Who or what is ShinyHunters, the hacking group of Odido?
Published by
WINMAG Pro Editorial Team
Wed, 29 April 2026, 19:35

First, the current state of affairs: ShinyHunters has claimed the attack on Odido and demanded ransom. Odido refused to pay, after which the group made the first batch public. Before that, we were already certain that the group was behind the attack, as they had approached multiple media outlets with evidence. ShinyHunters is known for this modus operandi.

Who or what is ShinyHunters?

ShinyHunters emerged around 2020 in the cybercriminal circuit and quickly became known for the large-scale offering of stolen databases. No, Odido is not the first; the group gained notoriety by hijacking around 200 million accounts from 13 companies.

ShinyHunters stood out due to this series of high-volume data breaches and the sale of personal data. The group is known for its leak-and-extortion method and has now managed to make a gigantic haul in the Netherlands.

How does ShinyHunters typically operate?

Where classic ransomware groups take down systems with encryption, ShinyHunters operates differently. The group generally follows this pattern:
 

  1. Exfiltration (data theft)
  2. Extortion ("pay or we publish")
  3. Publication / sale as leverage and business model

You can see this pattern reflected in the case of Odido; now that the telecom company does not want to pay, the data is slowly but surely being published.

ShinyHunters and the Odido haul

It is therefore predictable what will happen next. The intentions of ShinyHunters can be described in three parts:

1. Collecting ransom

This is logical. ShinyHunters has demanded ransom, and this is how they profit from the leak. Odido has now stated that they will not pay, causing ShinyHunters to immediately move on to the next target.

2. (Re)sale in the criminal circuit

ShinyHunters is not known for conducting phishing attacks themselves. What the group does is sell the data, thereby giving (other) criminals the opportunity to commit fraud. The stolen data is immediately usable for many things:
 

  • targeted phishing and helpdesk fraud
  • account takeover (especially if data can be combined with other leaks)
  • identity theft

The addresses, bank accounts, and identity documents that come with the haul are certainly very useful for the latter point.

3. Reputation building

ShinyHunters also puts itself directly in the spotlight, especially by first leaking only a portion of the data. This helps the group build its reputation, both among other criminals and with us, the public. The 'better' that reputation is, the greater the chance that:
 

  • the victim will still pay
  • other victims will succumb more quickly in the future
  • buyers (criminals) will have trust in the "supplier"

Defending against ShinyHunters

If you are an IT professional, you may now be sitting on the edge of your seat. The difference from other ransomware attacks also means a different defense approach. You need to combat not only ransomware encryption but especially data exfiltration and publication pressure:
 

  • DLP/egress monitoring (large exports, unusual data flows)
  • strong IAM and minimal rights on data environments
  • detection of bulk queries and mass exports
  • incident response ready for "leak extortion": legal/comms + technical containment
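As an illustration of the "detection of bulk queries and mass exports" point, here is an added example (not from the original article) that flags hours in which an account pulls far more rows than its own baseline. The event schema, account names, thresholds and sample records are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed audit events (hypothetical schema): (timestamp, user, table, rows returned)
SAMPLE = [
    ("2026-04-01T09:05:00", "cs-agent-17", "customers", 40),
    ("2026-04-01T10:12:00", "cs-agent-17", "customers", 55),
    ("2026-04-01T11:30:00", "cs-agent-17", "customers", 38),
    ("2026-04-01T23:02:00", "cs-agent-17", "customers", 80000),
    ("2026-04-01T23:20:00", "cs-agent-17", "customers", 90000),
    ("2026-04-01T09:00:00", "svc-billing", "invoices", 60000),
    ("2026-04-01T10:00:00", "svc-billing", "invoices", 61000),
    ("2026-04-01T11:00:00", "svc-billing", "invoices", 59500),
    ("2026-04-01T22:45:00", "tmp-contractor", "customers", 120000),
]

def hourly_rows(events):
    """Sum rows returned per (user, hour) bucket."""
    totals = defaultdict(int)
    for ts, user, _table, rows in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        totals[(user, hour)] += rows
    return totals

def find_bulk_exports(events, factor=10, floor=50_000, min_history=3):
    """Flag hours whose row volume is >= floor and far above the user's own median.

    Accounts with fewer than min_history hourly buckets have no usable baseline,
    so for them the absolute floor alone triggers an alert.
    """
    per_user = defaultdict(list)
    for (user, hour), rows in hourly_rows(events).items():
        per_user[user].append((hour, rows))
    alerts = []
    for user, buckets in per_user.items():
        baseline = median(rows for _, rows in buckets)
        no_history = len(buckets) < min_history
        for hour, rows in sorted(buckets):
            if rows >= floor and (no_history or rows > factor * baseline):
                alerts.append((user, hour.isoformat(), rows))
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_exports(SAMPLE):
        print(alert)
```

The regular batch job (`svc-billing`) stays quiet because its volume matches its own baseline, while the late-night spike and the account with no history are both reported.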

ShinyHunters is a well-known name in the data theft ecosystem and uses stolen data as a bargaining chip: pay, or we publish/sell. In the case of Odido, you can see that pattern: after the decision not to pay, a first batch of data appeared on the dark web. The aftermath is clearly felt. For organizations, the lesson is clear: those who protect data must invest just as much in detecting and limiting exfiltration as in classic anti-ransomware measures.
