
We Couldn’t Have Been Pwnd by Someone a Little Cooler, at Least?


The following is a guest post by Lee Clark, alum of the Patterson School of Diplomacy and International Commerce and current cyber intelligence professional.

On May 7, the hacking group ShinyHunters impacted functionality of Instructure’s Canvas classroom management suite at thousands of colleges and universities. According to InfoSecurity Magazine:

“The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.

ShinyHunters gained unauthorized access to Instructure systems by exploiting a vulnerability in the Free-For-Teacher version of Canvas. Over 3.65 TB of data is said to have been exfiltrated by the ransomware gang.

The group made its first extortion attempt by posting a ransom demand on its data leak site. The initial deadline was 8 May, after which the group threatened to leak data.

[…]

Since that deadline has passed, the group extended its deadline and began a school-by-school extortion campaign, researchers at Halcyon noted in a recent analysis.

This has seen a defacement message appear on approximately 330 institutional Canvas login pages.”

Here’s the original ransom note that appeared on user screens:

Canvas appears to be back online at many institutions, and as of this writing, ShinyHunters has removed the claim from their dark web ransom blog. There’s an informal expectation in the cyber community that being posted then removed from a prominent ransomware name and shame page generally indicates that the victim has paid or is negotiating a payment, but that’s difficult to confirm and not always true.

The notable aspect of this hack, as compared to the thousands of other software supply chain hacks that happen constantly, is simple: normies saw the ransom note. Thousands of students, TAs, professors, and administrators across America got a big scary ransom note (or later saw it on the news or heard word of mouth from colleagues or classmates and saw a flimsy “Down for Maintenance” sign where their grades should be). I read these things all day at work; they’re boring, annoying, and often full of grandiose claims and bluster. But to someone who doesn’t read these all day, they can be pretty darn scary and invasive. Typically, the only people who see ransom notes appear on their screen are employees of the impacted company. Here, ShinyHunters was able to post the ransom note to damn near all of Canvas’s customer base simultaneously during finals week! Makes sense, from their perspective: maximum public pressure to resolve quick and easy. Pay us the money, and we’ll go away.

A few things here! A few years ago, ShinyHunters was known primarily by cyber professionals for fake or at least exaggerated data breach and ransom claims and for extorting people with fake threats of leaking nude photos. Fast forward to 2025: they’ve melded with Lapsus$ and Scattered Spider to form The Com, become a primary cyber threat to private business globally, and now this. Early research indicates they probably were only able to steal names and email addresses from Instructure and are bluffing on severity (which tracks for them). It doesn’t really matter, though; this hack broke through to mainstream news, and clout is as good as cash for this particular group. A key thing they focus on is supply chain hacks: why hack one company if you can hack a tool used by thousands of companies and then ransom them all? Exponential bang for buck.

And if half of victims pay (but less than 15% get their functionality/data back), and you hack, say, 9k colleges, you’re looking at a nice payday for minimal work: all you had to do was make a phone call, install some files, and download some databases. You don’t even have to know how to code, just how to scam.

The Com is largely composed of British teenagers with mid-level hacking skills who are very good at social engineering; basically, they’re super good at tricking people into giving up passwords via phone calls where they pretend to be a company’s IT support or an employee who needs IT support. These teens harass and blackmail other teens in online spaces, especially gaming spaces, into helping them run scams and breaches and sales of stolen data.

It’s nasty, evil shit they get up to, heinous things like encouraging preteen girls to hurt themselves and take nude photos with their injuries showing, then using those photos to blackmail them into helping with scams. They also tend to doxx, swat, and threaten to kill cyber pros who investigate them. The biggest problem is that they’re decentralized, so even though British authorities arrest Com figureheads at the rate of one or two per month, it hasn’t really made a dent, and as a result these clowns have been the most prolific and impactful hackers in the world for the last year or two.

We live in a Golden Age of scams, and we are beset on all sides by clowns.
