Full Report
On August 9, DataBreaches reported on a Telegram channel with a name that combined the names of three groups: ShinyHunters, Scattered Spider, and Lapsus$. At the time, DataBreaches noted: Commenters on reading the new Telegram channel call it “schizo,” “complete chaos,” and “insane.” DataBreaches would just call it “overwhelming.” Today, DataBreaches would just call it...
Analysis Summary
# Incident Report: Proliferation of ShinyHunters Impersonators on Telegram
## Executive Summary
This report details the chaotic proliferation of unauthorized and fraudulent channels and accounts impersonating the threat actor group ShinyHunters across the Telegram messaging platform, beginning around August 9, 2025. The original channel was taken down but spawned multiple clones and associated scams attempting phishing and extortion against the group's followers and researchers. Response actions involved the original ShinyHunters leader publicly disavowing the fakes and providing verified contact information, while associated online forums (such as UmbraForums) had to ban impersonators.
## Incident Details
- Discovery Date: Ongoing; initial report mentioned August 9, 2025.
- Incident Date: Started prior to August 9, 2025, with escalation around August 18-20, 2025.
- Affected Organization: ShinyHunters (the threat actor group itself is the target of the impersonation).
- Sector: Cybercrime/Data Brokerage (Implied operational sector).
- Geography: Global (Telegram platform-based activity).
## Timeline of Events
### Initial Access
- Date/Time: Not applicable; this involves impersonation and social engineering, not network intrusion.
- Vector: Social media/messaging platform manipulation (Telegram accounts/channels).
- Details: Clones of the original ShinyHunters channel began appearing, often using similar account names (e.g., starting with "@leavemealone").
### Lateral Movement
- Details: Impersonators established themselves on new platforms, notably UmbraForums, using a convincing "ShinyHunters" admin account to post potentially real leaked data to gain credibility.
### Data Exfiltration/Impact
- Details: The primary impact was confusion, potential financial scams targeting followers, and the sharing of vitriolic, threatening messages naming specific employees of security firms (e.g., Mandiant, Unit 221B). A high-profile fake Europol reward notice regarding Qilin ransomware was also circulated, potentially misleading journalists.
### Detection & Response
- Date/Time: Detection tracked between August 18 and August 20, 2025.
- Details:
- **Original Actor Response (Shiny):** The leader announced the deletion of the original channel on August 18. When deletion failed, they posted clear alerts on August 19 and 20, identifying specific impersonators (@babukoffice, @shinyspiders, @minako4chan) and stating they were being extorted to stop the impersonation campaign. They provided verified email and Telegram handles for confirmation.
- **Platform Response (UmbraForums):** The impersonator account on UmbraForums was banned by the forum owner ("Nicotine").
## Attack Methodology
- Initial Access: N/A (Impersonation/Social Engineering).
- Persistence: Claiming ownership/association with the original leaked data caches.
- Privilege Escalation: N/A (Not applicable to internal network compromise).
- Defense Evasion: Creating numerous clone channels with similar handles to confuse observers and analysts.
- Credential Access: N/A.
- Discovery: N/A.
- Lateral Movement: Establishing presence on alternative forums (UmbraForums).
- Collection: Leveraging previously leaked data to maintain credibility.
- Exfiltration: N/A (Data was already compromised/leaked prior to this period of impersonation).
- Impact: Social engineering, extortion attempts, and propagation of misinformation (e.g., fake Europol reward).
## Impact Assessment
- Financial: Attempts were made to extort the original actor; potential financial scams targeting followers of the threat group.
- Data Breach: Re-circulation and association with previously leaked data (Salesforce campaign data mentioned). Volume unknown but involved marketing/internal information.
- Operational: Minimal disruption to the original ShinyHunters operations, though significant internal communication chaos occurred. Broad confusion in the security community regarding authentic group communication.
- Reputational: Tarnished the credibility of the ShinyHunters brand due to the actions of imposters and the circulation of extreme, threatening content.
## Indicators of Compromise
- Network indicators: Telegram handles @leavemealonecybernigger and @leavemealonefeds (warned as impersonators).
- File indicators: N/A.
- Behavioral indicators: Accounts attempting to sell previously posted databases; posting threats against security personnel; attempting to extort the original actor. Specific impersonator handles identified: @babukoffice, @shinyspiders, @minako4chan.
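As an added illustration (not code from the report or from DataBreaches), the following Python triages observed Telegram handles against a pinned verified handle and flags near-duplicates of the kind described under Defense Evasion (prefix clones, digit and punctuation confusables). The verified handle is a constructed placeholder, the known-impersonator set uses the handles named above, and the observed feed is constructed sample input.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed placeholder standing in for the handle the original actor
# published as verified; the real handle is deliberately not reproduced here.
VERIFIED_HANDLES = frozenset({"@example_verified_handle"})

# Impersonator handles named in the report.
KNOWN_IMPERSONATORS = frozenset({"@babukoffice", "@shinyspiders", "@minako4chan"})

# Constructed sample of handles seen in a channel, including lookalike variants.
OBSERVED_SAMPLE = [
    "@example_verified_handle",    # exact match to the pinned handle
    "@example_verified_handle2",   # prefix clone
    "@examp1e-verified-handle",    # digit and punctuation confusables
    "@babukoffice",                # named in the report
    "@unrelated_researcher",       # harmless
]

# Digit lookalikes are mapped to letters; separators are dropped (None deletes).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                              "_": None, "-": None, ".": None})


def normalize(handle: str) -> str:
    """Fold case, NFKC-normalize Unicode, drop the @ and separators, map confusables."""
    folded = unicodedata.normalize("NFKC", handle).casefold().lstrip("@")
    return folded.translate(_CONFUSABLES)


def classify(handle: str, ratio_threshold: float = 0.8) -> str:
    """Label one handle: verified, known_impersonator, lookalike or unrelated."""
    if handle in VERIFIED_HANDLES:          # exact string match only
        return "verified"
    if handle in KNOWN_IMPERSONATORS:
        return "known_impersonator"
    n = normalize(handle)
    for verified in VERIFIED_HANDLES:
        v = normalize(verified)
        # A normalized equal, a prefix clone, or a near-edit is a lookalike.
        if n == v or n.startswith(v) or SequenceMatcher(None, n, v).ratio() >= ratio_threshold:
            return "lookalike"
    return "unrelated"


def triage(handles):
    """Return {handle: label} for every observed handle."""
    return {h: classify(h) for h in handles}


if __name__ == "__main__":
    for handle, label in triage(OBSERVED_SAMPLE).items():
        print(f"{label:18} {handle}")
```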
## Response Actions
- Containment measures: The original actor purged offensive messages; security researchers contacted the original actor for verification.
- Eradication steps: Forum owner on UmbraForums banned the impersonator admin account.
- Recovery actions: The original actor published verified contact information (email, Telegram handle) and PGP key instructions for users to confirm authenticity.
## Lessons Learned
- The high value placed on threat actor communication channels leads to immediate impersonation and fraud attempts when official channels are disrupted or deleted.
- Clear, proactive communication (including known fake handles) is essential for actors whose reputation relies on verified data releases.
## Recommendations
- Security researchers and journalists should always verify through more than one channel (PGP signature, verified email) when dealing with information originating from volatile, underground communication channels.
- Messaging platforms used by illicit groups (like Telegram) must incorporate better mechanisms for reporting and quickly removing brand-impersonating accounts.