Cyber Counterintelligence (CCI): When 'Shiny Objects' trick 'Shiny Hunters'
by madkillahs - Monday January 12, 2026 at 12:28 AM
#1
It is worth noting that "Shiny Hunters" (tricked by our team with a honeytrap), or more accurately, their rebranded version involving new members, which calls itself "Scattered Lapsus$ Hunters" (SLH) or "Scattered Lapsus$ Shiny Hunters (SLSH)," is linked to 'The Com' (short for 'The Community'), a predominantly English-speaking cybercriminal ecosystem. In the context of this threat research publication, Resecurity is using the name "Shiny Hunters" as a collaborative alias to illustrate the phenomenon of involving young IT professionals in questionable acts, but more importantly, to prevent others from doing the same.

In fact, the naming of such groups is changing very frequently and intentionally, typically by the actors themselves, who wish to obscure attribution. They use different spellings, sometimes attach themselves to specific group names and detach later, which should not be taken into consideration, as some of them serve as "role players." It is important to note that members present in some online chats, channels and groups associated with these collectives should not necessarily be attributed to them.

This loosely organized network operates more like a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teenagers. Some announcements of successful data breaches by these actors were published on the associated Telegram channel, "The Comm Leaks," along with many other posts that were created, later deleted, and re-created again under new names. The FBI issued a Public Service Announcement (PSA) last year warning about the risks associated with joining such movements.

In November 2024, Canadian police arrested Moucka on charges tied to the theft of terabytes of data from clients of the cloud-based data warehousing platform Snowflake. The Snowflake data breach refers to a large-scale cybersecurity incident involving unauthorized access to customer cloud environments. The breach affected numerous high-profile clients and has been regarded as one of the most significant data security incidents of the decade.

At least 160 organizations were reportedly targeted through vulnerabilities in the configuration and access to their Snowflake environments. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. The breach resulted in the theft of a wide range of sensitive data, such as:

- Personally Identifiable Information (PII)
- Medical prescriber DEA numbers
- Digital event tickets
- Over 50 billion call records from AT&T

Security investigations revealed that the attackers accessed customer environments by exploiting stolen credentials obtained via infostealer malware. These credentials, which lacked multi-factor authentication (MFA) in many cases, allowed attackers to log in directly to Snowflake customer instances using only a username and password. Based on that pattern, Resecurity has designed a method to trick attackers into deliberately creating honeytraps, enabling us to log actionable network intelligence.

Read more on source: https://www.resecurity.com/blog/article/...ny-hunters
#2
I didn't know this website; it's interesting

#3
Didn't know about this website, interesting blogs

#4
very very shady business they will all get caught at some point hmmm