Researchers warn that a recently disclosed extortion campaign linked to ShinyHunters represents an escalation of tactics used by the group.
ShinyHunters late last month claimed credit for a series of voice phishing attacks that led to extortion demands against five organizations.
Multiple groups are linked to a ShinyHunters-branded campaign that uses voice phishing and victim-branded credential-harvesting sites to capture single sign-on credentials and multifactor authentication codes, and with them gain access to corporate environments, according to Mandiant, the incident response arm of Google Threat Intelligence Group.
After gaining access, the threat groups target cloud-based software-as-a-service applications in order to steal sensitive data and other internal documents for use in future extortion campaigns.
GTIG researchers are tracking the threat groups as UNC6661, UNC6671 and UNC6240.
Since mid-January, hackers from UNC6661 have called employees at victim organizations while posing as IT staff. The callers falsely claimed the company was updating its multifactor settings and directed the workers to a credential-harvesting site branded to look like the victim's own login page. The site captured both the single sign-on credentials and the MFA codes the workers entered.
Mandiant confirmed that, in certain cases, hackers gained access to accounts belonging to Okta customers. This activity was referenced in a January blog post from Okta about a campaign using phishing kits.
Based on several overlaps, including the use of a common Tox account during negotiations, researchers linked the subsequent extortion activity to UNC6240. The extortion emails provided some details of what was stolen and demanded payment within 72 hours.
Researchers confirmed that a new data leak site appeared in late January with information about alleged victims. As previously reported, security researcher Alon Gal told Cybersecurity Dive that the site claimed hacks against five organizations.
Hackers linked to UNC6671 have conducted similar attacks, impersonating IT staff, since early January. Their credential-harvesting domains used the same structure as those used by UNC6661, but were registered through a different service.
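The victim-branded harvesting domains described above are the kind of infrastructure defenders can watch for in newly registered or newly observed domain feeds. The following is an added example, not code from the article, Mandiant or Okta: it scores candidate domains by whether they contain an assumed brand token ("examplecorp") outside the organization's legitimate zone, combine it with SSO/MFA lure words, or use digit-for-letter substitutions. The brand, the keyword list and the sample domains are all constructed assumptions; the article does not disclose the actual domain structure used by these groups.

```python
"""Flag newly observed domains that resemble victim-branded SSO/MFA lures.

Added example. BRAND, LEGIT_ZONES, LURE_KEYWORDS and SAMPLE_DOMAINS are
constructed assumptions, not indicators taken from the article.
"""
import re

# Common digit-for-letter substitutions seen in lookalike domains (assumption).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Words a vishing caller's "MFA update" lure page typically carries (assumption).
LURE_KEYWORDS = {"sso", "okta", "mfa", "login", "signin", "auth", "help", "support", "verify"}

BRAND = "examplecorp"                 # assumed organization brand token
LEGIT_ZONES = {"examplecorp.com"}     # assumed legitimate registrable domains

# Constructed sample feed; the fourth entry is legitimate and must not flag.
SAMPLE_DOMAINS = [
    "examplecorp-sso.com",
    "examplecorp.okta-help.net",
    "https://login-examplecorp.com/verify",
    "sso1.examplecorp.com",
    "weather-today.org",
    "examplec0rp-mfa.com",
]


def normalize(domain: str) -> str:
    """Lower-case, strip scheme and path, and fold digit-for-letter substitutions."""
    d = domain.strip().lower()
    d = re.sub(r"^[a-z]+://", "", d).split("/")[0]
    return d.translate(HOMOGLYPHS)


def tokens(norm: str) -> list[str]:
    """Split a normalized host into label/hyphen tokens, e.g. 'a-b.c' -> ['a','b','c']."""
    return [t for label in norm.split(".") for t in label.split("-") if t]


def assess(domain: str, brand: str = BRAND, legit: set[str] = LEGIT_ZONES) -> dict:
    """Return a verdict with reasons for a single domain."""
    raw = domain.strip().lower()
    raw_host = re.sub(r"^[a-z]+://", "", raw).split("/")[0]
    norm = normalize(domain)

    # Anything inside a legitimate zone is allowed, digits and all (e.g. sso1.examplecorp.com).
    if raw_host in legit or any(raw_host.endswith("." + z) for z in legit):
        return {"domain": domain, "suspicious": False, "reasons": []}

    toks = tokens(norm)
    reasons = []
    if any(brand in t for t in toks):
        reasons.append("brand token outside legitimate zone")
        lure = sorted(t for t in set(toks) if t in LURE_KEYWORDS)
        if lure:
            reasons.append("SSO/MFA lure keyword: " + ",".join(lure))
        if norm != raw_host:
            reasons.append("digit-for-letter substitution")
    return {"domain": domain, "suspicious": bool(reasons), "reasons": reasons}


def flag_domains(domains: list[str], brand: str = BRAND, legit: set[str] = LEGIT_ZONES) -> list[dict]:
    """Return only the suspicious verdicts for a feed of domains."""
    return [v for v in (assess(d, brand, legit) for d in domains) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in flag_domains(SAMPLE_DOMAINS):
        print(verdict["domain"], "->", "; ".join(verdict["reasons"]))
```

The legitimate-zone check runs on the raw host rather than the homoglyph-folded one so that real hosts containing digits are never distorted into a false match. Matching the brand token against hyphen-split labels, rather than the whole string, keeps short lure words like "auth" from firing on unrelated registrations; in practice the feed would be a certificate-transparency or newly-registered-domain stream rather than the constructed list here.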