The data extortion crew known as ShinyHunters has added two well known US companies to its dark web leak site, claiming to have stolen data from test and measurement equipment maker Fluke Corporation and from Ingram Content Group, one of the world's largest book and content distributors. Both listings appeared on July 1. As with all leak site posts, these are unverified extortion claims made by the attackers themselves, not confirmed breaches, and neither company has publicly acknowledged an incident.
ShinyHunters is known for large scale data theft and extortion rather than file encrypting ransomware, monetizing stolen databases by threatening to publish or sell them. IntelFusions previously tracked the group when it breached several universities through an Oracle PeopleSoft zero day. A leak site listing is typically the pressure phase: the victim is named publicly to force a payment before any data is released. You can follow the group's activity on its IntelFusions threat actor profile.
A busy week on the leak sites
The ShinyHunters claims land during a heavy stretch of extortion activity. Over the same three day window, the prolific Qilin ransomware operation posted the largest volume of fresh victims, spanning the US, UK, Japan, and Europe, while newer crews such as Krybit and Settra listed clusters of victims across manufacturing, healthcare, logistics, and technology. The steady drumbeat underscores how leak site extortion has become an industrialized, seven day a week business.
What organizations should do
Companies that appear on a leak site should assume the underlying data theft may be real and move quickly: preserve logs, engage incident response, reset exposed credentials, and prepare customer and regulator notifications rather than waiting for the attackers' deadline. More broadly, defenders should watch the access paths these crews favor, including exposed enterprise applications, stolen credentials, and unpatched internet facing servers. Because these remain claims, treat specifics with caution until an affected organization or independent researchers confirm them.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.