
Sebastien Raoult, a 22-year-old from France, has pleaded guilty in the U.S. District Court of Seattle to conspiracy to commit wire fraud and aggravated identity theft as part of his activities in the ShinyHunters hacking group.

Raoult, also known as 'Sezyo Kaizen,' was apprehended last year in Morocco on suspicion of being a co-conspirator of the notorious data broker and hacking group, and was extradited to the U.S. in January 2023.

According to the plea agreement, Raoult and his co-conspirators hacked into computers to steal corporate and customer data. They then sold it under the ShinyHunters alias on various forums, marketplaces, and Telegram channels.


The estimated damage caused by this activity exceeds $6,000,000, according to the U.S. DoJ announcement, while the number of records stolen is measured in the hundreds of millions.

"Raoult and his co-conspirators hacked into protected computers of corporate entities for the theft of confidential information and customer records, including personally identifiable information and financial information," reads the U.S. DoJ announcement.

"After Raoult and his co-conspirators hacked companies, a user going by the name ShinyHunters posted hacked data from many of those companies for sale on dark web forums, including RaidForums, EmpireMarket, and Exploit."

Between April 2020 and July 2021, the ShinyHunters group posted stolen datasets from over sixty companies.

"A company's stolen data typically sold for thousands of dollars, and Shiny Hunters sometimes sold the same company's data multiple times," reads Raoult's plea agreement.

"For example, ShinyHunters sold the data from Victim-4 for $5,000, 13 different times, for a total of $65,000."

ShinyHunters leaking or selling stolen data on RaidForums
Source: BleepingComputer

In many cases, ShinyHunters extorted the breached firms, demanding a ransom payment in exchange for not publicly leaking the stolen information.

"Shiny Hunters also demanded ransoms from some victims and succeeded in obtaining ransoms as large as $425,000," continued the plea agreement. 

"When the co-conspirators breached companies' cloud computing providers, they sometimes used them to generate profit by cryptomining, while the cloud provider billed the use of computing power to the victim companies."

Raoult and his co-conspirators employed a wide range of tactics to breach companies, including creating phishing sites that mimicked login pages for legitimate platforms and businesses.

Once the hackers stole valid account credentials, they used them to log in to the targeted network to manually steal all data that could be accessed from the compromised account.

Next, the threat actors scrutinized the stolen data for the existence of additional account credentials that might help them further access the breached company's networks, their cloud storage, or any of their third-party service providers.

After they could no longer sell stolen data or it lost its value, the threat actors commonly distributed the data for free on hacker forums to gain reputation in the hacking community.

Raoult now faces up to 27 years in prison for conspiracy to commit wire fraud, plus a prison term of at least another two years for aggravated identity theft.
