A voice phishing (vishing) campaign attributed to the cybercrime group ShinyHunters has targeted more than 100 high-value organizations across multiple industries, making it one of the most extensive identity-based intrusion campaigns observed in early 2026.
The attacks target single sign-on (SSO) platforms through real-time social engineering backed by adversary-in-the-middle phishing infrastructure, letting the operators bypass any multi-factor authentication (MFA) that is not phishing-resistant and exfiltrate corporate data from the SaaS applications behind the SSO portal.
Scale and Scope of the Offensive
Security researchers at Silent Push identified infrastructure deployment patterns indicating that approximately 100 enterprises have been actively targeted within a 30-day period ending in late January 2026.
The victim profile spans critical sectors including financial services, biotechnology, technology, retail, legal services, telecommunications, and healthcare. Notable organizations identified as targets include Canva, Atlassian, Epic Games, HubSpot, Moderna, ZoomInfo, RingCentral, and WeWork.
Mandiant, the incident response division of Google Threat Intelligence Group, confirmed tracking "a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to successfully compromise SSO credentials from victim organizations, and enroll threat actor controlled devices into victim MFA solutions".
Charles Carmakal, Chief Technology Officer at Mandiant Consulting, characterized the operation as active and ongoing, with attackers pivoting into SaaS environments to exfiltrate sensitive data following initial access.
Confirmed breaches have followed. SoundCloud disclosed a December 2025 breach affecting approximately 20 percent of its user base, roughly 28 million accounts, although the group has since said that intrusion came from a separate campaign (see below).
Financial advisory firm Betterment confirmed unauthorized access on January 9, 2026, when attackers gained entry through social engineering against marketing and operations teams. Business intelligence platform Crunchbase acknowledged data exfiltration of certain documents from its corporate network, with ShinyHunters claiming theft of more than 2 million records.
Sophisticated Attack Methodology
The operational framework employed by ShinyHunters represents a significant evolution in social engineering tactics. Threat actors initiate voice phishing calls to targeted employees, impersonating IT support personnel while simultaneously manipulating custom phishing sites that victims access during the call.
These phishing kits incorporate real-time command-and-control panels enabling attackers to dynamically alter authentication flow displays in victims' browsers, synchronizing visual prompts with verbal instructions delivered over the phone.
Brett Winterford, Vice President at Okta Threat Intelligence, explained that researchers have observed at least two phishing kits demonstrating real-time capability to mimic authentication flows of major identity providers.
The kits are sold as a service; captured credentials and time-based one-time passwords are relayed to the operators over Telegram channels. Okta security researcher Moussa Diallo noted that this synchronization lets attackers defeat any form of MFA that is not phishing-resistant.
The technical execution follows a predictable sequence. Attackers conduct reconnaissance on targeted organizations using publicly available information from LinkedIn and corporate websites.
Initial contact typically involves spoofed caller IDs displaying legitimate corporate numbers, with threat actors claiming urgent IT issues requiring immediate resolution. Victims are directed to adversary-in-the-middle phishing sites that mimic legitimate login portals for Okta, Microsoft Entra, or Google SSO platforms.
As victims enter credentials, attackers simultaneously submit the stolen information to authentic services. When multi-factor authentication challenges appear, the phishing kit updates in real-time to instruct victims to enter verification codes, approve push notifications, or select specific numbers for number-matching MFA.
This orchestrated approach successfully bypasses standard MFA implementations that rely on push notifications, time-based one-time passwords, or SMS codes.
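The reason a relayed one-time code works is that the code is a bearer secret with no tie to the page the victim typed it into: the real identity provider only checks that the digits match the current 30-second step (plus a small tolerance). The following Go program is an added example, not code from the article or from any vendor it quotes. It implements RFC 4226/6238 HOTP/TOTP from scratch and models the relay: the victim reads the code from their authenticator app into the fake page, and the attacker replays it to the real IdP a few seconds later. All names (`IdP`, `Victim`, `relayAttack`) and the secret are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// hotp computes a 6-digit RFC 4226 HOTP value for a counter.
func hotp(secret []byte, counter uint64) int {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	code := (uint32(h[off]&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])) % 1000000
	return int(code)
}

// totp returns the RFC 6238 code for a Unix timestamp with a 30-second step.
func totp(secret []byte, unix int64) int { return hotp(secret, uint64(unix/30)) }

// IdP models the real identity provider: it knows the user's TOTP secret and,
// like most deployments, accepts the current step or one step either side.
type IdP struct{ secret []byte }

func (p IdP) Verify(code int, now int64) bool {
	for _, skew := range []int64{-30, 0, 30} {
		if totp(p.secret, now+skew) == code {
			return true
		}
	}
	return false
}

// Victim models the employee's authenticator app: it shows whatever code is
// current, and the employee types it into the page they are looking at.
type Victim struct{ secret []byte }

func (v Victim) ReadAuthenticator(now int64) int { return totp(v.secret, now) }

// relayAttack models the phishing kit. The victim enters the code on the fake
// login page (attacker-controlled); the attacker submits the same digits to
// the real IdP relayDelaySeconds later. Returns whether the IdP accepted them.
func relayAttack(idp IdP, victim Victim, now int64, relayDelaySeconds int64) bool {
	captured := victim.ReadAuthenticator(now)          // typed into the fake page
	return idp.Verify(captured, now+relayDelaySeconds) // replayed by the attacker
}

func main() {
	secret := []byte("constructed-demo-secret-not-real") // constructed for the demo
	idp, victim := IdP{secret}, Victim{secret}
	now := time.Now().Unix()
	fmt.Println("relay after 5s accepted:  ", relayAttack(idp, victim, now, 5))
	fmt.Println("relay after 120s accepted:", relayAttack(idp, victim, now, 120))
}
```

Nothing in `IdP.Verify` can tell the attacker's browser from the victim's, which is why the same relay defeats push approvals and number matching as well: the kit simply shows the victim the number to pick. Only the relay latency matters, and a live operator on the phone keeps it well inside the window.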
For attacks on Salesforce environments, ShinyHunters has abused OAuth authorization rather than passwords. Victims are guided to Salesforce's own connected-app authorization page and told to enter a short code (the OAuth device authorization flow), which approves an attacker-controlled connected app, often a modified copy of the Salesforce Data Loader, to act on the organization's account.
Once the OAuth access and refresh tokens are issued, the attacker has direct API access with no further user interaction and no MFA prompt, and can pull data in bulk while sidestepping detections keyed to interactive login events.
Alliance Structure and Operational Network
ShinyHunters operates within a broader criminal alliance known as Scattered LAPSUS$ Hunters (SLSH), which emerged in August 2025 as a federated collaboration between three distinct cybercrime groups: Scattered Spider, LAPSUS$, and ShinyHunters.
This "supergroup" structure combines Scattered Spider's expertise in social engineering and help-desk manipulation, LAPSUS$'s proficiency in insider recruitment and source code theft, and ShinyHunters' refined capabilities in large-scale data harvesting and extortion.
The operational structure functions as a situational alliance rather than a formal merger, with members collaborating across multiple cybercriminal groups while maintaining operational independence.
EclecticIQ analysts assessed with high confidence that ShinyHunters leader ShinyCorp (also known as sp1d3rhunters or shinyc0rp on Telegram) recruited cybercriminals through eCrime communities including Scattered Spider and The Com. This cross-membership integrates ShinyHunters into the broader eCrime ecosystem, enabling exchange of tools, techniques, and operational knowledge that enhances attack effectiveness.
ShinyHunters affiliates have utilized VoIP-based calling services including Twilio, Google Voice, and 3CX for vishing operations. The group has also abused legitimate AI-powered voice call platforms such as Vapi and Bland to automate social engineering calls at scale.
ShinyCorp actively recruits voice call phishing experts through Telegram groups such as Sim Land, an underground community operated by The Com members that enables financially motivated actors to exchange knowledge, sell services, and collaborate on SIM swapping, voice phishing, and financial fraud.
In August 2025, the Telegram channel "scattered LAPSUS$ hunters 4.0," operated by ShinyHunters, posted recruitment messages seeking insiders at enterprise organizations who could provide access to Okta, Microsoft SSO, Citrix VPN, or Git version control solutions like GitHub and GitLab.
ShinyCorp offered financial rewards to employees in finance, insurance, aviation, telecommunications, automotive, retail, hospitality, energy, and investment companies in exchange for providing network access.
Confirmed Victims and Data Exposure
ShinyHunters relaunched its Tor-based data leak site in late January 2026, listing breaches at SoundCloud, Betterment, Crunchbase, and food delivery platform Grubhub.
The group confirmed to media outlets that only Crunchbase and Betterment breaches originated from the SSO vishing campaign, stating that the data leak site features victims from multiple previous and ongoing campaigns.
Data samples published by ShinyHunters include user lists with full names, contact information, addresses, job data, contracts between companies and partner firms, and internal documents detailing business operations.
For Crunchbase specifically, leaked materials allegedly included signed contracts and corporate intelligence extending beyond simple user email addresses. SoundCloud confirmed that compromised data consisted of email addresses and information already visible on public SoundCloud profiles, with passwords and financial information not compromised.
The broader impact of ShinyHunters operations throughout 2025 provides context for the current campaign's significance. In September 2025, the group claimed responsibility for breaching more than 200 organizations via a supply chain attack exploiting OAuth tokens between Gainsight and Salesforce.
Unit 42 researchers reported that ShinyHunters asserted having gained access to an additional 285 Salesforce instances by breaching Gainsight, accomplished using secrets obtained via a supply chain attack targeting Salesloft Drift in August 2025. The group claimed a 2025 victim count of approximately 1,500 organizations, with more than 1,000 publicly reported.
Law enforcement efforts have produced some disruption to the ShinyHunters network. French authorities arrested four members of ShinyHunters in June 2025—known online as ShinyHunters, Hollow, Noct, and Depressed—all in their twenties.
Another suspect known as IntelBroker, a British national, was arrested in February 2025 in a prior operation. Despite these arrests, the group successfully reconstituted operations and launched new campaigns, demonstrating resilience characteristic of decentralized criminal networks.
In January 2026, a disgruntled ShinyHunters member exposed the identities of over 323,000 BreachForums users, revealing usernames, emails, IP addresses, registration dates, and other metadata.
The cybercriminal identified only as "James" reportedly made the disclosure after becoming upset about cyberattacks targeting organizations in France, deciding to demonstrate that former compatriots are no longer able to anonymously launch cyberattacks. The database leak potentially provides law enforcement agencies with investigative leads for identifying members of the syndicate.
Financial Implications and Extortion Tactics
Voice phishing attacks carry substantial economic consequences for targeted organizations. Research indicates that vishing attacks cost organizations $14 million annually on average, with recovery costs from major voice phishing attacks averaging $1.5 million.
Voice phishing attacks increased 442 percent in the second half of 2024 compared to the first half of the year, reflecting the accelerating threat trajectory.
ShinyHunters employs a standard extortion model following data exfiltration. Threat actors approach victim organizations with ransom demands, threatening to publish stolen data if payment is not received.
In communications with companies, ShinyHunters emphasized that Salesforce remains their primary interest and target, with other platforms serving as "benefactors". The group operates a data leak site branded as "Scattered LAPSUS$ Hunters" that publicly shames companies to pressure ransom payments.
Salesforce has consistently stated it will not engage, negotiate with, or pay any extortion demands.
The company emphasized that thefts attributed to ShinyHunters did not originate from vulnerabilities within the core Salesforce platform, but rather from social engineering tactics like vishing and OAuth manipulation that exploit human factors rather than technical security flaws.
Defense Strategies and Mitigation Measures
Security experts universally recommend transitioning to phishing-resistant multi-factor authentication as the most effective technical control against this attack vector.
Phishing-resistant MFA methods include FIDO2 security keys, passkeys, and Okta FastPass. They rely on public-key cryptography and bind each authentication to the web origin the browser is actually on: the authenticator signs a server-issued challenge together with that origin, so a response produced on a phishing domain is not valid for the real identity provider, and there is no code or shared secret for the victim to read out over the phone.
Okta specifically recommends that organizations enforce phishing-resistant MFA for all access to SSO and integrated applications. During the 2022 SMS phishing campaign that compromised Twilio and other technology companies, Cloudflare received the same lure but was not breached, because the company required hardware security keys for all employees.
Although some employees clicked the phishing link and entered their credentials, the attackers could not complete authentication without the hardware keys.
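To make the origin-binding argument concrete, here is an added example in Go (not code from Okta, Cloudflare, or the article) that models a WebAuthn-style assertion with Ed25519. The browser, not the user, writes the page's origin into the client data, the authenticator signs a hash of that client data, and the relying party checks both the origin and the signature. The same vishing relay that defeats TOTP is replayed against it, first unmodified and then with the attacker rewriting the origin field. Type and function names (`Authenticator`, `RelyingParty`, `relayOutcome`, `tamperedOutcome`) and the challenge value are constructed for the demo; real WebAuthn has more fields (RP ID hash, flags, counter) than shown here.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors the WebAuthn CollectedClientData fields that matter here.
// The browser fills in Origin from the page that called navigator.credentials.get().
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a security key or passkey holding one private key.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty models the real IdP: it knows its own origin and the user's public key.
type RelyingParty struct {
	origin string
	pub    ed25519.PublicKey
}

// Assertion is what the browser returns: the client data and the signature over its hash.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// sign is what the browser and authenticator do together when a page at
// browserOrigin asks for an assertion on challenge.
func (a Authenticator) sign(challenge, browserOrigin string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	return Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, h[:])}
}

// Verify is the RP's (simplified) check: our challenge, our origin, valid signature
// over exactly the bytes the browser produced.
func (rp RelyingParty) Verify(expectedChallenge string, as Assertion) (bool, string) {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return false, "malformed client data"
	}
	if cd.Challenge != expectedChallenge {
		return false, "challenge mismatch"
	}
	if cd.Origin != rp.origin {
		return false, "origin mismatch: " + cd.Origin
	}
	h := sha256.Sum256(as.ClientDataJSON)
	if !ed25519.Verify(rp.pub, h[:], as.Signature) {
		return false, "bad signature"
	}
	return true, "ok"
}

// newPair registers a fresh authenticator with an RP at rpOrigin.
func newPair(rpOrigin string) (Authenticator, RelyingParty) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Authenticator{priv}, RelyingParty{rpOrigin, pub}
}

// relayOutcome reproduces the vishing flow: the attacker obtains a real challenge
// from the RP, forwards it to the victim, whose browser is on phishOrigin, and
// submits whatever comes back.
func relayOutcome(rpOrigin, phishOrigin string) (bool, string) {
	auth, rp := newPair(rpOrigin)
	challenge := "constructed-challenge" // random per login in practice
	return rp.Verify(challenge, auth.sign(challenge, phishOrigin))
}

// tamperedOutcome is the obvious follow-up: rewrite the origin in the client
// data to the real one before forwarding. The signature no longer matches.
func tamperedOutcome(rpOrigin, phishOrigin string) (bool, string) {
	auth, rp := newPair(rpOrigin)
	challenge := "constructed-challenge"
	as := auth.sign(challenge, phishOrigin)
	as.ClientDataJSON = bytes.ReplaceAll(as.ClientDataJSON, []byte(phishOrigin), []byte(rpOrigin))
	return rp.Verify(challenge, as)
}

func main() {
	rp, phish := "https://sso.example.com", "https://example-internal.com"
	fmt.Println(relayOutcome(rp, phish))    // false origin mismatch: https://example-internal.com
	fmt.Println(tamperedOutcome(rp, phish)) // false bad signature
	fmt.Println(relayOutcome(rp, rp))       // true ok
}
```

In a real browser the relay fails one step earlier: the credential is scoped to the IdP's RP ID, so a page on `example-internal.com` is never allowed to use it at all. The RP-side origin check modelled here is the defence in depth behind that, and it is what makes the victim's cooperation on the phone useless to the operator.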
Organizations should implement comprehensive monitoring for unauthorized access attempts to SSO dashboards, anomalous login detection and alerting, and review access restrictions to sensitive platforms.
Security teams should monitor for suspicious domains containing the company name plus "internal" (e.g.,
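An added example of that check, written for this article rather than taken from any of the vendors it cites: a Go function that scans a list of newly observed domains (constructed here; in practice a certificate transparency feed or a registrar watch) for the company name combined with a suspicious token. "internal" is the token the article names; the other keywords in the list are this example's own assumption about what such kits commonly register, and the suffix handling assumes one-label TLDs rather than consulting the Public Suffix List.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// keywords are tokens that, together with the company name, make a domain
// worth investigating. "internal" comes from the reporting; the rest are an
// assumption for this example.
var keywords = []string{"internal", "sso", "okta", "login", "vpn", "it-support", "helpdesk", "support"}

// Match records a flagged domain and the keyword that triggered it.
type Match struct {
	Domain  string
	Keyword string
}

// splitDomain returns the registrable label and apex for the common case of a
// one-label public suffix (sso.example.com -> "example", "example.com").
// A production tool would use the Public Suffix List instead.
func splitDomain(domain string) (label, apex string) {
	d := strings.ToLower(strings.TrimSuffix(domain, "."))
	parts := strings.Split(d, ".")
	if len(parts) < 2 {
		return d, d
	}
	return parts[len(parts)-2], strings.Join(parts[len(parts)-2:], ".")
}

// Flag returns candidates whose registrable label contains the company name
// plus a keyword (either order, hyphens ignored), skipping the organisation's
// own apex domains and their subdomains.
func Flag(company string, owned []string, candidates []string) []Match {
	company = strings.ToLower(company)
	ownedSet := map[string]bool{}
	for _, d := range owned {
		_, apex := splitDomain(d)
		ownedSet[apex] = true
	}
	var out []Match
	for _, d := range candidates {
		label, apex := splitDomain(d)
		if ownedSet[apex] {
			continue
		}
		flat := strings.ReplaceAll(label, "-", "")
		if !strings.Contains(flat, company) {
			continue
		}
		rest := strings.Replace(flat, company, "", 1)
		for _, k := range keywords {
			if strings.Contains(rest, strings.ReplaceAll(k, "-", "")) {
				out = append(out, Match{d, k})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Domain < out[j].Domain })
	return out
}

// sampleCandidates is constructed input standing in for a feed of newly
// observed domains, mixed with the organisation's own and unrelated ones.
var sampleCandidates = []string{
	"example-internal.com", "sso-example.net", "example.com", "helpdesk.example.com",
	"examplecorp.com", "okta-example-login.com", "unrelated-internal.com", "EXAMPLE-vpn.org",
}

func runDemo() []Match {
	return Flag("example", []string{"example.com"}, sampleCandidates)
}

func main() {
	for _, m := range runDemo() {
		fmt.Printf("%-26s matched keyword %q\n", m.Domain, m.Keyword)
	}
}
```

Hyphens are stripped before matching so `example-internal`, `exampleinternal` and `internal-example` are treated alike; subdomains of owned apexes (the help desk's real `helpdesk.example.com`) are deliberately excluded so the output is actionable rather than noisy.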
Employee education remains critical despite technical controls. IT and help desk teams require targeted training recognizing they are primary targets for social engineering attempts. Organizations should establish verification protocols for authentication reset requests, particularly those initiated through unexpected phone calls claiming urgency.
Security awareness programs should specifically address vishing scenarios where callers claim to represent internal IT support and request credential entry or application authorization.
Technical controls beyond authentication include setting network zones or tenant access control lists that deny access via anonymizing services favored by threat actors.
Organizations should implement policies requiring existing phishing-resistant authenticators before allowing new authenticator enrollments, and restrict authenticator enrollment by network location using enrollment policy rules. Regular audits of OAuth tokens and connected applications help identify unauthorized integrations that may indicate compromise.
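The connected-app audit recommended here is also the natural detection for the Salesforce OAuth abuse described earlier. The following Go program is an added example, not code from Salesforce or from the article, and its record schema is constructed: real Salesforce setup-audit and event-monitoring data use different field names and would need mapping into the `Grant` shape first. The trusted consumer key, egress prefix and threshold in `demoPolicy` are likewise assumptions, not published identifiers. The checks are the ones a reviewer would run after reading about the modified Data Loader: an app named like Data Loader whose consumer key is not the known one, a trusted key presented under a different app name, a device-flow grant from an off-network address, and a bulk export within a day of a new grant.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Grant is a constructed, simplified record of one OAuth authorization of a
// connected app.
type Grant struct {
	App          string `json:"app"`
	ConsumerKey  string `json:"consumer_key"`
	User         string `json:"user"`
	AuthorizedAt string `json:"authorized_at"` // RFC 3339
	Flow         string `json:"flow"`          // e.g. "device", "web_server"
	SourceIP     string `json:"source_ip"`
	RowsExported int    `json:"rows_exported_24h"`
}

// Policy holds what the organisation knows to be legitimate (assumed values).
type Policy struct {
	TrustedKeys   map[string]string // consumer key -> app name it belongs to
	CorpEgress    []string          // address prefixes treated as on-network
	BulkThreshold int               // rows per 24h that warrant review
}

// Finding is one reason a grant needs a human look.
type Finding struct {
	User, App, Reason string
}

func onNetwork(ip string, prefixes []string) bool {
	for _, p := range prefixes {
		if strings.HasPrefix(ip, p) {
			return true
		}
	}
	return false
}

// Audit applies the four checks described in the lead-in to every grant.
func Audit(grants []Grant, pol Policy, now time.Time) []Finding {
	var out []Finding
	for _, g := range grants {
		owner, known := pol.TrustedKeys[g.ConsumerKey]
		switch {
		case !known && strings.Contains(strings.ToLower(g.App), "data loader"):
			out = append(out, Finding{g.User, g.App, "named like Data Loader but consumer key is not the trusted one"})
		case known && !strings.EqualFold(owner, g.App):
			out = append(out, Finding{g.User, g.App, "trusted consumer key presented under a different app name"})
		}
		if g.Flow == "device" && !onNetwork(g.SourceIP, pol.CorpEgress) {
			out = append(out, Finding{g.User, g.App, "device-flow authorization from off-network address " + g.SourceIP})
		}
		if t, err := time.Parse(time.RFC3339, g.AuthorizedAt); err == nil {
			if now.Sub(t) < 24*time.Hour && g.RowsExported >= pol.BulkThreshold {
				out = append(out, Finding{g.User, g.App, fmt.Sprintf("%d rows exported within 24h of a new grant", g.RowsExported)})
			}
		}
	}
	return out
}

// sampleGrants is constructed input: one legitimate Data Loader grant, one
// impersonating grant with bulk export, and one trusted key under a new name.
const sampleGrants = `[
 {"app":"Salesforce Data Loader","consumer_key":"TRUSTED-DL-KEY","user":"ana@example.com","authorized_at":"2026-01-05T09:00:00Z","flow":"web_server","source_ip":"203.0.113.10","rows_exported_24h":1200},
 {"app":"Data Loader","consumer_key":"constructed-unknown-key","user":"ben@example.com","authorized_at":"2026-01-20T14:05:00Z","flow":"device","source_ip":"198.51.100.77","rows_exported_24h":2100000},
 {"app":"Reporting Tool","consumer_key":"TRUSTED-DL-KEY","user":"cy@example.com","authorized_at":"2026-01-19T10:00:00Z","flow":"web_server","source_ip":"203.0.113.22","rows_exported_24h":0}
]`

func demoPolicy() Policy {
	return Policy{
		TrustedKeys:   map[string]string{"TRUSTED-DL-KEY": "Salesforce Data Loader"},
		CorpEgress:    []string{"203.0.113."},
		BulkThreshold: 100000,
	}
}

func runDemo() []Finding {
	var grants []Grant
	if err := json.Unmarshal([]byte(sampleGrants), &grants); err != nil {
		panic(err)
	}
	now, _ := time.Parse(time.RFC3339, "2026-01-21T08:00:00Z")
	return Audit(grants, demoPolicy(), now)
}

func main() {
	for _, f := range runDemo() {
		fmt.Printf("%-16s %-24s %s\n", f.User, f.App, f.Reason)
	}
}
```

The point of keying on the consumer key rather than the display name is that the display name is what the attacker controls when they register their copy of the tool; the key is what Salesforce actually ties the token to. Running this daily against exported grant data gives the "regular audit" a concrete shape.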
Ongoing Threat Evolution
The ShinyHunters campaign represents broader shifts in cybercriminal operations toward identity-focused attacks that exploit trust mechanisms rather than technical vulnerabilities.
Research from Silent Push characterizes SLSH as a human-led, high-interaction operation designed to bypass even hardened MFA setups, contrasting with standard automated spray-and-pray attacks. The deployment of real-time phishing kits sold as a service enables multiple intrusion actors to conduct similar campaigns, increasing attack scale and frequency.
Security researcher Zach Edwards of Silent Push assessed that "this campaign demonstrates a high level of persistence and adaptability," noting that "the use of live interaction panels means that even organizations with MFA are vulnerable if their employees are successfully socially engineered".
Edwards projected that the targeting list would evolve rapidly as threat actors rotate through different sectors.
Regulatory environments are beginning to respond to identity-based threats. The Cybersecurity and Infrastructure Security Agency and Office of Management and Budget have issued mandates requiring phishing-resistant MFA for federal systems.
The National Institute of Standards and Technology's Digital Identity Guidelines (SP 800-63B) place verifier-impersonation-resistant hardware authenticators, such as FIDO2 security keys used as multi-factor authenticators, at the highest assurance level, AAL3. Organizations in regulated industries should evaluate whether their existing MFA implementations meet the evolving expectation of phishing resistance.
The ShinyHunters campaign demonstrates that single sign-on platforms, while providing operational efficiency and centralized access control, create concentrated targets with expansive lateral movement potential.
Compromise of SSO credentials provides gateway access to every connected enterprise application and service. This architectural reality elevates identity infrastructure to critical infrastructure status, requiring investment in phishing-resistant authentication proportional to the access scope SSO platforms enable.
As voice phishing attacks continue their trajectory (up 442 percent between the first and second halves of 2024) and generate billions in losses globally, organizations face pressure to implement defenses that match attacker sophistication.
The ShinyHunters campaign's success against standard MFA implementations validates security experts' longstanding assessment that shared secrets and user-entered codes represent fundamentally vulnerable authentication paradigms. Cryptographic authentication methods that eliminate these vulnerabilities offer demonstrable protection against even sophisticated, real-time social engineering operations.