An ongoing data extortion campaign targeting Salesforce customers may soon turn its attention to financial services and technology service providers, as ShinyHunters and Scattered Spider appear to be working hand in hand, new findings show.
"This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group's previous credential theft and database exploitation," ReliaQuest said in a report shared with The Hacker News.
These include the use of adoption of tactics that mirror those of Scattered Spider, such as highly-targeted vishing (aka voice phishing) and social engineering attacks, leveraging apps that masquerade as legitimate tools, employing Okta-themed phishing pages to trick victims into entering credentials during vishing, and VPN obfuscation for data exfiltration.
ShinyHunters, which first emerged in 2020, is a financially motivated threat group that has orchestrated a series of data breaches targeting major corporations and monetizing them on cybercrime forums like RaidForums and BreachForums. Interestingly, the ShinyHunters persona has been a key participant in these platforms both as a contributor and administrator.
"The ShinyHunters persona partnered with Baphomet to relaunch the second instance of BreachForums (v2) in June 2023 and later launched the June 2025 instance (v4) alone," Sophos noted in a recent report. "The interim version (v3) abruptly disappeared in April 2025, and the cause is unclear."
While the relaunch of the forum was short-lived and the bulletin board went offline around June 9, the threat actor has since been linked to attacks targeting Salesforce instances globally, a cluster of extortion-related activity that Google is tracking under the moniker UNC6240.
Coinciding with these developments was the arrest of four individuals suspected of running BreachForums, including ShinyHunters, by French law enforcement authorities. However, the threat actor told DataBreaches.Net that "France rushed to make FALSE, INACCURATE arrests," raising the possibility that an "associate" member may have been caught.
And that's not all. On August 8, a new Telegram channel conflating ShinyHunters, Scattered Spider, and LAPSUS$ called "scattered lapsu$ hunters" emerged, with the channel members also claiming to be developing a ransomware-as-a-service solution called ShinySp1d3r that they said will rival LockBit and DragonForce. Three days later, the channel disappeared.
Both Scattered Spider and LAPSUS$ have ties to a broader, nebulous collective dubbed The Com, a notorious network of experienced English-speaking cybercriminals that's known to engage in a wide range of malicious activities, including SIM swapping, extortion, and physical crime.
ReliaQuest said it has identified a coordinated set of ticket-themed phishing domains and Salesforce credential harvesting pages that are likely created for similar campaigns targeting Salesforce that are aimed at high-profile companies across various industry verticals.
These domains, the company said, were registered using infrastructure typically associated with phishing kits commonly used to host single sign-on (SSO) login pages -- a hallmark of Scattered Spider's attacks impersonating Okta sign-in pages.
Furthermore, an analysis of over 700 domains registered in 2025 that matched Scattered Spider phishing patterns has revealed that domain registrations targeting financial companies have increased by 12% since July 2025, while targeting of technology firms has decreased by 5%, suggesting that banks, insurance companies and financial services could be next in line.
The tactical overlaps aside, that the two groups may be collaborating is borne out by the fact that they have targeted the same sectors (i.e., retail, insurance, and aviation) around the same time.
"Supporting this theory is evidence such as the appearance of a BreachForums' user with the alias 'Sp1d3rHunters,' who was linked to a past ShinyHunters breach, as well as overlapping domain registration patterns," researchers Kimberley Bromley and Ivan Righi said, adding the account was created in May 2024.
"If these connections are legitimate, they suggest that collaboration or overlap between ShinyHunters and Scattered Spider may have been ongoing for more than a year. The synchronized timing and similar targeting of these previous attacks strongly support the likelihood of coordinated efforts between the two groups."
