Cato CTRL™ Threat Actor Profile: ShinyHunters – The Brand That Outlasts the Takedowns
Executive Summary
Despite three forum seizures, five administrator arrests across three operations, and the conviction of its founder, ShinyHunters remains active.
The real story of ShinyHunters in 2026 is not just persistence, but the evolution of a cybercrime brand that adapts faster than defenders and law enforcement can respond. The 2025–2026 tactics make this persistence especially dangerous. Organizations using Salesforce, Salesloft Drift, Gainsight, or similar third-party SaaS integrations are at risk. ShinyHunters can bypass MFA by exploiting help-desk vishing, malicious OAuth-connected apps, and stolen SaaS integration tokens.
The Playbook That Walks Past MFA
The most significant change is strategic. ShinyHunters no longer relies solely on obvious intrusion chains or basic phishing. Instead, it exploits trusted identity flows and business logic.
During the UNC6040 campaign, the attacker called the help desk, impersonated internal IT, and guided an employee through a “connectivity troubleshooting” process that resulted in approval of a malicious Salesforce connected app. Once approved, the attacker obtained an OAuth token with the user’s permissions. This method required no password spraying, exploit chains, or compromised MFA.
A related cluster, UNC6395, eliminated the social engineering step entirely. Instead of deceiving users, it used stolen OAuth tokens linked to trusted integrations such as Salesloft Drift. This approach provided access without malware, login prompts, or suspicious endpoint artifacts, relying solely on integrations already trusted by the environment.
For this reason, strengthening user MFA alone is insufficient. Defenders who focus only on password hygiene and phishing-resistant authentication may overlook vulnerabilities in connected applications.
Why ShinyHunters Keeps Surviving
ShinyHunters first built its name in 2020 through high-volume database brokerage. Since then, the ecosystem around it has been hit repeatedly: RaidForums was seized, BreachForums was seized twice, founder Sébastien Raoult was extradited and sentenced, and multiple high-profile admins were arrested in France in 2025.
However, the brand consistently reemerged within days or weeks.
This resilience is primarily organizational rather than technical. ShinyHunters has become a reusable identity capable of withstanding arrests, platform losses, and operator turnover. By 2025, this identity expanded through the Scattered LAPSUS$ Hunters (SLH) federation, combining the brand recognition of ShinyHunters, the social engineering expertise of Scattered Spider, and the aggressive tactics of LAPSUS$.
The implication is clear: dismantling infrastructure does not eliminate the brand, and arresting operators does not end the underlying tactics.
What Defenders Need to Fix First
The primary defensive goal is not to stop ShinyHunters as a single group, but to address the conditions that enable its tactics to succeed.
That means:
- Enforcing phishing-resistant MFA for privileged SaaS roles.
- Auditing and allow-listing OAuth-connected apps across Salesforce, Google Workspace, and Microsoft 365.
- Alerting on every new third-party authorization in real time.
- Running help-desk vishing simulations based on documented “connectivity troubleshooting” scenarios.
- Restricting sensitive API access by IP and monitoring bulk export behavior.
- Treating dark-web listings and SLH-linked extortion activity as incident triggers, not PR problems.
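As an added example (not code from the Cato CTRL report), the following Python sketches the detection side of the list above: it flags connected-app authorizations that are not allow-listed, API calls from outside approved networks, and per-user, per-app export volumes that cross a bulk threshold. The audit events, field names, allow-lists, networks, and threshold are all constructed assumptions for illustration, not a vendor's real schema.

```python
import ipaddress
import json
from collections import defaultdict

# Connected apps approved through change control (constructed allow-list).
APPROVED_APPS = {"Corporate SSO", "Salesloft Drift", "Gainsight"}
# Networks from which sensitive API access is permitted (constructed).
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Rows one (user, app) pair may export before it counts as bulk (constructed threshold).
BULK_ROW_THRESHOLD = 100_000

# Constructed, simplified audit events; field names are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    '{"type":"oauth_authorize","user":"alice@example.com","app":"Corporate SSO","ip":"203.0.113.10"}',
    '{"type":"oauth_authorize","user":"bob@example.com","app":"Connectivity Troubleshooter","ip":"198.51.100.7"}',
    '{"type":"api_query","user":"bob@example.com","app":"Connectivity Troubleshooter","ip":"198.51.100.7","rows":60000}',
    '{"type":"api_query","user":"bob@example.com","app":"Connectivity Troubleshooter","ip":"198.51.100.7","rows":75000}',
    '{"type":"api_query","user":"carol@example.com","app":"Gainsight","ip":"203.0.113.22","rows":500}',
]

def from_approved_network(ip):
    """True if the source address falls inside one of the approved networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in APPROVED_NETWORKS)

def analyze(events, approved_apps=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD):
    """Return alert dicts for each unapproved grant, each off-network API call,
    and each (user, app) pair whose summed exported rows exceed the threshold."""
    alerts = []
    exported = defaultdict(int)
    for line in events:
        ev = json.loads(line)
        if ev["type"] == "oauth_authorize" and ev["app"] not in approved_apps:
            # A grant to an app nobody approved is the UNC6040-style signal.
            alerts.append({"kind": "unapproved_connected_app", "user": ev["user"], "app": ev["app"], "ip": ev["ip"]})
        elif ev["type"] == "api_query":
            if not from_approved_network(ev["ip"]):
                alerts.append({"kind": "off_network_api_access", "user": ev["user"], "app": ev["app"], "ip": ev["ip"]})
            exported[(ev["user"], ev["app"])] += ev.get("rows", 0)
    for (user, app), rows in exported.items():
        if rows > threshold:
            alerts.append({"kind": "bulk_export", "user": user, "app": app, "rows": rows})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic would run over the SaaS platform's own audit export rather than embedded strings, with the allow-list sourced from change-control records.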
If the security model assumes that perimeter controls and MFA alone can prevent bulk data theft, the threat model needs to be revised.
Read the Full Report
The full Cato CTRL threat actor profile of ShinyHunters covers the six-year operational timeline, the merger with Scattered Spider and LAPSUS$, the UNC5537/UNC6040/UNC6395/UNC6661 cluster evolution, the law-enforcement timeline, the attribution problem, and the specific Monday-morning changes required for OAuth governance and help-desk defense.
Read the full report to learn how the ShinyHunters brand evolved and why its tactics remain effective in 2026.