{ "id": "81e11986-7cad-47bb-95bc-a0565cef4840", "created_at": "2026-04-09T02:22:41.743115Z", "updated_at": "2026-04-10T03:34:59.488471Z", "deleted_at": null, "sha1_hash": "13e8ba8ed046fc9091257f931cd358c7e0b5623c", "title": "Updating: Two Telegram channels and two accounts banned, one bounty offered, and BreachForums goes down - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 41530, "plain_text": "Updating: Two Telegram channels and two accounts banned, one\r\nbounty offered, and BreachForums goes down - DataBreaches.Net\r\nPublished: 2025-08-12 · Archived: 2026-04-09 02:18:10 UTC\r\nIf you were glued to a Telegram channel the other day watching people associated with ShinyHunters, Scattered\r\nSpider, and Lapsu$ leak data and rant about Mandiant, the NCA, the FBI, and demand that some arrested folks be\r\nset free, then you might want to think of yesterday and today as the next episode to the daytime drama.\r\nBut first: it looks like FalconFeeds.io has a detailed timeline of the Telegram channel in question. I am\r\nunabashedly jealous of people who have the time and resources to produce detailed and documented reports that\r\ntake 18 minutes to read. View the following as a TL;DR version of developments since this site’s previous post\r\nabout the Telegram channel that appeared on August 8.\r\nBy yesterday morning, the channel that had been  leaking hacked data, offering data for sale, and making threats\r\nagainst Mandiant had been banned, as was the account recently used by “Shiny” (the individual and seeming\r\nleader of ShinyHunters).  A backup channel for the group’s main channel was now being used, but it seemed that\r\nusers who had been so active previously (including ShinyCorp, Yuka, UNC3944, UNC5537, Rey, zzz, Famous\r\nPORNSTAR, and others)  were now pretty quiet. There was no flood of leaks or much of anything yesterday\r\nmorning, but maybe everyone was just re-grouping after losing the main channel and were getting ready to\r\nbecome active again. If so, their plans were derailed in the afternoon.\r\nA Bounty Offered on Yukari\r\nSomewhat surprisingly (to DataBreaches, anyway),  yesterday afternoon an announcement appeared on\r\nBreachForums offering a $500,000.00 bounty, payable in XMR, for information on the individual known as\r\n“Yukari.”  DataBreaches was surprised because the individual known as Yukari is a long-time friend and ally of\r\nShinyHunters. That a bounty would be posted on BreachForums made this blogger wonder if there had suddenly\r\nbeen a serious falling out between friends, or if ShinyHunters was just trolling with the reward announcement, or\r\nif there was some other explanation.\r\nThe reward offer pointed people to a Telegram account set up specifically for information on Yukari. That account\r\ndoes not appear to have been banned or deleted.\r\nCompromised\r\nAbout 30 minutes after someone posted, “We are back,”  Shiny posted, “Hey, it’s me Shiny again, tonight I’m here\r\nto share some really bad news I found out while being banned.”\r\nWhat followed was a pgp-signed message, a copy of which was also uploaded to Pastebin. The gist of the message\r\nwas that BreachForums was compromised and is allegedly under the control of law enforcement in France and\r\nhttps://databreaches.net/2025/08/12/updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums-goes-down/\r\nPage 1 of 2\n\nU.S. law enforcement. The BreachForums accounts of “ShinyHunters” and “Hollow” had been compromised,\r\nShiny claimed, and the new founder, “N/A,” was allegedly “a fed.”\r\n[DataBreaches is reporting the claims, but has no way of verifying or refuting any of them. DataBreaches is\r\nreporting them simply because they help explain what happened next.]\r\nShiny also claimed that the bounty post that had been posted by the ShinyHunters account on BreachForums was\r\nnot by ShinyHunters and was a result of the compromise.\r\nShortly after Shiny posted on Telegram, BreachForums went down and is still down. Who took it down has not\r\nbeen confirmed, and whether it will stay down and whether a seizure notice will appear is unknown at this time. A\r\ncheck of the nameservers for the forum does not indicate any change to nameservers owned by the government as\r\nof this publication.\r\nPlaying Whack-A-Mole\r\nCompared to the weekend’s frenzied posting on the main Telegram channel, the backup/discussion Telegram\r\nchannel was relatively quiet. Then someone posted  a few redacted screenshots that appear to be redacted requests\r\nfrom U.S. Interpol (NCB) to France in June 2024 concerning ShinyHunters. And then they also  threatened\r\nFalconFeeds with a DDoS attack because their reporting cited content that angered the posters. Since everyone\r\nand their grandmother had to know that everybody in law enforcement and every intel firm would be scraping\r\neverything in the channel, it seems a tad unreasonable for posters to blame FalconFeeds or anyone else for\r\nreporting or re-posting what they themselves had posted.\r\nAnd then, of course, there was also the fact that they threatened a DDoS attack.\r\nHours later, the backup channel was banned too. Whether it was banned because of the redacted NCB images or\r\nbecause of DDoS threat or for some other other reason is not known to DataBreaches.\r\nBy publication time, though, another channel had been opened.\r\nIn messages that appear to be written by Shiny, we read:\r\nAfter I leaked that BF was compromised by law enforcement a few hours later they took the site down\r\nand they just got the Telegram channel @sp1d3rlapsushunters banned.\r\nWe are in literal war.\r\nI don’t know what they don’t understand but they aren’t winning this at all lol\r\nAt this point, I think they may have lost sight of a bigger picture. What were they trying to accomplish with this\r\nchannel and activity? And what impression have they really created for future targets?\r\nSource: https://databreaches.net/2025/08/12/updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums\r\n-goes-down/\r\nhttps://databreaches.net/2025/08/12/updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums-goes-down/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://databreaches.net/2025/08/12/updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums-goes-down/" ], "report_names": [ "updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums-goes-down" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-10T02:00:03.422366Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-10T02:00:03.770068Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "358432a9-d927-43c7-9201-b7aa7d184c26", "created_at": "2024-06-20T02:02:10.317536Z", "updated_at": "2026-04-10T02:00:05.043265Z", "deleted_at": null, "main_name": "UNC5537", "aliases": [], "source_name": "ETDA:UNC5537", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "c3c24777-7c0f-4772-b273-2163ac5a6b67", "created_at": "2024-06-19T02:00:04.373472Z", "updated_at": "2026-04-10T02:00:03.651748Z", "deleted_at": null, "main_name": "UNC5537", "aliases": [], "source_name": "MISPGALAXY:UNC5537", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-10T02:00:05.034516Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775701361, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/13e8ba8ed046fc9091257f931cd358c7e0b5623c.pdf", "text": "https://archive.orkl.eu/13e8ba8ed046fc9091257f931cd358c7e0b5623c.txt", "img": "https://archive.orkl.eu/13e8ba8ed046fc9091257f931cd358c7e0b5623c.jpg" } }