
The Feds Shuttered ShinyHunters' Salesforce Leak Site. We Named the Victims From the Infrastructure Weeks Ago. The Takedown Is the Easy Part.

  • Writer: Patrick Duggan
  • 4 min read

Federal law enforcement shuttered the data-leak site that ShinyHunters built to extort the thirty-nine companies caught in their Salesforce campaign. That is a good day, and the agents who did it earned it. It is also the part of this story that was always going to be the easy part, and conflating the takedown with a win is the mistake that lets the next leak site go up next week. Here is why, and here is what the harder, more useful work actually looked like — because we did it, in public, before the site that just got taken down existed.


First, the campaign, because the leak site is the end of a chain we have documented end to end. Between March and June of 2025, ShinyHunters compromised the GitHub account of Salesloft and used TruffleHog — a free, public secrets-scanning tool anyone can download in thirty seconds — to pull OAuth tokens for the Drift and Drift Email integrations out of Salesloft's own source code. Those tokens were keys to the Salesforce instances of seven hundred and sixty organizations. Over the following months, the group exfiltrated roughly 1.5 billion Salesforce records, and inside many of those instances they found the next set of keys: cloud credentials, Snowflake tokens, passwords. The breach was never one company. It was a trust relationship — a vendor integration everyone enabled and nobody inspected — walking through seven hundred and sixty open doors.
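The first link in that chain, a secrets scanner finding an integration token committed to source, is the one a defender can reproduce against their own repositories before anyone else does. Below is an added illustration, not TruffleHog and not code from this post: a minimal scanner that flags quoted literals assigned to credential-looking names when the literal is long and high-entropy (or any literal assigned to a password field). The sample source, vendor hostname and token value are constructed for the example.

```python
import math
import re

# Constructed sample of "source code" with a committed secret. Not real credentials.
SAMPLE_SOURCE = """\
# integration settings (constructed example, not a real repository)
DRIFT_API_BASE = "https://api.example-vendor.invalid/v1"
DRIFT_OAUTH_TOKEN = "t0k3n_xK9vQ2pL7mN4rW8sZ1bY6cH3jF5dA0eG"
DEBUG = True
password = "hunter2"
"""

# Variable names that suggest the assigned string is a credential.
SENSITIVE_NAME = re.compile(r"(token|secret|passw(or)?d|api[_-]?key|oauth)", re.I)
# Assignment of a quoted string literal:  NAME = "value"  or  NAME: "value"
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*["'](?P<value>[^"']+)["']"""
)

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, min_len: int = 16, min_entropy: float = 3.5) -> list:
    """One finding per line where a credential-looking name holds a long, high-entropy
    literal, or a password-named field holds any literal. Values are redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ASSIGNMENT.search(line)
        if not m or not SENSITIVE_NAME.search(m.group("name")):
            continue
        value = m.group("value")
        ent = shannon_entropy(value)
        looks_random = len(value) >= min_len and ent >= min_entropy
        is_password = re.search(r"passw(or)?d", m.group("name"), re.I) is not None
        if looks_random or is_password:
            findings.append({
                "line": lineno,
                "name": m.group("name"),
                "entropy": round(ent, 2),
                "redacted": value[:4] + "..." + value[-2:],  # never log the full value
            })
    return findings

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run against a real checkout, the same pass over git history (not just the working tree) is what turns a committed-then-deleted token from a latent exposure into a rotation ticket.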


The leak site that the Feds just took down is what comes at the end of that chain, and its appearance is a milestone worth naming precisely. A criminal operation does not start with a branded, persistent extortion storefront. It starts with one-off dumps on hacker forums, building reputation. The dedicated leak site is the operation graduating — the moment a crew has enough victims, enough credibility, and enough confidence to run extortion as a product with a storefront. It is the "proven" phase of a trust lifecycle, the same arc that governs every reputation-based system from dark markets to exchanges to social platforms: trust, proving, proven, and then the exposure that the proven phase creates. The leak site is what makes the extortion efficient. It is also, precisely because it is centralized and branded and persistent, the single most takedownable thing the operation owns.


And that is the whole point about why this takedown is the easy part. Hold it next to the other story we have been writing this week — the rough beast moving into the trust graph, the supply-chain worms coordinating over blockchain canisters and IPFS that cannot be subpoenaed off the internet. That infrastructure is decentralized by design specifically so it cannot be shuttered. A ShinyHunters leak site is the opposite. It is a storefront with an address. Law enforcement can seize an address. What they cannot seize is the credential set, the victim relationships, the playbook, and the operator's willingness to stand up a new storefront under a new name. Takedowns of centralized criminal infrastructure are real and worth doing and almost always temporary, because the takedownable layer is the cheapest layer for the criminal to rebuild. Watch for the re-host. It is coming.


So if the takedown is the easy part, what is the hard part, and did anyone do it? The hard part is knowing who the victims are before the leak site lists them — while there is still time for those companies to rotate credentials, hunt their logs, and get ahead of the extortion clock instead of finding out from a dark-web post. On May 8, weeks before this leak site existed, we published a ShinyHunters watch list: eight named environments with pre-staged attacker infrastructure already visible in our feed, including GE Healthcare, Moderna, and Nike. The thesis was simple and it has now been validated by a leak site with thirty-nine names on it: the victim universe of a campaign like this is knowable in advance, because the infrastructure that will be used to extort a company tends to appear before the company is publicly named. The leak site is the confirmation. The watch list is the warning, and the warning is the only part of this that gives a defender time to act.


That is the difference we keep pressing, and this week drew it in bright lines. The news is that the Feds took down a leak site, and that is genuinely good. The intelligence is that the leak site was the visible, takedownable tail end of a campaign whose victims were identifiable from infrastructure weeks earlier, that the takedown removes the storefront but not the operation, and that the same crew will rebuild the cheap centralized layer while keeping the expensive part — the access and the playbook — entirely intact. If your name is one of the thirty-nine, the takedown does not un-leak your data and it does not mean the operator is gone. It means the storefront is closed and the inventory is still for sale.


The honest, uncomfortable version, capped below certainty as always: we cannot promise the next leak site looks identical or that the operators do not learn from the seizure and decentralize their extortion infrastructure the way the supply-chain crews already decentralized their command and control. They might. The trend across the whole threat landscape is toward infrastructure that cannot be taken down, and the leak-site seizure is exactly the kind of event that teaches a criminal organization to stop using takedownable infrastructure. Enjoy this win. Do not mistake it for the end. And if you want to know whether you are on the next list, the answer is in the infrastructure today, not on the leak site tomorrow — which is exactly where we will keep looking.





