Operator dossier

shinyhunters is a ransomware operator currently active on public leak sites. Darkfield has indexed 108 public victims claimed by this operator between October 3, 2025 and May 12, 2026. Based on the limited publicly available information, shinyhunters appears to be a recently emerged ransomware group first observed in October 2025, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and potential affiliations remain unclear due to their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence firms, though their targeting pattern suggests a broad opportunistic approach rather than sector-specific specialization. The group has reportedly victimized approximately 77 organizations, with primary targeting focused on the United States, France, Japan, Germany, and Australia, showing particular interest in consumer services, technology, financial services, transportation and logistics, and education sectors. Given the group's very recent emergence in late 2025, there are no widely reported major campaigns or high-profile incidents documented by established security research organizations, and no known law enforcement actions have been publicly reported against this group. The current operational status of shinyhunters remains active based on available reporting, though comprehensive threat intelligence profiles from major security firms like Mandiant, CrowdStrike, or government agencies have not yet been published due to the group's recent appearance in the threat landscape.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

shinyhunters

108 victims indexed · first seen 8 months ago · last activity 8 days ago

108

Victims indexed

#70 of 348 tracked operators

Active period

Oct 2025 → May 2026

Countries hit

top US · 53

At a glance

Status: active
First seen: 8 months ago
Last activity: 8 days ago
Onion sites: 2 known endpoints
Primary sector: Consumer Services · 18 hits

About

Based on the limited publicly available information, shinyhunters appears to be a recently emerged ransomware group first observed in October 2025, primarily motivated by financial gain through extortion activities targeting organizations across multiple sectors. The group's origin and potential affiliations remain unclear due to their recent emergence, and there is insufficient public documentation to determine whether they operate as a Ransomware-as-a-Service model or as an independent entity. Their attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence firms, though their targeting pattern suggests a broad opportunistic approach rather than sector-specific specialization. The group has reportedly victimized approximately 77 organizations, with primary targeting focused on the United States, France, Japan, Germany, and Australia, showing particular interest in consumer services, technology, financial services, transportation and logistics, and education sectors. Given the group's very recent emergence in late 2025, there are no widely reported major campaigns or high-profile incidents documented by established security research organizations, and no known law enforcement actions have been publicly reported against this group. The current operational status of shinyhunters remains active based on available reporting, though comprehensive threat intelligence profiles from major security firms like Mandiant, CrowdStrike, or government agencies have not yet been published due to the group's recent appearance in the threat landscape.

References

1 link

External sources curated by the MISP threat-intel community.

ransomlook.io/group/shinyhunters

Timeline

4 months

2025-10-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 US

🇫🇷 FR

🇯🇵 JP

🇩🇪 DE

🇦🇺 AU

🇳🇱 NL

🇻🇳 VN

🇲🇽 MX

US dossier →FR dossier →JP dossier →DE dossier →

Top sectors

Consumer Services

Technology

Financial Services

Transportation/Logistics

Education

Hospitality and Tourism

Not Found

Business Services

Consumer Services dossier →Technology dossier →Financial Services dossier →Transportation/Logistics dossier →

MITRE ATT&CK

6 techniques · 5 tactics

Tactics

Initial AccessExecutionCollectionExfiltrationImpact

Techniques

T1190Exploit Public-Facing Application
T1566Phishing
T1059Command and Scripting Interpreter
T1005Data from Local System
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

2 known

http://shnyhntww34phqoa6dcgnvps2yu7dlwzmy5lkvejwjdo6z7bmgshzayd.onion
http://toolatedhs5dtr2pv6h5kdraneak5gs3sxrecqhoufc5e45edior7mqd.onion

Source

Updated 8 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.