Summary
GOLD CRYSTAL is a financially motivated cybercriminal group, also known as ShinyHunters and UNC6240, that has been operating since 2020. The group shares some significant overlaps with other English-speaking cybercriminal groups such as GOLD HARVEST, with both groups made up of individuals that have some affiliation to 'The Com' ecosystem. GOLD CRYSTAL is active across several underground forums and Telegram channels, using these platforms to sell data stolen from a wide range of companies. The group first appeared as a 'data broker' on the Empire Forum and RaidForums in May 2020, using these platforms to leak millions of records and generate publicity. These early attacks appeared to focus predominantly on credential theft and database access, with the group releasing 386 million records stolen from 18 different companies onto an underground forum in July 2020. GOLD CRYSTAL was also linked to the 2024 Snowflake breach, in which customers of the cloud-based data warehousing and analytics platform had accounts compromised by threat actors using credentials found in infostealer dumps.
Most recently, GOLD CRYSTAL was tied to a widespread data-theft campaign targeting Salesforce cloud customers, in which threat actors impersonated IT support staff and used voice phishing calls to trick employees into installing a malicious version of Salesforce's Data Loader tool, allowing them to access and extract sensitive customer data. Another campaign against Salesforce a month later used OAuth/refresh tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer organizations, systematically exporting CRM data and hunting for credentials (e.g., AWS access keys, passwords, Snowflake tokens).
GOLD CRYSTAL has historically advertised stolen data for sale on various underground forums, marketplaces and its Telegram account, where it has used the name 'Scattered LAPSUS$ Hunters'. However, on October 3, 2025, the group launched its first dedicated leak site, populated with 40 initial victims.
