Enterprise software company Red Hat is the target of an extortion campaign by the ShinyHunters group following a data breach. The incident, first claimed by a group called the Crimson Collective, involves stolen customer reports and has led to a new collaboration between the hacking organizations.
The initial breach and stolen data
The breach was announced last week when the Crimson Collective claimed it had stolen nearly 570 gigabytes of compressed data from 28,000 of Red Hat’s internal development repositories. A key part of the stolen data is said to be approximately 800 Customer Engagement Reports (CERs). These documents are highly sensitive as they can contain specific details about a customer’s network architecture, IT infrastructure, and operational platforms.
The attackers stated they attempted to contact Red Hat for a ransom payment but received no response. Red Hat later confirmed it had experienced a security incident, specifying that the breach was limited to a GitLab instance used by its consulting division for customer engagement work.
Escalation through a new alliance
The situation escalated when Crimson Collective announced a partnership with another group, Scattered Lapsus$ Hunters, to leverage the newly launched ShinyHunters data leak site for their extortion efforts. In a post on its Telegram channel, Crimson Collective hinted at the alliance.
“What if, Crimson’s shininess extends even further away?”
The group later confirmed the collaboration, stating they would work with ShinyHunters on future attacks and data releases.
Following this, an entry for Red Hat appeared on the ShinyHunters data leak and extortion website. The post serves as a public warning, setting a deadline of October 10th for a ransom to be negotiated directly with ShinyHunters. To prove their claims, the attackers released samples of the stolen Customer Engagement Reports, which included documents related to major corporations and government bodies, including Walmart, HSBC, the Bank of Canada, the Department of Defence, and American Express.
ShinyHunters’ extortion-as-a-service model confirmed
The incident confirms long-held speculation that ShinyHunters operates as an extortion-as-a-service (EaaS) platform. This model functions like ransomware-as-a-service, where the platform’s operators work with different hacking groups to conduct extortion and take a percentage of any ransom payments.
ShinyHunters has now confirmed it operates this model, detailing the revenue split. The group stated that the hackers they work with typically take 70-75% of the payment, while ShinyHunters receives a 25-30% cut. The launch of the public data leak site marks a shift from a private to a public-facing extortion service.
Other targets on the ShinyHunters platform
The ShinyHunters site is also being used to extort the financial information and analytics company S&P Global on behalf of a different attacker. That group claimed to have breached S&P Global in February 2025, a claim the company denied at the time. Data samples asserted to be from the attack have now been posted on the ShinyHunters site with the same October 10th deadline. When contacted again, a representative for S&P Global declined to address the claims directly, stating, “as a US listed company, we are required to publicly disclose material cybersecurity incidents.”
