
FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms

Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organizations for exorbitant ransoms after stealing data from Salesforce, the FBI warned. 

The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively.

After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organizations — threatening to leak troves of customer data, business documents and more. 

The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency, but it noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration, while others took place months later.

The FBI said the campaign began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees. 

That scheme typically gave the cybercriminals access to employee credentials that were then leveraged to access Salesforce instances holding customer data. In other cases, the hackers used phishing emails or texts to take over employees’ phones or computers. 

The hackers evolved their tactics throughout the summer, switching to exploiting third-party applications that organizations linked to their Salesforce instances.

“UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal,” the FBI said.

“This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”

By August, the hackers began targeting the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce. 

The tactic allowed them to bypass traditional defenses like multifactor authentication, login monitoring and password resets, the FBI explained. In some cases, the FBI has found that the hackers created malicious applications within Salesforce trial accounts that allowed them to register connected apps without using a legitimate corporate account. 

On Monday, Reuters and the BBC confirmed that Kering — the French conglomerate that owns Gucci, Balenciaga and Alexander McQueen — was attacked by the same ShinyHunters cybercriminals. 

ShinyHunters told the BBC that it stole information connected to 7.4 million unique email addresses. The hackers told another news outlet that they stole the information in late 2024 but only began negotiating a ransom in June 2025. 

Last week, a critical government agency in Vietnam confirmed that millions of financial records were stolen in an attack claimed by ShinyHunters. The cybercriminals previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries. 

The FBI provided indicators of compromise that potential victims can use to see whether they have been affected by the hacking campaigns and urged companies to train call center employees on the tactics used. 

The agency also said companies should limit the privileges of almost every employee account, enforce IP-based access restrictions, monitor API usage and more. 
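As an added, illustrative example (not from the FBI notice or this article), the check below runs over a few constructed API-event log lines in a Salesforce EventLogFile-style CSV layout and flags two of the behaviours described above: a connected app that is not on the org's approved list, and an app whose cumulative row count suggests bulk export. The column names, app IDs, user IDs and the row threshold are assumptions, not values from the notice.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log lines. The column layout is an assumption modelled on
# Salesforce EventLogFile "API" events; the IDs and client names are made up.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_NAME,CONNECTED_APP_ID,ROWS_PROCESSED,ENTITY_NAME
API,20250801120000.000,005xx000000000001,mobile-crm,0H4xx000000000AAA,25,Account
API,20250801120500.000,005xx000000000001,reporting-integration,0H4xx000000000BBB,200000,Contact
API,20250801120700.000,005xx000000000002,reporting-integration,0H4xx000000000BBB,150000,Account
API,20250801121000.000,005xx000000000003,unknown-client,0H4xx000000000CCC,500,Lead
"""

# Assumed admin-maintained allowlist of connected app IDs the org has approved.
APPROVED_APPS = {"0H4xx000000000AAA", "0H4xx000000000BBB"}

# Assumed policy value: total rows one app may pull in the reviewed window
# before a human looks at it.
BULK_ROWS_THRESHOLD = 100_000


def parse_api_events(text):
    """Parse CSV log text and keep only API events."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row["EVENT_TYPE"] == "API"]


def find_findings(events, approved=APPROVED_APPS, threshold=BULK_ROWS_THRESHOLD):
    """Return (finding_type, app_id, detail) tuples for review.

    Two checks: any event from a connected app not on the allowlist, and any
    app whose summed ROWS_PROCESSED reaches the bulk-export threshold.
    """
    findings = []
    rows_per_app = defaultdict(int)
    for event in events:
        app_id = event["CONNECTED_APP_ID"]
        rows_per_app[app_id] += int(event["ROWS_PROCESSED"])
        if app_id not in approved:
            findings.append(("unapproved_connected_app", app_id, event["USER_ID"]))
    for app_id, total_rows in rows_per_app.items():
        if total_rows >= threshold:
            findings.append(("bulk_export_volume", app_id, total_rows))
    return findings


if __name__ == "__main__":
    for finding in find_findings(parse_api_events(SAMPLE_LOG)):
        print(finding)
```

The second finding shows why an allowlist alone is not enough: an approved app can still be the channel for exfiltration, so volume per app needs to be reviewed as well.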

Experts said the information provided by the FBI showed how sophisticated the actors are at abusing legitimate tools for nefarious purposes, using Azure cloud infrastructure, virtual servers, Tor exit nodes and proxy services to obfuscate their origin.

Scattered retirement?

The FBI notice came shortly after the group made several posts on Telegram claiming to be retiring. The group blamed a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation. 

Cybersecurity experts were dubious about the disbanding claims, noting that cybercriminal operations often make similar claims before reconstituting under different names. Some theorized the hackers are likely going to enjoy the spoils of their recent extortion campaigns before returning to cybercriminal activity. 

Sam Rubin, a senior official with Palo Alto Networks’ Unit 42, said recent arrests may have prompted the group to lay low, but history says such activity is often temporary. 

“Groups like this splinter, rebrand, and resurface — much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” he said. 

“Silence from a threat group does not equal safety.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.