A hacking group known as the Crimson Collective recently made headlines after claiming to have stolen nearly 570 gigabytes of data from the enterprise software company Red Hat. The attackers stated that they accessed 28,000 internal development repositories, including about 800 Customer Engagement Reports, which contain sensitive information about a customer’s network, infrastructure, and platforms. The group attempted to extort Red Hat by demanding a ransom to prevent the data’s public release. When they received no response, they announced they would be partnering with another well-known hacking group, ShinyHunters, to escalate their extortion efforts.
The collaboration between the Crimson Collective and ShinyHunters marks a new development in the attack. The groups have partnered to utilize ShinyHunters’ newly launched data leak site as part of their ongoing extortion attempts against Red Hat. A post on the Crimson Collective’s Telegram channel alluded to this new “alliance,” with one message stating, “Regarding the current announcement regarding us, we are going to collaborate with ShinyHunter’s for the future attacks and releases.” Red Hat has since appeared on the new ShinyHunters data leak site, where the attackers have issued a public warning that the stolen data will be leaked on October 10th if a ransom is not negotiated.
In a show of force, the attackers also released samples of the stolen Customer Engagement Reports, which included those for major companies and organizations like Walmart, HSBC, and the Department of Defense. The breach was confirmed by Red Hat, which stated the incident affected a GitLab instance used solely for consulting engagements. This public display of stolen data, along with the deadline for a ransom payment, highlights a significant shift in the attackers’ strategy, leveraging the notoriety and new platform of ShinyHunters to increase pressure on the company.
The recent incidents point to a developing trend in cybercrime where ShinyHunters acts as an Extortion-as-a-Service, or EaaS. For months, it was speculated that the group was working with various other threat actors, extorting companies in exchange for a portion of the ransom. This theory was based on a pattern of attacks conducted by different groups that were all extorted under the ShinyHunters name. Today, the group has confirmed this business model, stating they have been privately operating as an EaaS, receiving a 25-30% revenue share from any extortion payments. The launch of the new data leak site suggests that this extortion service is now a public and more formalized operation.
ShinyHunters is also using its new platform to extort other companies, including SP Global, on behalf of another threat actor. The company was allegedly breached in February 2025, a claim it previously denied. However, the hackers have now released samples of data on the new leak site and set the same October 10th deadline. When contacted about this development, SP Global declined to comment, stating that as a US-listed company, it is required to publicly disclose material cybersecurity incidents. This event further solidifies the public-facing nature of ShinyHunters’ new extortion service, marking a new chapter in how cybercriminals are monetizing stolen data.
Reference:
