ShinyHunters / UNC5537 Snowflake-customer mass-extortion wave
Financially-motivated cybercrime collective active since April 2020, responsible for some of the largest data-theft and extortion incidents of the post-2020 era. Operationally blends credential-stuff…
Summary
Mandiant documented a sustained credential-stuffing campaign — tracked as UNC5537 with significant overlap to ShinyHunters — against Snowflake customer tenants lacking MFA. Credentials were harvested from prior infostealer infections on contractor and employee laptops, then replayed against ~165 Snowflake instances. The campaign produced the year's biggest data-breach headlines: Ticketmaster (560M records), Santander (30M customers across Spain / Chile / Uruguay), AT&T (call/SMS metadata for ~109M subscribers), Neiman Marcus, Advance Auto Parts, Pure Storage, and others. Alleged ringleader Connor Riley Moucka ('Judische') was arrested in Ontario on 30 October 2024.