ShinyHunters expands leak operation, promises stolen data will remain online “until the end of time”

Despite years of arrests, seizures, and takedowns, the ShinyHunters extortion gang on Thursday expanded its "pay or leak" operation – rolling out new mirrors, torrent downloads, and promising to keep stolen files online “until the end of time.”
- ShinyHunters says it is expanding its leak operation with new mirrors, torrent downloads, and infrastructure upgrades.
- Researchers warn the group has evolved beyond traditional hacking campaigns by exploiting SaaS integrations, OAuth tokens, and help-desk social engineering.
- Despite arrests, forum seizures, and the conviction of its founder, the ShinyHunters brand continues to attract victims and reappear after takedowns.
Leak site gets major upgrade
ShinyHunters, in a fresh post on its leak site, announced it had completed new infrastructure upgrades to streamline access to leaked data for interested parties, adding multiple mirrors and plans to distribute files through torrents.
“To improve your downloading experience, we are currently deploying multiple data mirrors to ensure faster, more reliable download speeds,” the group said the day before.
The English-speaking hacker gang also said it would eventually offer torrent links for all hosted files in its possession “to provide a more robust distribution network.”
Now, when one clicks a download link in a victim entry, all mirror sites will use a queue system with a Proof of Work (PoW) feature, meaning that before someone can download the leaked data, their computer must solve a small computational puzzle.
By providing multiple mirrors – essentially copycat download servers that host the same leaked files – users can avoid slow download speeds during traffic spikes, which often occur when high-profile victims are first listed on the site.
The new mirrors will also likely prove useful for research and incident response teams whose job it is to comb through recently published data to better understand what the files contain.
Reminding its users not to use Tor to download stolen files because the browser is not built to handle very large file downloads, the group also assured users that none of its stores of leaked data were lost during the upgrade.
“No data has been lost as we keep several backups of everything that has been leaked on here since Day 1,” the post said.
“These files will remain publicly accessible with ease till the end of time,” it said.
Why ShinyHunters keeps coming back
The infrastructure expansion announcement coincides with new research published Thursday from Cato Networks, which says “the real story of ShinyHunters in 2026 is not just persistence, but the evolution of a cybercrime brand that adapts faster than defenders and law enforcement can respond.”
According to the report, ShinyHunters has evolved beyond a single hacking crew into a cybercrime brand capable of "surviving arrests, infrastructure seizures, and operator turnover."
Cato says that persistence is what makes the group so dangerous six years since it was first observed.
Researchers point to a slew of law enforcement takedowns that would have easily crippled other cybercriminal groups.
Even after multiple forum seizures (RaidForums, BreachForums), targeted honeypots, the conviction of alleged founder Sébastien Raoult in 2023, and the arrests of multiple high-profile admins in France last year, “the brand consistently reemerged within days or weeks,” the report explains.
A prime example is the 2025 expansion to form the Scattered LAPSUS$ Hunters (SLH) hacker trio, which Cato says combines the brand recognition of ShinyHunters, the social engineering expertise of Scattered Spider, and the aggressive tactics of LAPSUS$.
Researchers say ShinyHunters has evolved from a database-driven crew into a group specializing in business logic abuse.
Rather than relying solely on traditional phishing or intrusion methods, recent campaigns have exploited trusted SaaS integrations, OAuth-connected applications, and help-desk social engineering schemes to gain access to corporate environments.
ShinyHunters' victim list keeps growing
Active since 2019, ShinyHunters has been steamrolling through the names of hundreds of high-profile corporate victims since last September, most of them linked to a worldwide campaign exploiting more than 1.5 million records tied to misconfigured Salesforce instances.
The cybercriminals have also kept busy executing their most recent June hacking spree targeting a critical zero-day vulnerability in Oracle PeopleSoft software.
Big-name brands claimed by ShinyHunters this month alone include Kodak, JCPenney, Madison Square Garden, and Sysco – adding to hundreds of victims tied to the group’s broader campaigns.
Drift, Salesloft, Snowflake, and Okta are also among the cloud and SaaS platforms that have been exploited in recent years.
The notorious gang was also responsible for last month’s days-long breach of the global educational platform Canvas by Instructure, wreaking havoc across thousands of schools in the final weeks of the school year, from kindergarten to university.
Meanwhile, ShinyHunters listed Amazon One Medical on its dark leak site early Thursday, claiming 8.8TB of stolen data.
The notorious extortion group gave Amazon a final warning to make contact by June 22nd, stating “before we leak along with several annoying (digital) problems that'll come your way.”
Acquired by Amazon in 2023, One Medical is a hybrid healthcare provider offering both an extensive network of brick-and-mortar clinics and a 24/7 virtual care platform serving more than 880,000 patients.
The group did not reveal how the attackers allegedly gained access to One Medical's servers, and it’s unclear if any patient data was accessed.