{
	"id": "04905a3f-386e-49e2-af4b-9d44c9ab7f4c",
	"created_at": "2026-04-09T02:23:42.772864Z",
	"updated_at": "2026-04-10T13:12:59.430316Z",
	"deleted_at": null,
	"sha1_hash": "ba1dea5cff18fff646a1a4e7aa1344b8fe869fa1",
	"title": "Are Scattered Spider and ShinyHunters one group or two? And who did France arrest? (1) - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89126,
	"plain_text": "Are Scattered Spider and ShinyHunters one group or two? And\r\nwho did France arrest? (1) - DataBreaches.Net\r\nPublished: 2025-08-03 · Archived: 2026-04-09 02:09:09 UTC\r\nWhen DataBreaches was a kid, the “new math” they were experimenting with had us learning binary and other\r\nsystems. It didn’t go over well with us, our teachers, or our parents back then. Now the “new math” for me is\r\nUNCs — specifically 6040, 5537, 3944, and 6240.\r\n6040+5537+3944 +6240 = Scattered Spider + ShinyHunters\r\nBut does Scattered Spider = ShinyHunters?\r\nAccording to a statement made by ShinyHunters yesterday, they are one and the same.\r\nWhat a Tangled Web\r\nGoogle Threat Intelligence Group has published several blogs since May that consider whether certain threat\r\nactors might be related to Scattered Spider, ShinyHunters, or both.\r\nThe June 4th post on UNC 6040 seemed somewhat self-contradictory. GITG defines 6040 as\r\n.. a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns\r\nspecifically designed to compromise organizations’ Salesforce instances for large-scale data theft and\r\nsubsequent extortion. Over the past several months, UNC6040 has demonstrated repeated success in\r\nbreaching networks by having its operators impersonate IT support personnel in convincing telephone-based social engineering engagements. This approach has proven particularly effective in tricking\r\nemployees, often within English-speaking branches of multinational corporations, into actions that\r\ngrant the attackers access or lead to the sharing of sensitive credentials, ultimately facilitating the theft\r\nof organization’s Salesforce data. 
In all observed cases, attackers relied on manipulating end users, not\r\nexploiting any vulnerability inherent to Salesforce.\r\nThe preceding paragraph might suggest that 6040 is linked to ShinyHunters, since that group has claimed\r\nresponsibility for the Salesforce-related attacks and extortion demands to some victims have been signed\r\n“ShinyHunters.” But then, the blog post continues:\r\nIn some instances, extortion activities haven’t been observed until several months after the initial\r\nUNC6040 intrusion activity, which could suggest that UNC6040 has partnered with a second threat\r\nactor that monetizes access to the stolen data. During these extortion attempts, the actor has claimed\r\naffiliation with the well-known hacking group ShinyHunters, likely as a method to increase pressure on\r\ntheir victims.\r\nSo UNC6040 is not ShinyHunters but is Scattered Spider who partners with ShinyHunters? Google tried to clarify\r\nby issuing yet another UNC number: 6240. BleepingComputer reports:\r\nhttps://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/\r\nPage 1 of 6\n\nGTIG attributes multiple incidents impacting Salesforce instances to UNC6040. In at least some cases,\r\nthe follow-on extortion activity, which we attribute to the distinct threat cluster UNC6240, has used the\r\nShinyHunters brand,” Stark told BleepingComputer.\r\nThe extortion activity is attributed to UNC6240 instead of UNC6040 due to a significant time gap\r\nbetween the initial data theft activity and the subsequent extortion activity. 
We have not confirmed the\r\nnature of the relationship between these intrusions and the prior use of this handle on underground\r\nforums.\r\nAbrams addresses the attribution confusion in a recent post:\r\nThe breaches have caused confusion among the cybersecurity community and the media, including\r\nBleepingComputer, with the attacks attributed to Scattered Spider (tracked by Mandiant as UNC3944),\r\nas those threat actors were also targeting the aviation, retail, and insurance sectors around the same time\r\nand demonstrated similar tactics.\r\nHowever, threat actors associated with Scattered Spider tend to perform full-blown network breaches,\r\nculminating with data theft and, sometimes, ransomware. ShinyHunters, tracked as UNC6040, on the\r\nother hand, tends to focus more on data-theft extortion attacks targeting a particular cloud platform or\r\nweb application.\r\nIt is BleepingComputer’s and some security researchers’ belief that both UNC6040/UNC6240 and\r\nUNC3944 consist of overlapping members that communicate within the same online communities. The\r\nthreat group is also believed to overlap with “The Com,” a network of experienced English-speaking\r\ncybercriminals.\r\nIs the time gap between attack and extortion attempt really significant or an indicator for attribution? According to\r\nsomeone knowledgeable about ShinyHunters’ operations, there is a simple explanation for the gap: the threat actors\r\nare planning to do a mass extortion campaign simultaneously on every affected company. Qantas and Allianz Life\r\nwere extorted immediately after they made a public disclosure, but other victims who have not publicly disclosed\r\nhave not been extorted yet.\r\nDataBreaches has also tried to sort out the attribution and whether Scattered Spider and ShinyHunters are\r\ncollaborating or have shared affiliates, or … something. 
Was ShinyHunters just providing extortion services for\r\nScattered Spider, or is there more to the relationship?\r\nEnter @Sp1d3rhunters\r\nWhile some news outlets were attributing breaches to DragonForce and Scattered Spider, DataBreaches was\r\nseeing — or thought she was seeing — indications of involvement by ShinyHunters.\r\nDataBreaches’ investigation into the PowerSchool attack and extortion attempt — and then the second round of\r\nextortion attempts — had yielded a ToxID and a BTC wallet used by the threat actors/extortionists.\r\nDataBreaches first reached out to the Tox account on June 11 to ask about the second round of extortions, but\r\nreceived no reply at the time. DataBreaches also attempted to do a blockchain analysis of the BTC wallet that was\r\nin the extortion demand email. That analysis eventually led to two payments made to the wallet that would be\r\nconsistent with what a source had told me — PowerSchool paid almost $3 million to the wallet, divided into two\r\npayments over five days. But there was also another payment DataBreaches spotted — one for 4 BTC on June 4.\r\nAt the time, DataBreaches did not know the source of that payment, but later learned from a source with\r\nknowledge of the situation that LVMH had informed law enforcement that they had paid ShinyHunters 4 BTC in\r\nresponse to extortion demands stemming from attacks on some of its brands, including Dior and Tiffany.\r\nSo ShinyHunters wasn’t just allowing their name to be used as part of extortion demands. They were also\r\nreceiving payments.\r\nOn some date unknown to DataBreaches, a new Telegram account appeared: @Sp1d3rhunters. Was this an\r\naccount used for collaboration between ShinyHunters and Scattered Spider? Was it a troll?\r\nDataBreaches messaged that account yesterday with a question: “So.. 
is there going to be any announcement that\r\nShinyHunters and ScatteredSpider are merging, or will there be any formal acknowledgement of collaboration on\r\nsome activities?”\r\nSomewhat to my surprise, I received an answer. And even more shockingly, it appeared to be from ShinyHunters\r\nhimself — the leader/owner of ShinyHunters who was supposed to be in a prison in France. I will refer to him as\r\n“Shiny” in the following section. As background, DataBreaches has chatted with “Shiny” many times over the\r\npast few years. Many of the chats occasionally wander off into other matters where only he would know what we\r\nhad discussed and what he had said in the past.\r\nWhoever answered me certainly wrote like Shiny, but given that France had announced his arrest and the person\r\nthey arrested is still currently detained in prison there, I needed to try to authenticate whoever was answering me\r\non this Telegram account. While the obvious inquiry might be for a PGP-signed message, sources had told me that\r\nmore than one person had access to the PGP key, so that would not be conclusive. Over the course of the ensuing\r\nchat, I asked Shiny some questions that only he and I would know the answers to, based on our previous chats\r\nover the past few years. And because the chat was in real-time, I could see that there was no hesitation or delay in\r\nanswering certain questions. The person I refer to as Shiny is a high-IQ individual, possibly diagnosed with ASD,\r\nand he has an amazing memory for past conversations and events. Towards knowledge-based authentication\r\n(KBA):\r\nOne of the first questions I asked him was to name someone we both hated. Without hesitation, he correctly\r\nnamed the person and added three aliases the individual used. 
I’ve redacted his answer in the screengrab, but it\r\nwas correct.\r\nDuring the chat, Shiny also showed me several screengrabs of chats of ours in the past.\r\nAt one point, he spontaneously inquired about someone he had asked me about several times in the past —\r\nsomeone he cares about. He asked how that person was doing now, which is a question he had often asked me.\r\nShiny also made other statements about his interactions with someone that I won’t describe here except to say that\r\nhis statements were fairly specific and I was able to confirm the accuracy of his claims.\r\nAt another point, I asked him about a former moderator and he abruptly answered that he didn’t care about that\r\nperson. His dismissive response was totally consistent with his past comments to me about that person.\r\nNot once during our chat did Shiny claim he didn’t remember in response to any question I asked him. And the\r\nwriting style was totally consistent with all of our past chats.\r\nIf I was being trolled, this was the best troll ever.\r\nBut if I wasn’t being trolled and if Shiny isn’t in a French prison and being represented by Juan Branco, then who\r\nis sitting in that prison? Did French law enforcement really make two incorrect arrests or attributions?\r\nThe media had reported that the lawyer representing the French national accused of being “TriHash” was not\r\n“TriHash,” but was a student. DataBreaches does not know what has happened in that case, but “TriHash,” who is\r\nalso known as “Hollow,” appears to be active on the resurrected BreachForums as an administrator, and Shiny also\r\nvolunteered that French law enforcement had not caught him. That leaves the supposed leader, who Shiny says is\r\nnot him, “Noct” and “Depressed.” DataBreaches does not know what each of those men is actually charged with,\r\nbut Shiny stated that “Noct” was known more recently as Sanggiero on BreachForums. 
Shiny described Sanggiero\r\nas an “affiliate,” but see the update of August 13 below this post.\r\nAs to who Juan Branco is representing, Shiny claims that Branco’s client is just an associate, and compared the\r\nsituation to the arrest of “Sezyo” (Sebastien Raoult), where law enforcement made a big deal about someone who\r\nwas not a major factor. In email communications to DataBreaches, Branco agrees with Shiny that his client is not\r\nthe leader of ShinyHunters.\r\nSo Now Back to the Two Groups or One Group Question\r\nBecause it seemed that the person I was chatting with was really the leader of ShinyHunters, I returned to my\r\noriginal question:\r\nDissent: There is talk that SH is coming up with its own ransomware. Is that true, or were they talking\r\nabout Scattered Spider? I think the two groups are getting mixed up sometimes.\r\nShiny: Both groups are the same now.\r\nDissent: But no wedding announcement and wedding invites? OK. 🙂\r\nShiny: They’ve always been the same.\r\nShiny: Who says PowerSchool wasn’t done by Scattered Spider lol\r\nDataBreaches does not know whether they truly have always been the same, but the question about Scattered\r\nSpider being involved in PowerSchool gave me pause. Matthew Lane had acquired an employee’s credentials\r\nfrom an infostealer, a method that is frequently seen in Scattered Spider attacks. Was Lane overlapping with\r\nScattered Spider or someone in “The Com?” DataBreaches does not know, but Shiny also commented to\r\nDataBreaches that the second extortion attempts had not been authorized by him:\r\nI’ve had some affiliates who don’t listen. 
I didn’t extort PS clients, the affiliates took it upon themselves to extort\r\nPS clients for more money.\r\nIs Your Head Spinning Yet?\r\nEven though “Sp1d3rhunters” doesn’t seem to be any official name for the combination, it may be the most\r\naccurate way to think of them going forward.\r\nDataBreaches has been shown some of the recent court injunctions stemming from cyberattacks on Qantas in\r\nAustralia and the Legal Aid Agency (LAA) in the UK. Both injunctions were served on ShinyHunters. If\r\nScattered Spider was also involved and if the two entities are not really one group, are the injunctions somewhat\r\ndeficient if they don’t also name Scattered Spider as defendants to be bound by the terms of the injunction?\r\nBut for now: did France really arrest the man who is the leader of ShinyHunters? If they did, who has taken over\r\nand who was able to answer so many questions yesterday on Telegram? And if France didn’t arrest the leader as\r\nthey had claimed to have done, do they know they didn’t get him?\r\nDataBreaches has tried to reach out to the FBI to see if they believe that France has arrested the leader of\r\nShinyHunters. If a response is received, this post will be updated.\r\nUpdate of August 13: In a Telegram channel today, a voice chat purportedly involving Baphomet, Sanggiero,\r\nand others was posted. Shiny wrote, “Here we go again, another episode of (fed) BreachForums. I’m sure we all\r\nknow that Baphomet and some know Sanggiero were feds.” This seems to contradict what he said recently that\r\n“Noct” was “Sanggiero,” and “Sanggiero” was an “affiliate.” DataBreaches asked Shiny to explain what seemed\r\nlike a contradiction, and he explained that when he called someone a “fed,” it didn’t necessarily mean an\r\nemployee of the FBI. 
The term is also used to describe someone who may have been raided or caught and then\r\nsnitches or reveals information on others to the FBI during interrogations.\r\nSource: https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/"
	],
	"report_names": [
		"are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-10T02:00:03.482199Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-10T02:00:03.657424Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70929bd1-2bf9-4689-bfff-2bc6b113d3ed",
			"created_at": "2026-01-20T02:00:03.666874Z",
			"updated_at": "2026-04-10T02:00:03.916254Z",
			"deleted_at": null,
			"main_name": "UNC6040",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6040",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775701422,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba1dea5cff18fff646a1a4e7aa1344b8fe869fa1.pdf",
		"text": "https://archive.orkl.eu/ba1dea5cff18fff646a1a4e7aa1344b8fe869fa1.txt",
		"img": "https://archive.orkl.eu/ba1dea5cff18fff646a1a4e7aa1344b8fe869fa1.jpg"
	}
}