
ShinyHunters Cybercriminals Expand Cloud-Targeting Extortion Operations

ShinyHunters exploit cloud systems with voice phishing, stealing credentials to demand Bitcoin ransoms. Learn how to protect your data.
Content Team

The ShinyHunters threat group has ramped up sophisticated extortion attacks targeting cloud-based systems across multiple organizations. Google Cloud analysts discovered the criminals use voice phishing calls, pretending to be IT staff, to trick employees into visiting fake login websites that steal credentials and multi-factor authentication codes.

Once inside company systems, attackers access platforms like SharePoint, Salesforce, and Slack to steal confidential documents. They specifically search for files containing terms like "confidential" and "internal." The group then demands Bitcoin payments within 72 hours, providing stolen data samples as proof.
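For defenders, the keyword searches described above are a detectable signal: one account issuing several "confidential"/"internal" searches across more than one platform in a short time. The following is an added example, not from the source report; the event schema, thresholds, and sample events are constructed assumptions to be replaced with your own normalized SaaS audit logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Search terms quoted in the article; whole-word match, case-insensitive.
TERMS = re.compile(r"\b(?:confidential|internal)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=30)  # assumed burst window
MIN_HITS = 3                    # assumed: sensitive-term searches per window
MIN_PLATFORMS = 2               # assumed: distinct platforms per window

# Constructed events in a hypothetical normalized schema:
# (ISO timestamp, user, platform, search query)
SAMPLE_EVENTS = [
    ("2026-01-12T09:00:00", "alice", "sharepoint", "Q3 roadmap"),
    ("2026-01-12T09:05:00", "alice", "sharepoint", "internal wiki onboarding"),
    ("2026-01-12T14:00:00", "alice", "slack", "Windows internals book"),
    ("2026-01-12T11:02:00", "bob", "sharepoint", "confidential"),
    ("2026-01-12T11:04:00", "bob", "salesforce", "Internal pricing"),
    ("2026-01-12T11:07:00", "bob", "slack", "confidential contract"),
    ("2026-01-12T11:09:00", "bob", "sharepoint", "internal only"),
    ("2026-01-12T08:00:00", "carol", "sharepoint", "confidential"),
    ("2026-01-12T11:00:00", "carol", "slack", "internal memo"),
    ("2026-01-12T15:00:00", "carol", "salesforce", "internal audit"),
]

def flag_keyword_sweeps(events, window=WINDOW, min_hits=MIN_HITS,
                        min_platforms=MIN_PLATFORMS):
    """Return {user: (hits, platforms)} for the largest qualifying burst per user."""
    hits = defaultdict(list)
    for ts, user, platform, query in events:
        if TERMS.search(query):
            hits[user].append((datetime.fromisoformat(ts), platform))
    flagged = {}
    for user, rows in hits.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until the span fits in `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            platforms = sorted({p for _, p in span})
            if len(span) >= min_hits and len(platforms) >= min_platforms:
                if user not in flagged or len(span) > flagged[user][0]:
                    flagged[user] = (len(span), platforms)
    return flagged

if __name__ == "__main__":
    for user, (count, platforms) in flag_keyword_sweeps(SAMPLE_EVENTS).items():
        print(f"{user}: {count} sensitive-term searches across {platforms}")
```

In the constructed data only `bob` is flagged; `alice` has a single matching search and `carol`'s matches are hours apart, so neither reaches the burst threshold.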

Google tracks this activity under three threat clusters: UNC6661, UNC6671, and UNC6240. Security experts recommend phishing-resistant authentication like FIDO2 security keys to prevent these social engineering attacks.

Source: Cybersecurity News
