On the Trail of ShinyHunters, Cybercriminals Are “Data Hunters”

“As individuals hunt and collect shiny Pokémon, [the hackers] ShinyHunters collect and resell user data,” researchers from the cybersecurity company Intel471, authors of a report on the group’s activities, explain to AFP.

According to a US indictment targeting Sébastien Raoult, seen by AFP and dated June 2021, ShinyHunters is accused of stealing data from dozens of companies around the world since 2019, including several in the US, and of then selling that data on the dark web.

According to the FBI, the group broke into multiple companies’ accounts and computer networks, in particular through phishing email campaigns that targeted employees of a wide range of services, such as the code-sharing site GitHub, owned by the American company Microsoft.

Three Frenchmen

According to various experts interviewed by AFP, the victims include a Microsoft account on GitHub, the Indonesian e-commerce site Tokopedia, the American clothing brand Bonobos, the online PDF editor PDF Nitro and the US phone operator AT&T.

Based on IP addresses, related accounts and discussions on Discord, the FBI believes it has identified three French men who were part of the ShinyHunters “group,” including Sébastien Raoult, 21, who was jailed near Rabat in early June. He is due to be extradited to the US in the coming months.

The other two are Gabriel Gaby, known by the nicknames “Zach”, “Jordan Keso”, “Groi” and “Gnostic Players”, who has Asperger’s syndrome, and Abdel H.

Tried in 2019 for hacking the Vevo channel and the “Despacito” video on YouTube, Gabriel Gaby was declared criminally not responsible. The 23-year-old computer prodigy is also accused in another case, suspected of hacking the CatHub cryptocurrency platform in 2019 along with others.

Data leak of 91 million users

The nickname “ShinyHunters” first appeared on the now-closed RaidForums in April 2020, according to observations by researchers at cybersecurity firm Intel471.

The group’s first major strike was the leak of the data of 91 million Tokopedia users the following May, according to reports from the computer security firm DigitalShadows consulted by AFP.

ShinyHunters initially tried to sell its first databases. But from July 2020 onwards, the releases refer to a “Phase 2,” in which these databases were distributed free of charge on hacker forums, explains DigitalShadows analyst Evan Rigi.

“They were very popular on the forums,” the cybersecurity expert says. “They were really looking for recognition from other users,” according to a report sent by Evan Rigi.

“At first, they wanted to make a name for themselves on the dark web, and some money, because a database doesn’t sell for very much,” Angelina Shelest, an analyst at the French cybersecurity start-up CybelAngel, which monitors leaks from the group, told AFP.

But from April 2021 onwards, ShinyHunters entered a third phase: threatening to release companies’ data unless a ransom was paid, according to records observed by analyst Evan Rigi.

For example, according to a US judge, in March 2021 the “ShinyHunters” account blackmailed an executive of an Indian company, demanding 1.2 million bitcoins under threat of leaking all of the company’s data.

“We are not a gang of cybercriminals, we are computer enthusiasts”

Many experts interviewed suspect that ShinyHunters is linked to other cybercriminal groups, such as Gnostic Players.

“Investigators say Gnostic Players became ShinyHunters. But those are two completely different things,” says Nasim B., a friend of Sébastien Raoult. Contesting the role attributed to him, he describes himself as a “self-taught” computer scientist who lives “very simply”.

The 23-year-old from Grenoble, who was tried in 2019 with Gabriel Gaby for hacking the Vevo channel and is also named in the CatHub case, told AFP he was questioned by French and US investigators at the end of May, around the time Sébastien Raoult was arrested in Morocco.

“During the investigations, the FBI cited about thirty pseudonyms and asked us if we knew who they were,” said Nasim B., who pleads not guilty to the attacks attributed to ShinyHunters and Sébastien Raoult. “We are not a gang of cybercriminals, we are computer enthusiasts,” he insists.

Nasim, who says he knows “Sesyo”, better known as Sébastien Raoult, describes his hacker friends as “a community of friends who have known each other since 2012, who share an interest in the Internet” and “a taste for [the] feat”.

“We hack under a pseudonym”

“We hack under a pseudonym,” he said. “It’s easy to deceive, mislead, and fabricate one’s attack so that the attacks get attributed to others,” the young man argues.

Two sources familiar with the matter confirmed that the hackers were taken into police custody in France in May and June as part of a request for mutual legal assistance from the US concerning ShinyHunters.

Mattis S., 21, says he was questioned by investigators in the south of France on May 31 about the cyberattacks attributed to ShinyHunters. “We have nothing to do with it. In fact, a group (…) of acts (thefts) is not carried out regularly and randomly by people.”

According to Evan Rigi, ShinyHunters has “migrated to Bridgeforum since RaidForums was taken down, and seems either to have ceased operations or to no longer want to be involved in the community”.

In France, the family of Sébastien Raoult, a former computer science student in Épinal, is taking legal steps and holding press conferences to demand his extradition to France instead of the United States.

On Monday, Sébastien Raoult’s lawyer sent letters to President Emmanuel Macron, Prime Minister Élisabeth Borne and the justice and foreign ministries, denouncing the “unacceptable judicial situation” and the “jurisdictional black hole” in which the young man finds himself.

“Instead of a general trial in France, we have sacrificed Sébastien Raoult so that he will be tried alone in the United States, which is scandalous and contrary to fundamental rights,” lawyer Philippe Ohayon told AFP.
