Who are ShinyHunters? The 'Pay-or-Leak' Gang that Just Left the Canvas Hacked Platform Dark

Students and educators worldwide were met with a digital blackout this week after a notorious cybercriminal collective infiltrated a primary learning network. The group, known for its aggressive extortion tactics, claimed responsibility for the disruption just as critical academic deadlines approached.

As institutions scramble to secure their data, many are left wondering about the identity and motives of the shadowy organisation holding their school year hostage.

Massive Outage Sparks Global Academic Chaos

Thousands of users found themselves locked out of Canvas on Thursday as the site crashed, reportedly replaced by a haunting digital note from the ShinyHunters collective. According to live tracking data from Downdetector, the service disruption hit over 8,000 people during the peak of the outage.

Instructure's Canvas platform serves as a cloud-hosted learning hub where schools, universities, and companies can coordinate everything from fully remote courses to traditional classroom lessons.

A wave of users took to social media to report the shutdown, with many convinced that a security breach had taken place. One student posted, 'Final exam just got canceled cuz canvas got hacked wtf. Can't tell if we are so up or so down,' alongside a screen grab of the suspicious alert they encountered.

Sinister Ransom Note Targets Educational Institutions

The warning stated, 'SHINY HUNTERS rooting your systems since 19 ;) ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches."'

'A WARNING If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us.'

As the digital dust settles on the immediate outage, the focus shifts from the technical failure to the shadowy figures claiming responsibility for the strike.

Who are ShinyHunters?

This infamous ring of digital outlaws likely began operating in 2019, though they only truly rose to prominence a year later. Expert in massive network intrusions and ransom demands, the group has become the most widely recognised name in cybercrime throughout 2026.

The world first took notice of the group in May 2020, when they suddenly surfaced on dark web marketplaces with a massive haul of stolen data. In a relentless fourteen-day spree, the hackers compromised over a dozen firms and put millions of private records up for sale.

Since their inception, the group has followed a strict 'pay-or-leak' strategy. After infiltrating an organisation, they reach out to the victim behind the scenes to demand a ransom. If the target refuses to pay, the hackers either post the sensitive files on dark web forums or sell them off to the highest bidder. This approach has become increasingly advanced as the years have passed and has made them one of the most persistent cybercrime groups of the decade.

The group reportedly functions under the leadership of a persona known as ShinyCorp, who also goes by the handles sp1d3rhunters or shinyc0rp on various Telegram channels. To better understand their operations, Google's Threat Intelligence Group (GTIG) monitors activity linked to the group through several distinct threat clusters, including UNC6040, UNC6240, and UNC6661. This tracking system helps researchers distinguish between different hacking campaigns and the specific roles individuals play within the wider organisation.

The group's activities have not gone unpunished by global law enforcement. In May 2022, Moroccan authorities arrested Sébastien Raoult, a French programmer associated with the group, who was later extradited to the United States.

By January 2024, a US court sentenced him to three years in prison and ordered a five-million-dollar restitution payment. The crackdown continued into June 2025, when French police detained four more individuals suspected of managing the BreachForums platform.

While these arrests caused temporary setbacks, the organisation has proven resilient, with operations persisting through every legal challenge.

Financial Motives and the Business of Cybercrime

The primary driving force behind ShinyHunters is straightforward financial profit. This focus provides a strategic advantage for investigators, as the group runs their operations with the predictability of a legitimate business. They utilise set pricing structures, established negotiation tactics, and affiliate schemes. By 2025, they even appeared to have developed a formal release schedule for their own ransomware-as-a-service platform.