Checkout.com Refuses Ransom After ShinyHunters Breach of Legacy System
Checkout.com, a payment services provider, was targeted by the ShinyHunters criminal group, who gained unauthorized access to a legacy third-party cloud file storage system used for internal documents and merchant onboarding materials from 2020 and earlier. The attackers demanded a ransom, but Checkout.com refused to pay, instead donating the equivalent amount to cybercrime research. The company confirmed that its live payment processing platform was not affected, and no merchant funds or card numbers were accessed. Checkout.com has taken full responsibility for the incident, apologized to affected partners, and is working with law enforcement and regulators while notifying impacted parties.
The breach affected less than 25% of Checkout.com's current merchant base, as the compromised system contained only historical operational data. The company emphasized its commitment to transparency and accountability, outlining plans to invest further in cybersecurity. The incident highlights the ongoing threat posed by ransomware and extortion groups, with ShinyHunters continuing to target organizations for data theft and ransom. Checkout.com's public stance against paying the ransom and redirecting funds to cybercrime research sets a notable precedent in the industry.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Checkout.com pledged ransom-equivalent donations to cybersecurity research
Instead of paying the attackers, Checkout.com said it would donate an equivalent amount to Carnegie Mellon University and the University of Oxford Cyber Security Centre. The company framed the move as support for cybersecurity research following the extortion attempt.
Checkout.com disclosed the breach and refused to pay ransom
Checkout.com publicly acknowledged the data breach, said it would not pay the extortion demand, and stated it was contacting affected customers. The company also said it was working with law enforcement and regulators on the incident.
Attackers attempted to extort Checkout.com over stolen data
After stealing data, ShinyHunters demanded a ransom from Checkout.com. The company characterized the incident as an extortion attempt tied to the legacy system compromise.
ShinyHunters breached Checkout.com's legacy storage environment
The ShinyHunters cybercrime group accessed data from Checkout.com's legacy third-party cloud file storage system. Checkout.com said the incident affected less than 25% of its merchant base and did not impact payment processing, merchant funds, or card numbers.
Legacy cloud file storage system remained accessible after 2020
Checkout.com said the breached environment was a legacy third-party cloud file storage system used in 2020 and earlier that was not properly decommissioned. The system reportedly held internal operational documents and merchant onboarding materials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
A miracle: A company says sorry after a cyber attack - and donates the ransom to cybersecurity research
bitdefender.com
Open sourceCheckout.com Discloses Data Breach After Extortion Attempt
databreaches.net
Open sourceCheckout.com snubs hackers after data breach, to donate ransom instead
bleepingcomputer.com
Open sourceShinyHunters-hit Checkout.com rejects ransom payment
scworld.com
Open sourceRansomed CTO falls on sword, refuses to pay extortion demand
go.theregister.com
Open sourceProtecting our Merchants: Standing up to Extortion
checkout.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Data-Extortion Claims Target Crunchbase and Waltio
**Crunchbase** confirmed a cybersecurity incident after the **ShinyHunters** cybercrime group claimed it stole **over 2 million personal records**. ShinyHunters reportedly posted a **402 MB compressed archive** online after an extortion attempt failed, and Crunchbase stated the threat actor **exfiltrated certain documents from its corporate network**. Crunchbase said business operations were not disrupted, the incident was **contained**, external cybersecurity experts were engaged, and **federal law enforcement** was notified while the company reviews the exposed data to determine required legal notifications. In a separate ShinyHunters-linked extortion case, French crypto tax platform **Waltio** was reported to be facing a ransom threat tied to alleged theft of personal data for **nearly 50,000 users**, including threatened exposure of users’ **2024 tax reports**. Waltio stated its services and production systems remained secure and that **no sensitive banking or crypto access data** was compromised. The activity aligns with ShinyHunters’ established pattern of **data theft and leak-site pressure** when ransom demands are not met.
Mar 21, 2026
Vercel Confirms Breach After Threat Actor Offers Alleged Stolen Data for Sale
Vercel confirmed a security incident involving unauthorized access to certain internal systems after a threat actor using the name **ShinyHunters** claimed to be selling allegedly stolen company data on a hacking forum. The company said only a limited subset of customers was affected, its services remain operational, and it has engaged incident response experts, notified law enforcement, and is working directly with impacted customers. The actor claimed the stolen data included access keys, source code, database data, internal deployment access, and API keys, and shared a text file with 580 employee-related records along with a screenshot purportedly showing an internal Vercel Enterprise dashboard. Vercel advised customers to review environment variables and rotate secrets if necessary, while the authenticity of the leaked materials and the attribution to **ShinyHunters** remained unverified; the actor also claimed on Telegram that a **$2 million** ransom demand had been discussed with the company.
May 11, 2026
Red Hat GitLab Data Breach and Extortion by Crimson Collective and ShinyHunters
Red Hat, a leading enterprise software provider, confirmed a significant cyberattack resulting in unauthorized access to one of its GitLab instances. The breach was initially claimed by a hacking group known as Crimson Collective, who stated they had exfiltrated approximately 570GB of compressed data from Red Hat's internal development repositories. Among the stolen data were around 800 Customer Engagement Reports (CERs), which contain sensitive infrastructure and authentication details for numerous organizations across various sectors. Red Hat clarified that the compromised GitLab instance was used exclusively for Red Hat Consulting engagements, but the exposure of CERs poses a substantial risk to affected customers. Following the breach, Crimson Collective attempted to extort Red Hat, demanding a ransom to prevent the public disclosure of the stolen data. When Red Hat did not respond to these demands, Crimson Collective escalated their efforts by partnering with the ShinyHunters extortion group. ShinyHunters subsequently listed Red Hat on their newly launched data leak site, threatening to release the stolen data publicly if their ransom demands were not met by October 10th. The extortion campaign was further publicized through posts on Telegram, where the threat actors boasted about their alliance and intentions to target corporations. The incident highlights the growing trend of collaboration among cybercriminal groups to maximize pressure on victims and increase the likelihood of ransom payments. The breach also underscores the risks associated with third-party and internal development platforms, as attackers increasingly target these environments for valuable data. Red Hat's confirmation of the breach and the nature of the compromised data has raised concerns among its customers, particularly those whose sensitive information may now be at risk of exposure. The attack is part of a broader pattern of ransomware and extortion operations targeting high-profile technology companies. Security researchers have noted that the professionalization and convergence of cybercrime groups, as seen in this incident, are making such attacks more sophisticated and damaging. The Red Hat breach serves as a warning to organizations to strengthen their security posture around development environments and to prepare for the possibility of multi-stage extortion campaigns. The incident also demonstrates the importance of timely communication and transparency with affected stakeholders in the aftermath of a breach. As the deadline for the public release of the stolen data approaches, Red Hat and its customers face heightened risks of data exposure, reputational damage, and potential regulatory scrutiny. The evolving tactics of groups like Crimson Collective and ShinyHunters signal a challenging threat landscape for enterprises worldwide.
Mar 21, 2026