
ShinyHunters Says 340 Million OnlyFans Records. The Number Is the Leverage, Not the Breach.

  • Writer: Patrick Duggan
  • 16 hours ago

The headline writes itself, and that is exactly the trap. Over the weekend ShinyHunters claimed a 340-million-record OnlyFans haul, a number engineered for screenshots rather than scrutiny. We have had a ShinyHunters adversary profile on file since May 23, and we wrote up their May spree (Charter, Carnival, Vimeo, 7-Eleven, and Instructure) when it was the dominant criminal pool of the month. This is the same crew, and the pattern is the same: the count is the weapon.


Here is the discipline we hold ourselves to, capped at the honest 95 percent: we do not know that it is 340 million real records. ShinyHunters inflates. A claim of 340 million padded with scraped public profiles negotiates exactly like 34 million of genuine private data, because the fear does the negotiating before anyone audits the dump. When a data-theft crew leads with a round, enormous number and no sample schema, treat the number as a pressure instrument, not a measurement. The leverage is the headline you are reading right now.


What actually deserves your attention is the tradecraft. ShinyHunters stopped being a forum data-broker years ago. In the configuration we track as the Coinbase Cartel, overlapping with Scattered Spider and Lapsus$, they breach cloud SaaS platforms by social-engineering DevOps and support staff, stealing OAuth and CI tokens, then extorting. These are the same hands we correlated to the Grafana GitHub-token slip in May and the Canvas and Instructure campaign that touched thousands of schools. The mechanism is always a platform trusting a token, and that trust being borrowed by the wrong person.


And a line we will not cross: if the OnlyFans breach is real, the people in that data are victims, not a punchline. The platform is incidental. The story is that a trust boundary failed and exposed human beings who had every reasonable expectation of privacy. We will track the infrastructure the moment indicators surface, correlate it against the ShinyHunters cluster we already hold, and publish receipts. We will not make jokes at the expense of the exposed. That is the difference between threat intelligence and gossip.


If you run identity or SaaS infrastructure, the takeaway is not OnlyFans. It is your own OAuth grants, your CI tokens, and the support staff who can be talked into a screen share. That is where this crew lives. The 340 million is theater. The token is the door.



