On October 14, the attorney for the man whom France claims to be the head of ShinyHunters held a press conference that included some statements on his client’s case. So far, neither France nor the attorney, Juan Branco, has disclosed the arrested man’s name, so we are not really sure who his client is. All we know is that France claims he is the head of ShinyHunters, and Branco claims he isn’t.
The press conference was in French. Thankfully, Valéry Rieß-Marchive of LeMagIT reported on it, so I could check my understanding of what Branco was saying.
During the conference, Branco:
- argued that those arrested were young autistic people who were very technically talented and could be of great benefit to their country, but instead they had been arrested and could be going away for 20 years.
- claimed that Kering and LVMH, two victims of attacks, had pressured the French government to make arrests.
- claimed that French law enforcement was taking orders/direction from the FBI. He offered nothing to suggest that the FBI was wrong in its attribution, even if they had provided information and direction to France. And although Branco indicated that the FBI might have used methods to acquire evidence that would be violative of rights, he offered no proof of that either; and
- emphasized that since massive attacks by ShinyHunters (the group) occurred after his client was arrested, his client wasn’t the head of ShinyHunters.
The last point seemed absurd as a defense. A group can continue even if one or more members — including the leader — are arrested. There are always others in the wings who will step up or are even looking forward to taking over a well-known brand.
But his argument made me reconsider something I had reported previously, that the person I had been chatting with for years, whom I had known as “Shinycorp,” was still online, so who was in the French prison?
And that’s when I realized I had reached an unwarranted conclusion.
Re-Thinking….
Kering was attacked before June 23, 2025. That seems indisputable. But the alleged negotiations between Kering and ShinyHunters continued past June 23. Branco suggests that activity by ShinyHunters after June 23 proves that his client is not the head of ShinyHunters. It doesn’t. But maybe ShinyHunters hoped that’s what people would conclude.
Did ShinyHunters reach out to DataBreaches with the negotiation chat logs and an “exclusive” to try to create the impression that the real ShinyHunters couldn’t be in prison because he was still actively attempting to extort Kering after that date? It seems probable — or at least possible — at this point.
In providing this site with the alleged chat logs, ShinyHunters specifically asked DataBreaches to include dates and timestamps to show when certain events occurred. When asked why they were urging this site to include dates and timestamps for some of the entries, they claimed that it was to show that Kering’s posture had changed and that they had likely been influenced by law enforcement.
But perhaps their real intent was just to make it appear that the leader of ShinyHunters was still online and active after the June 23, 2025 arrests, and that journalists could confirm that?
As DataBreaches subsequently clarified in the post about the negotiations, there was never any hard proof that the negotiations ever occurred, and Kering had denied that there were any negotiations. The only “hard” proof was a BTC payment, but there was no evidence that Kering ever made it. It could have been a payment by anyone, and a whole story just fabricated around it.
On August 3, DataBreaches published a post stating that the person in the ShinyCorp account appeared to be the same person DataBreaches had chatted with over the years. And if that person was still online, had France arrested the wrong person as the leader of ShinyHunters? At the time, I wrote:
If I was being trolled, this was the best troll ever.
But if I wasn’t being trolled and if Shiny isn’t in a French prison and being represented by Juan Branco, then who is sitting in that prison? Did French law enforcement really make two incorrect arrests or attributions?
At the time, I was thinking in terms of A or B. I had failed to consider that there was a third possibility: that I was, indeed, chatting with the same person I had chatted with in the past, but that person may not have been the leader of ShinyHunters. That person may have been someone who was their trusted associate and communicator. That person would have access to the Telegram account, email, the PGP key, and the forum and would and could post as ShinyCorp or ShinyHunters at any time. One person immediately sprang to mind.
But by now, DataBreaches had gone into wait-and-watch mode.
Who is Sitting in Prison, Revisited
Did law enforcement identify and arrest the correct individual as the leader of ShinyHunters? DataBreaches does not know. If they have, and if there has been a well-planned and executed scheme to make it appear that ShinyHunters is still online, it convinced me — for a while.
If ShinyHunters played this site, I tip my hat to them on how well they planned and consistently played this.
For now, DataBreaches simply notes that I no longer would suggest or claim that the leader is not in prison in France. Then again, I would not claim that he is.
Neither France nor the FBI has provided any real details or specifics. I hope they do sooner rather than later.

I had much the same thought when I read the original article, that there could very well be multiple heads and the individual you’ve been in communication with in the past is simply one of an upper echelon, a public face, or communicator as you’ve put it.
An interesting development for sure.
You haven’t yet made any comment on the “Hello James from the Scattered :)” supposed defacement of the shinyhunte[.]rs domain. Any thoughts?
Great stuff as always DataBreaches.
The odds of having multiple people all remembering all details over years strikes me as slimmer than having one person. It may be that multiple people did other jobs as “ShinyCorp,” but just one person dealt with journalists. From communicating with another journalist, I had a pretty good idea when “Shiny” was giving us both the same information.
But of course, I could be wrong (still). I expect my post will not sit well with some people.
As to “James,” the person that I call “Shiny” told me that it was just trolling. That was before it expanded on the channel. They later claimed “James” is “MLT,” which is kind of ridiculous since everyone knows MLT and his real name, so what’s the point of calling him “James?” Do they expect to out him as “James” in a way that is more harmful to him than just being MLT? Or was there someone in Scattered whose real name was “James” or whose moniker is “James?” And if there was, why would they try to publicly scare them or threaten them? I took it as just more b.s. or trolling from them.
Thanks for the kind words.
It was quite obvious that MLT was involved in running Breachforums when all of the MyBB exploits he shared with his inner circle had been pre-patched on the MyBB install that they were running. It’s clear that the first set of databreaches that Shiny ever sold/released came from the GitHub bruteforce campaign that Nclay led, but the only individual from the Gnostic group that wasn’t ever arrested was NSFW. He very much could’ve carried the torch. It would be interesting to read the Raidforums posts and compare Shiny’s stylometry with NSFW’s. Shiny appeared just as NSFW was exiting. I always believed MLT was NSFW.
*Which* NSFW? There were two people sharing that moniker back in the TDO days. It was not obvious to me that MLT was involved in running BreachForums, but I didn’t know anything was pre-patched. Can I ask how you knew about that?
Well of course I’m gonna try the latest MyBB 0days on the Breachforums duhhhhh.
I’m so naive…. 🙂
The NSFW that hacked a plethora of sites alongside Nclay and then gave Troia data to detrace him with his fake disinfo report?
OK, now I know which one you’re talking about.
I mean, take a moment and look. Salesforce Drift GitHub breach, it’s clearly Nclay and NSFW’s OG GitHub tactics. Look at the time frame of NSFW phasing out his existence and the phasing in of Shiny, and then look at why all of this is related to the French, Gabriel is the reason. The only reason ShinyHunters still exists is because they cannot arrest NSFW.
And then people don’t question at all why Raymond (Vinny Troia) was called in to negotiate ransoms for the Snowflake hacks, Troia and NSFW (Shiny/MLT) are buddies and have been buddies for years, jesus, Troia even had MLT working for him under his real life identity.
It’s important to look at the extent at which nsfw went to disinfo researchers, current Shiny is doing the same thing in the same way.
Interesting hypothesis. I’d be surprised if Shiny was MLT, but eventually, I think we’ll find out. And yes, your email address rings a bell. 🙂
Shiny is not MLT in the sense of you have been speaking to MLT, MLT is the ghost writer for everything ShinyHunters related, and NSFW is MLT and has always been MLT.
One of the names NSFW used, even in Troia’s report was, Mastercorp, like shinycorp, and that was before Shiny even existed.
And for the MLT/Troia relationship, you can see MLT follows him on keybase here; https://keybase.io/0dayWizard
You can also see he follows Donjuji and juji follows shinycorp,
Vinny is followed by and follows kuroish on keybase, who is fs0ciety shinyhunters member.
connect the dots….
What in the hell are you talking about? MLT???? No.
And it’s Reddington, not Raymond.
Please stop harassing me. Yes I am the leader of both Scattered Spider and ShinyHunters. I work for Interpol.
I have no idea why people keep harassing me and threatening me. Simply put I think all of you are jealous of me because you can’t do what I do. I pivot your entire net within seconds, rooting your boxes. Drop a Shell. Break Point and root fucking stacking pointers
Oh, my lord, rest in peace KMS. // R.I.P. RORY
I wonder what happened to the scene, that it became so dark and all about money.
Group members often re-use monikers to sig-int away their timezones and be able to troll or confuse people by using multiple at the same moment even. It would not surprise me a bit if this ShinyHunters group kicked off with Gabriel(nclay) and friends from Nassim. After all, we’ve seen arrests in France. It is super likely you spoke to the ‘spokesperson’.
But, what’s left? The (publicly) uncompromised state of the PGP key that was used to sign off the RF profile back in 2020.
Did only the spokesperson have the key? Is it compromised? At this point everything is possible. It is time for Gabriel to speak up.
Nclay not once specifically targeted DHS, CIA or gov employees, everything he did was financially motivated. From what I’ve read, Nclay turned himself in, do you really think someone who turned himself in would later just decide to attack government employees? People turn themselves in to get away from the fear of being caught, they don’t later attack the United States government.
NSFW ran away as soon as he got any heat, he moved in the shadows, deleting accounts , detracing, Shiny has made this all very public like he wants to be watched, he would never run a public campaign like this.
MLT does have ties to public anti-establishment hacks previously but that was just against the British government I believe, I could be wrong, I am not educated on teampoison history. I think MLT learnt his lesson with targeting governments. I imagine MLT is heavily surveyed by his own government, and people love to bring him up, he’s one of the only people from 2014 who is still around and I think for that reason he is brought up publicly so much.
With this in mind, the only people who really targeted the DHS/CIA/US gov specifically was that psycho John Erin Binns, I think if OG Shiny is arrested and that he gave his accounts to anyone, I think it would be someone affiliated with that first Snowflake campaign, maybe someone affiliated to John Erin Binns, someone willing to target US gov infrastructure in the same way that John did.
I think you missed one point that strikes me as significant. They seem to be claiming that they culled the government employee info from the Salesforce-related data they had hacked: “The member said the group did this by digging through its caches of stolen Salesforce customer data.” There was no stated intent to directly attack government agencies.
I have emailed Home Depot *multiple* times over the past weeks to ask them if they are notifying customers whose information was stored in their government customer database that had been leaked. They have not replied, so it’s not clear to me whether all of the data now claimed by Scattered or whoever is from the Home Depot data or not — or a combination of Salesforce victims’ data.
The Department of Homeland Security replied to me yesterday that they were investigating the Telegram leak of the .csv files. Maybe we’ll get lucky and they’ll actually reveal what they discover without trying to blame the Democrats.
“digging through its caches of stolen Salesforce customer data.”, does this imply they are using some preexisting knowledge of gov employee info? Like cross referencing it?
Was some gov infrastructure compromised through the salesforce breaches? How else would they know they are Gov employees?
Gov stuff aside.
I do find it weird that all of this Shiny/Gnostic stuff was all related to France. Makes you wonder what intimate relations Shiny/Gnostic had and what other relations lay on French soil regarding Shiny and other affiliates.
SLSH knew they had hit upon government employee data because they included a .csv for Home Depot showing govt employee customer data there. ShinyHunters’ spokesperson also specifically tipped me to look at the Home Depot govt. employee .csv file when I contacted SH with a question about the leak site. I think it was just a lucky find for them.
As to your other point, didn’t Gnostic morph into ShinyHunters, or am I forgetting something?