{ "id": "b386454c-8aa9-48ea-abfc-efc0fd9306a0", "created_at": "2026-04-09T02:23:47.653411Z", "updated_at": "2026-04-10T03:34:59.557121Z", "deleted_at": null, "sha1_hash": "5ad03e660c6312289bb7d76fc420484d5a1e3338", "title": "ShinyHunters sent Google an extortion demand; Shiny comments on current activities - DataBreaches.Net", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 84779, "plain_text": "ShinyHunters sent Google an extortion demand; Shiny comments\r\non current activities - DataBreaches.Net\r\nPublished: 2025-08-08 · Archived: 2026-04-09 02:21:24 UTC\r\nYesterday morning, DataBreaches woke up to a message on Telegram:\r\nEven the NSA can’t stop or identify us anymore. The FBI and everyone else is irrelevant and\r\nincompetent as far as we’re concerned :).\r\nWhen DataBreaches asked ShinyHunters if anything in particular had inspired that statement, “Shiny1”\r\nresponded:\r\nI heard the NSA is investigating and analyzing voice call recordings from companies who were affected\r\nand attempts by us. The companies that are receiving SE calls are Scattered Spider then providing us\r\nthe access to dump these companies if successful.\r\nDataBreaches followed up by asking Shiny why he thought the voice analyses would be nonproductive and that\r\nNSA was incompetent. He replied:\r\nThose are AI generated voices. For example, they won’t be able to locate anyone based off background\r\nnoises such as powerline humming noise that you can’t hear. They can’t cross reference the power\r\ncompanies logs with time frames of us calling these companies since theres fluctuations in the\r\nfrequencies, it’s not always 60hz but ours is consistently 60-12hz. They can use such information to get\r\nan approximate location but in our case no, not possible. Forget about triangulation technology too, that\r\nwouldn’t work. We were providing state of the art SIP providers.\r\nNote: Less than 24 hours after publication, a several people claimed that the above statement was factually\r\ninaccurate (although that is not the words they used). They claimed that Scattered Spider is using their real voices\r\non the calls. Could their opsec really be that bad?  DataBreaches does not know. \r\nThere were other topics also discussed in the chat yesterday, and some of what we discussed is reported below.\r\nFrance\r\nShiny was not only mad at law enforcement and Google, it seems, but also LVMH, the parent company of Dior\r\nand Tiffany, two brands that were attacked as part of the Salesforce campaign. At one point, Shiny commented\r\nthat he didn’t think law enforcement would be going after them so hard if it wasn’t for pressure by LVMH. \r\nDataBreaches asked if Shiny really thought that LVMH had that much effect and were making a difference.\r\nYes, those multi hundred billionaires think they have a say and power but they don’t.\r\nIf trillionaires like Google can’t stop us then billionaires are nothing. Law enforcement doesn’t have\r\nsuch funding or massive budgets either. They will forget about us in a month or two once we’re done.\r\nhttps://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nPage 1 of 5\n\nThen we’ll come back and launch another several months to year long sophisticated campaign,\r\nSnowflake 3.0. Next time it’s going to be much much worse.\r\nDataBreaches asked Shiny if he thought that pressure from LVMH had pushed French law enforcement into\r\nmaking faster arrests?\r\n“France rushed to make FALSE, INACCURATE arrests,” he replied, adding, “I, personally, am not no where near\r\nFrance.” But of course, we would expect him to say that even if he is in France.\r\nIt is not obvious to DataBreaches why LVMH would be so allegedly aggressive in pursuing ShinyHunters.\r\nCertainly a lot of companies have been hit a lot worse. Sources with knowledge of the attacks and LVMH’s\r\nresponse had previously told DataBreaches that LVMH had paid about 4 BTC in extortion to cover all of their\r\nbreached brands, meaning Dior, Tiffany, and (although it has not been publicly disclosed by LVMH or the brand),\r\nCeline.\r\nBut Shiny clearly has a lot of anger towards France, and states that they are aggressively targeting France now:\r\n“My only directives are to target the USA, UK, AU, CA, and France. And to not touch Russia, China, and North\r\nKorea at all.”\r\nAustralia\r\nTargeting Australia seems to be related to Scattered Spider members. During the chat, Shiny stated:\r\nHalf of the Scattered Spider is in the USA, UK, or Australia. Why do you think we suddenly hit Qantas\r\nand other major Australian companies? Some kid was begging us to hack them.\r\nAny significant arrests yield from our counterpart, Scattered Spider? No. Forget the four UK arrests,\r\nthose guys were retards hence why I didn’t ransom M\u0026S for them, amoung others.\r\nBut mentioning Qantas apparently reminded Shiny of the injunction they had been sent, and he shared a copy of\r\ntheir response to Qantas with DataBreaches, saying it had been emailed to Qantas:\r\nThank you but we will not be complying with any court orders as we have no obligation to do so since\r\nwe reside outside of your jurisdiction. Even if we resided within your jurisdiction, we do not care, and\r\nwe wouldn’t comply. Keep in mind this data will be going public very soon. We gave you a chance and\r\nwe are willing to give one last chance for you to comply, negotiate, and resolve this situation.\r\nWhen we start leaking the data, we will first start off by leaking the data of every federal judge and\r\nevery federal officer of Australia. If you do not comply at that point we will leak the entire thing.\r\nStop doing what you did with Optus, AFP. This time injunction orders won’t stop us. You are irrelevant,\r\nweak, and incompetent. Good luck with the “external parties” you redacted from the documents, as we\r\nalready know who they are.\r\nYou have 24 hours to start negotiating, we dropped the price by another $1m. The offer now remains at\r\n$1m. Stop this nonsense and make the correct decision and pay the ransom. If you keep stalling, it will\r\nbe leaked. Do not waste time.\r\nhttps://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nPage 2 of 5\n\nShiny states they also emailed the following to the AFP, ASD, and Home Affairs of Australia:\r\nHello, we are responsible for the Qantas Airways Limited cyber attack as you know and we will be\r\nresponsible for the many forthcoming cyber incidents affecting various Australian industries in the\r\ncoming days and weeks ahead.\r\nWe wanted to let you know this ourselves to expose what we view as systemic ignorance and arrogance\r\nwithin Australia’s cyber security landscape: – this message is being issued directly to highlight the\r\nconsequences of the decision to not to meet our demands in Qantas Airways Limited settlement which\r\nwas intended to prevent widespread disruption across Australia. Once our campaign concludes, we will\r\nbegin contacting the affected organizations individually.\r\nWe trust this will serve as a clear demonstration of the impact of that decision and hope our future\r\ndemands are met, which would put a stop to our widespread disruption campaign across Australia.\r\n– ShinyHunters\r\n“Complete idiots to think such court orders have any relevancy or affect,” Shiny commented after sharing the\r\ncorrespondence.\r\nShinyHunters’ response to the injunction actually makes a point DataBreaches had raised in a July 18 commentary\r\non such injunctions in general. DataBreaches had written:\r\nThe reality is that criminals who would leak the data or sell it via the internet generally don’t give\r\na damn about any court injunctions and will leak it anyway. The only ones who are then really\r\naffected by injunctions or superinjunctions are media outlets who would want to report on the situation\r\nto inform the public and members of the public who might be affected by a breach but not know about\r\nit if the entity has not been transparent in any disclosure.\r\nMore on Google\r\nYesterday morning, ShinyHunters also stated that they had sent Google an extortion demand. He didn’t not reveal\r\nthe exact time, but it was after Google had publicly revealed the breach in an update on their blog. The extortion\r\ndemand reportedly included attached samples of files. DataBreaches was not shown any copy of the email or\r\ndemand.\r\n“Within 1 hour [of sending the email] they saw our email and downloaded the samples multiple times,” Shiny\r\nstated, adding, “I bet they were waiting for the email LOL. I purposely sent it from my main email… I hope I\r\ndon’t get banned again.”\r\nShiny later commented, “I wasn’t going to ransom them because when we start leaking the data of companies who\r\nhaven’t paid I wanted to drop Google’s database first aince its the most hottest one.”\r\nHe declined to reveal how much the demand was and what deadline Google had been given.\r\nMinutes later, Shiny somewhat casually announced, “Going to attack them again \u003e.\u003e”\r\nhttps://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nPage 3 of 5\n\nWhen DataBreaches asked if he was serious, he replied, “Yes why wouldn’t I? They are not stopping this. We are\r\nstill dumping more companies by the day. And those poor companies have no idea.”\r\nShiny posted this graphic during the chat with a comment, “GTIG and FBI\r\nlooking at me (Scattered Spider) drastically changing the TTPs and IoCs right\r\nwhen they post an update LOL.”\r\nShiny would not indicate when the next attack on Google would be, but DataBreaches contacted GITG to alert\r\nthem of Shiny’s claim because Shiny’s past claims about hacking Google had proven true.\r\nDataBreaches also emailed Google’s press contact to ask if they would comment on the claims about the extortion\r\ndemand and ShinyHunters’ statement that they would be attacking Google again.   Google responded that they\r\nwill not be providing comment. but thanks for updating them and the communications.\r\n1\r\n  A note on “Shiny:”\r\nDataBreaches uses the name”Shiny” to refer to the individual who this blogger has communicated via Telegram\r\nover the past few years. Although French police claim to have arrested the leader of ShinyHunters on June 23,\r\ndoubts have been raised by this blogger and a number of people who have communicated with “Shiny” before and\r\nafter the arrest date, and who are convinced that the person they are communicating with now on the\r\nSp1d34hunters account is the same individual (and head of ShinyHunters) that they communicated with for years\r\non various Telegram accounts or on Jabber. Keep in mind that for some accounts, more than one person could be\r\nposting or writing on a Telegram account or Jabber account, but all of us recognize the person who is currently\r\nposting on the Sp1d3rhunters account.\r\nBecause someone is still detained in a French prison and is supposedly the leader of ShinyHunters, all\r\nDataBreaches can say at this time, then, is that we are curious as to who the French have arrested. Shiny has told\r\nDataBreaches that it is an “associate” and to think of the individual or arrest as another “Sezyo” (referring to the\r\narrest of Sebastien Raoult).\r\nDataBreaches also knows that some people believe we have not been communicating with the head of\r\nShinyHunters but a close associate like “Hollow” (aka TriHash, aka Clownpiece, aka Felix) or “Anastasia”\r\n(another account that has been used by more than one person). We also know that one or more other people used\r\nhttps://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nPage 4 of 5\n\nthe Sp1d3rhunters account in the past. But we all recognize the person currently on Sp1d3rhunters as the same\r\nperson we dealt with in the past.\r\nEither we are all wrong or the French prosecutors are. Time will tell.\r\nAs with many things Shiny has told me over the years, DataBreaches does not always have the ability to confirm\r\nor refute claims made during a chat by a threat actor, but notes that Shiny’s statements about the attack on Google,\r\nSalesforce attacks, and Scattered Spider have all subsequently been verified directly or indirectly — in some cases\r\nby updates to Google’s Threat Intelligence Group blog entries.\r\nIntel analysts and intel firms will likely treat all of the claims and statements reported about Shiny in this post as\r\n“low confidence” resports.  That’s perfectly understandable and appropriate. I am putting this all out there so that\r\nothers can pursue it and try to verify it or disconfirm it using their own tools and methods.]\r\nThis post was updated to add Google’s response and then updated again to add a note that several people who\r\nhad read this article claimed that Shiny’s claims were not true and that Scattered Spider was using their real\r\nvoices on calls. \r\nSource: https://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nhttps://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/" ], "report_names": [ "shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-10T02:00:03.422366Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-10T02:00:03.770068Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-10T02:00:05.034516Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775701427, "ts_updated_at": 1775792099, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/5ad03e660c6312289bb7d76fc420484d5a1e3338.pdf", "text": "https://archive.orkl.eu/5ad03e660c6312289bb7d76fc420484d5a1e3338.txt", "img": "https://archive.orkl.eu/5ad03e660c6312289bb7d76fc420484d5a1e3338.jpg" } }