{
	"id": "178e736d-0104-4cb5-909c-8af3b21913b2",
	"created_at": "2026-04-06T00:11:18.6503Z",
	"updated_at": "2026-04-10T03:34:59.52069Z",
	"deleted_at": null,
	"sha1_hash": "8dd7b07f8e3a88f0a51d3601de7f553698420827",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109482,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 17:41:42 UTC\n Other threat group: ShinyHunters\nNames ShinyHunters (self given)\nCountry [Unknown]\nMotivation Financial gain\nFirst seen 2020\nDescription\n(ZeroFOX) ShinyHunters is taking a page out of the book of Gnosticplayers, the\nbreach data broker who in 2018-2019 pilfered billions of records from dozens of\ncompanies and sold them online. Due to the verification of the Tokopedia breach by\nmultiple researchers and the company itself, ZeroFOX Alpha Team has HIGH\nconfidence that these new breaches are legitimate, and will most likely be available\non other breach marketplaces at lower prices in the near future. It is likely that this\nactor will continue to breach companies and post their content for sale. These tactics\nproved both successful and profitable for gnosticplayers, and it is likely they will\ncontinue to appeal to other breach brokers for these reasons.\nAround July 2025, ShinyHunters teamed up or merged with Subgroup: Scattered\nSpider. 
They also share their Telegram channel with Lapsus$, so they may all work\ntogether now – see the DataBreaches.net references in the Information section\nbelow.\nObserved\nTools used\nOperations performed\nJan 2020\nHacker leaks 40 million user records from popular Wishbone app\nJan 2020\n25 million user records leak online from popular math app Mathway\nMar 2020 Hacker leaks 15 million records from Tokopedia, Indonesia's largest\nonline store\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 1 of 7\n\nMar 2020\nA hacker claims to have stolen over 500GB of data from Microsoft's\nprivate GitHub repositories, BleepingComputer has learned.\nMar 2020\nHackers sell stolen user data from HomeChef, ChatBooks, and\nChronicle\nMay 2020\nOnline learning platform Unacademy has suffered a data breach after a\nhacker gained access to their database and started selling the account\ninformation for close to 22 million users.\nJun 2020\nHavenly discloses data breach after 1.3M accounts leaked online\nJul 2020\nAn allegedly stolen Wattpad database containing 270 million records\nwere being sold in private sales for over $100,000. 
Now it is being\noffered for free on hacker forums.\nJul 2020\nTech unicorn Dave admits to security breach impacting 7.5 million\nusers\nJul 2020\nPromo.com discloses data breach after 22M user records leaked online\nNov 2020\nShinyHunters hacker leaks 5.22GB worth of Mashable.com database\nNov 2020\nPopular stock photo service hit by data breach, 8.3M records for sale\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 2 of 7\n\nNov 2020\nHacker posts 1.9 million Pixlr user records for free on forum\nJan 2021\nHacker leaks full database of 77 million Nitro PDF user records\nJan 2021\nHacker leaks data of millions of Teespring users\nJan 2021\nBonobos clothing store suffers a data breach, hacker leaks 70GB\ndatabase\nJan 2021\nHacker leaks data of 2.28 million dating site users\nApr 2021\nShifting Strategies: ShinyHunters and Known Cyber Threat Actors\nChange Tactics\nApr 2021\nShinyHunters dump partial database of broker firm Upstox\nApr 2021\nHacker leaks 20 million alleged BigBasket user records for free\nMay 2021\nShinyHunters leak database of Indian wedding portal WedMeGood\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 3 of 7\n\nAug 2021\nAT\u0026T denies data breach after hacker auctions 70 million user\ndatabase\nDec 2021\nThis time, the victim is a Fortune India 500 List company: Mumbai-headquartered Aditya Birla Group (ABG).\nJun 2023\nBreachForums Returns Under the Control of ShinyHunters Hackers\nAug 2023\nPizza Hut Australia customer data hacked; ShinyHunters claims to\nhave more than 1 million customers’ information\nApr 2024\nMassive AT\u0026T data breach exposes call logs of 109 million customers\nApr 2024\nAdvance Auto Parts data breach impacts 2.3 million people\nMay 2025\nNeiman Marcus data breach: 31 million email addresses found\nexposed\nMay 2024\nShinyHunters claims Santander breach, selling data for 30M\ncustomers\nMay 2024 Data of 560 million Ticketmaster 
customers for sale after alleged\nbreach\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 4 of 7\n\nMay 2024\nBreachForums Returns Just Weeks After FBI Seizure - Honeypot or\nBlunder?\nJun 2024\nCylance confirms data breach linked to 'third-party' platform\nDec 2024\nPowerSchool hacker now extorting individual school districts\nJan 2025\nDior begins sending data breach notifications to U.S. customers\nMay 2025\nNow it’s Tiffany: Another LVMH luxury brand hit by hackers\nMay 2025\nAdidas Data Breach Linked to Third-Party Vendor\nJun 2025\nGoogle: Hackers target Salesforce accounts in data extortion attacks\nJun 2025\nAllianz Life confirms data breach impacts majority of 1.4 million\ncustomers\nJun 2025\nFashion giant Chanel hit in wave of Salesforce data theft attacks\nJun 2025\nLouis Vuitton says regional data breaches tied to same cyberattack\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 5 of 7\n\nJun 2025\nPandora confirms data breach amid ongoing Salesforce data theft\nattacks\nJun 2025\nGoogle suffers data breach in ongoing Salesforce data theft attacks\nJun 2025\nAir France and KLM disclose data breaches impacting customers\nJul 2025\nBreachForums Resurfaces on Original Dark Web (.onion) Address\nAug 2025\nUpdating: Two Telegram channels and two accounts banned, one\nbounty offered, and BreachForums goes down\nCounter operations\nJun 2022\nAlleged member of ShinyHunters held in Morocco on Interpol Red\nNotice, U.S. 
seeking extradition\nSep 2023\nFrench cybercriminal pleads guilty to fraud and aggravated identity\ntheft for hacking private information\nJan 2024\nShinyHunters member gets 3 years in prison for breaching 60 firms\nMay 2024\nFBI seize BreachForums hacking forum used to leak stolen data\nJun 2025\nBreachForums hacking forum operators reportedly arrested in France\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 6 of 7\n\nInformation\nLast change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1\nPage 7 of 7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1"
	],
	"report_names": [
		"showcard.cgi?u=92cc31c7-3c18-4ae2-9f9b-649b6cb029e1"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1609af91-e258-4058-9caa-59e7d171aecb",
			"created_at": "2022-10-25T16:07:24.491691Z",
			"updated_at": "2026-04-10T02:00:05.008935Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "ETDA:Gnosticplayers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "56d15cc7-f9c1-451f-bdde-8c283e3cf15b",
			"created_at": "2023-01-06T13:46:39.015288Z",
			"updated_at": "2026-04-10T02:00:03.181411Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "MISPGALAXY:Gnosticplayers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8dd7b07f8e3a88f0a51d3601de7f553698420827.pdf",
		"text": "https://archive.orkl.eu/8dd7b07f8e3a88f0a51d3601de7f553698420827.txt",
		"img": "https://archive.orkl.eu/8dd7b07f8e3a88f0a51d3601de7f553698420827.jpg"
	}
}