"Just as individuals hunt and collect Shiny Pokémon, [hackers] ShinyHunters collect and resell user data," researchers from cybersecurity company Intel471, authors of a report on their activities, told AFP.

According to a June 2021 US indictment targeting Sébastien Raoult, seen by AFP, the ShinyHunters have earned a reputation for having stolen the data of dozens of companies around the world since 2019, including several companies in the United States, and then selling some of that data on the dark web.

According to the FBI, the team hacked into the accounts and computer networks of numerous companies, in particular through phishing email campaigns targeting employees who use widespread services such as the code-sharing platform GitHub, owned by the American computer giant Microsoft.

Three French nationals

According to various experts interviewed by AFP, their victims are said to include the Microsoft account on GitHub, the Indonesian e-commerce site Tokopedia, the American clothing brand Bonobos, the online PDF editor PDF Nitro and the American telephone operator AT&T.

Based on IP addresses, related accounts and discussions on Discord, among others, the FBI believes it has identified three French people who are members of the ShinyHunters "group", including Sébastien Raoult, 21, who has been imprisoned since early June near Rabat and could be extradited in the coming months to the United States.

The US justice system is also targeting Abdel H., known under the pseudonyms "Zac" and "Jordan Keso", and Gabriel KB, known under the names "Kuroi" and "Gnostic Players", who has Asperger's autism.

Tried in 2019 for the hacking of the Vevo channel and the hit song Despacito on YouTube, Gabriel KB was declared not criminally responsible.

This 23-year-old computer genius is also indicted in another case, suspected of having hacked, with others, the Gatehub cryptocurrency platform in 2019.

- Sale, sharing, extortion -

It was in April 2020 on the now closed RaidForums that the nickname "ShinyHunters" first appeared, according to the observations of researchers from the cybersecurity company Intel471.

The group's first coup took place the following May, when it leaked the data of 91 million Tokopedia users, according to reports from the computer security company Digital Shadows consulted by AFP.

The ShinyHunters initially sought to sell their first databases.

But from July 2020, publications mention a "phase 2", which would consist of distributing these databases for free on hacker forums, explains Digital Shadows analyst Ivan Righi.

"They were very popular on the forums," says the cybersecurity specialist. "They were really looking for recognition from other users," according to a report sent by Ivan Righi.

"At the beginning, they were more looking to make a name for themselves on the dark web, and a little money, because a database cannot be resold very expensively", Angelina Shelest, an analyst for the French cybersecurity start-up CybelAngel, which monitors leaks from the group, also told AFP.

But starting in April 2021, the ShinyHunters are said to have entered their third phase: threatening companies with releasing their data unless a ransom is paid, according to posts observed by analyst Ivan Righi.

The US justice system, for example, accuses the "ShinyHunters" account of having blackmailed an Indian company official in March 2021, demanding 1.2 million bitcoins in exchange for not leaking all of their data.

"Self-taught"

Several experts interviewed suspect the ShinyHunters of being linked to other cybercriminal groups, such as the GnosticPlayers.

"The investigators say that GnosticPlayers has turned into ShinyHunters. But these are two completely different cases", protests Nassim B., a friend of Sébastien Raoult, who describes himself as a "self-taught" computer scientist living "very merely".

This 23-year-old from Grenoble, also tried in 2019 alongside Gabriel KB for the hacking of the Vevo channel, and indicted in the Gatehub case, tells AFP that he was questioned by French and American investigators at the end of May, at the same time as the arrest of Sébastien Raoult in Morocco.

"During the interrogations, the FBI cited around thirty pseudonyms, and asked us if we knew who they were," said Nassim B., who claims his innocence and that of Sébastien Raoult in the attacks attributed to ShinyHunters.

"We are not a gang of cybercriminals, we are a bunch of computer enthusiasts," he pleads.

Nassim, who says he knows "Sezyo" well, alias Sébastien Raoult, describes his hacker buddies as "a community of friends who have known each other since 2012, having in common a passion for the Internet" and a taste for hacking for "the feeling of having achieved [a] feat".

"False Leads"

“We hack under a pseudonym,” he says.

"It's easy to usurp someone's attack, to make false leads, to make sure to attribute attacks to others", pleads the young man.

Two sources familiar with the matter confirmed that hackers had been taken into police custody in France in May and June as part of a request for mutual assistance from the United States on the ShinyHunters.

Mattys S., 21, also claims to have been questioned by investigators on May 31 in the South of France on cyberattacks attributed to ShinyHunters.

"We have nothing to do with that. There has never really been a group (...) the acts (of piracy) are done regularly by people, randomly".

According to Ivan Righi, the ShinyHunters have, since the dismantling of RaidForums, "migrated to BridgeForum, and it appears that they have ceased operations, or do not wish to be involved within the community".

In France, the family of Sébastien Raoult - a former computer science student in Epinal - has been stepping up its efforts and press conferences to demand his extradition to France rather than to the United States.

Sébastien Raoult's lawyer thus sent letters on Monday to President Emmanuel Macron, Prime Minister Elisabeth Borne and the Ministries of Justice and Foreign Affairs, denouncing the young man's "inadmissible judicial situation", akin to "a jurisdictional black hole".

"Instead of a common trial in France, we have sacrificed Sébastien Raoult so that he can be tried alone in the United States, it is scandalous and contrary to fundamental rights", lawyer Philippe Ohayon told AFP in reaction.

© 2022 AFP