ShinyHunters posted a ransom note on the Canvas homepage during finals week 2026. They hit ADT in April for 5.5 million customer records. Medtronic the same week, claiming 9 million. Six years of arrests in France, Canada, the UK, and Turkey. Operators in their twenties get extradited. The brand keeps publishing.

This episode is the structural answer to the persistence puzzle. ShinyHunters is not an organization. Google Mandiant tracks three separate threat clusters under the brand — UNC6661, UNC6671, UNC6240 — that share tradecraft, sometimes share infrastructure, and increasingly share a Telegram channel with two other crime brands.

The mechanism is identity federation. Single sign-on collapses authentication into one chokepoint. When it works, you log into Okta once and Salesforce, Workday, GitHub, AWS all open. When it fails — when one help-desk agent picks up the wrong phone call — the same chokepoint opens for the attacker.

Two distinct playbooks. The press conflates them.

UNC6040 — vishing call to the help desk, OAuth Device Flow exploitation, a modified Data Loader the attacker renames "My Ticket Portal," persistent token theft. The victim authenticates with their real SSO on the real Salesforce domain. They see an OAuth consent screen Salesforce designed. They click Allow. Standing access is granted.

The other playbook — UNC6671 — internet-scanning Salesforce Experience Cloud sites, querying the Aura GraphQL endpoint without authentication, exploiting over-permissioned guest profiles, paginating around a 2,000-record API limit via a sortBy bypass. No employee to deceive. The vector is misconfiguration.

The persistence puzzle. Sebastien Raoult sentenced to three years in Seattle, January 2024. Pompompurin arrested in Peekskill, March 2023. Connor Moucka in Kitchener, October 2024. Kai West in France, February 2025. Four more operators in France, June 2025. And the brand kept publishing — Allianz, Qantas, TransUnion, the Salesloft Drift wave across 760 companies, ADT, Medtronic, Canvas.

August 2025 — Trinity of Chaos. ShinyHunters, Scattered Spider, and LAPSUS publicly federate on a Telegram channel under two interchangeable names. They market a ransomware-as-a-service product called shinysp1d3r. Modern cybercrime is collaborative. The franchise model has a structural pressure point arrests don't reach.

The architectural fix exists. Three layers. Phishing-resistant MFA at the identity provider — FIDO2/WebAuthn breaks adversary-in-the-middle. Approve Uninstalled Connected Apps permission gates rogue OAuth at Salesforce. API Access Control deny-by-default for known integrations. Real-Time Event Monitoring streaming to a SIEM catches the burst pattern in minutes.

And the AT&T anti-thesis. Paid $370,000 in 2024 to delete the data. It leaked anyway.

CHAPTERS
00:00 Cold open — six years, ten arrests, zero shutdown
02:05 The victims — thirty days, six confirmed names
05:57 How they actually do it — two distinct playbooks
11:18 Why vishing defeats trained employees
12:46 The arrests — the persistence puzzle
15:56 Trinity of Chaos — the August 2025 federation
18:53 What the fix looks like — three architectural layers
25:08 Three signals to watch

SOURCES
Google Mandiant — Cost of a Call (June 2025)
Mandiant — Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft (Jan 2026)
Mandiant — UNC6040 Proactive Hardening (Sept 2025)
FBI IC3 FLASH Advisory 250912.pdf (September 12, 2025)
Salesforce KB 005132367 — Data Loader OAuth Device Flow removal
Salesforce — Approve Uninstalled Connected Apps permission docs
CISA — Implementing Phishing-Resistant MFA (October 2022)
NIST SP 800-63B-4 — Digital Identity Guidelines (2025)
BleepingComputer — ADT, Medtronic, Canvas coverage
Have I Been Pwned — ADT 5.5M, McGraw Hill 13.5M verification
CyberScoop — Moucka extradition + custom vishing kits
Resecurity — Trinity of Chaos analysis
TechCrunch — AT&T paid Snowflake hackers (2024)
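
Added example, not part of the episode notes and not Salesforce or Mandiant code: a sliding-window check for the "burst pattern" that the notes say Real-Time Event Monitoring streamed to a SIEM should catch. The event tuple layout, user names, 5-minute window and 10,000-row threshold are constructed assumptions; only the app name "My Ticket Portal" and the 2,000-record page size come from the notes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _series(start, step_s, n, user, app, rows):
    """Build n constructed events spaced step_s seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), user, app, rows)
            for i in range(n)]

# Constructed sample data: (timestamp, user, connected app, rows returned).
# This tuple layout is an assumed SIEM normalization, not Salesforce's schema.
EVENTS = (
    [("2026-01-10T09:00:00", "alice", "Sales Console", 40),
     ("2026-01-10T09:02:10", "alice", "Sales Console", 120)]
    # Scheduled sync: one 2,000-row page every 10 minutes (slow, expected).
    + _series("2026-01-10T08:00:00", 600, 6, "carol", "Reporting Sync", 2000)
    # Bulk pull: six 2,000-row pages in under two minutes.
    + _series("2026-01-10T09:30:00", 20, 6, "bob", "My Ticket Portal", 2000)
)

def find_bursts(events, window=timedelta(minutes=5), row_limit=10_000):
    """Alert once per (user, app) whose rows inside the window exceed row_limit.

    Returns a list of (user, app, window_start_iso, rows_in_window).
    """
    recent = defaultdict(deque)  # (user, app) -> (timestamp, rows) in window
    totals = defaultdict(int)    # running row count per key
    alerted, alerts = set(), []
    for ts_str, user, app, rows in sorted(events):
        ts, key = datetime.fromisoformat(ts_str), (user, app)
        queue = recent[key]
        queue.append((ts, rows))
        totals[key] += rows
        # Evict events that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            totals[key] -= queue.popleft()[1]
        if totals[key] > row_limit and key not in alerted:
            alerted.add(key)
            alerts.append((user, app, queue[0][0].isoformat(), totals[key]))
    return alerts

if __name__ == "__main__":
    for alert in find_bursts(EVENTS):
        print("ALERT", alert)
```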