August 12, 2025 – A major shift in the cybercrime landscape may be unfolding as two well-known threat actors — ShinyHunters and Scattered Spider — appear to be joining forces to target businesses, according to new intelligence.
Recent findings suggest that an ongoing data extortion campaign aimed at Salesforce customers could soon expand to include financial services and technology providers. This marks a notable change in approach for ShinyHunters, historically known for credential theft and database exploitation.
Evolving Tactics Beyond Credential Theft
According to a report by ReliaQuest, the latest activity attributed to ShinyHunters reflects a significant tactical evolution. These operations now incorporate methods commonly associated with Scattered Spider, such as:
- Highly targeted vishing (voice phishing) campaigns combined with social engineering.
- Use of malicious apps disguised as legitimate software.
- Deployment of Okta-branded phishing pages to capture credentials during vishing calls.
- Routing data exfiltration through VPN services so that the traffic's true origin is obscured.
ShinyHunters, active since 2020, has built a reputation for large-scale corporate data breaches, often selling stolen data on underground forums like RaidForums and BreachForums. Notably, the persona has played both participant and administrator roles on these platforms, partnering in the past with figures like “Baphomet” to relaunch BreachForums.
Links to Salesforce-Targeted Campaigns
Although the most recent relaunch of BreachForums in June 2025 was short-lived, with the site going offline within days, ShinyHunters has since been tied to a string of global extortion incidents targeting Salesforce environments. Google is tracking this activity under the identifier UNC6240.
These developments occurred around the same time French authorities arrested four individuals suspected of operating BreachForums — allegedly including ShinyHunters. The threat actor, however, has denied the charges, suggesting that an associate may have been apprehended instead.
Emergence of “ShinySp1d3r” and Ransomware Ambitions
On August 8, a Telegram channel titled “scattered lapsu$ hunters” appeared, linking ShinyHunters, Scattered Spider, and the LAPSUS$ group. Members claimed they were developing a ransomware-as-a-service platform named ShinySp1d3r, intended to compete with LockBit and DragonForce. The channel vanished only three days later.
Both Scattered Spider and LAPSUS$ have ties to The Com, a loosely organized but experienced English-speaking cybercriminal network engaged in SIM swapping, extortion, and physical crimes.
Phishing Infrastructure Analysis
ReliaQuest identified a coordinated setup of phishing domains imitating Salesforce login pages, designed to steal credentials from employees at major organizations. The infrastructure resembles that used in Scattered Spider campaigns impersonating Okta SSO portals.
A review of over 700 domains registered in 2025 that match Scattered Spider’s phishing patterns revealed a 12% rise in domains targeting financial institutions since July, coupled with a 5% decrease in those targeting tech companies. This suggests banks, insurers, and financial services may be the next primary targets.
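The domain review described above rests on a naming heuristic: lookalike registrations that combine a victim brand with a login, SSO or help-desk keyword (the "<brand>-okta", "<brand>-sso" style publicly associated with Scattered Spider). The following Python script is an added example, not code from ReliaQuest or the article, showing how such a heuristic can be run over a list of newly registered domains and bucketed by target sector and registration window. The keyword list, the placeholder brand names, the brand-to-sector mapping and the registration dates are all assumptions constructed for the example; none are real observations.

```python
import re
from collections import Counter
from datetime import date

# Lure keywords assumed for this example. They follow the publicly reported
# "<brand>-sso" / "<brand>-okta" / "<brand>-helpdesk" naming convention; the
# list itself is not taken from the article.
LURE_RE = re.compile(
    r"^(?:okta|sso|salesforce|helpdesk|servicedesk|vpn|login|mfa)(?:login|portal|auth)?$"
)

# Apex domains of the impersonated vendors. Their own subdomains (for example
# a customer's real Okta tenant) must never be flagged.
LEGIT_APEX = {"okta.com", "salesforce.com"}

# Brand-to-sector lookup assumed for the example (placeholder brands, not real
# organisations). In practice this would come from a brand/asset inventory.
SECTOR_BY_BRAND = {
    "examplebank": "financial",
    "acmeinsure": "financial",
    "widgettech": "technology",
    "cloudcorp": "technology",
}

# Constructed sample of "newly registered" domains with registration dates.
SAMPLE_RECORDS = [
    ("examplebank-okta.com", date(2025, 6, 3)),
    ("widgettech-sso.com", date(2025, 6, 10)),
    ("cloudcorp-helpdesk.net", date(2025, 6, 21)),
    ("examplebank-sso.com", date(2025, 7, 2)),
    ("acmeinsure-oktalogin.com", date(2025, 7, 14)),
    ("login-acmeinsure-salesforce.com", date(2025, 7, 20)),
    ("widgettech-vpn.com", date(2025, 7, 25)),
    ("examplebank.okta.com", date(2025, 7, 26)),  # legitimate tenant, not a lure
    ("myrecipes-blog.org", date(2025, 7, 28)),    # unrelated registration
]
CUTOFF = date(2025, 7, 1)  # assumed split between the two comparison windows


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'examplebank-okta' for
    'www.examplebank-okta.com'. Simplification: the last label is treated as
    the TLD, so multi-part public suffixes such as .co.uk are not handled."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str):
    """Return (is_lure, brand, sector) for one domain.

    A domain is treated as a lure when its registrable label mixes at least
    one login/SSO keyword with at least one non-keyword token (the
    impersonated brand), and it is not the vendor's own apex domain or a
    subdomain of it."""
    d = domain.lower().rstrip(".")
    if d in LEGIT_APEX or d.endswith(tuple("." + a for a in LEGIT_APEX)):
        return False, None, None
    tokens = [t for t in registrable_label(d).split("-") if t]
    lure = [t for t in tokens if LURE_RE.fullmatch(t)]
    brand = [t for t in tokens if not LURE_RE.fullmatch(t)]
    if not lure or not brand:
        return False, None, None
    brand_name = "".join(brand)
    return True, brand_name, SECTOR_BY_BRAND.get(brand_name, "unknown")


def sector_counts(records, cutoff):
    """Count lure domains per target sector, split into those registered
    before the cutoff and those registered on or after it."""
    before, after = Counter(), Counter()
    for domain, registered in records:
        is_lure, _, sector = classify_domain(domain)
        if not is_lure:
            continue
        (after if registered >= cutoff else before)[sector] += 1
    return before, after


def sector_share(counter, sector) -> float:
    """Fraction of flagged domains in a window that target the given sector."""
    total = sum(counter.values())
    return counter[sector] / total if total else 0.0


if __name__ == "__main__":
    before, after = sector_counts(SAMPLE_RECORDS, CUTOFF)
    for label, c in (("before cutoff", before), ("after cutoff", after)):
        print(f"{label}: {dict(c)}  financial share={sector_share(c, 'financial'):.2f}")
```

The split on "-" is deliberately narrow: it catches the hyphenated brand-plus-keyword pattern the text describes while leaving the vendor's own tenant subdomains and unrelated registrations alone. Anything more aggressive (substring matching, typosquat distance) raises recall at the cost of false positives and should be reviewed by hand before it feeds a blocklist.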
Evidence of a Long-Running Partnership
Indicators of collaboration between ShinyHunters and Scattered Spider include:
- Overlapping target sectors such as retail, insurance, and aviation.
- Similar timing of past attacks.
- A BreachForums account named “Sp1d3rHunters”, linked to prior ShinyHunters incidents and created in May 2024.
If these connections hold, researchers believe the groups may have been working together for over a year, aligning operations for maximum impact.
Source: https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html