
Chief Executive Officer
Published: February 12, 2026

ShinyHunters is a financially motivated data-extortion group that attacks people and identity, not software flaws.
Its playbook: vishing, real-time phishing kits, MFA bombing, then lateral movement across SSO-linked SaaS apps.
Netarx closes the gap with continuous blockchain-anchored identity, 75+ live signals, and real-time deepfake voice and video detection.
ShinyHunters is a financially motivated cybercriminal and data-extortion group that has been active since around 2020. According to the U.S. Department of Justice, members hacked into the protected computers of corporate entities, stole confidential customer and corporate records, and advertised the stolen data for sale on dark web forums, sometimes threatening to leak or sell the files unless the victim paid a ransom. Federal prosecutors have linked the group to data taken from more than 60 companies across technology, finance, retail, and other sectors.
More recently, the FBI’s Internet Crime Complaint Center (IC3) has warned that ShinyHunters-linked activity has shifted toward identity-based intrusions into cloud and SaaS platforms, using voice phishing to impersonate IT support and gain access to enterprise applications. This pivot, from exploiting software flaws to exploiting people and identity, is what makes the campaign so difficult for traditional, perimeter-based defenses to stop, and it is the focus of this article.
The ShinyHunters data extortion campaign exemplifies a fundamental evolution in cyberattack methodology, exploiting SaaS platforms through identity compromise, advanced social engineering, and bypass of traditional controls. As credential-driven threats intensify, organizations need robust, active defenses that move beyond static or piecemeal solutions. Netarx offers an integrated platform that addresses the root causes of modern identity attacks with industry-leading persistence, coverage, and accuracy.
The ShinyHunters campaign is a prime illustration of how determined attackers systematically undermine SaaS security—and why traditional methods fall short. Their approach is not based on exploiting technical software flaws, but rather on manipulating the human element and abusing identity access to infiltrate organizations at scale.
Vishing and Social Engineering
ShinyHunters initiate their infiltration with vishing (voice phishing) attacks that rely on psychological manipulation. Attackers contact employees while posing as internal IT or Help Desk staff. They employ urgency and authority, claiming to need to "update MFA settings" or resolve "SSO issues," prompting the target to reveal sensitive login information or take risky actions. This human-centric tactic preys on trust and compliance, often circumventing users’ natural skepticism and established security training, especially under stress.
Real-Time Phishing Kits and Credential Harvesting
Once engaged, victims are directed to look-alike login portals crafted by ShinyHunters. These phishing kits are sophisticated, using URLs nearly identical to legitimate internal portals (e.g., sso-company-internal.com). The key innovation is real-time harvesting: as the target enters credentials or authenticates, the kit captures login details and session tokens instantly.
This enables attackers to access enterprise applications as if they were the legitimate user, bypassing many perimeter-based defenses.
MFA Bypass through MFA Bombing and Session Hijacking
ShinyHunters overcome legacy Multi-Factor Authentication (MFA) methods using several techniques:
MFA Bombing
Attackers trigger repeated MFA requests, bombarding users with notifications until they relent and approve a fraudulent login.
Session Token Theft
By capturing session tokens during the real-time login, the attackers sidestep secondary authentication without user awareness.
Both methods illustrate why static MFA, especially push-based, can be insufficient when users themselves are under active manipulation and adversaries operate in real time.
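Both techniques leave a trace in identity-provider logs that a defender can alert on. The following is an added example, not code from the original post or from Netarx: it runs two small detectors over constructed sign-in events whose field names (ts, user, kind, ip, sid) are assumptions. MFA bombing shows up as a burst of push prompts ending in an approval; a harvested session token shows up as one session id used from two different source addresses.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider events (not real logs). Field names are
# assumptions: ts (ISO 8601), user, kind, ip, and sid for session_use events.
EVENTS = [
    {"ts": "2026-02-12T09:00:00", "user": "alice", "kind": "push_sent", "ip": "203.0.113.7"},
    {"ts": "2026-02-12T09:00:20", "user": "alice", "kind": "push_sent", "ip": "203.0.113.7"},
    {"ts": "2026-02-12T09:00:45", "user": "alice", "kind": "push_sent", "ip": "203.0.113.7"},
    {"ts": "2026-02-12T09:01:10", "user": "alice", "kind": "push_sent", "ip": "203.0.113.7"},
    {"ts": "2026-02-12T09:01:30", "user": "alice", "kind": "push_approved", "ip": "203.0.113.7"},
    {"ts": "2026-02-12T09:02:00", "user": "alice", "kind": "session_use", "ip": "203.0.113.7", "sid": "s1"},
    {"ts": "2026-02-12T09:03:00", "user": "alice", "kind": "session_use", "ip": "198.51.100.9", "sid": "s1"},
    {"ts": "2026-02-12T09:03:00", "user": "bob", "kind": "push_sent", "ip": "192.0.2.4"},
    {"ts": "2026-02-12T09:03:30", "user": "bob", "kind": "push_approved", "ip": "192.0.2.4"},
    {"ts": "2026-02-12T09:04:00", "user": "bob", "kind": "session_use", "ip": "192.0.2.4", "sid": "s2"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def push_fatigue(events, threshold=3, window=timedelta(minutes=2)):
    """Users who approved a push after at least `threshold` prompts within the
    preceding `window`. Repeated prompts ending in an approval is the
    MFA-bombing signature; the approval is where a step-up or block belongs."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["kind"] != "push_approved":
                continue
            recent = [p for p in evs[:i]
                      if p["kind"] == "push_sent" and _ts(e) - _ts(p) <= window]
            if len(recent) >= threshold:
                hits[user] = len(recent)
    return hits

def session_ip_drift(events):
    """Session ids used from more than one source IP: a token captured at
    login and replayed from elsewhere while the real user keeps working
    from their own address."""
    ips = defaultdict(set)
    for e in events:
        if e["kind"] == "session_use":
            ips[e["sid"]].add(e["ip"])
    return {sid: sorted(s) for sid, s in ips.items() if len(s) > 1}
```

On the sample, alice is flagged for four prompts before approval and session s1 for use from two addresses, while bob's single prompt and single-address session stay quiet.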
Lateral Movement Across SaaS Environments
With valid credentials and tokens, ShinyHunters move laterally inside Single Sign-On (SSO) environments such as Okta or Microsoft Entra. They leverage this access to enter a wide array of interconnected SaaS applications—collaboration tools (Slack), storage (Google Drive), CRM (Salesforce), and more.
This lateral movement allows for discreet collection of personally identifiable information (PII), intellectual property, and internal documents, greatly increasing the blast radius of any compromise. The campaign’s impact is not limited to customer data; it encompasses strategic plans, legal documents, and private employee data—raising compliance, operational, and reputational stakes.
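The fan-out described above is itself detectable: a legitimate user drifts into one unfamiliar application now and then, whereas a replayed SSO token sweeping the app catalogue for data opens several within minutes. The following is an added example, not code from the original post or from Netarx, run over constructed SSO access records; the field names (user, sid, app, ts) and the baseline of "usual" apps are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSO app-access records (not real logs). Field names are
# assumptions: user, sid (SSO session id), app, ts (ISO 8601).
BASELINE = [  # apps each user normally opens, e.g. from 30 days of history
    {"user": "alice", "app": "slack"}, {"user": "alice", "app": "gdrive"},
    {"user": "bob", "app": "slack"}, {"user": "bob", "app": "salesforce"},
]
TODAY = [
    {"user": "alice", "sid": "s1", "app": "slack", "ts": "2026-02-12T09:02:00"},
    {"user": "alice", "sid": "s1", "app": "gdrive", "ts": "2026-02-12T09:03:00"},
    {"user": "alice", "sid": "s1", "app": "salesforce", "ts": "2026-02-12T09:03:30"},
    {"user": "alice", "sid": "s1", "app": "hr-portal", "ts": "2026-02-12T09:04:00"},
    {"user": "alice", "sid": "s1", "app": "legal-dms", "ts": "2026-02-12T09:04:20"},
    {"user": "bob", "sid": "s2", "app": "salesforce", "ts": "2026-02-12T09:10:00"},
]

def fan_out_alerts(baseline, today, window=timedelta(minutes=5), max_new_apps=1):
    """Sessions that open more than `max_new_apps` applications the user has
    never used before, within `window` of the session's first access."""
    usual = defaultdict(set)
    for r in baseline:
        usual[r["user"]].add(r["app"])
    per_session = defaultdict(list)
    for r in sorted(today, key=lambda r: r["ts"]):
        per_session[r["sid"]].append(r)
    alerts = {}
    for sid, rows in per_session.items():
        user = rows[0]["user"]
        first = datetime.fromisoformat(rows[0]["ts"])
        new = {r["app"] for r in rows
               if r["app"] not in usual[user]
               and datetime.fromisoformat(r["ts"]) - first <= window}
        if len(new) > max_new_apps:
            alerts[sid] = (user, sorted(new))
    return alerts
```

Session s1 is flagged because alice reaches three applications outside her baseline within five minutes; bob's session stays within his usual set and produces nothing.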
These advanced tactics create several profound risks:
Internal Exposure: Loss of confidential company documents and strategic information.
Legal & Regulatory Fallout: Lawsuits and regulatory penalties, particularly for companies with prior breaches.
Reputational Damage: Erosion of customer trust, intensified for brands handling sensitive personal interactions (e.g., dating platforms or consumer-facing services).
Crucially, these attacks thrive in environments where identity verification is a one-time event, where user sessions are not continuously validated, and where SaaS integrations form gaps between security controls.
Unlike legacy products or point solutions, Netarx’s security architecture establishes continuous, immutable user validation across all SaaS environments. The platform’s distinguishing capabilities directly mitigate each tactic employed by ShinyHunters:
Every Netarx user session and activity is anchored by a tamper-proof, blockchain-encrypted digital signature. This persistent identity record cryptographically verifies every interaction, making impersonation, session hijacking, and identity replay impossible—not just at login, but throughout each session across all channels. This closes the window exploited by attackers who rely on single-point-in-time validation.
Netarx continuously ingests and analyzes over 75 metadata streams—including device, behavioral, network, and historical patterns—using adaptive machine learning. AI-driven consensus models identify inconsistencies, session anomalies, or deviations in user behavior, exposing even the most sophisticated social engineering and credential abuse that evade static detection.
Behavioral Profiling: Real-time aggregation and scoring of user actions create an up-to-the-moment “Social Profile Signal” validated against an immutable identity.
Proactive Anomaly Detection: Continuous validation catches mid-session takeovers, abnormal SaaS app usage, and lateral movement, instantly alerting security teams before attackers can escalate or exfiltrate data.
Netarx incorporates best-in-class AI algorithms with its own proprietary models to identify synthetic voice, video, and digital content during collaboration sessions, correlating detected anomalies directly to blockchain-authenticated users and contextual metadata. This ensures deepfakes and fraudulent interactions are decisively flagged and stopped across any SaaS medium, thwarting the weaponization of voice and video used in vishing and deepfake-driven social engineering.
Deployment is streamlined—Netarx instantly enforces unified security across all collaboration and messaging platforms without cumbersome API integrations or custom engineering. This cross-channel persistence eliminates the patchwork gaps and operational complexity of siloed approaches, thwarting the multi-vector tactics exploited by groups like ShinyHunters.
Adopting Netarx delivers quantifiable security and business value:
Unforgeable Identity at Every Interaction: Only blockchain-authenticated, continuously-verified users gain or retain SaaS access, neutralizing identity replay and session hijacking.
Persistent Threat Detection: Multi-model AI monitors and halts impersonation, lateral movement, social engineering, and deepfake attempts as they occur, not after damage is done.
No Integration Gaps: Enterprise-wide, cross-channel coverage eliminates blind spots exploited in hybrid social engineering and synthetic media attacks.
Frictionless User Experience: Visual policy indicators empower users to verify interactions in real time, transforming the human layer into an active component of defense.
The ShinyHunters campaign demonstrates that modern threats target the seams between tools, people, and processes. The era of piecemeal, reactive controls is over. Successful extortion campaigns like ShinyHunters demand a platform that delivers continuous, cross-channel validation, with machine intelligence and immutable cryptography at its core. Netarx is the only solution that unifies blockchain-backed identity, metadata-rich behavioral analytics, and AI-driven media detection, ensuring not only compliance and operational resilience, but true digital trust at cloud scale.
Strengthen your defenses, enforce compliance, and secure your organization’s future. Choose Netarx for uncompromising protection against the next generation of SaaS and identity threats.
SOURCES & REFERENCES
Alleged French Cybercriminal to Appear in Seattle on Indictment, U.S. Department of Justice, Western District of Washington (January 26, 2023). Federal indictment of a member of the “ShinyHunters Group” for hacking 60+ companies through fake login pages. Available at: https://www.justice.gov/usao-wdwa/pr/alleged-french-cybercriminal-appear-seattle-indictment-conspiracy-computer-intrusion
Member of Notorious International Hacking Crew Sentenced to Prison, U.S. Department of Justice, Western District of Washington (January 9, 2024). ShinyHunters member Sebastien Raoult sentenced to three years in prison and over $5 million in restitution. Available at: https://www.justice.gov/usao-wdwa/pr/member-notorious-international-hacking-crew-sentenced-prison
Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion (FLASH), FBI Internet Crime Complaint Center / IC3 (September 12, 2025). Vishing-based SaaS intrusions with extortion emails from the ShinyHunters group. Available at: https://www.ic3.gov/CSA/2025/250912.pdf
ShinyHunters: Cyber Criminal Group Attacks Learning Management System (PSA I-051526-PSA), FBI Internet Crime Complaint Center / IC3 (May 15, 2026). Warns of ShinyHunters breach and extortion tactics, with guidance for affected individuals. Available at: https://www.ic3.gov/PSA/2026/PSA260515

CEO/Founder of Netarx LLC, Real-time detection of deepfake and social engineering threats via enterprise video, voice and email. Managing Partner of Koach Capital, a Private Equity firm managing a multitude of commercial real estate (CRE) funds whose focus is retail sale-leasebacks. Sandy's entrepreneurial success began by founding a network integration and services provider that served large enterprises. That company focused on advanced technologies including Business Intelligence (BI), Network & Information Security, Virtualization, Storage Area Networks, Unified Communications and Data Center Services. In 2009, Netarx acquired the VAR business of Analysts International (including Sequoia and Entree Systems). In 2011 Netarx was acquired by Logicalis (a division of Datatec, LSE symbol: DTC), and Sandy stayed on as its Chief Technology Officer. He continued to build by founding Verge.io (formerly Yottabyte) and Service.com. Sandy also served as a General Partner of Ludlow Ventures, a venture capital fund focusing on investments in early-stage tech companies. Sandy contributes to the community via lectures, publications and developing new technologies; he currently holds 8 patents.