Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site.
News of the Red Hat data breach broke last week when a hacking group known as the Crimson Collective claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories.
This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer’s network, infrastructure, and platforms.
The threat actors claimed to have attempted to extort Red Hat into paying a ransom to prevent the public disclosure of the data, but received no response.
Red Hat later confirmed to BleepingComputer that the breach affected its GitLab instance, which was used solely for Red Hat Consulting on consulting engagements.
Soon after the breach was disclosed, threat actors known as Scattered Lapsus$ Hunters sought to make contact with Crimson Collective.
Yesterday, Crimson Collective announced that it had partnered with Scattered Lapsus$ Hunters to utilize the newly launched ShinyHunters data leak site to continue their extortion attempts against Red Hat.
“On the 4th April 1949 was created the so large known as NATO, however what if at the moment’s new alliance was greater than that ? However for a better objective, ruining companies thoughts,” reads a post to the hacking group’s Telegram channel.
“What if, Crimson’s shininess extends even additional away ?”

Source: BleepingComputer
“Relating to the present announcement concerning us, we’re going to collaborate with ShinyHunter’s for the long run assaults and releases,” the Crimson Collective threat actors told BleepingComputer.
In coordination with the announcement, a Red Hat entry has now appeared on a new ShinyHunters data leak extortion site, warning the company that data would be publicly leaked on October 10th if a ransom demand was not negotiated with ShinyHunters.
In addition, the threat actors released samples of the stolen CERs, including those for Walmart, HSBC, Bank of Canada, Atos Group, American Express, Department of Defence, and Société Française du Radiotéléphone.
BleepingComputer contacted Red Hat about this development but did not receive a response.
The ShinyHunters Extortion-as-a-Service
For months, BleepingComputer has surmised that ShinyHunters was acting as an extortion-as-a-service (EaaS), where they work with threat actors to extort a company in exchange for a share of the extortion demand, similar to how ransomware-as-a-service gangs operate.
This theory was based on the numerous attacks conducted by various threat actors, all of which were extorted under the ShinyHunters name, including those targeting Oracle Cloud and PowerSchool.
Conversations with ShinyHunters further supported this theory, as the group has previously claimed not to be behind a particular breach but rather just acting as a broker of the stolen data.
Furthermore, there have been numerous arrests of individuals associated with the name “ShinyHunters” over the years, including those linked to the Snowflake data theft attacks, breaches at PowerSchool, and the operation of the Breached v2 hacking forum.
However, even after these arrests, new attacks occur with companies receiving extortion emails stating, “We’re ShinyHunters”.
Today, ShinyHunters told BleepingComputer that they have been privately operating as an EaaS, where they take a revenue share from any extortion payments generated for other threat actors’ attacks.
“Everybody i’ve labored with up to now have taken 70 or 75% and I obtain a 25-30%,” claimed the threat actor.
With the launch of the ShinyHunters data leak site, it appears that the threat actor is now publicly operating the extortion service.
In addition to Red Hat, ShinyHunters is also extorting SP Global on behalf of another threat actor that claimed to breach the company in February 2025.
BleepingComputer had contacted SP Global at the time about the alleged breach, but was told that the claims were false and that the company was not breached.
However, the threat actors have now released samples of data on the data leak site, claiming they were stolen during the attack, and have also set an October 10th deadline.
After contacting SP Global again today regarding its inclusion on the data leak site, they decided not to comment on the claims.
“We do not touch upon such claims. We word that as a US listed firm, we’re required to publicly disclose materials cybersecurity incidents,” SP Global told BleepingComputer.