Skip to main content

Operator dossier

shinyhunters is a ransomware operator currently active on public leak sites. Darkfield has indexed 139 public victims claimed by this operator between October 3, 2025 and July 15, 2026. Based on the limited publicly available information, shinyhunters appears to be a recently emerged ransomware group first observed in October 2025, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and potential affiliations remain unclear due to their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence firms, though their targeting pattern suggests a broad opportunistic approach rather than sector-specific specialization. The group has reportedly victimized approximately 77 organizations, with primary targeting focused on the United States, France, Japan, Germany, and Australia, showing particular interest in consumer services, technology, financial services, transportation and logistics, and education sectors. Given the group's very recent emergence in late 2025, there are no widely reported major campaigns or high-profile incidents documented by established security research organizations, and no known law enforcement actions have been publicly reported against this group. The current operational status of shinyhunters remains active based on available reporting, though comprehensive threat intelligence profiles from major security firms like Mandiant, CrowdStrike, or government agencies have not yet been published due to the group's recent appearance in the threat landscape.

Most-targeted sectors

Most-affected countries

Recent disclosures by shinyhunters

All 139 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for shinyhunters

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

shinyhunters

139 victims indexed · first seen 9 months ago · last activity 10 hours ago

139
Victims indexed
#61 of 364 tracked operators
9m
Active period
Oct 2025 → Jul 2026
10
Countries hit
top US · 53

At a glance

Status
active
First seen
9 months ago
Last activity
10 hours ago
Onion sites
2 known endpoints
Primary sector
Consumer Services · 18 hits

About

Based on the limited publicly available information, shinyhunters appears to be a recently emerged ransomware group first observed in October 2025, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and potential affiliations remain unclear due to their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence firms, though their targeting pattern suggests a broad opportunistic approach rather than sector-specific specialization. The group has reportedly victimized approximately 77 organizations, with primary targeting focused on the United States, France, Japan, Germany, and Australia, showing particular interest in consumer services, technology, financial services, transportation and logistics, and education sectors. Given the group's very recent emergence in late 2025, there are no widely reported major campaigns or high-profile incidents documented by established security research organizations, and no known law enforcement actions have been publicly reported against this group. The current operational status of shinyhunters remains active based on available reporting, though comprehensive threat intelligence profiles from major security firms like Mandiant, CrowdStrike, or government agencies have not yet been published due to the group's recent appearance in the threat landscape.

References

1 link

External sources curated by the MISP threat-intel community.

Timeline

4 months
2025-10-01T00:00:00+00:00 · 462026-01-01T00:00:00+00:00 · 82026-02-01T00:00:00+00:00 · 92026-03-01T00:00:00+00:00 · 14
2025-10-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States
53
🇫🇷 France
4
🇯🇵 Japan
3
🇩🇪 Germany
3
🇦🇺 Australia
3
🇳🇱 Netherlands
2
🇻🇳 Vietnam
2
🇲🇽 Mexico
1

Top sectors

Consumer Services
18
Technology
17
Financial Services
13
Transportation/Logistics
7
Education
5
Hospitality and Tourism
4
Business Services
2
Energy
2

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionCollectionExfiltrationImpact

Techniques

  • T1190Exploit Public-Facing Application
  • T1566Phishing
  • T1059Command and Scripting Interpreter
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known
  • http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion
  • http://toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion

Source

Updated 10 hours ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time shinyhunters posts a victim.

Add shinyhunters to your watchlist — Pro pings you within 5 minutes of any new shinyhunters leak-site post, Telegram callout, or affiliate-rebrand inference.