After giving a 48-hour ultimatum, ShinyHunters, an infamous extortion gang, dumped millions of records tied to two Wall Street powerhouses onto the dark web. The leaked data includes contracts and clients’ personal data.
Last week, two heavyweight US investment advisory firms – Mercer Advisors and Beacon Pointe Advisors – received warnings that attackers had gained access to millions of records of their internal data. The attackers claimed they would expose the data if their demands were not met.
The threat came from a threat actor that’s not exactly a newbie in the cyber underground. ShinyHunters has built a reputation for high-impact data theft operations, and recent activity suggests the group is accelerating the scale of its attacks.
Just last week, the gang dropped data belonging to Canada Goose, a major luxury winter clothing maker. However, Cybernews researchers determined that the data was several years old.
As in most extortion cases, threats to release data are part of pressure tactics designed to force negotiations and muscle organizations into paying ransom. And also to get revenge on the company’s reputation by releasing the data publicly if the demands are not met.
The threats targeting elite US financial advisory firms have now been executed, as the extortion group dropped stolen data on a dark web site. The companies have previously not responded to Cybernews's inquiry about the alleged breach.
After the data was dumped, our journalists reached out to the affected companies for confirmation that the data originated in their systems. A response is yet to be received.
Based in Newport Beach, California, Beacon Pointe Advisors is the largest female-led independent registered investment advisor in the US. The company manages roughly $62 billion in client assets and employs more than 600 people.
In 2021, the firm drew backing from private equity titan Kohlberg Kravis Roberts & Co., a move that signaled Beacon Pointe had graduated to Wall Street’s big leagues. Last year, it landed at number seven on Barron's Top 100 RIA list.
Denver-based Mercer Advisors manages approximately $92 billion in assets and employs around 1,500 people. The firm topped Barron’s list in both 2024 and 2025.
What data was leaked?
The Cybernews research team has investigated the leaked dataset, which allegedly belongs to Mercer Advisory, and has discovered that it consists of Mercer’s clients' data, including:
- Full names
- Contact information
- Full or partial SSNs, addresses
- Emergency contact details
- Employee training documents
- Contracts between Mercer and its clients, Mercer clients and various investment companies, with PII of both the client and Mercer representatives
- Other legal documents
Attackers previously claimed that they have over 5 million records. The claims do not seem overly exaggerated, as the leaked dataset contains around 5.7 million records. However, the researchers point out that some clients’ records are duplicates.
In total, the dataset allegedly belonging to Mercer Advisory is 5GB in size. The leaked dataset attributed to Beacon Pointe Advisory is 60GB.
New data breach at Mercer Advisors, or old data resurfaced?
This is not the first time Mercer Advisor has experienced a data breach. The company disclosed a security incident tied to its April 30th, 2025, acquisition of Tufton Capital, affecting 661 individuals.
According to the notice submitted to the Maine Attorney General’s office, before Tufton’s systems were fully integrated, suspicious activity was detected within a segment of its network.
The investigation showed that the attackers had access to a part of the network between May 15th and May 16th, 2025.
It is currently unclear whether the newly alleged breach is connected to that earlier incident. Cybernews contacted the company for a comment on this matter. However, it is not uncommon for cybercriminals to resurface data from old breaches.
ShinyHunters has been attacking high-profile companies
In 2026, ShinyHunters reportedly ran an active voice phishing campaign to steal single sign-on (SSO) credentials for Okta, Microsoft, and Google accounts.
ShinyHunters was also attributed to a potential data breach at Waltio, a prominent French cryptocurrency tax filing platform, which the hackers controversially linked to kidnapping cases in France.
The gang has also claimed breaches at Bumble, Match Group, operating Hinge, Match, and OkCupid services, and Panera Bread. It also targeted the private company intelligence platform Crunchbase. According to the company, the threat actor exfiltrated “certain documents” from its corporate network.
The gang is associated with last year’s Salesforce CRM data heist that targeted enterprise cloud services and customer databases.
On June 25th, 2025, French authorities announced the arrest of four alleged members of ShinyHunters across multiple regions of France.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked