HOMETHREATSshinyhunters
RANSOMWARE OPERATION💰 FINANCIAL

shinyhunters

1
campaigns
1
aliases

Intelligence Profile

ShinyHunters is a financially motivated data-theft and extortion group active since 2020, responsible for high-profile breaches including Ticketmaster (via Snowflake) and PowerSchool; by 2025 they launched a RaaS offering called "shinysp1d3r," and in August 2025 French authorities arrested four members.

Threat Analysis

shinyhunters is a ransomware operation that deploys encryption-based extortion against organizations globally. This group maintains a data leak site (DLS) to pressure victims into paying ransom demands.

Financially motivated threat actors like shinyhunters prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.

Known Campaigns

Shinyhunters — Active Campaign April 2026

Shinyhunters is conducting an active ransomware campaign targeting organizations across 1 country. Primary targets: Business Services, Consumer Services, Education. 34 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 11 Apr 2026).

🎯 Business Services🎯 Consumer Services🎯 Education
ACTIVECRITICAL2026

Intelligence Reports Mentioning shinyhunters

External References

Quick Facts

TypeRansomware Operation
Motivation💰 financial
Aliases1

Also Known As

shinyhunters

DLS Infrastructure

○ OFFLINEtoolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion
○ OFFLINEshinypogk4jjniry5qi7247tznop6mxdrdte2k6pdu5cyo43vdzmrwid.onion
○ OFFLINE91.215.85.22.
○ OFFLINEshnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion
○ OFFLINEshinyhunte.rs

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
shinyhunters — Ransomware Operation | Threat Intelligence | CTIWATCH.COM