Who Actually Is ShinyHunters? Inside Cybersecurity's Messiest Attribution Fight of 2026
If you've followed cybersecurity headlines at all in the first half of 2026, you've seen the name ShinyHunters attached to an almost absurd number of breaches: Salesforce customers across more than a thousand organizations, Canvas/Instructure, Oracle PeopleSoft servers, SoundCloud, Grubhub, Panera Bread, Carnival, ADT, Charter, Kemper, McGraw-Hill, Rockstar Games, Telus, even the European Commission. By any measure, that volume of claimed activity should be impossible for a single group. And that's precisely the controversy: a growing body of researchers now believe ShinyHunters isn't really one group at all, and the implications of that uncertainty are reshaping how the entire industry talks about attribution, accountability, and what a "hacker group" even is anymore.
A brand, not necessarily an organization
Google-owned threat intelligence firm Mandiant made waves in January 2026 by publicly describing ShinyHunters as "multiple threat clusters" operating under a single shared brand, rather than a coherent, centrally directed organization. Journalist Kim Zetter's subsequent analysis described ShinyHunters and its peer groups as "loose-knit cells" of a broader community known as The Com — a sprawling network of largely English-speaking, often very young cybercriminals who move fluidly between identities, projects, and alliances.
This isn't just academic hairsplitting. It matters enormously for victims, law enforcement, and the public trying to make sense of who is actually responsible when their data shows up on a leak site. Consider the case of Vercel, the cloud platform company: in April 2026, an entity claiming to be ShinyHunters took credit for breaching Vercel, but the leadership associated with what researchers consider the "real" ShinyHunters publicly denied any involvement. Something similar happened with PowerSchool customers — someone using the ShinyHunters name extorted school districts, while a person identifying as the group's actual leader told reporters the culprit was an impersonating affiliate, not the core group at all.
If even the people inside the criminal ecosystem can't agree on who is and isn't really "ShinyHunters" on any given day, what does that mean for the rest of us trying to assess risk, hold someone accountable, or even just write an accurate incident report?
The supergroup that may or may not exist
Compounding the confusion is the emergence of "Scattered LAPSUS$ Hunters" (sometimes SLH or SLSH), a name that surfaced on Telegram in August 2025 and exploded into prominence through 2026. The name itself is a mashup referencing three previously distinct, already-notorious criminal brands: ShinyHunters (data theft and extortion), Scattered Spider (social engineering and initial access, also tracked by researchers as Octo Tempest or UNC3944), and Lapsus$ (source-code leaks and brazen public extortion, the group once responsible for breaches at Nvidia, Samsung, LG, Microsoft, and Okta).
Different research teams have reached genuinely different conclusions about what this means. Trustwave SpiderLabs published an advisory arguing that SLH represents a real, coordinated alliance — not just loose collaboration but a deliberately constructed federated brand, with fewer than five core operators reportedly running roughly 30 different personas, built specifically to recycle the reputational fear factor of three well-known names into something larger and more intimidating. Other researchers, including analysts at LevelBlue, have pushed back on the "merger" framing entirely, describing SLH instead as a "situational alliance" — clusters that temporarily align under a shared banner for a particular campaign (citing the October 2025 Red Hat incident, where a group called Crimson Collective initially claimed the breach before SLH became the dominant public voice during the extortion phase) without representing any kind of permanent, centralized organization.
Even the criminals themselves contradict each other on camera, so to speak. One SLH-affiliated persona using the handle "unc3944" has claimed that Scattered Spider, ShinyHunters, and Lapsus$ are simply "branches" of SLH, and that SLH itself is "parent-owned by ShinyHunters" — a claim multiple research teams explicitly flag as unverified and impossible to confirm independently.
Why the uncertainty itself is the story
This isn't merely an academic dispute for threat intel nerds. The scale of what's being attributed to this ecosystem, confirmed or not, is staggering. ShinyHunters alone has claimed over 1.5 billion stolen records from a single sustained campaign against Salesforce customers spanning more than 1,000 organizations, building on voice-phishing techniques where attackers impersonate IT support staff to trick employees into authorizing a malicious connected app that mimics Salesforce's legitimate Data Loader tool. Google's threat intelligence team has tracked distinct phases of this campaign under different cluster names — UNC6040 for the initial vishing-based intrusions, UNC6395 for a separate wave that abused stolen OAuth tokens from Salesloft and Drift integrations to pull data directly from Salesforce APIs without ever breaching Salesforce's own infrastructure, and UNC6240 for the extortion phase where actors using the ShinyHunters name made contact with victims, sometimes weeks or months after the original theft.
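The two phases described above (a user talked into authorizing a look-alike Data Loader connected app that immediately bulk-exports data, and a legitimate integration whose stolen OAuth token is used for the same export) suggest two different detection rules, and both have to run automatically over the API event feed rather than wait for an analyst. The following is an added example written for this page, not code from the page or from any vendor: it runs both rules over a constructed, flattened feed of Salesforce-style API events. The field names, the approved-app allowlist, the per-app row baselines and the sample records are all assumptions for illustration, not the real EventLogFile schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist of connected apps a hypothetical org has reviewed and approved.
APPROVED_CONNECTED_APPS = {"Salesforce Data Loader", "Marketing Sync"}
# Assumed rows-per-job baseline for each approved app (what "normal" looks like).
EXPECTED_ROWS_PER_JOB = {"Salesforce Data Loader": 50_000, "Marketing Sync": 5_000}

# Constructed sample events; field names are illustrative, not Salesforce's schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T14:02:10Z", "user": "jdoe@example.com", "app": "Salesforce Data Loader", "op": "BulkApiQuery", "object": "Account", "rows": 1_200},
    {"ts": "2025-08-12T14:05:00Z", "user": "asmith@example.com", "app": "Dataloader Support Tool", "op": "ConnectedAppAuthorized", "object": "", "rows": 0},
    {"ts": "2025-08-12T14:07:31Z", "user": "asmith@example.com", "app": "Dataloader Support Tool", "op": "BulkApiQuery", "object": "Account", "rows": 480_000},
    {"ts": "2025-08-12T14:09:02Z", "user": "asmith@example.com", "app": "Dataloader Support Tool", "op": "BulkApiQuery", "object": "Contact", "rows": 910_000},
    {"ts": "2025-08-12T14:10:45Z", "user": "asmith@example.com", "app": "Dataloader Support Tool", "op": "BulkApiQuery", "object": "Lead", "rows": 220_000},
    {"ts": "2025-08-12T14:11:20Z", "user": "asmith@example.com", "app": "Dataloader Support Tool", "op": "BulkApiQuery", "object": "Case", "rows": 150_000},
    {"ts": "2025-08-12T15:30:00Z", "user": "svc-drift@example.com", "app": "Marketing Sync", "op": "BulkApiQuery", "object": "Contact", "rows": 2_500},
    {"ts": "2025-08-12T15:41:00Z", "user": "svc-drift@example.com", "app": "Marketing Sync", "op": "BulkApiQuery", "object": "Contact", "rows": 310_000},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_authorize_then_export(events, window=timedelta(hours=1), min_rows=100_000):
    """Rule 1: an app outside the allowlist is authorized by a user and, within the
    window, that same user/app pair runs Bulk API queries totalling min_rows or more.
    This models the vishing flow: approve the fake Data Loader, export immediately."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["user"], e["app"])].append(e)
    findings = []
    for (user, app), evs in by_actor.items():
        if app in APPROVED_CONNECTED_APPS:
            continue
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        auth = next((e for e in evs if e["op"] == "ConnectedAppAuthorized"), None)
        if auth is None:
            continue
        t0 = parse_ts(auth["ts"])
        exports = [e for e in evs
                   if e["op"] == "BulkApiQuery" and t0 <= parse_ts(e["ts"]) <= t0 + window]
        total = sum(e["rows"] for e in exports)
        if total < min_rows:
            continue
        objects = []
        for e in exports:
            if e["object"] not in objects:
                objects.append(e["object"])
        minutes = (parse_ts(exports[-1]["ts"]) - t0).total_seconds() / 60
        findings.append({"rule": "unapproved_app_authorize_then_export", "user": user,
                         "app": app, "rows": total, "objects": objects,
                         "minutes": round(minutes, 1)})
    return findings


def detect_volume_anomaly(events, factor=10):
    """Rule 2: an approved app exports far more rows in one job than its baseline.
    Allowlisting alone misses the stolen-token case, where the app itself is
    legitimate but whoever holds its OAuth token is pulling whole objects."""
    findings = []
    for e in events:
        baseline = EXPECTED_ROWS_PER_JOB.get(e["app"])
        if baseline is None or e["op"] != "BulkApiQuery":
            continue
        if e["rows"] >= factor * baseline:
            findings.append({"rule": "approved_app_volume_anomaly", "user": e["user"],
                             "app": e["app"], "object": e["object"], "rows": e["rows"]})
    return findings


def detect(events):
    """Run both rules; returns a list of finding dicts (empty when nothing fires)."""
    return detect_authorize_then_export(events) + detect_volume_anomaly(events)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

On the sample feed the first rule fires on the fake "Dataloader Support Tool" (four objects, 1.76 million rows, a little over six minutes after authorization) and the second on the approved "Marketing Sync" app's 310,000-row job, while the two small routine jobs stay quiet. The thresholds are the part a real deployment has to tune against its own baselines; the structure of the two rules is the point.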
The most economically damaging single incident linked to this broader ecosystem, the ransomware attack on Jaguar Land Rover, illustrates just how high the stakes of attribution have become. That attack shut down JLR's global production line for over three weeks and was serious enough that the UK government underwrote a $1.5 billion loan to stabilize the company's supply chain — reportedly the most economically consequential cyberattack ever recorded against a G7 economy. Resecurity's research suggests this attack may have had no direct link to the broader Salesforce campaign at all, despite carrying the same Scattered Spider/ShinyHunters/Lapsus$ branding, which only deepens the question of whether the name on a leak site tells you anything reliable about who actually did the work, what capability they had, or whether paying attention to "the group" is even the right unit of analysis anymore.
Researchers have also documented the speed at which more recent campaigns in this ecosystem now execute — Unit 42 found related clusters moving from initial compromise to complete data exfiltration in under an hour, fast enough that any detection approach relying on a human security operations team noticing and responding in real time will, by definition, always be too late. That operational tempo, combined with the identity confusion at the branding level, has created a genuinely uncomfortable situation for defenders: you may not know who's attacking you, and even if you did, you wouldn't have time to look it up before the data is already gone.
The law enforcement paradox
Perhaps the most darkly ironic thread running through this whole saga is how little arrests have actually slowed things down. French authorities arrested four alleged administrators connected to BreachForums and ShinyHunters, and individual members have faced prosecution before — Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the US back in 2022. None of it has meaningfully interrupted the broader campaign. When the SLH brand's Telegram channels get taken down, researchers have documented the group rebuilding within hours under a new name, cycling through at least 16 distinct channel identities by some counts. The group even announced it was "retiring" or "going dark" at one point in 2025 — an announcement that, predictably, several researchers treated with open skepticism, and which did not meaningfully reduce the volume of new claimed victims in the months that followed.
This pattern — fluid identity, theatrical public messaging reminiscent of hacktivist groups despite being purely financially motivated, near-total resilience to takedowns, and a roster of claimed victims that keeps growing regardless of who gets arrested — has led some analysts to argue that the entire framework the industry uses to talk about "threat actor groups" is becoming obsolete. If a name can be claimed by anyone, denied by its supposed leadership, used as a service that smaller affiliates rent access to, and rebuilt overnight after every disruption, then writing an incident report that says "ShinyHunters did this" may convey a false sense of certainty about something that is, in reality, a loosely affiliated, branded criminal service industry.
What this means going forward
The controversy here isn't really about whether breaches happened — the breaches are devastatingly well-documented, down to the billions of records and the specific organizations affected. The controversy is about what we're actually naming when we name the attacker, and whether the entire industry practice of attribution-by-brand is giving boards, regulators, and the public a misleadingly tidy story about an ecosystem that is, by every credible account, considerably messier, more fluid, and more resilient than any single "group" framing can capture. Until that gets sorted out — and there's little sign it will be anytime soon — every new headline naming ShinyHunters as the culprit behind the next mega-breach should probably come with an asterisk.