A notorious extortion gang has launched a sophisticated wave of voice phishing attacks targeting major corporate login portals. ShinyHunters is impersonating IT support to trick employees into handing over access to critical single sign-on accounts. This new campaign allows hackers to bypass security layers and raid sensitive data from connected business applications.
How the Voice Phishing Attacks Work
The ShinyHunters gang has adopted an aggressive strategy known as vishing, or voice phishing. Instead of relying solely on deceptive emails, these criminals are picking up the phone and calling employees directly. They pose as helpful IT support staff to lower the guard of their victims. The goal is simple yet effective. They convince workers to log into a fake webpage that looks exactly like their company’s login portal.
Once the employee visits the fraudulent site, the attackers use advanced tools to capture credentials in real time. Okta recently released a report describing the phishing kits used in these attacks, noting they include a web-based control panel. This allows the hackers to see what the victim is doing and change the fake screen instantly. If the real system asks for a multi-factor authentication code, the attacker triggers a prompt on the fake site asking the user for that exact code.
The sophistication of these kits means the attackers can guide victims through every step of the login process. They can instruct a victim to approve a push notification or enter a specific code while keeping them on the phone. This human element makes the scam much harder for employees to detect compared to a standard robotic phishing email.
Targeting the Keys to the Corporate Kingdom
The primary target of these intrusions is the Single Sign-On (SSO) account. Services from providers like Okta, Microsoft Entra, and Google allow companies to link many different applications under one login flow. This convenience for employees has become a major vulnerability during these attacks. Once a threat actor compromises an SSO account, they effectively gain a master key to the organization’s entire digital toolbox.
After gaining entry, the attackers do not stop at the front door. They immediately browse the dashboard to see what applications are connected. These dashboards typically list every service available to that user, creating a menu of high-value targets for the hackers.
The gang has confirmed that their main goal is to reach specific software-as-a-service (SaaS) platforms. They are looking for widely used business tools where sensitive corporate data is stored.
Commonly targeted platforms include:
- Salesforce: Identified as the primary interest by the attackers.
- Microsoft 365: Access to email and documents.
- Google Workspace: Access to drive and communication tools.
- Communication Apps: Slack and Zoom.
- Development Tools: Atlassian and GitHub.
By breaching these linked services, ShinyHunters can steal proprietary information, customer lists, and financial records to fuel their extortion demands.
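The behaviour described above, a fresh SSO login followed at once by visits to several connected applications, leaves a pattern defenders can look for in identity-provider logs. The following is an added detection sketch, not code from Okta's report or from this article; the event fields, app identifiers, thresholds and sample log lines are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Apps the article lists as targets; the identifiers themselves are made up.
TARGET_APPS = {"salesforce", "microsoft365", "google_workspace",
               "slack", "zoom", "atlassian", "github"}
WINDOW = timedelta(minutes=10)   # assumed threshold
MIN_APPS = 3                     # assumed threshold

# Constructed sample events: (timestamp, user, source_ip, action, app).
EVENTS = [
    ("2026-01-01T09:00:00", "alice", "203.0.113.10", "login", None),
    ("2026-01-01T09:05:00", "alice", "203.0.113.10", "app_launch", "slack"),
    ("2026-01-01T10:00:00", "bob", "198.51.100.77", "login", None),
    ("2026-01-01T10:01:00", "bob", "198.51.100.77", "app_launch", "salesforce"),
    ("2026-01-01T10:02:00", "bob", "198.51.100.77", "app_launch", "microsoft365"),
    ("2026-01-01T10:04:00", "bob", "198.51.100.77", "app_launch", "github"),
    ("2026-01-01T11:00:00", "carol", "192.0.2.5", "login", None),
    ("2026-01-01T11:03:00", "carol", "192.0.2.5", "app_launch", "slack"),
]
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"},
             "carol": {"203.0.113.30"}}

def find_suspicious_sessions(events, known_ips):
    """Flag logins from an IP not seen before for that user that open
    MIN_APPS or more distinct target apps within WINDOW of the login."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    sessions = {}   # (user, ip) -> state of the most recent login
    alerts = []
    for ts, user, ip, action, app in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if action == "login":
            is_new = ip not in seen.setdefault(user, set())
            seen[user].add(ip)
            sessions[(user, ip)] = {"start": when, "apps": set(),
                                    "new": is_new, "alerted": False}
        elif action == "app_launch" and (user, ip) in sessions:
            s = sessions[(user, ip)]
            if not s["new"] or s["alerted"] or app not in TARGET_APPS:
                continue
            if when - s["start"] <= WINDOW:
                s["apps"].add(app)
                if len(s["apps"]) >= MIN_APPS:
                    alerts.append((user, ip, sorted(s["apps"])))
                    s["alerted"] = True
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_sessions(EVENTS, KNOWN_IPS):
        print(alert)
```

In the constructed data only bob's session is flagged: carol also logs in from an unfamiliar address but opens a single app, which is why the rule pairs the new-source condition with the rapid multi-app condition.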
Gang Confirms Responsibility and Lists Victims
While some cybercriminal groups prefer to operate in the shadows, ShinyHunters has openly claimed credit for this surge in social engineering attacks. In a statement provided to reporters, the group confirmed they are behind the intrusions and highlighted that Salesforce data is their priority target. They described other compromised systems merely as benefactors in their wider scheme.
The group has also reactivated their data leak site on the Tor network to pressure victims. This site currently lists breaches involving several well-known companies.
| Company | Status of Breach | Details |
|---|---|---|
| Crunchbase | Confirmed | Corporate documents exfiltrated; law enforcement notified. |
| Betterment | Confirmed | Email platform abused for scams; data stolen. |
| SoundCloud | Disclosed | Data breach reported in late 2025. |
Crunchbase acknowledged the security incident today. A spokesperson stated that a threat actor had exfiltrated specific documents from their corporate network. The company assured the public that business operations were not disrupted and that they have engaged federal law enforcement.
Other major tech giants are also reacting to the claims. Microsoft stated they have nothing to share at this time regarding the abuse of their Entra platform. Google stated they have no indication that their products are being affected, despite the claims made by the attackers.
Fueling Attacks with Stolen Data
A disturbing aspect of this campaign is how the attackers identify their targets. ShinyHunters is not calling random numbers. They are using data stolen in previous breaches to make their calls seem legitimate. The group claims to possess information from older Salesforce data theft attacks.
This recycled data includes full names, phone numbers, and job titles. Possessing accurate personal details allows the scammers to sound convincing and authoritative when they call an employee. It is much easier to trick someone when you already know who they are and what their role is within the company.
This cycle of using old stolen data to facilitate new breaches creates a compounding threat for businesses. As more data is leaked, it becomes fuel for future social engineering campaigns, making it increasingly difficult for individuals to distinguish between a real IT request and a criminal acting on stolen information.
Conclusion
This wave of attacks serves as a stark reminder that technology alone cannot protect an organization. The human element remains the most vulnerable entry point for cybercriminals. With gangs like ShinyHunters using real-time tools and personal data to trick employees, businesses must double down on security training and verification procedures.