities.
The coordinated efforts of ShinyHunters and Scattered Spider are becoming evident as they both focus on similar industries—retail, insurance, and aviation—simultaneously. Insights from cybersecurity researchers suggest that the overlap in tactics and targeted sectors indicates a potentially long-standing collaboration between these two threat actors.
A Warning from ShinyHunters
In a recent announcement, ShinyHunters declared that BreachForums has been compromised and is now functioning as a honeypot for international law enforcement. They claimed that agencies such as the FBI and the U.S. Department of Justice are behind this operation.
ShinyHunters further warned that any revival of BreachForums should be taken as a sign of law enforcement entrapment. Their comments reflect a broader shift in cybercrime, where traditional forums may become tools for law enforcement to gather intelligence on cybercriminals.
As the landscape of cyber threats continues to evolve, the collaboration between ShinyHunters and Scattered Spider represents a troubling indication of what lies ahead for businesses and individuals alike, particularly in sectors dealing with sensitive financial data. Understanding these dynamics is crucial for developing more robust defenses against these emerging threats.


