ShinyHunters Expands Its Leak Infrastructure and Vows to Keep Stolen Data Online “Until the End of Time”: Why Cybercrime's Most Resilient Extortion Group Cannot Be Stopped
Eric Serrano Bustos
On 18 June 2026, the extortion group ShinyHunters announced on its leak site a significant infrastructure expansion: new mirror servers, torrent-based file distribution, and a Proof-of-Work queue system to manage download demand. The group's message was direct: “these files will remain publicly accessible with ease till the end of time.” The announcement coincides with a report published the same day by Cato Networks, documenting how ShinyHunters has survived multiple arrests, forum seizures and the conviction of its alleged founder since the group first appeared in 2019. For Spanish businesses, the case is relevant beyond the anecdotal: ShinyHunters is the same group behind the Oracle PeopleSoft zero-day exploitation campaign (CVE-2026-35273) we analysed last week, and it represents the most persistent and adaptable extortion pattern in today's threat landscape.
What did ShinyHunters announce, and what does Cato Networks' research say?
Facts documented by Cybernews, Cato Networks and BankInfoSecurity:
Infrastructure expansion: ShinyHunters deployed multiple mirror servers for its leaked files, with the stated goal of improving download speed and reliability, particularly during traffic spikes that occur when a high-profile victim is listed.
Torrent distribution: the group plans to offer torrent links for all hosted files, creating a distribution network far harder to dismantle than a single centralised server.
Proof-of-Work queue system: before downloading leaked data, a user's computer must solve a small computational puzzle, a technique typically used to prevent automated abuse and server overload.
Data persistence: the group stated no data was lost during the upgrade, maintaining backups of everything leaked since day one.
Resilience history documented by Cato Networks: despite multiple forum seizures (RaidForums, BreachForums), surviving targeted honeypots, the 2023 conviction of alleged founder Sébastien Raoult, and the arrests of several high-profile administrators in France last year, the “ShinyHunters” brand has systematically reemerged within days or weeks of each blow.
Evolution into Scattered LAPSUS$ Hunters (SLH): in 2025, ShinyHunters merged with other collectives to form SLH, combining ShinyHunters' brand recognition, Scattered Spider's social engineering expertise, and LAPSUS$'s aggressive tactics.
Methodology shift: the group has evolved from a database-driven profile toward business-logic abuse: exploiting trusted SaaS integrations, OAuth-connected applications, and help-desk social engineering, rather than relying solely on traditional phishing or intrusion.
Victims claimed in June 2026 alone: Kodak (2 million records), JCPenney, Madison Square Garden, Sysco (61 million records via Salesforce), and, on the same Thursday as the announcement, Amazon One Medical, with 8.8TB of claimed data and a 22 June deadline before publication.
Active campaign since September 2025: the group has accumulated hundreds of high-profile corporate victims, most linked to a worldwide campaign that harvested over 1.5 million records from misconfigured Salesforce instances, plus attacks on Snowflake, Okta, Drift and Salesloft.
Why ShinyHunters' resilience is the most important lesson for businesses in 2026
The real risk of ShinyHunters is not a single attack: it is proof that an extortion model can survive indefinitely against the combined effort of law enforcement across multiple countries. Four factors explain why this should concern any security leader:
Law enforcement is no longer sufficient deterrence. Forum seizures, administrator arrests and the founder's conviction have not stopped the group. If the hardest possible legal blows do not work, no company's defensive strategy can rely on the expectation that “sooner or later these groups will be stopped.”
The brand model outlives the individuals. ShinyHunters is not a closed group of specific people: it is a recognisable cybercrime brand that attracts new operators when previous ones are arrested or retire. This makes it a structural threat, not an isolated incident resolved by an arrest.
The attack vector has shifted from technical to organisational. The pivot toward SaaS integration abuse, OAuth tokens and help-desk social engineering means traditional perimeter defences (firewalls, antivirus, patches) are less and less relevant. The typical entry point is now a misconfigured third-party integration or a support agent tricked into resetting credentials.
Extortion infrastructure professionalises at the same pace as the businesses it targets. Mirror servers, torrent distribution and Proof-of-Work anti-abuse systems are product engineering measures, not hacking. ShinyHunters runs its leak site with the same operational logic as a legitimate content distribution company.
ShinyHunters' attack pattern: from SaaS integration to public extortion
While each campaign varies in initial technical vector, ShinyHunters' operational pattern, documented by Cato Networks and recent campaign coverage, follows a consistent structure:
Initial access via trusted integrations. Rather than attacking the victim's systems directly, the group exploits connected SaaS applications (such as misconfigured Salesforce instances), third-party OAuth tokens, or uses social engineering against technical support staff to obtain fraudulent credential resets.
Large-scale data exfiltration. Once inside, the group extracts the largest possible volume of data before detection, prioritising personal information, financial records and sensitive data with high extortion value.
Listing on the leak site with a deadline. The victim is added to the group's Data Leak Site with a specific payment deadline (22 June in Amazon One Medical's case), accompanied by an explicit threat of publication and additional “annoying digital problems” if there is no contact.
Mass publication and distribution if no payment. If the victim does not negotiate, the data is published on the leak site, now with the expanded mirror and torrent infrastructure that ensures distribution more resistant to subsequent takedowns.
Key lessons for Spanish businesses: protecting against a group that cannot be legally stopped
Since legal response is insufficient, practical defence must focus on closing the vectors ShinyHunters systematically exploits:
Audit all SaaS integrations connected to critical systems. Regularly review which third-party applications have OAuth access to Salesforce, Microsoft 365, Google Workspace or other corporate SaaS platforms, and remove integrations no longer in use or with excessive permissions.
Strengthen help-desk verification protocols. Social engineering against technical support staff to reset passwords or MFA tokens is one of ShinyHunters' and affiliated groups' most-used entry vectors. Implement multi-layer verification before any sensitive credential reset.
Monitor Salesforce and SaaS platform instances for misconfigurations. Over 1.5 million compromised records in ShinyHunters' Salesforce campaign originated from misconfigured instances. A permissions and security configuration audit on SaaS platforms should be a recurring, not one-off, practice.
Prepare a deadline-extortion response protocol. Companies need a predefined plan for when they receive an extortion notice with a deadline, including who to notify (AEPD, law enforcement, legal counsel) and how to assess the real scope of compromised data without negotiating directly with the group.
Assume leaked data is permanent. With mirror servers and torrent distribution, the option of a leak “disappearing” over time is no longer realistic. Incident response planning must assume any exfiltrated data will remain publicly available indefinitely.
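The first and third lessons above, auditing OAuth-connected integrations and reviewing them on a recurring basis, can be turned into a repeatable check. The following is an added example, not Apolo's or any vendor's tooling: it runs a simple policy (stale grants, high-risk scopes, no accountable owner) over a constructed grant inventory in an assumed export format, not a real Salesforce or Microsoft 365 schema; the scope names and 90-day threshold are placeholders to adapt.

```python
from datetime import date

# Constructed inventory of third-party apps with OAuth access to corporate SaaS
# tenants. The record layout is an assumption, not a real platform export.
GRANTS = [
    {"app": "crm-sync-bot", "platform": "salesforce",
     "scopes": ["api", "refresh_token"], "last_used": "2026-06-15", "owner": "sales-ops"},
    {"app": "legacy-marketing-tool", "platform": "salesforce",
     "scopes": ["full", "refresh_token"], "last_used": "2025-11-02", "owner": ""},
    {"app": "hr-exporter", "platform": "m365",
     "scopes": ["User.Read.All", "Directory.ReadWrite.All"], "last_used": "2026-06-01",
     "owner": "hr-it"},
    {"app": "demo-dashboard", "platform": "workspace",
     "scopes": ["drive.readonly"], "last_used": "2026-02-20", "owner": "intern-2025"},
]

# Scopes treated as excessive for an integration (assumed policy list).
HIGH_RISK_SCOPES = {"full", "Directory.ReadWrite.All", "Mail.ReadWrite"}
STALE_AFTER_DAYS = 90

def audit_grants(grants, today_iso, stale_after_days=STALE_AFTER_DAYS):
    """Return (app, reason) findings for every grant that needs review or removal."""
    today = date.fromisoformat(today_iso)
    findings = []
    for g in grants:
        idle_days = (today - date.fromisoformat(g["last_used"])).days
        if idle_days > stale_after_days:
            findings.append((g["app"], f"unused for {idle_days} days"))
        risky = HIGH_RISK_SCOPES.intersection(g["scopes"])
        if risky:
            findings.append((g["app"], "high-risk scopes: " + ", ".join(sorted(risky))))
        if not g["owner"]:
            findings.append((g["app"], "no accountable owner"))
    return findings

if __name__ == "__main__":
    for app, reason in audit_grants(GRANTS, "2026-06-19"):
        print(f"{app}: {reason}")
```

Run it against a real export on a schedule and treat any app with more than one finding as a candidate for immediate revocation rather than a ticket.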
Cybersecurity as a strategic priority
ShinyHunters is the clearest example of a trend the industry has been documenting throughout 2026: the most dangerous extortion groups are no longer those with the most sophisticated technical tools, but those that have built an operational model resilient to legal pressure and able to reinvent themselves faster than law enforcement can respond. For Spanish businesses, the lesson is not to wait for the group to be stopped. It is to assume SaaS integrations, OAuth tokens and help-desk processes are the new priority attack surface, and act accordingly before appearing on the next extortion deadline.
Apolo Cybersecurity: protection against data extortion and SaaS integration auditing
At Apolo Cybersecurity we help organisations reduce their exposure to extortion groups like ShinyHunters: auditing SaaS integrations and OAuth tokens connected to critical systems, strengthening verification protocols in technical support teams, reviewing security configuration on platforms like Salesforce, designing response protocols for deadline-based extortion notices, and assessing sensitive data exposure in third-party integrations.
If your organisation uses SaaS integrations connected to systems with sensitive data and you have not audited OAuth permissions in the last quarter, the ShinyHunters pattern is the signal to do it now.