Recent cyberattacks targeting global brands like Google, Louis Vuitton, and Allianz suggest a troubling trend – two notorious hacking groups, ShinyHunters and Scattered Spider, may be working together.
According to threat researchers at ReliaQuest, patterns in attack timing, shared infrastructure, and overlapping targets point to an unprecedented collaboration between these groups, each with very different origins and tactics.
Who Are ShinyHunters and Scattered Spider?
ShinyHunters emerged in 2020 and is known for large-scale data theft. They typically use leaked or stolen credentials to infiltrate corporate systems and then sell or leak that data on underground forums. Their past victims include AT&T, Santander, Ticketmaster, Adidas, Air France, and most recently, Google, Allianz, and Louis Vuitton.
Scattered Spider, active since 2022, has built a reputation as one of the most dangerous financially motivated threat collectives today. Many of its members — reportedly young, native English speakers — specialize in social engineering, phishing, vishing (voice phishing), and impersonating IT or help desk staff to gain credentials. They were behind the 2023 MGM Resorts and Caesars Palace breaches, which cost millions in damages.
Why This Collaboration Is So Dangerous
By joining forces, ShinyHunters and Scattered Spider combine complementary skill sets:
- ShinyHunters: Expertise in stealing credentials, running extortion campaigns, and generating publicity.
- Scattered Spider: Exceptional at high-pressure social engineering, domain impersonation, and MFA bypass.
Researchers note that the two groups’ recent operations share:
- Similar domain naming patterns (e.g., SSO-company[.]com, ticket-louisvuitton[.]com).
- Shared technical infrastructure such as domain registrars used in past campaigns.
- Synchronized targeting of industries — hitting different companies in the same sector during overlapping timeframes.
This overlap makes it harder for defenders to attribute attacks and disrupt campaigns.
How They Breach Systems
Both groups target shareable secrets — anything a user can tell or type, such as:
- Passwords
- One-time passcodes (OTPs)
- Recovery questions
Once obtained, these secrets allow attackers to bypass even MFA systems. Their go-to techniques include:
- SIM swapping to intercept codes
- Push bombing to cause MFA fatigue
- Phishing & vishing for login details
- Help desk manipulation to reset credentials
Why Traditional Defenses Are Failing
Linking Indicators of Compromise (IoCs) to specific threat actors is becoming less effective. As Brandon Tirado of ReliaQuest explains:
“When threat groups join forces, it complicates things for defenders… IoCs that were once unique to one group can suddenly appear in another group’s operations.”
Instead, security teams must focus on:
- Monitoring for domain impersonation
- Hardening SaaS applications
- User training to detect social engineering
- Eliminating reliance on shareable secrets for authentication
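One way to start monitoring for domain impersonation is to screen newly registered or newly observed domains against the naming patterns noted earlier (a lure keyword such as "sso" or "ticket" joined to a brand name). The sketch below is an added example, not code from ReliaQuest or from the groups' tooling. The brand "examplecorp", the sample feed, the extra keywords beyond "sso" and "ticket", and the function names are all assumptions made for illustration.

```python
import re
from typing import Optional

# "sso" and "ticket" come from the patterns quoted in this article;
# the other keywords are assumed additions for illustration.
LURE_KEYWORDS = ("sso", "ticket", "helpdesk", "login", "support")

def refang(domain: str) -> str:
    """Turn a defanged indicator (name[.]com) into a plain lowercase hostname."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")

def is_owned(host: str, owned: set) -> bool:
    """True if host is one of the organization's domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in owned)

def classify(domain: str, brands: set, owned: set) -> Optional[str]:
    """Return 'high' (brand + lure keyword), 'review' (brand only) or None."""
    host = refang(domain)
    if is_owned(host, owned):
        return None
    # Drop the last label as the TLD (assumption: no public-suffix handling),
    # then squash separators so sso-brand, brand-sso and brandsso all match.
    squashed = re.sub(r"[-_.]", "", ".".join(host.split(".")[:-1]))
    for brand in brands:
        if brand in squashed:
            # Remove the brand first so a brand that itself contains a
            # keyword (e.g. "ticket" inside a brand name) is not self-flagging.
            remainder = squashed.replace(brand, "")
            if any(k in remainder for k in LURE_KEYWORDS):
                return "high"
            return "review"
    return None

def triage(feed, brands: set, owned: set) -> dict:
    """Map each flagged domain in a feed of new registrations to its severity."""
    hits = {}
    for d in feed:
        verdict = classify(d, brands, owned)
        if verdict:
            hits[refang(d)] = verdict
    return hits

# Constructed sample feed; "examplecorp" is a placeholder brand.
SAMPLE_FEED = [
    "sso-examplecorp[.]com", "ticket-examplecorp[.]com", "examplecorpsso[.]com",
    "examplecorp-careers[.]net", "sso.examplecorp.com", "weather-report[.]org",
]

if __name__ == "__main__":
    for name, level in triage(SAMPLE_FEED, {"examplecorp"}, {"examplecorp.com"}).items():
        print(f"{level:6} {name}")
```

In practice the feed would come from certificate transparency logs or a new-domain registration feed, and "high" hits would go to an analyst before any takedown or block decision.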
Key Takeaway for Businesses
This emerging partnership between ShinyHunters and Scattered Spider signals a new level of threat sophistication — one that blends data theft, social engineering, and rapid sector-wide targeting.
Organizations should move toward phishing-resistant authentication methods that remove all shareable secrets from the login process. Without something to phish or steal, attackers lose their easiest path in.
The bottom line: The era of password-based security is ending. The sooner companies adapt, the better prepared they’ll be against the next wave of coordinated cyberattacks.
Contact us for more information about how we can help keep your company secure.