Extortion-as-a-Service operating as a brand and a collective. AI-enabled vishing as primary access vector. 400+ organizations breached since 2020. The criminal operational model has been redesigned — and it scales.

By Thorsten Meyer — May 2026 · Software Security · Part 5

The previous pieces documented the offensive capability cascade (Copy Fail and Mythos), the disclosure framework collapse, the defensive deployment gap, and the OAuth permission apocalypse with shadow AI as multiplier. This piece is about who is operationally executing on the attacker side, and why their organizational model is structurally different from anything the threat-intelligence community has previously tracked.

ShinyHunters first surfaced in May 2020 as a database-theft collective. Six years later, the group has been linked to over 400 organizational compromises including Snowflake (165 customer environments, 2024), Salesforce (1,000+ orgs and 1.5 billion records, 2025-2026), Vercel/Context.ai (April 2026), Instructure/Canvas (275 million records across ~9,000 educational institutions, ongoing through May 12 as I write this), and dozens of consumer platforms — SoundCloud (29.8M users), Telus ($65M ransom demand), Wynn Resorts (800K+ records), Panera Bread, Grubhub, Pornhub, OpenAI’s Mixpanel analytics. The cumulative impact is larger than the operational scale of most nation-state APT groups in the historical threat-intelligence record.

But ShinyHunters is not a nation-state APT, and it is not even a traditional financially-motivated criminal organization. It is something new operationally. A criminal brand operating as a distributed collective within “The Com” alongside Scattered Spider, LAPSUS$, and other affiliated clusters. An Extortion-as-a-Service (EaaS) program with affiliate revenue share. AI-enabled voice phishing as primary access vector. A tiered monetization model spanning direct extortion, bulk data sales at up to $1 million per company, BreachForums administration fees, and crowd-sourced victim pressure campaigns. The operational model is structurally innovative in ways that prior threat intelligence frameworks struggle to capture.

This piece is the read on why ShinyHunters represents a new APT category, the operational evolution from 2020 to 2026, the AI capability layer making this scale possible, why traditional defensive frameworks are misaligned with this model, and what enterprise security leaders need to internalize about the threat actor landscape going forward.

The headline finding: the traditional APT framework — sophisticated state actor with proprietary capabilities, narrow target list, mission-driven persistence — has been replaced as the dominant enterprise threat by something operationally different. ShinyHunters is the canonical example of the new model: a brand, a collective, an affiliate program, an AI-enabled capability stack, and a monetization architecture that scales through the criminal economy. The defenders’ threat models need to update.

The Drift/Salesloft breach (1,000+ orgs, 1.5 billion records, July 2025-March 2026) was the proof-point at scale. The Vercel cascade (April 2026) was the AI-productivity-tool variant. The Canvas extortion campaign (April 25 – May 12 2026, 275 million records, ~9,000 educational institutions) is the current operational expression — happening in real time as this piece is being written. The next instance is already being staged.

ShinyHunters · The New APT Model.


The criminal operational model has been redesigned. Not a hierarchical organization. A brand within “The Com” with affiliated clusters, 25-30% affiliate revenue share, multi-stream business model spanning direct extortion ($65M Telus demand), bulk data sales ($1M per company), BreachForums administration, and crowd-sourced pressure. AI voice cloning crossed the indistinguishable threshold. The defensive frameworks have not yet caught up.

  • 400+ · Organizations breached, 2020-2026 cumulative · Snowflake · Salesforce · Vercel · Canvas · 100+ named victims
  • $65M · Telus ransom demand · March 2026 · 1+ PB stolen · FBI background data · CDRs · source code · Salesforce data
  • 25-30% · EaaS affiliate revenue share · multi-stream operational model: direct extortion + sales + admin + EaaS
  • <1 hr · Cordial Spider · initial compromise → exfiltration · sub-1-hour exfiltration, faster than human SOC triage
Infographic summary:
  • Five operational eras: 2020-2022 database theft → 2023-2024 credential stuffing → 2024-2025 OAuth supply chain → 2025-2026 AI vishing → 2026 productivity-tool cascade
  • 760+ companies · ReliaQuest / Computer Weekly · late 2025 – 2026 ShinyHunters campaign · most impactful vishing ever
  • The Com: ShinyHunters + Scattered Spider + LAPSUS$ + Cordial Spider + Snarky Spider + CoinbaseCartel
  • Voice cloning: VALL-E · 3 seconds of audio sufficient · Fortune 2026: “indistinguishable threshold” · biometrics bypassed
  • ShinySp1d3r: ChaCha20+RSA-2048 (Windows) · AES-256 (ESXi) · ransomware platform under development · escalation option ready
  • Defensive priorities: phishing-resistant MFA · helpdesk hardening · SaaS observability · AI-augmented SOC
Operational evolution · capability progression

Five eras. Each adds capability the previous era couldn’t execute.

From database theft on forums (2020) to AI-vishing-driven SaaS cascade (2026). Each era preserves prior capabilities while adding new ones. The current ShinyHunters operational stack spans all five.

Five operational eras · 2020-2026 ShinyHunters capability progression
Each era’s signature campaign demonstrated capability that became part of the permanent operational stack.
Era 01 · 2020-22 · Bulk theft · Database theft + forum monetization
Find SQL injection or exposed servers · exfiltrate data · sell on forums. Tokopedia 91M · Wishbone 40M · Wattpad 270M · Microsoft GitHub repos. Forum sales at tens of thousands per dataset. Arrests 2022-2025 across 5 countries; operations continued.
Signature: Tokopedia · 91M records
Era 02 · 2023-24 · Credential stuffing · Credential stuffing at cloud scale
Stolen credentials + weak/absent MFA = mass enterprise cloud access. ~165 Snowflake customers compromised. Verified victims: AT&T (109M records), Ticketmaster (560M), Santander, Advance Auto Parts. Economic model shift: per-database sales → multi-million extortion per company.
Signature: Snowflake · 165 customers · 2024
Era 03 · 2024-25 · OAuth supply chain · OAuth supply chain + SaaS integration abuse
Compromise third-party SaaS vendor → extract OAuth tokens → mass query customer environments. Drift/Salesloft Aug 2025 cascade. 1.5B records. 70+ lawsuits. FBI advisory CSA-2025-250912. Attempted to extort Salesforce itself. Cloudflare, Google, PagerDuty, Palo Alto, Proofpoint, Zscaler verified victims.
Signature: Drift/Salesloft · 700+ orgs · 1.5B records
Era 04 · 2025-26 · AI vishing · AI-enabled vishing + SSO compromise at scale
AI voice cloning + conversational agents + victim-branded credential harvesting + real-time MFA interception. Mandiant tracks UNC6661/UNC6671/UNC6240/UNC6395. 760+ companies in late-2025-into-2026 campaign. The capability that makes industrial scale possible.
Signature: 760+ companies · ReliaQuest tracking
Era 05 · 2026 · Current · Third-party supply chain cascade + AI-productivity-tool abuse
Compromised AI productivity tools cascade through OAuth grants to enterprise data. Vercel/Context.ai Apr 19 ($2M BreachForums). Anodot chain → Vimeo, Rockstar Games, Zara/Inditex. Canvas/Instructure ongoing through May 12: 275M records · 8,800+ institutions · finals-week portal defacement.
Signature: Canvas/Instructure · 275M records · ~9,000 schools
Organizational anatomy · why traditional APT frameworks miss this

Not a gang. A brand operating a collective.

Traditional threat intelligence describes APT groups in terms of attribution to specific named organizations. ShinyHunters doesn’t fit that framework. A criminal brand within “The Com” alongside Scattered Spider, LAPSUS$, Cordial Spider, Snarky Spider, CoinbaseCartel.

Three organizational properties · brand · collective · affiliate
Each property is structurally different from the traditional APT model. Together they produce an operational architecture that scales through the criminal economy.
▲ Property 01
A brand
Not a hierarchical organization. Multiple threat clusters operating under ShinyHunters branding. Mandiant tracks UNC6661/UNC6671/UNC6240/UNC6395. Attribution is structurally probabilistic, not deterministic. Branding is situational across operations.
4+ threat clusters under one brand
▲ Property 02
Within The Com
A loosely affiliated cybercriminal community of English-speakers including Scattered Spider, LAPSUS$, Cordial Spider, Snarky Spider, CoinbaseCartel. Members rotate, collaborate, fork. “Who ShinyHunters is” is not a stable answer. Defensive infrastructure focused on individuals misses the playbook.
6+ active clusters within The Com
▲ Property 03
An affiliate program
Formal Extortion-as-a-Service operation with 25-30% affiliate revenue share. Mirrors RaaS economics but applied to extortion-without-encryption. Removes the operational complexity of ransomware deployment while maintaining extortion leverage. ShinySp1d3r ransomware platform under development as an escalation option.
25-30% affiliate revenue share

The actual operational threat is the playbook itself — vishing → SSO compromise → SaaS exfiltration → extortion — replicated across dozens of clusters within The Com. Defending against ShinyHunters specifically is the wrong threat model. Defending against the playbook is the right one.

AI vishing capability stack · why scale is now operational

Voice cloning crossed the indistinguishable threshold.

The technical innovation enabling industrial-scale operations. 3 seconds of audio is sufficient. Voice biometrics are bypassed. Sub-1-hour compromise-to-exfiltration. IT helpdesks are the primary attack surface.

Five capability layers · industrialized AI vishing operation
Each layer is built on commercially available AI capability. Together they enable thousands of calls per day with conversational quality indistinguishable from real IT staff.
01 · Voice · Voice cloning models
VALL-E and similar models · 3 seconds of audio sufficient · public sources: LinkedIn videos, conference recordings, podcasts, executive interviews. Voice biometrics bypassed per Nature Machine Intelligence.
3 sec of audio sufficient
02 · Convo · Conversational AI agents
LLMs trained on customer service interactions · respond to questions, handle pushback, adapt to user behavior in real time. Static voice clone + dynamic conversation = operationally useful agent.
1,000+ calls/day at retailers
03 · Recon · Reconnaissance automation
AI scraping of company directories, LinkedIn, social media, leaked breach data. Each call references the employee’s manager, current projects, recent acquisitions, internal terminology. All from publicly available reconnaissance.
82.6% of phishing AI-generated
04 · MFA · Real-time MFA interception
Vishing-driven SSO phishing pages capture authentication tokens in real time. Victim-branded credential harvesting sites with Tucows-registered domains. Custom phishing kits with scripts controlling authentication flow in victim’s browser.
<1 hr compromise → exfil
05 · Multi · Multi-vector coordination
Email phishing + SMS smishing + voice vishing in coordinated sequences. Email primes target → SMS adds urgency → vishing call closes the loop with a verbal authorization request. 3.4 billion phishing emails per day globally.
3.4B phishing emails/day

The IT helpdesk is the primary attack surface because helpdesks exist to help. Their service-oriented design makes them inherently vulnerable to social engineering. Hardening requires removing helpfulness from the trust model. Mandatory video verification. Multi-person approval. Dedicated security channels.

Multi-revenue-stream business model · the EaaS architecture

Four revenue streams. A platform business.

ShinyHunters operates a multi-stream business model with revenue from direct extortion, bulk data sales, BreachForums administration, and affiliate revenue share. Structurally similar to legitimate platform economics, applied to extortion-without-encryption.

Four revenue streams · the EaaS business model
The structural innovation: applied platform economics to criminal extortion. Affiliates plug into infrastructure; ShinyHunters operates the platform; revenue share aligns incentives.
▲ STREAM 01
Direct extortion
$500K-$65M per company
Payment from compromised orgs to not publish data. Telus $65M demand · typical range $500K-$10M. “Pay or leak” model — no decryption keys needed.
▲ STREAM 02
Bulk data sales
$1M per company premium
Stolen datasets sold to ransomware affiliates and other criminal actors. EclecticIQ: ShinyCorp persona communicates via Telegram and qTox. Airline data at $1M per company.
▲ STREAM 03
BreachForums administration
Revenue from marketplace ops
Operating the cybercrime marketplace that hosts both ShinyHunters’ own data and third-party criminal data. Platform economics applied to criminal infrastructure.
▲ STREAM 04
EaaS affiliate revenue
25-30% affiliate share
Affiliates access ShinyHunters infrastructure in exchange for revenue share on successful extortions. Mirrors RaaS economics. Scales operations without scaling headcount.
New defensive framework · identity-centric posture

Defending against the playbook, not the actor.

Enterprise security needs to operate at AI-vs-AI speed against AI-enabled adversaries. Identity infrastructure hardening is the primary defense layer — not network perimeter, not endpoint detection. Structural shift from the 2010s defensive posture.

Five defensive priorities · identity-centric architecture
Each represents a structural shift from network-centric defense. Highest-leverage first.
▲ PRIORITY 01
HIGHEST LEVERAGE
Phishing-resistant MFA · everywhere.
FIDO2 security keys, passkeys, Windows Hello. Resist vishing-driven MFA bypass that current ShinyHunters operations rely on. SMS-based and push-based MFA are no longer adequate. Mandiant’s January 2026 guidance explicitly recommends transition.
▲ PRIORITY 02
HELPDESK HARDENING
Remove helpfulness from the trust model.
Live video verification for password and MFA resets. Multi-person approval for high-privilege identity changes. Dedicated authentication change channels. Mandatory ticketing for all authentication operations. Most enterprises have not implemented these controls.
▲ PRIORITY 03
SAAS OBSERVABILITY
Visibility into identity + SaaS activity.
Okta + Entra ID audit logs into SIEM. SharePoint/OneDrive download events. Salesforce SOQL query volume. UserAgent capture for PowerShell-based access. Without visibility, detection is structurally impossible.
▲ PRIORITY 04
WORKFORCE AWARENESS
Train workforce on AI vishing specifically.
Any incoming call requesting authentication changes is a security event regardless of who the caller claims to be. Voice familiarity is no longer authentication — AI cloning is indistinguishable from the real voice. Time pressure is an attacker tactic. Hang up, call back via the known internal phone tree, verify through ticketing.
▲ PRIORITY 05
IR READINESS
Build extortion playbooks · not just ransomware.
Most enterprises have ransomware playbooks but not extortion-without-encryption playbooks. Different decision tree on payment (no decryption keys to recover). Different regulatory landscape. Crowd-sourced pressure response · public-affairs strategy · affected-party notification.
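The helpdesk controls under Priority 02 expressed as a policy check, an added example rather than code from the article or any vendor. Request fields, the dedicated-channel name and the privileged-role list are assumptions; the point is that the caller’s claimed identity, voice familiarity and urgency are recorded but never become inputs to the decision.

```python
"""Policy-as-code for helpdesk identity changes: dedicated channel, mandatory
ticket, live video verification, and two independent approvers for any change
touching a privileged account. Added example; field names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass

AUTH_CHANGE_TYPES = {"password_reset", "mfa_reset", "mfa_device_enroll", "role_change"}
DEDICATED_CHANNELS = {"identity_change_portal"}   # assumed name; an inbound phone call never qualifies
PRIVILEGED_ROLES = {"global_admin", "okta_super_admin", "salesforce_admin"}  # assumed role names
REQUIRED_APPROVERS = 2


@dataclass(frozen=True)
class ChangeRequest:
    change_type: str
    subject: str                                  # account being changed
    channel: str                                  # how the request arrived
    ticket_id: str = ""
    video_verified: bool = False                  # live video session completed by an agent
    approvers: frozenset[str] = frozenset()
    subject_roles: frozenset[str] = frozenset()
    target_roles: frozenset[str] = frozenset()    # only meaningful for role_change
    caller_claims: str = ""                       # "I'm the CFO, I'm locked out": logged, never trusted
    urgent: bool = False                          # time pressure: logged, never lowers requirements


def is_high_privilege(req: ChangeRequest) -> bool:
    """A change touching an account that holds, or would gain, a privileged role."""
    return bool(req.subject_roles & PRIVILEGED_ROLES) or bool(req.target_roles & PRIVILEGED_ROLES)


def evaluate(req: ChangeRequest) -> list[str]:
    """Return the control violations; an empty list means the change may proceed."""
    if req.change_type not in AUTH_CHANGE_TYPES:
        return ["unknown_change_type"]
    violations: list[str] = []
    if req.channel not in DEDICATED_CHANNELS:
        violations.append("not_via_dedicated_channel")    # hang up, call back, use the portal
    if not req.ticket_id:
        violations.append("missing_ticket")                # mandatory ticketing
    if not req.video_verified:
        violations.append("missing_video_verification")   # voice familiarity is not authentication
    if is_high_privilege(req):
        independent = req.approvers - {req.subject}        # self-approval never counts
        if len(independent) < REQUIRED_APPROVERS:
            violations.append("insufficient_independent_approvers")
    return violations


# Constructed requests, not real tickets.
VISHING_STYLE = ChangeRequest("mfa_reset", "cfo", "inbound_phone", urgent=True,
                              caller_claims="CFO, travelling, locked out",
                              subject_roles=frozenset({"global_admin"}))
COMPLIANT = ChangeRequest("mfa_reset", "cfo", "identity_change_portal", ticket_id="INC-0001",
                          video_verified=True, approvers=frozenset({"it.lead", "sec.oncall"}),
                          subject_roles=frozenset({"global_admin"}))
SELF_APPROVED = ChangeRequest("role_change", "jdoe", "identity_change_portal", ticket_id="INC-0002",
                              video_verified=True, approvers=frozenset({"jdoe", "it.lead"}),
                              target_roles=frozenset({"okta_super_admin"}))

if __name__ == "__main__":
    for name, req in [("vishing-style", VISHING_STYLE), ("compliant", COMPLIANT), ("self-approved", SELF_APPROVED)]:
        print(name, evaluate(req) or "allowed")
```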

The traditional APT framework has been replaced. ShinyHunters is the canonical example of the new model — a brand, a collective, an affiliate program, an AI-enabled capability stack, a multi-revenue-stream business operation. The defenders’ threat models need to update.

— Software security · the new APT model · Part 5 · May 2026
Source dossier · the receipts
  • 732 Bytes to Root · the cost-curve collapse · Part 1
  • The 90-Day Window Closed · the disclosure collapse · Part 2
  • The Defender’s Counter-Cascade · the deployment gap · Part 3
  • The OAuth Permission Apocalypse · “Allow All” is the new SQL injection · Part 4
  • Halcyon · ShinyHunters threat actor profile · operational structure and EaaS affiliate model
  • Halcyon · Education Sector in the Crosshairs: ShinyHunters’ Extortion Campaign Against Instructure · May 2026
  • Google Cloud Threat Intelligence Group · Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft · Jan 2026
  • Google Cloud Threat Intelligence Group · Proactive Defense Against ShinyHunters-Branded Data Theft Targeting SaaS
  • Mandiant · UNC6661 / UNC6671 / UNC6240 / UNC6395 cluster designations
  • EclecticIQ · ShinyHunters Calling: Financially Motivated Data Extortion Group Targeting Enterprise Cloud Applications
  • Push Security · How three techniques are behind ShinyHunters’ 2026 campaigns · May 2026
  • SecurityWeek · ShinyHunters-Branded Extortion Activity Expands, Escalates · Feb 2026
  • MayhemCode · ShinyHunters Hacking Group Explained: 400 Companies Breached and Still Counting
  • ReliaQuest / Computer Weekly · 760+ target organizations · late-2025-into-2026 campaign
  • CrowdStrike · Cordial Spider · sub-1-hour compromise-to-exfiltration
  • Microsoft VALL-E research · 3-second voice cloning sufficient
  • Fortune 2026 deepfake outlook · “indistinguishable threshold”
  • FBI PSA250515 · May 2025 AI-generated voice impersonation warning
  • Group-IB · The Anatomy of a Deepfake Voice Phishing Attack · Aug 2025
  • Vectra AI · How Vishing Works and How to Stop It
  • KnowBe4 / SlashNext · 82.6% of phishing emails contain AI-generated content
  • Hoxhunt · 40% of BEC emails primarily AI-generated
  • FBI Cybersecurity Advisory CSA-2025-250912 · UNC6395 targeting Salesforce
  • Snowflake 2024 campaign · 165 customer environments · AT&T, Ticketmaster, Santander
  • ShinySp1d3r ransomware platform · ChaCha20+RSA-2048 Win / AES-256 ESXi · early 2026 status
Colophon · Part 5

Set in Source Serif 4, IBM Plex Sans, & IBM Plex Mono. Security-advisory aesthetic. Free to embed with attribution.

thorstenmeyerai.com

Software security · the new APT model · Part 5 of 5 · May 2026



I · The operational evolution · five capability eras

Understanding ShinyHunters requires understanding the capability progression. The group has gone through five distinct operational eras, each adding capability that the previous era couldn’t execute:

Era 1 · 2020-2022 · Bulk database theft + forum monetization

The original ShinyHunters model. Find SQL injection vulnerabilities or exposed database servers, exfiltrate data, sell on cybercrime forums. Targets included Tokopedia (91M records), Wishbone (40M), Animal Jam, Microsoft GitHub repositories, Dave (7.5M), Mathway (25M), Wattpad (270M), and dozens of others. The model was opportunistic and technical, not yet organized around extortion at scale.

Operationally: small group, individual contributors, technical exploitation focused. Revenue from forum sales of stolen databases — typically tens of thousands per dataset. Law enforcement actions against named members happened across France, Morocco, Canada, Turkey, and the United States between 2022 and 2025. Arrests focused on administrators, not the core capability developers. Operations continued uninterrupted after each enforcement action.

Era 2 · 2023-2024 · Credential stuffing at cloud scale

The transition era. The group recognized that stolen credentials from infostealer logs could be combined with weak or absent MFA on cloud platforms to gain mass enterprise access. The Snowflake campaign of 2024 was the proof-of-concept: approximately 165 Snowflake customer environments compromised through credential reuse against Snowflake accounts that hadn’t enabled MFA. Verified victims included AT&T (109M customer call records), Ticketmaster (560M records), Santander Bank, Advance Auto Parts, Pure Storage, Neiman Marcus.

Operational shift: the group moved from “find vulnerable database servers” to “find configuration gaps in cloud platforms used at enterprise scale.” The capability requirement was lower (no novel exploitation needed); the scale of impact was orders of magnitude larger. The economic model shifted from per-database forum sales to multi-million-dollar extortion demands per company.

Era 3 · 2024-2025 · OAuth supply chain and SaaS integration abuse

Building on Era 2, the group recognized that compromised third-party SaaS integrations could provide downstream access to enterprise data without requiring direct compromise of the enterprise itself. The Drift/Salesloft campaign of August 2025 was the canonical example (documented in detail in Part 4).

Operational chain: compromise a third-party SaaS vendor → extract their OAuth tokens for Salesforce → query 700+ customer Salesforce environments → exfiltrate Accounts, Opportunities, Cases, and embedded secrets (AWS keys, Snowflake credentials, other access tokens). The group attempted to extort Salesforce itself as part of the campaign — an indication of the operational ambition. Salesforce refused; the data was published on October 7, 2025 to mass coverage.

Verified victims: Cloudflare, Google, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Zscaler, BeyondTrust. 1.5 billion records affected. 70+ lawsuits filed. FBI Cybersecurity Advisory CSA-2025-250912 specifically warned of UNC6395 targeting Salesforce instances via compromised SaaS integrations.

Era 4 · Late 2025-Early 2026 · AI-enabled vishing + SSO compromise

The capability expansion that defines the current ShinyHunters operational model. AI voice cloning, combined with sophisticated victim-branded credential harvesting infrastructure, enables SSO compromise at unprecedented scale.

The technical chain (documented by Mandiant in their January 2026 GTIG analysis):

  • AI voice cloning trained on publicly available audio of IT staff (LinkedIn videos, conference recordings, podcast appearances, executive interviews) — Microsoft VALL-E research demonstrates 3 seconds of audio is sufficient for convincing replication
  • Vishing calls impersonating IT staff directing employees to “MFA reset” pages or “scheduled password update” portals
  • Victim-branded credential harvesting sites that capture SSO credentials AND MFA codes in real-time, often using Tucows-registered domains following predictable patterns
  • Automated SSO platform access using harvested credentials before MFA expiration — leveraging Okta, Microsoft Entra, and other identity providers
  • Device enrollment — attackers enroll their own devices into victim MFA solutions for persistent access
  • PowerShell-based SharePoint/OneDrive exfiltration with predictable UserAgent strings
  • Mass SaaS exfiltration across whatever cloud platforms the victim has integrated with their identity provider

Operational scale: the ReliaQuest/Computer Weekly analysis of the late-2025-into-2026 ShinyHunters campaign tracked 760+ target organizations. Mandiant tracks the activity across multiple threat clusters (UNC6661, UNC6671, UNC6240, UNC6395) reflecting both genuine operational complexity and impersonation activity by adjacent groups.

The AI capability is what makes this scale possible. A human-operated vishing call against an IT helpdesk takes 10-30 minutes and requires social engineering skill. AI-enabled vishing can run thousands of calls per day with conversational quality that the Fortune 2026 deepfake outlook describes as having “crossed the indistinguishable threshold.” Some retail organizations report receiving 1,000+ AI scam calls per day. The industrial-scale application of generative models within adversarial workflows is operational.
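The chain above, and the SaaS observability priority (Okta/Entra ID audit logs, SharePoint/OneDrive download events, UserAgent capture), as detection logic over constructed log lines: correlate an MFA device enrollment from an unfamiliar IP with a burst of scripted-UserAgent downloads inside the sub-1-hour window. This is an added example, not Mandiant’s, Microsoft’s or the article’s code; the event names, fields and UserAgent strings are assumptions loosely modelled on Entra ID and Microsoft 365 audit records.

```python
"""Correlate MFA enrollment -> new-IP sign-in -> PowerShell-style bulk download
per user inside a one-hour window. Added example; log format is assumed."""
from __future__ import annotations
import json
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)        # sub-1-hour compromise-to-exfiltration timeline
BURST_THRESHOLD = 25               # downloads per window treated as bulk exfiltration
SCRIPTED_UA_MARKERS = ("powershell", "python-requests", "curl/", "go-http-client")


@dataclass
class Event:
    ts: datetime
    user: str
    event: str     # SignIn | MfaMethodRegistered | FileDownloaded (assumed names)
    ip: str
    ua: str


def parse_events(lines: list[str]) -> list[Event]:
    """Parse one JSON record per line and return the events sorted by timestamp."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append(Event(ts=datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
                            user=rec["user"], event=rec["event"],
                            ip=rec.get("ip", ""), ua=rec.get("ua", "")))
    return sorted(events, key=lambda e: e.ts)


def is_scripted_ua(ua: str) -> bool:
    """Empty or tooling UserAgents: an interactive browser session does not look like this."""
    lowered = ua.lower()
    return not lowered or any(marker in lowered for marker in SCRIPTED_UA_MARKERS)


def detect_enrollment_to_exfil(events: list[Event]) -> list[dict]:
    """For every MFA enrollment, look one WINDOW ahead and score the chain for that user."""
    by_user: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        known_ips: set[str] = set()            # IPs seen on sign-ins before the enrollment
        for i, e in enumerate(evs):
            if e.event == "SignIn":
                known_ips.add(e.ip)
                continue
            if e.event != "MfaMethodRegistered":
                continue
            downloads = [d for d in evs[i + 1:]
                         if d.event == "FileDownloaded" and d.ts - e.ts <= WINDOW]
            scripted = sum(1 for d in downloads if is_scripted_ua(d.ua))
            indicators = []
            if e.ip not in known_ips:
                indicators.append("enrollment_from_new_ip")
            if len(downloads) >= BURST_THRESHOLD:
                indicators.append("bulk_download_burst")
            if scripted:
                indicators.append("scripted_user_agent")
            if len(indicators) >= 2:           # one indicator alone is noisy; two makes a case
                alerts.append({"user": user, "enrollment_ts": e.ts.isoformat(),
                               "downloads_in_window": len(downloads),
                               "scripted_downloads": scripted, "indicators": indicators,
                               "severity": "high" if len(indicators) == 3 else "medium"})
    return alerts


def build_sample_log() -> list[str]:
    """Constructed sample: jdoe follows the vishing chain; asmith swaps a phone normally."""
    base = datetime(2026, 5, 11, 9, 0, tzinfo=timezone.utc)

    def rec(minutes, user, event, ip, ua):
        ts = (base + timedelta(minutes=minutes)).strftime("%Y-%m-%dT%H:%M:%SZ")
        return json.dumps({"ts": ts, "user": user, "event": event, "ip": ip, "ua": ua})

    browser = "Mozilla/5.0 (Windows NT 10.0) Chrome/124"
    ps = "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041"  # constructed
    lines = [
        rec(-120, "jdoe", "SignIn", "192.0.2.10", browser),                  # usual office egress
        rec(0, "jdoe", "MfaMethodRegistered", "203.0.113.7", browser),        # attacker-enrolled device
        rec(1, "jdoe", "SignIn", "203.0.113.7", browser),
        rec(-30, "asmith", "SignIn", "198.51.100.9", browser),
        rec(50, "asmith", "MfaMethodRegistered", "198.51.100.9", browser),    # known IP, no burst
    ]
    lines += [rec(10 + k, "jdoe", "FileDownloaded", "203.0.113.7", ps) for k in range(40)]
    lines += [rec(30 + k, "asmith", "FileDownloaded", "198.51.100.9", browser) for k in range(5)]
    return lines


if __name__ == "__main__":
    for alert in detect_enrollment_to_exfil(parse_events(build_sample_log())):
        print(json.dumps(alert, indent=2))
```

In production the same correlation runs as a SIEM query joining the identity provider’s audit stream with the SaaS download stream; the thresholds here are starting points to tune against the tenant’s baseline.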

Era 5 · 2026 · Third-party supply chain cascade + AI-productivity-tool abuse

The current era, defined by the operational pattern documented in Part 4 — OAuth supply chain abuse weaponized via AI productivity tools that employees install voluntarily with broad permissions.

The Vercel/Context.ai cascade (April 19, 2026) is the canonical example. The Anodot supply chain compromise, an extension of the same pattern with confirmed breaches at Vimeo (119,000 users), Rockstar Games (78.6 million records), and Zara/Inditex (197,000 people), demonstrates the pattern’s continued operational productivity. Each compromised vendor produces a downstream cascade across all customers with active integrations.

The Canvas/Instructure extortion (ongoing through May 12 as this piece is published) is the current real-time expression: 3.65 TB of data, 275 million records, ~9,000 educational institutions, post-deadline defacement of ~330 Canvas login portals during finals week, school-by-school extortion as escalation pattern.

The structural evolution: from “find vulnerabilities” (Era 1) to “exploit configuration gaps” (Era 2) to “abuse OAuth integrations” (Era 3) to “industrialize via AI vishing” (Era 4) to “cascade through AI-productivity-tool supply chains” (Era 5). Each era adds capability without abandoning prior capabilities. The current ShinyHunters operational stack spans all five.


II · The organizational structure · brand, collective, affiliate program

Traditional threat intelligence frameworks describe APT groups in terms of capability, attribution, mission, and operational structure. ShinyHunters does not fit any of these traditional categorizations cleanly. Specifically:

Not a hierarchical organization

Multiple security analysts (Mandiant, Halcyon, EclecticIQ, Push Security, CrowdStrike) characterize ShinyHunters as a brand encompassing multiple threat clusters and affiliated actors rather than a single hierarchical gang. Google Threat Intelligence Group tracks the activity under multiple cluster designations (UNC6661, UNC6671, UNC6240, UNC6395) reflecting both operational complexity and ambiguity about which activity should be attributed to ShinyHunters core versus impersonating actors.

The pattern: members of the broader Scattered Lapsus$ Hunters (SLSH) collective conduct vishing operations under various branded campaigns. Some are clearly ShinyHunters operations. Some are by adjacent groups using ShinyHunters branding. Some involve genuine collaboration between named groups. Attribution is structurally probabilistic, not deterministic.

Operating within “The Com”

The Com is the broader network of English-speaking cybercriminals that includes Scattered Spider, LAPSUS$, ShinyHunters, Cordial Spider, Snarky Spider, CoinbaseCartel (which shares infrastructure with ShinyHunters including the affiliateshinysp1d3r[.]com domain), and other clusters. The Com operates more like a loose professional community than a criminal hierarchy. Members collaborate across phishing, initial access, data theft, and extortion operations as opportunity arises. Operators rotate between affiliations. Branding decisions are situational.

This structural feature has direct implications for defensive frameworks: “who ShinyHunters is” is not a stable answer. It’s a brand applied to a varying set of operators executing a shared operational playbook. Defensive infrastructure that focuses on attribution to specific named individuals or groups misses the actual structural threat — which is the operational playbook itself, replicated across a distributed criminal community.

Extortion-as-a-Service business model

The most structurally innovative feature. ShinyHunters operates a formal Extortion-as-a-Service (EaaS) program with 25-30% affiliate revenue share per Halcyon’s threat intelligence reporting. The program enables affiliates to access ShinyHunters’ infrastructure (BreachForums administration, extortion negotiation accounts, victim communication channels) in exchange for revenue share on successful extortions.

The revenue stack:

  • Direct extortion: payment from compromised organizations in exchange for not publishing data — typical demands range from $500K to $65M (the Telus ransom demand)
  • Bulk data sales: stolen datasets sold to ransomware affiliates and other criminal actors at up to $1 million per company per EclecticIQ analysis
  • BreachForums administration fees: revenue from operating the cybercrime marketplace that hosts both ShinyHunters’ own data and third-party criminal data
  • EaaS affiliate revenue: 25-30% share of extortion proceeds from affiliates using ShinyHunters infrastructure
  • Crowd-sourced pressure campaigns: organized harassment of victim personnel via the SLSH collective to increase payment pressure

This is a multi-revenue-stream business operation, structurally similar in some ways to legitimate platform economics. The affiliate model in particular mirrors what Ransomware-as-a-Service (RaaS) operators (LockBit, ALPHV, others) did for ransomware — but applied to extortion-without-encryption. ShinyHunters operates explicitly “pay or leak” rather than “pay or decrypt,” which removes the operational complexity of ransomware deployment while maintaining the extortion leverage.

ShinySp1d3r · the ransomware platform under development

Worth noting: ShinyHunters is also developing ShinySp1d3r, a ransomware platform under the SLSH banner with Windows (ChaCha20 + RSA-2048), Linux, and ESXi (AES-256 with VMDK encryption, esxcli VM enumeration, snapshot disabling for rollback prevention) modules. No confirmed deployment at scale has been documented as of early 2026. The platform exists as an escalation option rather than the core business model — extortion-without-encryption remains operationally preferred for now.

The trajectory matters strategically: if extortion-without-encryption stops producing payments at acceptable rates, ShinyHunters has a ransomware option ready. The defensive posture needs to account for this evolutionary possibility.


III · The AI capability layer · why vishing at this scale is now operational

The technical innovation enabling the current ShinyHunters operational scale is AI-enabled voice phishing. This deserves specific structural analysis because it changes the threat model in ways that defensive frameworks have not yet fully absorbed.

The capability stack

Modern AI vishing operations integrate several capability layers:

Voice cloning models — VALL-E and similar models can produce convincing voice replicas from 3 seconds of source audio. Public sources for target IT staff include LinkedIn videos, conference recordings, podcast appearances, executive interviews, internal training materials leaked through unrelated breaches.

Conversational AI — LLMs trained on customer service interactions can carry contextual conversations, respond to questions, handle pushback, adapt to unexpected user behavior. The conversational layer is what makes the cloned voice operationally useful — voice cloning without conversational AI produces a static recording; voice cloning with conversational AI produces a dynamic agent.

Reconnaissance automation — AI scraping of public sources (company directories, LinkedIn, social media, leaked breach data) builds target profiles. Each call can reference the employee’s manager, current projects, recent acquisitions, internal terminology — all from publicly available reconnaissance.

Real-time MFA interception — vishing-driven SSO phishing pages capture authentication tokens in real time. Cordial Spider campaigns (CrowdStrike documentation) move from initial vishing call to complete data exfiltration in under an hour. Fast enough that any detection strategy relying on human SOC triage will arrive after the data has already left the building.

Multi-vector coordination — modern campaigns combine email phishing, SMS smishing, and voice vishing in coordinated sequences. The email arrives first to prime the target. The SMS follows up with urgency. The vishing call closes the loop with a verbal authorization request. 3.4 billion phishing emails per day globally; AI-generated content now appears in 82.6% of them, per KnowBe4/SlashNext analysis.

Why this defeats traditional defenses

Three structural reasons AI vishing defeats defenses that worked against earlier social engineering:

1. No grammatical, idiomatic, or contextual errors. Pre-AI phishing relied on imperfect translation, generic content, and grammatical clues for detection. AI-generated content has eliminated these tells. Hoxhunt reports 40% of BEC emails are primarily AI-generated. The “spot the typo” defense layer is no longer effective.

2. Voice biometrics no longer reliable. AI voice clones bypass voice biometric authentication systems per Nature Machine Intelligence research. Background noise simulation (office sounds, traffic, echo) adds contextual credibility. The Group-IB Anatomy of a Deepfake Voice Phishing Attack analysis documents the operational defeat of voice-biometric checks.

3. Speed exceeds human SOC response. Unit 42 documented Cordial Spider campaigns moving from initial compromise to complete data exfiltration in under an hour. Traditional SOC operations measured in human triage time cannot keep pace. The Arctic Wolf RSAC 2026 framing applies: “AI alone produces volume. Humans alone cannot keep pace. When they’re paired together, they produce trustworthy outcomes.” Organizations operating SOCs without AI-augmented capability are operating in a different speed regime than the attackers.

The IT helpdesk as primary attack surface

The pattern documented across the late-2025-into-2026 campaigns: IT helpdesk and frontline support staff are the primary attack surface because they hold the access, permissions, and institutional knowledge to make critical authentication changes. The vishing call typically claims an MFA reset or scheduled authentication update. The IT staff member, trying to be helpful, walks the caller through the reset process. By the time legitimate verification could happen, the attacker has already enrolled an unauthorized device in the victim’s MFA solution.

This is a structural vulnerability. IT helpdesks exist to help. Their service-oriented design makes them inherently vulnerable to social engineering. Hardening requires removing helpfulness from the trust model — implementing mandatory video verification for password and MFA resets, multi-person approval for high-privilege changes, dedicated security channels for authentication change requests. Most enterprises have not implemented these controls.


IV · Why traditional APT frameworks miss this

The threat-intelligence community developed the APT framework in the late 2000s and early 2010s based on observed nation-state activity (PLA Unit 61398, GRU operations, Iranian APT groups, North Korean Lazarus). The framework’s structural assumptions:

  • Mission-driven: state-aligned objectives (intelligence collection, military preparation, regime preservation)
  • Long-term persistence: years of operations against specific targets
  • Proprietary capabilities: custom malware, novel exploits, advanced TTPs developed for specific operations
  • Narrow target list: high-value strategic targets aligned to state objectives
  • Hierarchical organization: state intelligence services with formal operational structure

ShinyHunters fits none of these structural assumptions. Specifically:

Financial motivation, not strategic. Mission is revenue maximization, not intelligence collection. Targets are chosen by extortion leverage potential, not by strategic value.

Short-term per-target operations. Move from initial compromise to data exfiltration to extortion within days or weeks. Persistence is not the goal; speed of monetization is.

Capability stack assembled from commodity components. Voice cloning is publicly available. LLMs are commercially accessible. Phishing infrastructure is rented. Custom capability development is minimal. ShinySp1d3r is the exception (custom ransomware development), and even that uses standard cryptographic primitives.

Mass target list. 400+ organizations claimed since 2020, growing by hundreds per year. Targeting is opportunistic rather than strategic. Anyone with high-value data and exploitable identity infrastructure is a potential target.

Brand-based organization, not hierarchical. Distributed collective, affiliate program, situational branding. Not a unified organization at all.

The APT framework was built to track different threat actors than ShinyHunters represents. This is not a criticism of the framework — it accurately described the threat landscape of its era. But the dominant threat actor model has shifted, and the framework has not yet caught up.

The implication for defenders: threat-intelligence consumers who organize their defensive posture around tracking specific named APT groups are mis-allocating attention. The actual operational threat is the playbook (vishing → SSO compromise → SaaS exfiltration → extortion), not the actor (ShinyHunters specifically). The playbook is being executed by dozens of operationally adjacent groups within The Com and its broader criminal community. Defending against ShinyHunters specifically is the wrong threat model. Defending against the playbook is the right one.


V · The new defensive framework · what enterprise security needs

Given the operational reality, the defensive framework needs structural updates. Specific implications by category:

Identity infrastructure hardening

The single highest-leverage defensive intervention. Specifically:

Phishing-resistant MFA: FIDO2 security keys, passkeys, Windows Hello. These resist the vishing-driven MFA bypass that current ShinyHunters operations rely on. SMS-based and push-based MFA are no longer adequate against AI-enabled vishing campaigns. Mandiant’s January 2026 guidance explicitly recommends this transition.

Helpdesk hardening: live video verification for password and MFA resets; multi-person approval for high-privilege identity changes; dedicated authentication change channels separate from general support; mandatory ticketing systems for all authentication operations. Most enterprises have not implemented these controls. They feel inefficient and slow the user experience down. The operational reality is that they are the most effective defense against AI vishing.

Device enrollment auditing: MFA device additions are a primary attacker objective. Monitor all device enrollment events in your identity provider. Flag enrollments from new IP addresses, unusual times, or following recent password resets. Alert on enrollment patterns that match known attacker TTPs.

Session lifetime reduction: shorter session lifetimes mean compromised credentials have shorter operational utility. Target 1-8 hour session lifetimes for high-privilege accounts; 12-24 hour for general access. Force re-authentication for sensitive operations regardless of session age.

SaaS observability infrastructure

Without visibility into SaaS authentication, MFA changes, and data export operations, detection is structurally impossible. The infrastructure investments:

Identity Provider logging: comprehensive Okta and Entra ID audit log ingestion into SIEM. Authentication events (successful and failed), MFA lifecycle events (enrollment, changes), administrative identity events. These are the first reliable signals when AI vishing succeeds.

SaaS application logging: file download/access events in SharePoint, OneDrive, Google Drive. Mass export events in Salesforce (SOQL query volume), HubSpot, ServiceNow, other CRM/SaaS platforms. User-agent capture to identify PowerShell-based access patterns that are characteristic of automated post-compromise exfiltration.

Anomalous data access detection: behavioral baselines for individual user data access patterns. Mass exports outside normal patterns. Access from unusual locations or times. Data flows to unexpected destinations.

OAuth grant inventory (covered in Part 4 but bears repeating in this context): every OAuth grant is a potential cascade entry point. Inventory, audit, restrict.
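As an added illustration (not the author’s code and not any IdP’s or SIEM’s own rules), the Python below applies the device-enrollment checks from the identity section (new IP, unusual hour, enrollment shortly after a password reset) and the mass-export baseline and scripted-client user-agent checks from this section to a constructed audit-event stream, and raises severity when a flagged export follows a flagged enrollment. Event names, field names, the business-hours window and the thresholds are assumptions, not any product’s schema.

```python
"""Correlate IdP and SaaS audit events for the vishing -> MFA enrollment -> mass export chain."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). UTC timestamps, oldest first.
# Field names are assumed; map them from your IdP/SaaS export format.
EVENTS = [
    {"ts": "2026-05-04T09:12:00", "user": "alice", "event": "login", "ip": "10.1.1.5", "ua": "Mozilla/5.0"},
    {"ts": "2026-05-04T09:20:00", "user": "alice", "event": "saas.export", "ip": "10.1.1.5", "ua": "Mozilla/5.0", "records": 120},
    {"ts": "2026-05-05T10:02:00", "user": "alice", "event": "saas.export", "ip": "10.1.1.5", "ua": "Mozilla/5.0", "records": 150},
    {"ts": "2026-05-06T08:45:00", "user": "bob", "event": "login", "ip": "10.1.2.9", "ua": "Mozilla/5.0"},
    # Helpdesk-initiated reset, then enrollment from an IP never seen for alice, at 22:31 UTC,
    # followed within the hour by a scripted bulk export: the pattern the text describes.
    {"ts": "2026-05-07T22:10:00", "user": "alice", "event": "password.reset", "ip": "10.1.9.1", "ua": "HelpdeskPortal", "actor": "helpdesk"},
    {"ts": "2026-05-07T22:31:00", "user": "alice", "event": "mfa.enroll", "ip": "203.0.113.77", "ua": "Mozilla/5.0"},
    {"ts": "2026-05-07T22:40:00", "user": "alice", "event": "login", "ip": "203.0.113.77", "ua": "Mozilla/5.0"},
    {"ts": "2026-05-07T22:55:00", "user": "alice", "event": "saas.export", "ip": "203.0.113.77", "ua": "WindowsPowerShell/5.1", "records": 48000},
    # Benign enrollment: known IP, business hours, no recent reset.
    {"ts": "2026-05-08T09:15:00", "user": "bob", "event": "mfa.enroll", "ip": "10.1.2.9", "ua": "Mozilla/5.0"},
]

RESET_WINDOW = timedelta(hours=24)   # enrollment this soon after a reset is suspicious
BUSINESS_HOURS = range(7, 19)        # assumed local working hours, in UTC here
EXPORT_MULTIPLIER = 10               # export > 10x the user's largest prior export
CHAIN_WINDOW = timedelta(hours=6)    # export this soon after a flagged enrollment escalates


def analyze(events):
    """Return findings as (severity, user, reasons, timestamp) tuples, in event order."""
    findings = []
    seen_ips = defaultdict(set)        # IPs from each user's own activity
    last_reset = {}                    # user -> time of most recent password reset
    export_history = defaultdict(list) # user -> record counts of prior exports
    flagged_enroll = {}                # user -> time of most recent suspicious enrollment
    for e in events:
        ts, user, kind = datetime.fromisoformat(e["ts"]), e["user"], e["event"]
        if kind == "password.reset":
            last_reset[user] = ts
        elif kind == "mfa.enroll":
            reasons = []
            if e["ip"] not in seen_ips[user]:
                reasons.append("enrollment from IP never seen for user")
            if ts.hour not in BUSINESS_HOURS:
                reasons.append("enrollment outside business hours")
            if user in last_reset and ts - last_reset[user] <= RESET_WINDOW:
                reasons.append("enrollment within 24h of password reset")
            if reasons:
                findings.append(("medium", user, "; ".join(reasons), e["ts"]))
                flagged_enroll[user] = ts
        elif kind == "saas.export":
            reasons = []
            baseline = max(export_history[user], default=0)
            if baseline and e["records"] > EXPORT_MULTIPLIER * baseline:
                reasons.append(f"export of {e['records']} records vs baseline {baseline}")
            if "powershell" in e["ua"].lower():
                reasons.append("scripted client user-agent")
            if reasons:
                severity = "medium"
                if user in flagged_enroll and ts - flagged_enroll[user] <= CHAIN_WINDOW:
                    severity, reasons = "high", reasons + ["follows a flagged MFA enrollment"]
                findings.append((severity, user, "; ".join(reasons), e["ts"]))
            export_history[user].append(e["records"])
        if e.get("actor", user) == user:   # don't learn the helpdesk's IP as the user's
            seen_ips[user].add(e["ip"])
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(*finding, sep=" | ")
```

On the sample stream this yields one medium finding for the enrollment and one high finding for the export that follows it; bob’s enrollment from a known IP during business hours produces nothing.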

Workforce risk awareness · AI vishing specifically

The training is not technical. It is risk awareness about a specific operational pattern that the workforce will encounter. Key points:

  • Any incoming call requesting MFA codes, password resets, or authentication changes is a security event regardless of who the caller claims to be. Even if it sounds like the CTO’s voice. Even if they reference internal project names. Even if they know your manager’s name.
  • All authentication change requests must go through verified channels. Hang up, call back via the known internal phone tree, verify through the ticketing system. Never accept inbound calls for authentication operations.
  • AI voice cloning means voice familiarity is not authentication. “It sounds like my IT contact” is no longer evidence of legitimacy.
  • Time pressure is an attacker tactic. Legitimate IT changes don’t have urgent deadlines. Pressure to act quickly is itself a red flag.

The training cost is low. The risk reduction is substantial. The Mandiant playbook recommendations include treating periods of heightened threat activity as triggering mandatory verification protocols for all authentication operations — a model that should probably extend to default operation during ongoing campaign periods.

Incident response readiness for extortion scenarios

ShinyHunters operations follow a predictable extortion lifecycle: initial compromise → data exfiltration → extortion demand to victim organization → if refused, escalation to crowd-sourced pressure or direct customer/employee extortion → if still refused, public publication on data leak site.

Each stage requires defined response. Specifically:

  • Initial compromise detection: incident response activation, scope assessment, containment, credential rotation, OAuth grant revocation across all affected paths
  • Extortion demand receipt: legal counsel engagement, executive notification, regulatory disclosure assessment (varies by jurisdiction and data type), law enforcement engagement (FBI for US, NCSC/ICO for UK, BfV/BSI for Germany), payment decision framework
  • Escalation response: communication strategy with potentially affected stakeholders (customers, employees, partners), media response preparation, regulatory notification preparation
  • Publication scenario: complete external disclosure, affected-party notification, regulatory filings, lawsuit preparation, brand recovery operations

Most enterprises have ransomware playbooks but not extortion-without-encryption playbooks. The operational responses differ substantially. Extortion-without-encryption doesn’t lock systems but does require immediate public-affairs response. The decision tree on payment differs (no decryption keys to recover, just publication suppression). The regulatory landscape is different (different statutes apply, different disclosure timelines).

The structural shift in defensive posture

The aggregate implication: enterprise security needs to operate at AI-vs-AI speed against AI-enabled adversaries, with identity infrastructure hardening as the primary defense layer rather than network perimeter or endpoint detection. This represents a structural shift from the network-centric defensive posture of the 2010s.

The infrastructure investments are substantial. The capability gap between organizations that have made these investments and those that have not is widening. Each ShinyHunters-class campaign produces hundreds of victim organizations. Most of those victims will share the structural property of having operated traditional defensive infrastructure against AI-enabled attackers operating at orders-of-magnitude greater scale and speed.


VI · What policymakers need to understand about this

The criminal operational model that ShinyHunters represents has policy implications that extend beyond enterprise security:

Law enforcement model mismatch

Arrests across France, Morocco, Canada, Turkey, and the United States between 2022 and 2025 disrupted individual ShinyHunters members. Operations continued uninterrupted. This is not unusual — the same pattern applies to Scattered Spider, LAPSUS$, and other Com-affiliated groups. Arrests focus on administrators, not on capability developers, and not on the distributed network of operators executing the playbook.

The structural issue: traditional law enforcement is structured around prosecuting individuals. Distributed criminal collectives operating across multiple jurisdictions don’t fit the prosecutorial framework cleanly. Each named member arrested can be replaced by another within the collective. The collective itself is not a legal entity that can be prosecuted as a unit.

Policy implications: existing frameworks like RICO in the US, organized crime statutes in EU member states, and international cooperation mechanisms need to evolve to address distributed criminal collectives operating across borders. The current framework is well-suited to hierarchical organized crime but poorly suited to The Com’s structural model.

International coordination requirements

ShinyHunters operates across the English-speaking criminal community, with operators in the US, UK, Canada, and other countries. Infrastructure is hosted across multiple jurisdictions. Banking and cryptocurrency movements span international boundaries.

Current international coordination through Europol, MLAT processes, the Budapest Convention, and bilateral law enforcement cooperation is functional but slow. The operational speed of ShinyHunters campaigns (under one hour from compromise to exfiltration) is incompatible with month-long international evidence requests. Real-time coordination mechanisms specifically for distributed criminal collective response are absent.

AI capability proliferation

The voice cloning, conversational AI, and reconnaissance automation that enable ShinyHunters’ scale are built on commercially available AI capability. Policy frameworks need to address the proliferation question. Specifically:

  • Voice authentication model deployment standards: financial services, government services, healthcare authentication systems should be required to use phishing-resistant authentication rather than voice biometrics
  • AI capability export controls: voice cloning models that produce indistinguishable replication may warrant the same export framework that applies to cryptographic capability
  • Mandatory disclosure of AI-enabled attack patterns: similar to vulnerability disclosure frameworks, AI-enabled attack pattern disclosure to authorities for coordinated defensive response

These are politically difficult. They impose costs on legitimate AI capability development. They require international coordination. But the alternative is an indefinite continuation of the current asymmetry, where defenders operate at human speed while attackers operate at AI-augmented industrial scale.

Regulatory framework updates

Sector-specific regulations need updates to address the specific operational reality:

  • Financial services: phishing-resistant authentication should be mandated for all customer-facing financial services authentication, not just optional. Current FFIEC guidance treats it as recommended; the operational reality requires mandate
  • Healthcare: HIPAA-equivalent breach notification frameworks for OAuth supply chain compromises specifically. The current framework was designed for direct compromise scenarios; cascade compromises through SaaS integrations are under-addressed
  • Education sector: the Canvas/Instructure breach is the canonical example. Educational sector breach notification frameworks vary widely by state and country; structural updates for SaaS supply chain scenarios would help
  • Critical infrastructure: CISA’s existing guidance on identity infrastructure should be elevated from recommendation to mandate for sectors designated as critical infrastructure

VII · The structural close · what comes next

ShinyHunters is not a unique operational anomaly. It is the canonical example of an emerging threat actor category that the security community needs to internalize:

  • Brand-based criminal collectives operating as distributed affiliates rather than hierarchical organizations
  • AI-enabled capability stacks (voice cloning, conversational AI, reconnaissance automation, real-time credential interception) as the primary access vector
  • Multi-revenue-stream business models combining direct extortion, bulk data sales, affiliate revenue, and infrastructure operation
  • Cross-cluster cooperation within broader criminal communities like The Com
  • Operational speed measured in minutes to hours rather than days to weeks
  • Mass target lists with hundreds of organizations breached per year by each capable cluster

The defensive infrastructure for this threat category is operationally behind. Most enterprises operate identity infrastructure designed for human-paced threats. Most SOCs operate at speeds that don’t match AI-augmented adversary operational tempo. Most threat intelligence frameworks focus on individual named groups rather than the playbook those groups execute.

The 12-18 months ahead will determine whether enterprise defensive infrastructure adapts fast enough to operate at the new threat tempo. The capability investments required are substantial — phishing-resistant MFA at scale, SaaS observability infrastructure, AI-augmented SOC capability, identity-centric defensive posture. Each enterprise that makes these investments removes itself from being the next campaign victim. Each enterprise that doesn’t continues operating as part of the structural attack surface.

The Canvas/Instructure campaign ends May 12 with its current deadline. ShinyHunters will move to the next campaign. The structural playbook continues. The defensive infrastructure question is whether enterprise security operates at AI-vs-AI speed by 2027, or whether the gap continues to widen as the operational tempo accelerates.

ShinyHunters is the canonical example because they were first to operationalize the new model at scale. They will not be the last. The Com includes Scattered Spider, LAPSUS$, and other clusters at varying stages of the same operational evolution. Other criminal communities globally are observing the model’s success and adapting it. The structural threat is the operational architecture, not the specific actors executing it.

That’s the read on where we are. The next piece in this series will look at the bug bounty market collapse — the economic restructuring underway as AI-driven vulnerability discovery makes the historical bug bounty economics non-viable, and what that means for the defensive talent pipeline over the next decade.


About the Author

Thorsten Meyer is a Munich-based futurist, post-labor economist, and recipient of OpenAI’s 10 Billion Token Award. He spent two decades managing €1B+ portfolios in enterprise ICT before deciding that writing about the transition was more useful than managing quarterly slides through it. More at ThorstenMeyerAI.com.


