ShinyHunters, a financially motivated threat group that emerged in May 2020, has made their return to push a trove of data allegedly stolen from U.S. telecommunications company AT&T, according to Digital Shadows, who could not independently verify the integrity of ShinyHunters’ claims. 

In a new report, The Eeveelution of ShinyHunters: From Data Leaks to Extortions, Digital Shadows retraces their steps and analyzes the threat group’s origin and how they evolved over the past months.

Primarily active on criminal forums, ShinyHunters first emerged in 2020, advertising 91M Tokopedia user records on the Empire Market dark web marketplace. Digital Shadows observed them engaging in the sale and disclosure of data sets obtained from organizations within various sectors, including education, media and technology. Additionally, the group has progressively moved from selling breached data to exposing it for free, thus contributing to its wide popularity among other cybercriminals.

The threat group, according to the Digital Shadows Photon Research Team, has maintained a low level of activity since July 2020, with extensive periods of inactivity that lasted between one or two months and usually followed by a surge of victims being posted on criminal forums. Taking periods of general inactivity is not an uncommon theme within cybercriminals, and typically, these periods are a moment to improve or develop new products and moments of high activity below the surface.

In 2020, the threat group was the protagonist of attacks against rival criminal forum Hackforums when they defaced their website and replaced its material with Pokemon references. Later that month, ShinyHunters also updated their Raidforums bio to brag about that defacement, Digital Shadows reports. 

Undoubtedly a very respected and well-known threat actor in the cybercriminal scene, security researchers have highlighted that ShinyHunters has not been able to amass a great fortune compared to other cybercriminal activities. However, recently, the group has evolved its tactics to include extortion attempts and data breaches, likely due to ransomware gangs’ skyrocketing revenue. 

Now, ShinyHunters are extorting victims that they have successfully infiltrated, especially those within the U.S., putting their data up for auction. This strategy closely aligns with extortion-based threat actors, specifically ransomware groups who exfiltrate data and threaten to expose data unless the victim pays a ransom, the Photon Research Team says. In case you’d need a refresher on how ransomware groups conduct these attacks, here’s Digital Shadows’ Q2 ransomware roll-up.

On Aug. 17, 2021, the group created a post offering data sale for the American telecommunications company AT&T titled “AT&T Database +70M (SSN/DOB)” in an English-language cybercriminal forum. The group put the stolen data up for auction in this post, marking the first time they publicly auctioned data. The auction was initially priced at $200,000 for the starting bid, $30,000 for subsequent offers, and $1,000,000 for the blitz price to bypass the auctions process.

Many users replied to the post expressing interest in the offering, stating that they plan to wait until ShinyHunters leaks it for free (which ShinyHunters has traditionally done after having sold the original data for a while). However, things seem different this time as the threat group replied on the same day, stating that they won’t be leaking the data for free if it is sold.

At the time of writing, the original post has allegedly been deleted by the forum moderators. Security researchers initially imagined this removal confirmed AT&T claims that the data auctioned did not come from their systems. However, according to ShinyHunter’s good friend and known threat actor “pompompurin,” the forum moderators removed the post because it included social security numbers - a practice banned on that forum. 

At the time of writing, Digital Shadows could not corroborate independently whether the auctioned data actually belongs to AT&T. It could well be a P.R. stunt by ShinyHunters. Or, it is also possible that the threat group successfully managed to infiltrate and extract sensitive data from AT&T. “It certainly wouldn’t be the first time a compromised organization denies being breached before admitting it a few weeks later,” Digital Shadows says.

ShinyHunters have proved to be a careful threat actor, focused on developing tactics to build a well-respected persona in the cybercriminal space. Their transition to extortion-based attacks highlights the group’s wish to adapt its tactics and expand revenue streams. Overall, having gained the community's support by sharing troves of data for free, it’s highly likely we’ll eventually hear again from this unique threat group, the Photon Research Team says.