Threat Intelligence Tarot
Vol. II · 104
Criminal (French and Moroccan nationals, suspected)
risk 3/5
The Data Magpie
ShinyHunters
ShinyCorp
Cloud storage · SaaS platforms · Consumer databases · Technology companies · Retail
Active since 2020 · Data theft, Financial gain, Notoriety
The Data Magpie collects everything that glitters: records, credentials, session tokens. It does not hack for ideology or espionage but for the pure accumulation of data as currency, shiny things traded in dark markets.
Tactics & Techniques
  • T1190 · Exploit Public-Facing Application · Initial Access
  • T1078 · Valid Accounts · Defense Evasion
  • T1530 · Data from Cloud Storage · Collection
  • T1114.002 · Remote Email Collection · Collection
  • T1657 · Financial Theft · Impact
  • T1110.004 · Credential Stuffing · Credential Access
  • T1041 · Exfiltration Over C2 Channel · Exfiltration
Notable Operations
  • AT&T breach (2024, 73 million customer records)
  • Snowflake customer credential campaign compromising 165+ companies
  • Ticketmaster breach (560 million records)
  • 500 million+ total records stolen across all operations
Defenses
  • MFA enforced on all cloud storage and SaaS platform access
    NIST CSF: PR.AC
  • Credential stuffing protection via IP reputation and velocity limiting on login endpoints
    CIS Control 6
  • Cloud Access Security Broker monitoring data egress from cloud storage
    CIS Control 13
  • Data minimization: retain only data required for business purposes
    NIST CSF: PR.DS
Reversed: Their Weakness
Multi-factor authentication on cloud storage access would have prevented the Snowflake campaign entirely. Data minimization practices reduce the value of what is stolen when breaches occur.

Data sourced from MITRE ATT&CK. For educational purposes.