Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site.

News of the Red Hat data breach broke last week when a hacking group known as the Crimson Collective claimed to have stolen nearly 570GB of compressed data across 28,000 internal development repositories.

This data allegedly includes approximately 800 Customer Engagement Reports (CERs), which can contain sensitive information about a customer’s network, infrastructure, and platforms.

The threat actors claimed to have attempted to extort Red Hat into paying a ransom to prevent the public disclosure of the data, but received no response.

Red Hat later confirmed to BleepingComputer that the breach affected its GitLab instance, which was used solely for Red Hat Consulting on consulting engagements.

Soon after the breach was disclosed, threat actors known as Scattered Lapsus$ Hunters sought to make contact with Crimson Collective.

Yesterday, Crimson Collective announced that it had partnered with Scattered Lapsus$ Hunters to utilize the newly launched ShinyHunters data leak site to continue their extortion attempts against Red Hat.

“On the 4th April 1949 was created the so big called NATO, but what if today’s new alliance was bigger than that ? But for a greater purpose, ruining corporations mind,” reads a post to the hacking group’s Telegram channel.

“What if, Crimson’s shininess extends even further away ?”

“Regarding the current announcement regarding us, we are going to collaborate with ShinyHunter’s for the future attacks and releases,” the Crimson Collective threat actors told BleepingComputer.

In coordination with the announcement, a Red Hat entry has now appeared on a new ShinyHunters data leak extortion site, warning the company that data would be publicly leaked on October 10th if a ransom demand was not negotiated with ShinyHunters.

In addition, the threat actors released samples of the stolen CERs, including those for Walmart, HSBC, Bank of Canada, Atos Group, American Express, Department of Defence, and Société Française du Radiotéléphone.

BleepingComputer contacted Red Hat about this development but did not receive a response.

The ShinyHunters Extortion-as-a-Service

For months, BleepingComputer has speculated that ShinyHunters was acting as an extortion-as-a-service (EaaS), where they work with threat actors to extort a company in exchange for a share of the extortion demand, similar to how ransomware-as-a-service gangs operate.

This theory was based on the numerous attacks conducted by various threat actors, all of which were extorted under the ShinyHunters name, including those targeting Oracle Cloud and PowerSchool.

Conversations with ShinyHunters further supported this theory, as the group has previously claimed not to be behind a particular breach but rather just acting as a broker of the stolen data.

Furthermore, there have been numerous arrests of individuals associated with the name “ShinyHunters” over the years, including those linked to the Snowflake data theft attacks, breaches at PowerSchool, and the operation of the Breached v2 hacking forum.

However, even after these arrests, new attacks occur with companies receiving extortion emails stating, “We are ShinyHunters”.

Today, ShinyHunters told BleepingComputer that they have been privately operating as an EaaS, where they take a revenue share from any extortion payments generated for other threat actors’ attacks.

“Everyone i’ve worked with in the past have taken 70 or 75% and I receive a 25-30%,” claimed the threat actor.

With the launch of the ShinyHunters data leak site, it appears that the threat actor is now publicly operating the extortion service.

In addition to Red Hat, ShinyHunters is also extorting SP Global on behalf of another threat actor that claimed to breach the company in February 2025.

BleepingComputer had contacted SP Global at the time about the alleged breach, but was told that the claims were false and that the company was not breached.

However, the threat actors have now released samples of data on the data leak site, claiming they were stolen during the attack, and have also set an October 10th deadline.

After contacting SP Global again today regarding its inclusion on the data leak site, they decided not to comment on the claims.

“We don’t comment on such claims. We note that as a US listed company, we are required to publicly disclose material cybersecurity incidents,” SP Global told BleepingComputer.