ShinyHunters Claims Second Leader Arrested as Group's X Account Suspended

ShinyHunters, one of the most prolific data breach and extortion groups of the past five years, has posted a message to their official Telegram channel claiming that a "second leader has been arrested."

The brief update also confirmed that the group's X (formerly Twitter) account has been suspended and cannot be recovered.

No additional details were provided regarding the identity of the arrested individual, the jurisdiction involved, or the circumstances of the arrest.

Background

ShinyHunters first emerged in 2020 and quickly became one of the most active data breach actors in the cybercriminal ecosystem. The group is responsible for breaching dozens of major organizations, including Ticketmaster, AT&T, Microsoft, Tokopedia, Wishbone, and Mashable — collectively exposing hundreds of millions of user records.

In July 2024, French authorities arrested Sebastien Raoult, a 22-year-old French national extradited from Morocco, who pleaded guilty to charges related to ShinyHunters operations. Raoult was sentenced to three years in federal prison and ordered to pay over $5 million in restitution.

If confirmed, today's claim of a second leadership arrest would mark another significant blow to the group's operational capability.

Implications

The combination of leadership arrests and platform deplatforming suggests mounting pressure on ShinyHunters' ability to operate openly. However, the group has historically demonstrated resilience — pivoting between communication channels, marketplaces, and operational models.

Organizations previously targeted by ShinyHunters or operating in sectors the group has historically focused on — SaaS platforms, technology companies, gaming, and e-commerce — should remain vigilant for potential retaliatory leaks or opportunistic attacks by remaining group members.
