
ShinyHunters Hit Charter, Carnival, Vimeo, 7-Eleven, And Instructure In May 2026. Plus TELUS, Cushman & Wakefield, NVIDIA Armenia Earlier. The Dominant Criminal Pool Of The Year.

  • Writer: Patrick Duggan

ShinyHunters is the dominant criminal pool of 2026 by victim count, blast radius, and brand recognition. The May 2026 ledger of confirmed ShinyHunters-attributed breaches against publicly-named victims is the receipt that closes the question of who holds the criminal-pool throne for the year. Five major brands in thirty days, plus three more earlier in 2026, plus the operator constellation Patrick Duggan and Paul Galjan have been tracking under the "Coinbase Cartel" frame across our blog archive since the March 17 TELUS disclosure.


DugganUSA's adversaries index has carried a ShinyHunters profile since the cluster's 2020 emergence on RaidForums and BreachForums. The profile catalogs sectors hit — SaaS Platforms, Education, Financial Services, Technology, Real Estate, Telecommunications, Cryptocurrency — and synonyms that include Shiny Hunters, ShinyHunter, SH, and the "Coinbase Cartel (with Scattered Spider + Lapsus$)" constellation we have observed across multi-operator campaigns. The May 2026 ledger extends that profile rather than creating a new one. This post is the named-actor synthesis the month deserves.



The May 2026 victim list



| Victim | Scale | Disclosed | Sector |
|---|---|---|---|
| Carnival Cruise | ~6 million people | 2026-05-28 confirmed | Travel & hospitality |
| Charter Communications | 4.9 million accounts | 2026-05-26 confirmed | Telecommunications |
| 7-Eleven | ~185,000 people | 2026-05-26 confirmed (April hack) | Retail |
| Instructure / Canvas | 280 million records / 8,809 institutions / 3.65 TB | 2026-05-12 disclosed | Education / SaaS |
| Vimeo | 119,000 people | 2026-05-05 confirmed | Media / SaaS |


The combined victim count for the May 2026 disclosures alone is roughly 291 million records across five named brands. That is not a top-ten-actor-of-the-year level of activity. That is a different category. The category is "the operator population that absorbs the largest credential-and-data extraction tonnage on the public internet in any given month."



The 2026 cumulative ledger


The May victims sit on top of earlier 2026 attributions that the same operator constellation has owned or been credibly assigned:



| Victim | Approx scale | Disclosed | Sector |
|---|---|---|---|
| TELUS Digital | ~1 petabyte (BPO data, FBI background checks, source code) | 2026-03-17 | Telecom / BPO |
| Cushman & Wakefield | Substantial corporate / real-estate dataset | April–May 2026 | Real Estate |
| NVIDIA Armenia | User information exposure | 2026-05-08 confirmed | Technology / cloud-gaming |


DugganUSA's earlier coverage tied TELUS to the same operator constellation in the post "BreachForums Is Down, TELUS Lost a Petabyte, and Your Hospital Is Next" (March 17, 2026). The Cushman & Wakefield and NVIDIA Armenia attributions appeared in our "Instructure Canvas. Cushman & Wakefield. NVIDIA Armenia. All ShinyHunters Today." post earlier in May.


The total year-to-date victim count attributable to the ShinyHunters operator constellation, conservatively counted, exceeds half a billion records across at least eight named brands in five months. The actual count is higher because the ShinyHunters cluster aggregates data-theft activity that may originate from adjacent operator groups (Scattered Spider, LAPSUS$) under the broader Coinbase Cartel constellation frame.



The operator-constellation read


ShinyHunters operates as the data-aggregation-and-extortion node in a multi-operator constellation. The actors who do the initial breach — often Scattered Spider for telecom and SaaS, sometimes LAPSUS$ for source-code and corporate-data theft, sometimes other named groups — pass the stolen data to ShinyHunters for monetization. ShinyHunters runs the leak-site infrastructure, the data-marketplace listings, and the extortion-correspondence with the affected companies. The division of labor lets each operator group focus on its competitive advantage: initial-access specialization for the breach actors, monetization-and-pressure specialization for ShinyHunters.


This is the criminal-pool structural equivalent of the GREYVIBE / UAC-0098 / Ember Bear Russia-aligned cluster we filed last week — multiple operator groups operating in a constellation pattern with division of labor between the technically-skilled access teams and the monetization-skilled extortion teams. The difference is the political alignment. The Russia-aligned constellation has state interests in the loop. The ShinyHunters / Scattered Spider / LAPSUS$ constellation is financially motivated end-to-end, which makes their target selection commercially rational rather than strategically directed.


Commercially rational target selection produces a different defender posture than strategically directed targeting. The ShinyHunters cluster will hit any brand where the per-record monetization value is high (financial services, telecom subscriber data, education with personally identifiable student records, entertainment platforms with active credit-card-on-file populations) and where the breach is operationally cheap (credential-stuffing-vulnerable authentication, SaaS-platform-OAuth-token theft, third-party vendor compromise). Defenders downstream of the ShinyHunters cluster need to do two things specifically: harden credential-stuffing defenses across all customer-facing authentication endpoints, and audit third-party vendor access scope so a compromised vendor does not enable lateral movement into the core platform.
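As an added illustration of the credential-stuffing detection layer named above (not code from this post or from DugganUSA), the sketch below flags a source address that tries many different usernames with an almost total failure rate, and returns the accounts it did get into. The log format, thresholds, and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed tuning values, not from the post
MIN_DISTINCT_USERS = 20
MIN_FAIL_RATIO = 0.9

def build_sample():
    """Constructed log lines: 'timestamp source_ip username result'."""
    rows = []
    for i in range(30):   # one source, 30 different accounts, one success
        rows.append(f"2026-05-01T10:00:{i:02d}Z 203.0.113.7 user{i}@example.com "
                    + ("OK" if i == 17 else "FAIL"))
    for i in range(25):   # office NAT: many users behind one IP, all succeed
        rows.append(f"2026-05-01T10:01:{i:02d}Z 198.51.100.20 staff{i}@example.com OK")
    for i in range(40):   # password guessing against a single account
        rows.append(f"2026-05-01T10:02:{i:02d}Z 192.0.2.50 admin@example.com FAIL")
    return rows

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_stuffing(lines):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    windows, flagged = defaultdict(deque), defaultdict(set)
    for ts, ip, user, ok in sorted(map(parse, lines)):
        win = windows[ip]
        win.append((ts, user, ok))
        while ts - win[0][0] > WINDOW:          # drop events older than the window
            win.popleft()
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, success in win if not success)
        # Stuffing signature: many *different* usernames, almost all failing.
        if len(users) >= MIN_DISTINCT_USERS and fails / len(win) >= MIN_FAIL_RATIO:
            flagged[ip].update(u for _, u, success in win if success)
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample()).items():
        print(ip, "-> force reset and session revocation for:", accounts)
```

The NAT address and the single-account guessing run are deliberately not flagged: the first has no failures, and the second is a different attack class that per-account lockout already covers.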


Both defenses are inexpensive at the engineering layer. Both are absent from many of the May victims. The Charter, Carnival, and 7-Eleven breach mechanics each include some version of the credential-stuffing-or-third-party-vendor playbook. The Instructure Canvas case is more complex because the SaaS-multi-tenant architecture changes the attack surface, but the underlying credential-and-API-access weakness is the same family.



The asymmetry view


The ShinyHunters operator pool runs on operator-tier infrastructure that costs single-digit-thousands of dollars per month. The victim companies have annual security-budget line items in the seven-to-nine-figure range. The cost asymmetry is real but it runs in the opposite direction from where the security budgets are deployed. Spending heavily on EDR, SIEM, and threat-intelligence platforms is the standard playbook. None of those defenses is the binding constraint on whether ShinyHunters successfully exfiltrates 4.9 million Charter accounts. The binding constraint is whether the credential-stuffing-detection layer at the customer-facing authentication endpoint is operational. That layer costs five figures per year at commodity-SaaS pricing. The victims are not spending it.


The cost-curve inversion in this case is straightforward. ShinyHunters spends low five figures monthly to operate. Victim companies spend mid-six to low-eight figures annually on defense and still get breached because the defense spend is not allocated to the attack class that actually hits them. The asymmetry-take-the-fight frame applies the same way it applies to every other vertical we have written about this month. Spend the pennies where the cost curve is binding. Stop spending the dollars where the cost curve is irrelevant to the attack class.



The defender posture downstream


For organizations not yet on a ShinyHunters target list: the targeting is commercially rational. If your business holds high-value-per-record customer data, credentialed account access, or third-party SaaS integrations with insufficient scope-limitation, you are on the future target list. The defender preparation is the credential-stuffing-detection plus third-party-access-audit pair named above, plus an honest accounting of where your customer data has been replicated across vendor platforms whose security postures you do not directly control.


For organizations consuming public threat intelligence: the ShinyHunters cluster's operator infrastructure changes frequently but the operator behavior is consistent. The leak-site indicators, the extortion-correspondence pattern, the data-listing taxonomies on BreachForums-successor sites are all observable in real-time. Defender postures that consume those signals get early warning when their own brand or their vendors' brands appear in the listing pipeline. The signal exists. The consumption is a matter of feed integration and analyst attention.
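One way to turn a STIX 2.1 feed into the brand-and-vendor early warning described above, as an added example that is not DugganUSA's code and does not reflect the actual contents of its feed. The bundle is constructed (required common properties such as `created` are trimmed), and the brand names and the `brand_hits` helper are hypothetical.

```python
import re

def _id(kind, n):   # constructed, syntactically valid STIX identifiers
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

BUNDLE = {"type": "bundle", "id": _id("bundle", 0), "objects": [   # constructed sample
    {"type": "intrusion-set", "id": _id("intrusion-set", 1), "name": "ShinyHunters",
     "aliases": ["Shiny Hunters", "ShinyHunter", "SH"]},
    {"type": "intrusion-set", "id": _id("intrusion-set", 2), "name": "Unrelated Group"},
    {"type": "identity", "id": _id("identity", 3), "name": "Example Vendor Inc"},
    {"type": "identity", "id": _id("identity", 4), "name": "Example Corp"},
    {"type": "relationship", "id": _id("relationship", 5), "relationship_type": "targets",
     "source_ref": _id("intrusion-set", 1), "target_ref": _id("identity", 3)},
    {"type": "relationship", "id": _id("relationship", 6), "relationship_type": "targets",
     "source_ref": _id("intrusion-set", 2), "target_ref": _id("identity", 4)},
    {"type": "report", "id": _id("report", 7), "name": "Listing: example-corp customer data",
     "object_refs": [_id("intrusion-set", 1)]},
]}

def _norm(text):
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()

def brand_hits(bundle, actor_names, watchlist):
    """Return sorted (brand, stix_id) pairs where a watched brand is tied to the actor."""
    objs = {o["id"]: o for o in bundle.get("objects", [])}
    wanted = {_norm(a) for a in actor_names}
    actors = {oid for oid, o in objs.items() if o["type"] == "intrusion-set"
              and wanted & {_norm(n) for n in [o.get("name", ""), *o.get("aliases", [])]}}
    hits = set()
    for o in objs.values():
        if (o["type"] == "relationship" and o.get("relationship_type") == "targets"
                and o.get("source_ref") in actors):
            # Victim named through an explicit actor-targets-identity edge.
            texts = [objs.get(o.get("target_ref"), {}).get("name", "")]
        elif o["type"] == "report" and actors & set(o.get("object_refs", [])):
            # Victim only mentioned in the text of a report about the actor.
            texts = [o.get("name", ""), o.get("description", "")]
        else:
            continue
        haystack = " ".join(_norm(t) for t in texts)
        for brand in watchlist:
            if re.search(rf"\b{re.escape(_norm(brand))}\b", haystack):
                hits.add((brand, o["id"]))
    return sorted(hits)
```

Put vendors on the watchlist alongside your own brand: the `targets` edge from the unrelated intrusion set is ignored, so only objects tied to the tracked actor raise an alert.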


For the broader threat-intelligence community: the May 2026 ShinyHunters ledger is the operational receipt for the criminal-pool-dominant-of-2026 designation. The next operator population that displaces ShinyHunters from this slot is the next operator population that combines multi-operator constellation efficiency with AI-paced iteration on either the breach side or the monetization side. We have not seen that combination publicly attributed yet for the financially-motivated cohort. The Russia-aligned criminal-pool-pivot cohort got there first with GREYVIBE; the financially-motivated cohort is one or two cycles behind. The forward watch is which financially-motivated operator group bolts an AI-multimodal production loop onto the ShinyHunters monetization infrastructure first.





The receipts compound


The threat intelligence in this post — the ShinyHunters adversary profile in our index, the cross-correlated breach receipts across eight named brands in five months, the operator-constellation analysis that ties ShinyHunters to Scattered Spider and LAPSUS$ under the Coinbase Cartel frame — all ship out through DugganUSA's public STIX 2.1 threat-intelligence feed. Free. No credit card. Machine-consumable. Registration takes thirty seconds at [analytics.dugganusa.com/stix/register](https://analytics.dugganusa.com/stix/register).


Yesterday we documented that customers consuming our feed had visibility on the BlueHammer Microsoft Defender CVE for forty days before Microsoft's MSRC blog officially acknowledged the cluster. The asymmetry inversion is real, it is dated, and it compounds for whoever subscribes. The same predictive-kill-chain pattern applies to ShinyHunters monitoring — defenders downstream of our feed see leak-site listings, extortion-correspondence patterns, and credential-stuffing-precursor indicators ahead of the vendor-tier disclosure cycle that follows a breach.


The cheapest defender posture beats the most expensive defender brand. Subscribe. The receipts compound.


— Patrick Duggan · DugganUSA LLC



