US telecom giant AT&T paid a hacker affiliated with the ShinyHunters group approximately $373,646 in Bitcoin (5.7 BTC) to delete stolen call and text metadata belonging to tens of millions of customers. The payment, made in May, was confirmed via blockchain tracking and disclosed to WIRED by the threat actor. The breach is part of a broader campaign targeting more than 150 organizations through compromised Snowflake cloud storage accounts.
What Happened
AT&T discovered the breach indirectly. A researcher known as Reddington alerted incident response firm Mandiant after being tipped off by American hacker John Erin Binns, who allegedly accessed AT&T's call and text logs via an insecure Snowflake cloud storage account. Once notified, AT&T entered negotiations and ultimately wired 5.7 BTC, worth roughly $373,646 at the time, to a ShinyHunters affiliate in exchange for deletion of the stolen data and video evidence proving the destruction. Binns' arrest in Turkey on unrelated 2021 T-Mobile charges complicated the negotiation track, forcing AT&T to deal directly with a different actor holding the data.
What Was Taken
The threat actor exfiltrated call and text message metadata for tens of millions of AT&T customers. The dataset included records of phone numbers contacted, call durations, and text-message routing information. According to AT&T's disclosure, the content of communications and subscriber identity records were not part of the haul. Even without content, the metadata represents a high-value intelligence corpus: contact graphs, communication frequency, and timing patterns are sufficient to deanonymize individuals, map social networks, and identify high-value targets such as journalists, activists, and government employees.
Why It Matters
This incident sets a publicly confirmed precedent: a Fortune 50 carrier paid a six-figure ransom to a criminal group not for decryption, but for deletion. Defenders should assume payment provides no guarantee, since the actor retains operational copies and may resell, leak, or weaponize the data despite "proof of deletion." The Snowflake campaign also demonstrates that supply-chain identity weaknesses (in this case, customer-owned SaaS tenants without enforced MFA) can expose downstream data at the scale of an entire telecom subscriber base. The reputational and regulatory exposure for AT&T extends well beyond the ransom figure.
The Attack Technique
The intrusion exploited Snowflake customer accounts that lacked multi-factor authentication and relied on credentials obtained through infostealer malware deployed against contractor and employee endpoints. The threat actor cluster, tracked by Mandiant as UNC5537 and overlapping with ShinyHunters tradecraft, used valid credentials to authenticate to AT&T's Snowflake tenant and execute large-scale data exports. There was no exploitation of a Snowflake platform vulnerability; the compromise rested on stolen credentials, absent MFA enforcement, and stale or overprivileged service accounts that retained broad data access.
What Organizations Should Do
- Enforce MFA on every Snowflake account, including service and machine identities, and disable password-only authentication at the tenant policy level.
- Rotate all Snowflake credentials and audit network policies to restrict tenant access to known corporate IP ranges or private connectivity.
- Hunt for infostealer infections across employee, contractor, and third-party endpoints; treat any historical Redline, Vidar, or Lumma detection as a credential compromise event.
- Review Snowflake QUERY_HISTORY and ACCESS_HISTORY logs for the past 12 months, looking for anomalous large exports, unusual user agents, and access from residential or VPS IP ranges.
- Treat ransom payments for "deletion" as risk transfer, not risk elimination; assume exfiltrated data persists and trigger downstream notification, monitoring, and customer protection workflows.
- Map and minimize sensitive metadata stored in cloud data warehouses, applying retention limits and column-level encryption to call detail records and equivalent high-sensitivity datasets.
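The MFA audit and log review steps above, worked as a small hunt over constructed Snowflake-style records (added example, not code from the article, AT&T, or Snowflake). Field names mirror the ACCOUNT_USAGE LOGIN_HISTORY and QUERY_HISTORY columns, but the rows, the corporate IP ranges, and the export threshold are assumptions to be replaced with your tenant's own values.

```python
"""Hunt for the pattern described above: successful password-only logins from
non-corporate IPs by an account that also ran an unusually large export.
All rows below are constructed sample data, not real telemetry."""
import ipaddress
from collections import defaultdict

# Assumption: your network-policy allow-list (corporate egress / private connectivity).
CORP_NETS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# Assumption: tune to the normal unload volume of your tenant.
EXPORT_ROWS_THRESHOLD = 1_000_000

# Constructed LOGIN_HISTORY-style rows.
LOGINS = [
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "203.0.113.10", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ETL_SVC", "CLIENT_IP": "192.0.2.77", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None},
    {"USER_NAME": "ANALYST1", "CLIENT_IP": "203.0.113.22", "IS_SUCCESS": "YES",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH"},
]
# Constructed QUERY_HISTORY-style rows (correlated to logins by USER_NAME only).
QUERIES = [
    {"USER_NAME": "ETL_SVC", "QUERY_TYPE": "UNLOAD", "ROWS_UNLOADED": 48_000_000, "ROWS_PRODUCED": 0},
    {"USER_NAME": "ANALYST1", "QUERY_TYPE": "SELECT", "ROWS_UNLOADED": 0, "ROWS_PRODUCED": 1_200},
]

def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

def accounts_without_mfa(logins) -> set:
    """Accounts that completed at least one successful login with no second factor."""
    return {l["USER_NAME"] for l in logins
            if l["IS_SUCCESS"] == "YES" and l["SECOND_AUTHENTICATION_FACTOR"] is None}

def risky_logins(logins) -> list:
    """Password-only successful logins originating outside the corporate allow-list."""
    return [l for l in logins if l["IS_SUCCESS"] == "YES"
            and l["SECOND_AUTHENTICATION_FACTOR"] is None and not is_corporate(l["CLIENT_IP"])]

def large_exports(queries) -> list:
    """Queries that unloaded or produced more rows than the tuned threshold."""
    return [q for q in queries
            if max(q["ROWS_UNLOADED"], q["ROWS_PRODUCED"]) >= EXPORT_ROWS_THRESHOLD]

def hunt(logins, queries) -> dict:
    """Map each user with a risky login to the large exports that user ran."""
    suspects = {l["USER_NAME"] for l in risky_logins(logins)}
    findings = defaultdict(list)
    for q in large_exports(queries):
        if q["USER_NAME"] in suspects:
            findings[q["USER_NAME"]].append(q)
    return dict(findings)

if __name__ == "__main__":
    print("no-MFA accounts:", accounts_without_mfa(LOGINS))
    print("findings:", hunt(LOGINS, QUERIES))
```

Against a live tenant, replace the constructed lists with the results of SELECTs on SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY and QUERY_HISTORY over the review window.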
Sources: How AT&T Paid Hacker $370K to Delete Stolen Phone Records