2025-10-13

The FBI has seized a major domain used by the hacker group ShinyHunters, which was responsible for stealing large amounts of Salesforce client data and threatening to post that information.

On Sunday, the FBI said that with the help of French authorities, it had seized domains associated with BreachForums – a major marketplace where cybercriminals buy, sell, and trade stolen data – which was used by the cybercriminal groups ShinyHunters, Baphomet, and IntelBroker.

ShinyHunters is responsible for voice phishing attacks throughout the earlier part of this year that stole a large number of records from Salesforce clients, which they threatened to publish if Salesforce did not respond to their ransom demands.

“This takedown removes access to a key hub used by these actors to monetize intrusions, recruit collaborators, and target victims across multiple sectors,” said the FBI in a statement. “It demonstrates the reach of coordinated international law enforcement operations to impose cost on those behind cybercrime.”

In an alert issued last month, the FBI reported that ShinyHunters posed as IT support staff when calling Salesforce customer service employees. The hackers claimed they were addressing enterprise-wide connectivity issues and persuaded the employees to share their credentials under the pretense of resolving an auto-generated ticket.

ShinyHunters also exploited Salesforce’s connected app feature by posing as IT support and convincing employees to approve a malicious app. The scheme used OAuth tokens to access and steal sensitive data, bypassing safeguards like multi-factor authentication and login monitoring.
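The consent-phishing pattern described above leaves a trace defenders can look for: a connected app that is not on the organization's allowlist being approved with broad, persistent OAuth scopes, often by several users in a short window. The script below is an added illustration of that detection logic, not code from the article or from Salesforce; the event schema, the app names, and the allowlist are constructed assumptions, and a real deployment would feed it the org's own connected-app authorization records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified schema (not Salesforce's
# real audit-log format): who approved which connected app, with which OAuth
# scopes, and when.
EVENTS = [
    {"user": "alice", "app": "Data Loader", "scopes": ["api", "refresh_token"], "ts": "2025-06-02T09:15:00"},
    {"user": "bob", "app": "IT Connectivity Helper", "scopes": ["full", "refresh_token"], "ts": "2025-06-02T10:02:00"},
    {"user": "carol", "app": "IT Connectivity Helper", "scopes": ["full", "refresh_token"], "ts": "2025-06-02T11:40:00"},
    {"user": "dave", "app": "Salesforce Inspector", "scopes": ["api"], "ts": "2025-06-03T08:00:00"},
]
ALLOWED_APPS = {"Data Loader", "Salesforce Inspector"}  # assumed org allowlist


def flag_authorizations(events, allowed_apps):
    """Return one finding per user consent to an app outside the allowlist.
    Persistent, broad access (full + refresh_token) is called out explicitly,
    since that combination survives password resets and MFA prompts."""
    findings = []
    for e in events:
        if e["app"] in allowed_apps:
            continue
        persistent = {"full", "refresh_token"} <= set(e["scopes"])
        findings.append({"user": e["user"], "app": e["app"],
                         "persistent_full_access": persistent})
    return findings


def detect_consent_campaigns(events, allowed_apps, window_hours=24, min_users=2):
    """Group consents to unlisted apps and report any app approved by at least
    `min_users` distinct users inside a `window_hours` window."""
    by_app = defaultdict(list)
    for e in events:
        if e["app"] not in allowed_apps:
            by_app[e["app"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    campaigns = []
    window = timedelta(hours=window_hours)
    for app, consents in by_app.items():
        consents.sort()  # chronological order, so each slice is a forward window
        for i, (t0, _) in enumerate(consents):
            users = {u for t, u in consents[i:] if t - t0 <= window}
            if len(users) >= min_users:
                campaigns.append({"app": app, "users": sorted(users)})
                break
    return campaigns


if __name__ == "__main__":
    for f in flag_authorizations(EVENTS, ALLOWED_APPS):
        print("consent:", f)
    for c in detect_consent_campaigns(EVENTS, ALLOWED_APPS):
        print("campaign:", c)
```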

Salesforce has since said that it will not pay or negotiate ransom demands and that it will continue to support affected customers, Bloomberg reported.

The Salesforce breach was first detailed by Google Threat Intelligence Group (GTIG) in June when it warned that ShinyHunters – tracked by GTIG as UNC6040 – was extorting its victims by threatening to release their Salesforce-related data if they did not receive payment in Bitcoin.