Ransomware | CUSHMAN-WAKEFIELD | 2026-05-27

Cushman & Wakefield: ShinyHunters and Qilin Dual Ransomware Attack

Cushman & Wakefield, one of the world's largest commercial real estate services firms, was hit by two independent ransomware groups within a four-day window in early May 2026. ShinyHunters claimed responsibility on May 1, threatening to publish stolen data by May 6, while Qilin listed the company on its dark web leak site on May 4. The company publicly confirmed the breach on May 6, attributing the initial intrusion to a vishing (voice phishing) attack. ShinyHunters subsequently published the full 50 GB dataset of approximately 500,000 Salesforce records after ransom negotiations collapsed.

What Happened

On May 1, 2026, the data extortion syndicate ShinyHunters claimed it had breached Cushman & Wakefield and exfiltrated roughly 50 GB of data from the firm's Salesforce CRM environment. The group issued a May 6 deadline for payment, after which it threatened to release the data publicly.

Three days later, on May 4, the Qilin Ransomware-as-a-Service (RaaS) operation independently listed Cushman & Wakefield on its dark web data leak site. Notably, Qilin provided no data sample and no ransom demand. That leaves its claim unverified, and is consistent with either an early-stage compromise or a separate intrusion that had not yet reached the encryption phase typical of Qilin affiliates.

Cushman & Wakefield publicly confirmed the incident on May 6, describing it as "a limited data security incident due to vishing" and stating that response protocols had been activated. When negotiations with ShinyHunters collapsed, the group followed through and published the full dataset. Qilin has not published any data to date. The company has stated that its core systems and operations continue to run normally; that is consistent with ShinyHunters' theft-and-extortion model, which does not encrypt files, and indicates that no encryptor attributable to Qilin had been deployed at the time of the statement.

Reporting from CyberNews and Cyber Daily indicates the two claims represent independent intrusions rather than a coordinated coalition between the groups.

What Was Taken

ShinyHunters' published dataset comprises approximately 500,000 Salesforce records totaling roughly 50 GB. Salesforce, a cloud-hosted CRM platform, is widely used by enterprise sales and account teams to store customer contacts, deal pipeline data, communications, and internal corporate records.

The exposed data includes:

Qilin has not released a sample or specified the contents of any data it claims to hold, leaving the scope of that second intrusion unverified.

Why It Matters

This incident is a clean, documented case of a single Fortune 500 enterprise being claimed by two independent ransomware operations within days of each other. It illustrates a structural threat pattern that incident response (IR) playbooks have historically failed to account for: initial access that is sold or resold through access broker marketplaces, or obtained twice by separate social engineering campaigns, can be exploited by multiple actors in parallel. Note that neither outlet has confirmed how Qilin obtained access; broker resale is the most common explanation for overlapping claims, not an established fact in this case.

For defenders, this raises three immediate strategic concerns:

  1. IR playbooks that assume a single adversary may miss a second, concurrent intrusion already underway in the environment.
  2. Containment of one threat actor does not imply eradication. A second actor operating through the same broker-sourced access may remain undetected.
  3. The commercial real estate sector, which has not historically been a top-tier ransomware target, holds significant volumes of high-value transactional and PII data attractive to both encryption-based and pure-extortion actors.

The Attack Technique

Cushman & Wakefield's own statement identifies vishing (voice phishing) as the initial access vector. Vishing involves attackers placing telephone calls, typically impersonating IT helpdesk or trusted internal staff, to socially engineer employees into surrendering credentials, MFA codes, or remote access.

This is consistent with ShinyHunters' recent operational pattern of targeting Salesforce tenants through social engineering of employees with CRM privileges, rather than exploiting software vulnerabilities. Once credentials are obtained, attackers authenticate to the Salesforce tenant as the victim user and exfiltrate data through legitimate API access or bulk export functionality. No malware touches a corporate endpoint, so endpoint-focused defenses see nothing; the tenant's own login, API and export audit logs are the primary detection source.

The Qilin intrusion vector has not been publicly confirmed. Given Qilin's RaaS affiliate model, the second intrusion may have originated from a separate purchase of broker-sourced credentials or from a distinct social engineering campaign targeting different personnel. The four-day gap between claims is consistent with two actors independently acting on overlapping or separately obtained access.

What Organizations Should Do

  1. Harden helpdesk and identity verification workflows against vishing. Require out-of-band verification (callback to known internal extensions, manager approval) before any credential reset, MFA reset, or device enrollment request initiated by phone.
  2. Audit SaaS application access, especially Salesforce, Microsoft 365, and Workday. Restrict bulk export and API access to a minimal set of accounts, review which OAuth-connected applications and API clients hold export rights, enforce IP allowlisting where feasible, and alert on anomalous export volumes per account.
  3. Assume parallel intrusions during IR. When a confirmed breach is detected, do not scope containment to a single threat actor's known indicators. Hunt for additional unrelated activity across the same identity, network, and SaaS surface.
  4. Monitor access broker marketplaces and underground forums for listings referencing your organization, executives, or domain. Threat intelligence subscriptions and dark web monitoring can provide early warning of credential resale.
  5. Enforce phishing-resistant MFA (FIDO2 security keys or platform passkeys) for all privileged and SaaS-administrative accounts. Push-based and SMS MFA can be defeated by a caller who talks an employee into approving a prompt or reading out a code; phishing-resistant factors remove that option. They do not protect against a helpdesk that resets or re-enrolls MFA on request, which is why item 1 is a prerequisite.
  6. Conduct tabletop exercises that explicitly model a dual-actor scenario, including data extortion without encryption (ShinyHunters style) running concurrently with a traditional RaaS encryption attack (Qilin style).
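The export-volume and source-IP checks from item 2, and the "assume parallel intrusions" scoping from item 3, can be run as a small hunt over SaaS audit events, which is the detection surface the attack technique section says is left once the attacker is using legitimate API and export features. The block below is an added example written for this brief, not code from the page's sources or from Salesforce. The log schema, the corporate IP range, the thresholds and the sample events are all constructed for the example; Salesforce's real EventLogFile format has different column names and would need a parser of its own.

```python
"""Hunt for bulk CRM export activity and scope it by access profile.

Added example for this brief, not code from the page's sources or from Salesforce.
Two checks over constructed event-log records:
  1. rolling export volume per account (recommendation 2), and
  2. exports from outside corporate egress ranges, grouped by (account, source IP)
     so that two unrelated access profiles surface as two findings (recommendation 3).
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate egress range. In a real tenant, take this from the login IP
# allowlist already configured on the SaaS platform.
CORPORATE_NETWORKS = [ip_network("192.0.2.0/24")]

# Assumed policy: more than ROW_THRESHOLD rows exported by one account within any
# WINDOW-long span is treated as a volume anomaly.
ROW_THRESHOLD = 10_000
WINDOW = timedelta(hours=1)

# Constructed sample telemetry (not real logs). The columns are a simplified schema
# invented for this example, not Salesforce's EventLogFile format.
SAMPLE_LOG = """timestamp,event_type,user,client_ip,rows
2026-05-01T08:05:00Z,ReportExport,alice@example.com,192.0.2.15,180
2026-05-01T09:40:00Z,ReportExport,alice@example.com,192.0.2.15,220
2026-05-01T22:10:00Z,BulkApiJob,bob@example.com,203.0.113.10,60000
2026-05-01T22:25:00Z,BulkApiJob,bob@example.com,203.0.113.10,55000
2026-05-01T22:50:00Z,BulkApiJob,bob@example.com,203.0.113.10,40000
2026-05-02T10:00:00Z,ReportExport,alice@example.com,192.0.2.15,150
2026-05-04T03:12:00Z,BulkApiJob,carol@example.com,198.51.100.7,45000
2026-05-04T03:30:00Z,BulkApiJob,carol@example.com,198.51.100.7,38000
2026-05-04T11:00:00Z,ReportExport,dave@example.com,192.0.2.40,9000
"""


def parse_log(text: str) -> list[dict]:
    """Parse CSV export events into dicts sorted by timestamp."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_type": rec["event_type"],
            "user": rec["user"],
            "ip": ip_address(rec["client_ip"]),
            "rows": int(rec["rows"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_corporate(ip) -> bool:
    """True if the source address falls inside an allowlisted corporate range."""
    return any(ip in net for net in CORPORATE_NETWORKS)


def peak_rows_in_window(events: list[dict]) -> int:
    """Largest row total exported within any WINDOW span (two-pointer sliding window).
    `events` must be one account's events sorted by time."""
    best = total = start = 0
    for ev in events:
        total += ev["rows"]
        while ev["ts"] - events[start]["ts"] > WINDOW:
            total -= events[start]["rows"]
            start += 1
        best = max(best, total)
    return best


def find_anomalies(events: list[dict]) -> list[dict]:
    """Per account: flag volume spikes, and summarise exports from non-corporate IPs."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in sorted(by_user.items()):
        peak = peak_rows_in_window(evs)
        if peak > ROW_THRESHOLD:
            findings.append({"kind": "volume_spike", "user": user, "peak_rows": peak})
        external = [e for e in evs if not is_corporate(e["ip"])]
        for ip in sorted({str(e["ip"]) for e in external}):
            hits = [e for e in external if str(e["ip"]) == ip]
            findings.append({
                "kind": "external_ip", "user": user, "ip": ip,
                "events": len(hits), "rows": sum(e["rows"] for e in hits),
                "first_seen": hits[0]["ts"], "last_seen": hits[-1]["ts"],
            })
    return findings


def access_profiles(findings: list[dict]) -> list[tuple[str, str]]:
    """Distinct (account, source IP) pairs behind external-IP findings. More than one
    pair, especially days apart, is the cue to scope containment per profile rather
    than to the first actor's indicators."""
    return sorted({(f["user"], f["ip"]) for f in findings if f["kind"] == "external_ip"})


if __name__ == "__main__":
    found = find_anomalies(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print("distinct access profiles:", access_profiles(found))
```

On the constructed data the hunt flags two accounts for volume (bob, carol) and reports two separate external access profiles three days apart, while dave's 9,000-row in-network export stays under the assumed threshold. The point of `access_profiles` is the item 3 discipline: a responder who stopped at bob's indicators on May 1 would have no finding covering the May 4 activity, so the second profile has to be treated as its own incident until proven otherwise.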

Sources: Dual Ransomware Gang Attack: When ShinyHunters And Qilin