
Multiple French news outlets are reporting that four men in their 20s, alleged to be members of the ShinyHunters hacking group, have been arrested. Their real names have not been released publicly, but their online monikers were “ShinyHunters,” “Noct,” “Depressed,” and “Hollow.”
French law enforcement has not issued any official statement confirming any arrests or providing any details, but news outlets, citing unnamed police sources, report that arrests were made in three areas of France: Hauts-de-Seine, Seine-Maritime, and Réunion (a French island in the Indian Ocean). They also report that a fifth person known as “IntelBroker” was previously arrested in February.
ShinyHunters has been engaged in cybercrime since 2020. The name “ShinyHunters” has been used to refer to the group, but also to the individual founder and head of the group, who controlled the Jabber and Telegram accounts and was the owner of the second version of BreachForums. When ShinyHunters claimed to “retire,” they turned over ownership of the forum to IntelBroker, who seemed to be mainly an owner in name only. He, too, eventually announced his “retirement.” It is not clear whether he has been charged with being involved in any of the group’s hacking activities, or whether he was arrested for his role as a forum moderator and owner or for his own hacking activities, which targeted some high-profile entities.
Wikipedia provides a listing of many of the group’s victims and activities.
Although ShinyHunters victimized a number of U.S. entities, French law prohibits the extradition of any French national. It is not known if that will protect any of the group’s members from being extradited to the U.S. to stand trial, as their real names and nationalities have not been disclosed.
Some of the group’s most recent activities include the Tiffany and Dior breaches as well as possible involvement in extorting PowerSchool and PowerSchool clients. Google Threat Intelligence also published a recent analysis linking the group tracked as UNC6040, which uses vishing attacks, to ShinyHunters during UNC6040’s extortion attempts and attacks involving Salesforce.