Here is the complete intel brief and tweet.

title: "Inter-Con Security: ShinyHunters Extortion Leak" date: 2026-06-20 slug: inter-con-security-shinyhunters-breach

Inter-Con Security: ShinyHunters Extortion Leak

Inter-Con Security, one of the largest physical security firms in the world, has been listed on the ShinyHunters Darkfield leak site, with the actor claiming exfiltration of more than 2.7 million records and internal corporate data. The listing was indexed on June 18, 2026, and the group issued a final extortion warning dated June 19, 2026, threatening to publish the data unless a ransom is paid by June 22, 2026.

What Happened

ShinyHunters added Inter-Con Security (icsecurity.com) to its public extortion portal on June 18, 2026, claiming to have compromised over 2.7 million records along with internal corporate data. The group followed the listing with a final warning on June 19, 2026, stating that the victim must make contact before the data is leaked, and warning of "several annoying (digital) problems" if the demand is ignored. The ransom deadline is set for June 22, 2026. As of the latest indexing, the status is recorded as "Data leaked," though the precise leak date remains unconfirmed. The disclosure was surfaced by Darkfield, which cross-checks ransomware listings against ransomware.live, RansomLook, and RansomWatch.

What Was Taken

According to the actor's own leak post, the stolen material includes:

• Over 2.7 million records
• Internal corporate data

Given Inter-Con's role as a contract security provider to aviation, government, healthcare, financial services, and commercial real estate clients, the records likely span employee and contractor personally identifiable information, client relationship data, and sensitive operational documentation. With more than 40,000 personnel deployed across North America, South America, and Africa, a breach of this scale represents large-scale PII exposure affecting both staff and the organizations Inter-Con protects.

Why It Matters

This incident is rated critical. Inter-Con is a critical infrastructure adjacent organization, providing physical security, executive protection, and security operations center management to government and high-value commercial clients. A compromise of its corporate data carries downstream risk far beyond the company itself: leaked contracts, guard schedules, site details, and personnel records could expose the physical security posture of the very clients Inter-Con is contracted to protect. The reputational damage to a firm whose business is trust and protection is severe, and the potential for secondary targeting of its clients makes this a supply chain concern for any organization in its portfolio.

The Attack Technique

The initial access vector and intrusion method have not been disclosed in the leak post. ShinyHunters is a recently emerged extortion group, first observed in October 2025, and is primarily motivated by financial gain through data theft and extortion. The group's listing and "pay or leak" final warning are consistent with a data exfiltration extortion model rather than confirmed encryption based ransomware. Their origin and affiliations remain unclear due to their recent emergence and limited public documentation. Organizations should treat the specific entry point as unknown and assume that common vectors, such as compromised credentials, exposed remote services, or third-party access, remain plausible until the firm publishes its own findings.

What Organizations Should Do

• Inter-Con clients should immediately engage their account contacts to determine whether their contracts, site data, or personnel records are within the exposed dataset, and review physical security arrangements accordingly.
• Rotate credentials and API keys associated with any shared portals, vendor integrations, or accounts connected to Inter-Con services.
• Enforce phishing-resistant multi-factor authentication across remote access, VPN, and administrative accounts to reduce the value of any leaked credentials.
• Monitor for exposure of corporate domains, employee emails, and related data across leak sites and dark web channels, and prepare breach notification processes for affected individuals.
• Audit and segment third-party and vendor access, applying least privilege so a single supplier compromise cannot cascade into your environment.
• Brief staff and clients on targeted phishing and social engineering risk, as leaked corporate data is frequently weaponized for follow-on attacks ahead of and after a public leak.

Sources: icsecurity.com data breach — Shinyhunters ransomware leak (2026) · Darkfield