Full Report
On October 14, the attorney for the man whom France claims to be the head of ShinyHunters held a press conference that included some statements on his client’s case. So far, neither France nor the attorney, Juan Branco, has disclosed the arrested man’s name, so we are not really sure who his client is. All...
Analysis Summary
# Threat Actor: ShinyHunters
## Attribution & Identity
* **Known Aliases:** ShinyCorp (the persona the article author chatted with over the years).
* **Association:** Linked to arrests made by French authorities, who claim the arrested individual is the leader of the group. The attorney for the arrested man denies this attribution.
* **Uncertainty:** The identity of the arrested individual remains undisclosed; the article explores confusion around continued group activity versus the arrest.
## Activity Summary
* The group has targeted and allegedly negotiated with high-end fashion retailers, including Kering (which owns Gucci, Balenciaga, etc.) and LVMH.
* Alleged negotiations concerning data breaches occurred after June 23, 2025, which became a central point of contention regarding who the true leader is.
* The article notes massive attacks by ShinyHunters occurring *after* the arrest of their purported leader, suggesting continuity of operations.
## Tactics, Techniques & Procedures
* Data extortion and negotiation (implied through contact with victims like Kering).
* Potential use of data leaks or communications to misdirect the investigation or the public narrative (attempting to create the impression that the leader was still active post-arrest).
* *No specific technical TTPs or MITRE ATT&CK IDs are provided in the source material.*
## Targeting
* **Sectors:** High-end Fashion Retailers.
* **Geography:** Linked to French law enforcement action; victims mentioned are international corporations (Kering, LVMH).
* **Victims:** Kering, LVMH.
## Tools & Infrastructure
* **Malware families used:** None specified.
* **Infrastructure:** Telegram, email, and PGP keys are the implied channels for negotiation and identity establishment (e.g., the "ShinyCorp" account).
* **URLs/IPs:** None present in the article.
## Implications
* The incident highlights the challenge of attribution when a group's leadership structure is disrupted, as operational continuity can easily sow confusion about the status of arrested members.
* There are suggestions of high-level coordination or influence, with the defense attorney claiming French law enforcement was taking direction from the FBI, and that victim companies pressured the government.
* The possibility exists that the arrested person was not the singular leader but an associate, or that a sophisticated disinformation campaign was executed to mask the group's true status post-arrest.
## Mitigations
* Law enforcement agencies should provide clear details regarding attribution and arrests to prevent operational ambiguity and misinformation campaigns from threat actors.
* Organizations should be highly skeptical of unsolicited negotiation communications following security incidents, especially if they might be part of a disinformation effort designed to mislead investigators or the public (as seen with the alleged Kering negotiations).