{
	"id": "07929c85-168c-4a4f-8410-93282df75882",
	"created_at": "2026-04-06T00:21:15.557016Z",
	"updated_at": "2026-04-10T13:12:12.125725Z",
	"deleted_at": null,
	"sha1_hash": "657072896963c2c34c16e16a6365c60a23adb5b4",
	"title": "A cybercriminal is sentenced, will it make a difference? - Help Net Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1564261,
	"plain_text": "A cybercriminal is sentenced, will it make a difference? - Help Net\r\nSecurity\r\nBy Help Net Security\r\nPublished: 2024-03-07 · Archived: 2026-04-02 12:24:50 UTC\r\nThe darknet is home to many underground hacking forums in which cybercriminals convene, freely sharing\r\nstories, tactics, success stories and failures. Their unguarded discussions allow our team to peek into the politics\r\nand ethics behind recent adversary activities. The threat intelligence we gather is harnessed to continuously\r\nenhance protections for Cynet partners and customers.\r\nIn this piece, we’ll probe a notorious ransomware gang, ShinyHunters, to shed light on cybercriminal incentives\r\nand the objectives they pursue, as well as the effects for victims — and steps your team can take to reduce risk.\r\nYou can also use the “Ransomware Readiness Assessment Guide” to quickly evaluate your current exposure.\r\nThe sentencing of a cybercriminal\r\nOn January 10, a French citizen was sentenced to 3 years in prison plus a fine of $5 million. He had pleaded guilty\r\nto conspiracy to commit wire fraud and aggravated identity theft. The 22-year-old had originally faced 29 years\r\nbehind bars.\r\nThe charges stemmed from his involvement with a shadowy hacker group called ShinyHunters, believed to have\r\nformed in 2020. ShinyHunters is responsible for stealing data from over 60 organizations. The stolen data, which\r\noften includes PII (Personally Identifiable Information) and financial credentials, is then held for ransom. If ShinyHunters’s\r\ndemands for payment are not met, the victim’s data is sold or leaked across various dark web marketplaces. This\r\nbehavior indicates financial motivation; their activities appear unaffiliated with a political or activist agenda.\r\nHis role in ShinyHunters was to create specialized phishing pages masquerading as a target company’s login\r\nportal to lure employees into entering their credentials. 
With these stolen credentials, the group infiltrated company\r\nnetworks and stole data from any assets that could later be leveraged for extortion.\r\nRansomware rampage\r\nShinyHunters hit the scene with a massive exfiltration of account data from Tokopedia, Indonesia’s largest e-commerce company. ShinyHunters posted for sale the information of 15 million Tokopedia accounts for a meager\r\n€2.13 on May 2, 2020. Later, the full database of 91 million Tokopedia accounts was offered for $5,000.\r\nThe account data included email addresses, full names and birth dates, as well as hashed user passwords that other\r\nthreat actors dehashed, or cracked, before sharing publicly.\r\nhttps://www.helpnetsecurity.com/2024/03/07/shinyhunters-group/\r\nPage 1 of 4\n\nAnother notable breach attributed to ShinyHunters targeted the apparel company Bonobos, a subsidiary of\r\nExpress, Inc. On January 17th, 2021, a Bonobos database in the form of a 70GB SQL file was offered for free\r\ndownload on the hacker forum RaidForums. The database included millions of email addresses, phone numbers,\r\nthe last four digits of credit card numbers, hashed passwords, and user password history. As with the Tokopedia\r\nleak, threat actors dehashed or cracked the passwords for use in credential stuffing attacks.\r\nBonobos believes that the group exfiltrated the data by exploiting access to a backup file that was hosted outside\r\nthe company’s internal network, on an external cloud environment, back in August 2020.\r\nThe most recently confirmed ShinyHunters victim is Aditya Birla Fashion and Retail (ABFRL), based in India,\r\none of the world’s largest fashion retail companies.\r\nOn January 11, 2022, after ransom negotiations for an undisclosed sum broke down, ShinyHunters dropped a\r\nmajor leak for free on RaidForums. 
Its 700GB of stolen data included:\r\nSensitive ABFRL employee and customer data (full name, email, birth date, physical address, gender, age,\r\nmarital status, salary, religion, and more).\r\nThis includes around 5.4 million unique email addresses and passwords hashed with the\r\nlong-deprecated MD5 hashing algorithm.\r\n21 GB of ABFRL invoices containing sensitive customer payment details.\r\nABFRL’s website source code and server reports.\r\nAlthough ABFRL detected ShinyHunters while the attack was in progress, the hacking group says they still had\r\nuninterrupted access to the company’s sensitive data.\r\nShinyHunters techniques\r\nA ShinyHunters staple is spear-phishing, where phishing emails and fake login pages are crafted to target specific\r\ncompanies and collect credentials for later use to exfiltrate data — usually sensitive customer or employee\r\ninformation — from the victim’s network and environments. After exfiltration, any further credentials that are\r\nfound are used to expand access to the victim’s network or third-party services. The group then holds exfiltrated data\r\nfor ransom, urging the victim to pay or watch as their data is sold in various darknet forums and marketplaces,\r\nor even released publicly for free.\r\nIt was also reported that, in some instances, the group breached companies’ cloud computing providers and hijacked\r\nthem to mine for cryptocurrency, causing the victim companies to get stuck with the bill.\r\nFallout\r\nThe effects of ShinyHunters’s attacks transcend the technical damage to the internal operations of its victims, such\r\nas through source code exfiltration. By compromising the customer databases of companies lacking sufficient\r\nsecurity measures, ShinyHunters inflicted reputational damage on victims and, in severe cases, left them exposed to\r\nlegal actions. 
Indeed, several ShinyHunters victims currently face class action lawsuits stemming from the theft of\r\nsensitive customer data that was distributed amongst threat actors.\r\nConclusion\r\nIt remains to be seen if the aforementioned sentencing will deter his co-conspirators in ShinyHunters from further\r\nillicit activity. Regardless of their life decisions, what we know for certain is that ransomware risk as a global\r\nliability is rising rapidly.\r\nAfter attack volume increased by 50% in 2023, security teams must take action to reduce their risk of ransomware.\r\nThis is especially true for small-to-medium enterprises (SMEs) with lean security teams. 82% of ransomware\r\nattacks target SMEs.\r\nCynet’s all-in-one cybersecurity solution is purpose-built to help small teams fight back. It’s affordable, easy to\r\nuse and backed by CyOps, Cynet’s built-in MDR service. We’re available 24/7 to monitor your environment,\r\naccelerate incident response or simply answer your questions.\r\nSource: https://www.helpnetsecurity.com/2024/03/07/shinyhunters-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.helpnetsecurity.com/2024/03/07/shinyhunters-group/"
	],
	"report_names": [
		"shinyhunters-group"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434875,
	"ts_updated_at": 1775826732,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/657072896963c2c34c16e16a6365c60a23adb5b4.pdf",
		"text": "https://archive.orkl.eu/657072896963c2c34c16e16a6365c60a23adb5b4.txt",
		"img": "https://archive.orkl.eu/657072896963c2c34c16e16a6365c60a23adb5b4.jpg"
	}
}