On August 9, DataBreaches reported on a Telegram channel with a name that combined the names of three groups: ShinyHunters, Scattered Spider, and Lapsus$. At the time, DataBreaches noted:
Commenters on reading the new Telegram channel call it “schizo,” “complete chaos,” and “insane.” DataBreaches would just call it “overwhelming.”
Today, DataBreaches would just call it “deleted.”
But there is so much confusion about what happened between the time that the Telegram channel opened and now that it may help others to know what channels are acknowledged ShinyHunters’ channel(s), and what channels may appear to be ShinyHunters’ channels or chats but are allegedly scammers or imposters.
Say Goodbye to the Original Channel
After its debut, the Telegram channel continued to leak data, brag, and run polls. Somewhat disturbingly, some members seemed obsessed with Mandiant and Unit 221B and posted vitriolic messages naming particular employees. DataBreaches will not quote any of the specific messages or a threat of physical violence, but was relieved when the leader of ShinyHunters (who this site refers to as “Shiny” to indicate an individual and not the group) deleted the offensive messages.
Despite Shiny’s housecleaning and rebukes of some posters and messages, some people seemed to just run their mouths with little regard for consequences. Some even threw all caution to the winds and engaged in a video chat that didn’t screen out at least one researcher who contacted DataBreaches about the chat. DataBreaches would not be surprised if the video chat was already in the hands of the NCA, the AFP, and the FBI.
On August 18, Shiny announced that the channel would be deleted in 30 minutes. By then, there were already clones of the channel with names that sounded like the original channel and had similar account names beginning “@leavemealone”. Some of those clones were deleted, but two remaining clones and the appearance of a new forum would pose new problems.
On August 19, Shiny discovered that attempts to delete the original channel had failed, but he could still post alerts there. The first one read:
This channel is unable to be deleted but we are not running any other channel, any other channel claiming to be us or specifically ShinyHunters is a fake/scam/impersonator e.g. @leavemealonecybernigger @leavemealonefeds (IS NOT US. IMPERSONATORS.)
The real shiny is only reachable at his email [email protected] or @sloke48. If anyone is claiming to be ShinyHunters have them PGP verify with his key. (https://web.archive.org/web/20210921111301/raidforums.com/user-ShinyHunters)
WE ARE NOT RUNNING ANY CHANNEL. DO NOT FALL FOR THE SCAMS/IMPERSONATORS/FAKES.
WE ARE NOT SELLING ANY DATABASES, ANYONE CLAIMING TO SELL DATABASES WE HAVE IS A SCAM!
At the bottom of the message, Shiny pointed to the fake channel which was calling itself “scattered lapsus$ hunters v2.”
Note that the message contains ShinyHunter’s current email address and individual Telegram account. Scammers created other names on the same mail host to sound like shinyhunters but there is only one real email account at the present time — the one in Shiny’s message.
On August 20, Shiny was able to reveal more about the scammers and impersonators and displayed screengrabs of chats with them. He summarized the situation:
The people who are running this impersonation campaign are:
@babukoffice
@shinyspiders
@minako4chanThey are trying to extort me out of a few thousand dollars to stop the impersonation.
The user “ShinyHunters” on UmbraForums is also a impersonator believed to be one of the 3 people on Telegram impersonating me.
Please do not fall for these scams.
Oh Right, About that UmbraForums
Those eager for a new forum may have been happy to see UmbraForums open, especially since there was an admin account, “ShinyHunters,” who claimed they were back and so happy to be an admin on the forum.
Fake ShinyHunters even posted some data from past activities and the Salesforce campaign. The data appeared to be the same data that the original Telegram channel had leaked and was likely to be real data, but the person writing as “ShinyHunters” did not write like Shiny and DataBreaches immediately suspected an imposter. When asked about the account and forum, Shiny replied that he had no knowledge of the forum and that wasn’t him. He also issued a post denying that it was him on the forum and warning people not to fall for scammers.
By the next day, the ShinyHunters account on UmbraForums had been banned with a nasty message by the forum owner, “Nicotine.”
In the meantime, UmbraForums had managed to get its users’ profiles all indexed by Google.
Fakes, Fakes, Everywhere
Scammers and imposters seemed to be everywhere, all trying to capitalize on “ShinyHunters” or “ShinySpiders.”
 |
Two allegedly fake channels are currently using this image as their pfp, although that can change at any moment. The fake Telegram channels also use or quote Shiny’s information as if Shiny is posting in those channels. It can get confusing. |
Perhaps the best fake, though, was a fake Europol reward for Qilin that appeared on August 16, and that reportedly fooled a number of journalists:
During the course of ongoing international investigations, we have confirmed that the cybercriminal group Qilin has carried out ransomware attacks worldwide, severely disrupting critical infrastructure and causing significant financial losses.
We have identified two primary administrators operating under the aliases Haise and XORacle, who coordinate affiliates and oversee extortion activities.
We are actively pursuing all available leads in cooperation with international partners.
A reward of up to $50,000 is offered for information that directly leads to the identification or location of these administrators.Contact Methods:
– Telegram: @Europolrewards
– Tox ID: C1EC9387C4E46F7670203B7F23F5D7CE282B82A219A791B4D3E995A7BD3CE44D1E4EF9599C2FThink about (y)our next move.
Perhaps those who are posting rashly and brashly on Telegram should think about Noah Urban and then think some more about their next move.