ShinyHunters Shifts to Dark Web Operations After Canvas LMS Disruption Hits Universities

Popular hacking group ShinyHunters has lost its public website. The domain registry pulled the plug on shinyhunte.rs this past Monday.

And guess what? The timing lines up perfectly with their recent attack on Canvas LMS, that learning platform tons of schools use every single day.

What Went Down With the Canvas Attack

The Canvas attack affected a lot of schools. Hundreds of universities couldn’t hold classes normally. Students logged into Canvas and found something weird. Their school portals looked different. Hackers had left their mark everywhere.

ShinyHunters posted a message right on those compromised pages. They bragged about breaking in. Then they threatened to release stolen information unless someone paid them money.

Pretty scary stuff for students and teachers just trying to get through the semester.

Now the hacking group says the people who run domain names have suspended shinyhunte.rs. On their dark website (which still works fine), they left a notice. It basically says “that domain isn’t ours anymore.”

ShinyHunters’announcement on their onion website.

They’re warning everyone not to trust the old site if it comes back online. If another bad actor got a hold of the domain name, they could start posing as ShinyHunters, which won’t be good at all.

What Happened to ShinyHunters’ Domain

‘.rs’ domains belong to Serbia. As is the case with “.US” for the US and “.UK” for England, “.RS” identifies websites registered in the Republic of Serbia. The Serbian registry called RNIDS handles everything concerning domains.

Domain suspensions typically occur due to some form of complaint against the site, or evidence of illegal activity, such as distributing malware, phishing scams, or hosting ransomware. Domain suspensions can be requested by security vendors, CERT teams, hosting companies, or law enforcement agencies.

But here’s what nobody knows yet. Did Serbian officials act on their own? Or did other countries ask them to step in? People online started whispering about the FBI getting involved. But there’s zero public evidence of that right now. So for now, we just don’t know who pulled the trigger on this suspension.

Law enforcement actions against cybercriminals are just one side of the story. A recent cyberattack on Russian security firm Delta shows that even cybersecurity companies can become targets, regardless of which side they’re on.

Why This Matters for Regular People

So what does this mean for students and teachers? ShinyHunters isn’t new to this. They’ve stolen data before from companies like Salesforce and Anodot. And they ended up releasing the data on the dark web.

Surprisingly, the domain they lost only hosted announcements. The actual stolen data? That lives somewhere else entirely. Their dark web .onion site is still running as if nothing happened.

So the domain suspension doesn’t stop the leak threat at all. ShinyHunters can still post everything they stole. Students should assume their information might already be out there.

The group also threw out a warning that feels important. Someone random could register shinyhunte.rs later, and then pretend to be the real hackers to deceive people. To be safe, always verify the source of every information you consume. 

Steps to Keep Safe

The first step to take is changing your Canvas password. Do it right now before you forget. Pick something strong that you haven’t used anywhere else. No birthdays or pet names, please.

Also turn on multi-factor authentication as well. That extra step stops hackers from gaining access into your account because even if they have your password, they’d need a second code from your phone to get in. 

Monitor your email to spot suspicious activity on time. After breaches like this, scammers send tons of fake messages. They’ll pretend to be your school’s IT department or your professor. Don’t click random links. Don’t open weird attachments.

Check your bank accounts and credit reports too. Stolen student information sells on dark web markets all the time. Criminals buy this stuff to commit fraud. Call your university’s IT help desk. Ask them straight up what information got exposed. See if they’re offering credit monitoring. Some schools give that out after big attacks.

ShinyHunters says they’ll only use their dark web site from now on. They specifically warned that “anyone claiming to be us anywhere is impersonating.” So if the old site pops back up, remember it’s not really them.

The group is getting smarter about hiding. Moving fully off the regular internet makes them harder to catch. Dark websites don’t work like normal sites, so it’s not easy for registries to shut them down.