Wynn Resorts has admitted a breach of its employee data, but says that the attackers deleted it. Does it mean that ShinyHunters just got paid?

It has been five days since claims circulated that notorious hacking group ShinyHunters warned it had stolen 800,000 sensitive records from the US luxury casino empire Wynn Resorts.

Wynn Resorts operates some of the most recognizable high-end hotels and casinos in Las Vegas and Macau, generating approximately $1.87 billion in revenue.

Last week, the cyber gang issued what it calls a “final warning” on the dark web, giving the luxury resort giant until February 23rd before releasing the data to the public.

After our previous reporting, Wynn Resorts has contacted Cybernews, admitting the data breach.

“We have learned that an unauthorized third party acquired certain employee data,” the company’s spokesperson said in the statement.

“This incident has had no impact on our guest experience, our operations, or our physical properties, which are all fully operational and open for business,” the company added.

The company says it has launched an investigation and is offering complimentary credit monitoring and identity protection to all its employees.

But what happened with the “final warning?” Instead of releasing the data publicly, the gang has apparently deleted the Wynn Resorts entry from its website.

“The unauthorized third party has stated that the stolen data has been deleted. We are monitoring and to date have not seen any evidence that the data has been published or otherwise misused,” read the statement further, raising questions about the negotiations between attackers and the Wynn Resort.

ShinyHunters are frank on their leaksite: “When you pay us, your data is deleted, and you move on with your life. When you don’t pay us, you get posted here, among other things.”

Was that the case of Wynn Resorts? The company has declined to comment on the ransom.

Why paying ransom is a trap you can’t afford

When ransomware hits, the instinct to pay the attackers can feel immediate, especially if critical data is on the line. But experts warn that handing over cash rarely solves the problem. In some cases, it makes things worse.

And think about it. First of all, there is an absolute zero guarantee that paying will help and you get your data back. Studies show a significant portion of companies that pay either recover only part of their files or receive decryption keys that don’t work properly.

Even if a ransom is paid, attackers may still leak or sell sensitive data or launch additional attacks. This tactic is known as double or triple extortion.

Also, it is essential to see the big picture. Every ransom payment funds criminal operations, encouraging attackers to target other organizations or even hit the same victims again. They know your weak spot now! Research by Cybereason suggests that up to 80% of companies that pay are attacked a second time.

Solving the problem in the easiest way might also not be what the authorities expect from you. In many jurisdictions, paying sanctioned criminal groups is illegal and can result in heavy fines.

In the UK, since early 2026, the government has implemented a ban on public-sector and critical infrastructure organizations paying ransoms, while the ICO explicitly states that paying ransoms is not considered an "appropriate measure" to protect data and will not reduce penalties.

The FBI in the US also advises against paying, noting that it perpetuates crime without guaranteeing results.

There are some positive signs as well. Ransomware payments decreased in both frequency and amount in 2025. Reports show that the average payments dropped by up to 66%. This is sending a clear message to the cyberunderground that, probably, deploying ransomware is not going to be easy money after all.

What to do instead of paying the ransom?

Prevention and investing in cybersecurity are always the key steps to take. However, no one is bulletproof. If your organization has been listed on the ransomware gang’s leak site, instead of paying, you should consider taking these actions:

• Disconnect affected systems immediately and report the incident to law enforcement.
• Offline, and up-to-date backups! Remember, while “backups” might sound like a curse word, but they are essential when you need to restore your systems.
• Bring in incident response experts and do the investigation
• Check for free decryptors. Resources like the No More Ransom project offer free tools to unlock encrypted files safely.

---

Unlock more exclusive Cybernews content on YouTube.