
  • Writer: Patrick Duggan

# ShinyHunters Reset The Canvas Deadline. "Data Destroyed" Lasted Forty-Eight Hours. Our May 12 Hedge Has An Expiration Date Now.


On May 8 we published our ShinyHunters watch list: eight named environments with pre-staged infrastructure, including GE Healthcare, Moderna, and Nike. This morning, May 12, we updated the ledger and wrote, of Instructure's claim that the ransom payment had destroyed the stolen data:


> We will let the soundness of that destruction claim speak for itself.

The claim spoke at 4 PM Eastern, on May 12, in The Register.


The headline: "Double Canvas intrusion confirmed as ShinyHunters resets leak deadline." The body: ShinyHunters acknowledged a second intrusion into Instructure's environment, claimed the destroyed-data agreement covered only the first dataset, and set a new pay-or-leak deadline. Penn and Duke confirmed individual exposure. Negotiations are now happening at the institution level, not the platform level, because the platform's centralized payment did not deliver what it claimed.


The hedge had an expiration date. The expiration date was forty-eight hours.


## Why this was predictable



Paying ransomware is a debt-shaped solution to a structural problem. The crew that breached you once has demonstrated capability and access. The agreement to destroy data is unenforceable — no verification, no audit, no certificate of disposal, no third-party witness. The attacker keeps a copy. The attacker waits. When the news cycle moves on and the next quarter starts, the attacker comes back with a "second intrusion" or a "previously undisclosed dataset" and asks for more. The previously paid ransom is treated as evidence that this victim pays.


This is the universal trust lifecycle in compressed form. Trust earned, trust proven, trust paid, trust compromised, repeat. Dark markets follow this arc. Exchanges follow this arc. Ransomware brands follow this arc. The arc bends shorter every cycle because the playbook spreads. ShinyHunters does not need to invent the second-intrusion gambit; they only need to apply it to a payer who has already shown the wire works.


Instructure paying on May 11 and ShinyHunters reopening on May 12 is not a Canvas-specific failure. It is the natural physics of paying a criminal who controls the only copy of the evidence.


## What we got right and what we got wrong



We got right that the ransom claim was unverifiable. The May 8 watch list and the May 12 ledger post both treated the destruction promise as a marketing artifact, not an operational state. Three of the eight watch-list names had IOCs in our index before the May 7 disclosure, which meant operators in those environments had a chance to pre-stage incident response before the news cycle hit their inbox.


We got wrong, or at least underweighted, the speed of the reset. We assumed the second extortion ask would come weeks out, after Instructure's coverage cooled. It came in less than two days. The compression is itself a signal — the crew is operating with confidence, the brand recognition is high enough that they are willing to test customer patience immediately, and they may be working through a backlog of paid victims faster than past ShinyHunters campaigns.


For the school districts and universities now in individual negotiation: do not pay. The Instructure payment is the receipt that paying does not buy destruction; it buys a pause. Negotiations at institution level will produce eight thousand separate decision points and the crew will work whichever ones blink first. If you are a CIO at one of the 8,809 affected institutions, the operational question is not "should we pay our share" but "what do we tell affected students and staff this week, and what does our notification timeline look like under our state breach law."


For everyone else: this is the third year in a row that paying ransomware has, on average, resulted in re-extortion. The statistical case has been written by Coveware, by FBI public guidance, by the Ransomware Task Force. Today's news is one more data point. It is not a surprise.


## The ledger note



The May 12 ledger post stands. Seven entries, four days early on Canvas, twelve days early on Mini Shai-Hulud. The "data destroyed" hedge in that post lasted forty-eight hours and is now a footnote. The watch list is still the operational artifact. GE Healthcare, Moderna, and the rest of the eight still have pre-staged phishing infrastructure correlated to ShinyHunters in our iocs index. The crew is operationalizing the harvested credentials from the first intrusion now.


If you are reading this and you run security for a Canvas-using institution, the Hunt-Tonight from the May 8 post is now Hunt-This-Week. Rotate federated credentials issued before May 7. Audit Okta and Entra sign-in logs for the May 1 through today window. Watch for credential-stuffing campaigns against student and staff accounts that survived the breach. Watch the eight watch-list names. Watch the STIX feed.
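One way to run the sign-in audit described above, as an added example that is not part of the original post or the author's tooling. The normalized event fields (`ts`, `user`, `ip`, `result`), the sample events, and the five-account threshold are assumptions; map your Okta System Log or Entra sign-in export onto those four fields.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Hunt window from the post: May 1 through the publication date (May 12, 2026).
WINDOW_START = datetime(2026, 5, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 13, tzinfo=timezone.utc)  # exclusive upper bound
MIN_ACCOUNTS = 5  # assumed threshold: distinct accounts failing from one IP


def _ev(ts, user, ip, result):
    return {"ts": ts, "user": user, "ip": ip, "result": result}


# Constructed sample events (documentation IP ranges, example.edu accounts).
SAMPLE_EVENTS = [
    _ev(f"2026-05-09T02:14:{i:02d}Z", f"student{i}@example.edu", "203.0.113.7", "FAILURE")
    for i in range(6)
] + [
    _ev("2026-05-09T02:15:30Z", "student3@example.edu", "203.0.113.7", "SUCCESS"),
    _ev("2026-05-10T13:00:00Z", "staff1@example.edu", "198.51.100.20", "FAILURE"),
    _ev("2026-05-10T13:00:20Z", "staff1@example.edu", "198.51.100.20", "SUCCESS"),
    _ev("2026-04-20T08:00:00Z", "staff2@example.edu", "203.0.113.7", "SUCCESS"),  # outside window
]


def parse_ts(ts):
    # Accept a trailing "Z" on Python versions older than 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def hunt(events, min_accounts=MIN_ACCOUNTS):
    """Return {ip: {...}} for IPs that failed logins across many distinct accounts."""
    in_window = [e for e in events if WINDOW_START <= parse_ts(e["ts"]) < WINDOW_END]
    failed = defaultdict(set)
    for e in in_window:
        if e["result"] == "FAILURE":
            failed[e["ip"]].add(e["user"])
    findings = {}
    for ip, users in failed.items():
        if len(users) < min_accounts:
            continue  # one user mistyping a password is not credential stuffing
        # A success from a spraying IP suggests a valid credential: rotate these first.
        hits = sorted({e["user"] for e in in_window
                       if e["ip"] == ip and e["result"] == "SUCCESS"})
        findings[ip] = {"failed_accounts": len(users), "rotate_first": hits}
    return findings


if __name__ == "__main__":
    for ip, finding in hunt(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Accounts listed under `rotate_first` are the ones to prioritize for the credential rotation the post calls for, since a success from a spraying source indicates a working password.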


The lesson this round: the ransom payment did not buy destruction. It bought a forty-eight-hour gap. The next time a platform announces "an agreement with the threat actor and the compromised data has been destroyed," the appropriate response is not relief. It is the timestamp.


— Patrick Duggan, May 12, 2026





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

 
 
 
