oag.dc.gov September 8, 2025
Lawsuit Alleges That 93% of Deposits to Athena Bitcoin, Inc. Are From Scams That Target Vulnerable Residents & Seniors & That Athena Profits from Illegal, Hidden Fees
Attorney General Brian L. Schwalb today sued Athena Bitcoin, Inc. (Athena), one of the country’s largest operators of Bitcoin Automated Teller Machines (BTMs), for charging undisclosed fees on deposits that it knows are often the result of scams, and for failing to implement adequate anti-fraud measures. When users discover they have been scammed and seek refunds, Athena imposes a strict “no refunds” policy on their entire transactions—even failing to return the significant undisclosed fees it collects from scam victims.
An investigation by the Office of the Attorney General (OAG) showed that Athena BTMs appeal to criminals because Athena fails to provide effective oversight, creating an unchecked opportunity for illicit international fraud. Athena BTMs are most frequently used by scammers targeting elderly users who are less familiar with cryptocurrency and less likely to report fraud. According to the company’s own data from its first five months of operations in the District:
93% of all Athena BTM deposits were the direct result of scams;
Nearly half of all deposits were flagged to Athena as the product of fraud;
Victims’ median age was 71; and
The median amount lost per scam transaction was $8,000, with one victim losing a total of $98,000 in nineteen transactions over a period of several days.
“Athena’s bitcoin machines have become a tool for criminals intent on exploiting elderly and vulnerable District residents,” said Attorney General Schwalb. “Athena knows that its machines are being used primarily by scammers yet chooses to look the other way so that it can continue to pocket sizable hidden transaction fees. Today we’re suing to get District residents their hard-earned money back and put a stop to this illegal, predatory conduct before it harms anyone else.”
Athena is one of the country’s largest BTM operators and has maintained seven BTMs in the District. BTMs allow users to purchase cryptocurrencies such as Bitcoin with cash and then deposit the cryptocurrency into a digital “wallet.” The wallet should be owned by the consumer purchasing the cryptocurrency, but in the scams conducted with Athena’s machines, exploited users send large sums of money directly to swindlers.
OAG’s lawsuit alleges Athena violates the District’s Consumer Protection Procedures Act and Abuse, Neglect, and Financial Exploitation of Vulnerable Adults and the Elderly Act by:
Facilitating financial scams. Athena is well aware that the safeguards it has implemented are insufficient to protect customers from fraud. Athena’s own logs show that during its first five months of operation in the District, 48% of all funds deposited in the company’s BTMs resulted in consumers reporting directly to Athena that they had been the victim of a scam.
Illegally profiting from hidden fees. Athena BTMs charge District consumers fees of up to 26% per transaction without clearly disclosing them at any point in the process. Bitcoin purchased through other apps and exchanges typically have fees of 0.24% to 3%. In June 2024, Athena added a confusing and misleading reference to a “Transaction Service Margin” in its lengthy Terms of Service, but the magnitude of the margin is never disclosed, nor is the word “fee” ever mentioned.
Refusing to refund victims of fraud. Athena further deceives users through a refund policy that either outright denies scam victims refunds or arbitrarily caps them, even though Athena could easily return the hidden transaction fees it pockets. Athena also requires fraud victims to sign a release that frees the company of all future liability and blames victims for not sufficiently heeding onscreen BTM warnings.
With this lawsuit, OAG seeks to force Athena to bring Athena’s operations into compliance with District law, secure restitution for victims, and penalties for the District.
A copy of the lawsuit is available here.
This case is being handled by Assistant Attorneys General Anabel Butler and Jason Jones, Investigator Lu Lagravinese, and Civil Rights and Elder Justice Section Chief Alicia M. Lendon.
Resources for District Residents
Elder financial abuse is all too common and largely underreported. It happens to people across all socioeconomic backgrounds and can be perpetrated by anyone having a connection to the senior resident, whether through a family, personal, or business relationship. Elders or vulnerable adults may be hesitant to report abuse because of fear of retaliation or lack of physical or cognitive ability to report the abuse, or because they do not want to get the alleged abuser in trouble.
Resources to help residents learn how to detect, prevent, and report abuse of the elderly or vulnerable adults are available here.
Google has confirmed that hackers created a fraudulent account in its Law Enforcement Request System (LERS) platform that law enforcement uses to submit official data requests to the company
"We have identified that a fraudulent account was created in our system for law enforcement requests and have disabled the account," Google told BleepingComputer.
"No requests were made with this fraudulent account, and no data was accessed."
The FBI declined to comment on the threat actor's claims.
This statement comes after a group of threat actors calling itself "Scattered Lapsus$ Hunters" claimed on Telegram to have gained access to both Google's LERS portal and the FBI's eCheck background check system.
The group posted screenshots of their alleged access shortly after announcing on Thursday that they were "going dark."
The hackers' claims raised concerns as both LERS and the FBI's eCheck system are used by police and intelligence agencies worldwide to submit subpoenas, court orders, and emergency disclosure requests.
Unauthorized access could allow attackers to impersonate law enforcement and gain access to sensitive user data that should normally be protected.
The "Scattered Lapsus$ Hunters" group, which claims to consist of members linked to the Shiny Hunters, Scattered Spider, and Lapsus$ extortion groups, is behind widespread data theft attacks targeting Salesforce data this year.
The threat actors initially utilized social engineering scams to trick employees into connecting Salesforce's Data Loader tool to corporate Salesforce instances, which was then used to steal data and extort companies.
The threat actors later breached Salesloft's GitHub repository and used Trufflehog to scan for secrets exposed in the private source code. This allowed them to find authentication tokens for Salesloft Drift, which were used to conduct further Salesforce data theft attacks.
These attacks have impacted many companies, including Google, Adidas, Qantas, Allianz Life, Cisco, Kering, Louis Vuitton, Dior, Tiffany & Co, Cloudflare, Zscaler, Elastic, Proofpoint, JFrog, Rubrik, Palo Alto Networks, and many more.
Google Threat Intelligence (Mandiant) has been a thorn in the side of these threat actors, being the first to disclose the Salesforce and Salesloft attacks and warning companies to shore up their defenses.
Since then, the threat actors have been taunting the FBI, Google, Mandiant, and security researchers in posts to various Telegram channels.
Late Thursday night, the group posted a lengthy message to a BreachForums-linked domain causing some to believe the threat actors were retiring.
"This is why we have decided that silence will now be our strength," wrote the threat actors.
"You may see our names in new databreach disclosure reports from the tens of other multi billion dollar companies that have yet to disclose a breach, as well as some governmental agencies, including highly secured ones, that does not mean we are still active."
However, cybersecurity researchers who spoke with BleepingComputer believe the group will continue conducting attacks quietly despite their claims of going dark.
Update 9/15/25: Article title updated as some felt it indicated a breach.
bbc.com 12.09 Theo LeggettBusiness correspondent
The past two weeks have been dreadful for Jaguar Land Rover (JLR), and the crisis at the car maker shows no sign of coming to an end.
A cyber attack, which first came to light on 1 September, forced the manufacturer to shut down its computer systems and close production lines worldwide.
Its factories in Solihull, Halewood, and Wolverhampton are expected to remain idle until at least Wednesday, as the company continues to assess the damage.
JLR is thought to have lost at least £50m so far as a result of the stoppage. But experts say the most serious damage is being done to its network of suppliers, many of whom are small and medium sized businesses.
The government is now facing calls for a furlough scheme to be set up, to prevent widespread job losses.
David Bailey, professor of business economics at Birmingham Business School, told the BBC: "There's anywhere up to a quarter of a million people in the supply chain for Jaguar Land Rover.
"So if there's a knock-on effect from this closure, we could see companies going under and jobs being lost".
Under normal circumstances, JLR would expect to build more than 1,000 vehicles a day, many of them at its UK plants in Solihull and Halewood. Engines are assembled at its Wolverhampton site. The company also has large car factories in China and Slovakia, as well as a smaller facility in India.
JLR said it closed down its IT networks deliberately in order to protect them from damage. However, because its production and parts supply systems are heavily automated, this meant cars simply could not be built.
Sales were also heavily disrupted, though workarounds have since been put in place to allow dealerships to operate.
Initially, the carmaker seemed relatively confident the issue could be resolved quickly.
Nearly two weeks on, it has become abundantly clear that restarting its computer systems has been a far from simple process. It has already admitted that some data may have been seen or stolen, and it has been working with the National Cyber Security Centre to investigate the incident.
Experts say the cost to JLR itself is likely to be between £5m and £10m per day, meaning it has already lost between £50m and £100m. However, the company made a pre-tax profit of £2.5bn in the year to the end of March, which implies it has the financial muscle to weather a crisis that lasts weeks rather than months.
'Some suppliers will go bust'
JLR sits at the top of a pyramid of suppliers, many of whom are highly dependent on the carmaker because it is their main customer.
They include a large number of small and medium-sized firms, which do not have the resources to cope with an extended interruption to their business.
"Some of them will go bust. I would not be at all surprised to see bankruptcies," says Andy Palmer, a one-time senior executive at Nissan and former boss of Aston Martin.
He believes suppliers will have begun cutting their headcount dramatically in order to keep costs down.
Mr Palmer says: "You hold back in the first week or so of a shutdown. You bear those losses.
"But then, you go into the second week, more information becomes available – then you cut hard. So layoffs are either already happening, or are being planned."
A boss at one smaller JLR supplier, who preferred not to be named, confirmed his firm had already laid off 40 people, nearly half of its workforce.
Meanwhile, other companies are continuing to tell their employees to remain at home with the hours they are not working to be "banked", to be offset against holidays or overtime at a later date.
There seems little expectation of a swift return to work.
One employee at a major supplier based in the West Midlands told the BBC they were not expecting to be back on the shop floor until 29 September. Hundreds of staff, they say, had been told to remain at home.
When automotive firms cut back, temporary workers brought in to cover busy periods are usually the first to go.
There is generally a reluctance to get rid of permanent staff, as they often have skills that are difficult to replace. But if cashflow dries up, they may have little choice.
Labour MP Liam Byrne, who chairs the Commons Business and Trade Committee, says this means government help is needed.
"What began in some online systems is now rippling through the supply chain, threatening a cashflow crunch that could turn a short-term shock into long-term harm", he says.
"We cannot afford to see a cornerstone of our advanced manufacturing base weakened by events beyond its control".
The trade union Unite has called for a furlough system to be set up to help automotive suppliers. This would involve the government subsidising workers' pay packets while they are unable to do their jobs, taking the burden off their employers.
"Thousands of these workers in JLR's supply chain now find their jobs are under an immediate threat because of the cyber attack," says Unite general secretary, Sharon Graham.
"Ministers need to act fast and introduce a furlough scheme to ensure that vital jobs and skills are not lost while JLR and its supply chain get back on track."
Business and Trade Minister Chris Bryant said: "We recognise the significant impact this incident has had on JLR and their suppliers, and I know this is a worrying time for those affected.
"I met with the chief executive of JLR yesterday to discuss the impact of the incident. We are also in daily contact with the company and our cyber experts about resolving this issue."
https://www.international.gc.ca Date modified: 2025-09-12
Summary
Rapid Response Mechanism Canada (RRM Canada) has detected a “hack and leak” operation by Iran-linked hacker group, “Handala Hack Team” (Handala). The operation targeted five Iran International journalists, including one from Canada. RRM Canada assesses that the operation began on July 8, 2025.
The hacked materials ranged from photos of government IDs to intimate content. They were first released via the Handala website, then further amplified via X, Facebook, Instagram, Telegram, and Iranian news websites. At the time of assessment, engagement with the hacked materials has varied from low to medium (between 0 to 2,200 interactions and 1 to 225,000 views), depending on the platform. The social media campaign appears to have stopped as of early August.
Following the aftermath of the initial “hack and leak” operation, RRM Canada also detected amplification of the leaked information through multiple AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek. These platforms all outlined detailed information about the “hack and leak” operation, providing names of the affected individuals, the nature of the leaked information, and links to the released images. RRM Canada notes that some of these chatbots continue to surface the leaked images upon request.
Many sources, including the Atlantic Council, have associated the Handala Hack group with Iran’s intelligence services. Footnote1
Targets and content
Initial “hack and leak” operation
On July 8, 2025, alleged “hacktivist” group “Handala Hack Team” claimed to have accessed the internal communication and server infrastructure of Iran International—a Farsi satellite television channel and internationally-based English, Arabic, and Farsi online news operation.Footnote2 The group released several uncensored photos of government IDs (including passports, permanent resident cards, and driver’s licences) of five Iran International staffers. In some instances, released content included email address passwords, along with intimate photos and videos. (See Annex A)
RRM Canada detected the operation on July 9, 2025, following the release of the information on a Telegram channel associated with Handala. The group claimed to have acquired information of thousands of individuals linked to Iran International, including documents and intimate images of journalists who worked for the news agency.Footnote3
On July 11, 2025, RRM Canada detected further distribution of materials on X and Facebook. The information appears to focus on a Canadian resident employed by Iran International. The leak included several photos of the individual’s ID, including their provincial driver’s licence, permanent resident card, and Iranian passport, and other personal photos and videos. Three other internationally based staff of the news agency were targeted in a similar fashion, with the release of government-issued ID on Handala’s website and then distributed online.
It is believed that more journalists have been affected by the hack, and there are suggestions that the group is also using the hacked intimate images as a source of revenue by implementing pay-for-play access to some images.
Information amplified through AI chatbots
RRM Canada tested six popular AI chatbots—ChatGPT, Gemini, Copilot, Claude, Grok, and DeepSeek—to assess whether the platforms would retrieve and share the information leaked by Handala. While the required prompts varied, all tested chatbots outlined detailed information about the operation, providing the names of the individuals implicated in the lead in addition to the nature of information. (See Annex B)
In addition to providing information, links, and, in some cases, images related to the leak, the chatbots provided citations that included links to unreliable or state-linked sources or repeated unverified accusations against Iran International regarding its credibility from Handala.
Tactics, techniques and procedures
“Hack and leak” operations are a type of cyber-enabled influence campaign where malicious actors hack into a target’s systems or accounts to steal sensitive or private information and then leak the information publicly. Operations are often implemented with the intent to damage reputations, influence public opinion, disrupt political processes, and even put personal safety at risk.
These operations are often associated with state-sponsored actors, hacktivist groups, or cybercriminals.
Links to Iranian intelligence
Handala established their web presence in December 2023. The group has limited social media presence, likely resulting from frequent violations of the platforms’ terms of service.
Atlantic Council and several threat intelligence firms (including Recorded Future, Trellix, and others) report that Handala has connections or is affiliated with other Iranian intelligence-linked groups such as Storm-842 (also known as Red Sandstorm, Dune, Void Manticore, or Banished Kitten).Footnote4 Iran International asserts that Handala and Storm-842 are the same group operating as a cyber unit within Iran’s Ministry of Intelligence.Footnote5
Implications
The leak of personal information increases the risk to the personal safety of the affected Iran International staff. The ease of access to the information resulting from search engine algorithms and availability on AI chatbots further increases this risk. Such operations are used as a form of digital transnational repression (DTNR), which is leveraged to coerce, harass, silence, and intimidate those who speak against foreign actors or against their interests.
Annex A: Sample images of leaked information
Image 1
Image 1: Government-issued ID and personal photos of a Canadian resident working for Iran International.
Image 2
Image 2: post likely from Handala Hack Team associates amplifying leaked materials.
Annex B: Large language model outputs
Image 3
Image 3: Web version of ChatGPT producing leaked images.
Image 4
Image 4: Google’s Gemini reproducing images of the leak.
Image 5
Image 5: Grok showing X posts that include leaked information.
Image 6
Image 6: Claude generating responses with a citation linking directly to Handala's website.
Image 7
Image 7: DeepSeek generating responses with a citation linking directly to Handala’s website.
ZATAZ » Darknet: dismantling of the French DFAS platform
Posted On 12 Sep 2025By : Damien Bancal
The Paris prosecutor has announced the shutdown of DFAS, one of the last major French-speaking darknet platforms, after a joint investigation by Cyberdouanes and OFAC.
On September 12, 2025, the Paris prosecutor confirmed the dismantling of the darknet platform “Dark French Anti System” (DFAS), active since 2017. Considered the last major French-speaking darknet marketplace, it facilitated drug sales, personal data trading, and criminal tools. Two men were arrested on September 8: the alleged creator, born in 1997, and an active contributor, born in 1989. More than 6 bitcoins, worth about €600,000, were seized. The investigation, launched by Cyberdouanes in 2023, uncovered over 12,000 members and 110,000 published messages. This operation closes a series of successive dismantlings carried out by French authorities since 2018.
The origins and structure of DFAS
The DFAS platform, short for “Dark French Anti System,” had been operating on the darknet since 2017. It offered various services, including drug sales, tools for fraud and cyberattacks, weapons, and guidance on user anonymization. It stood out as a rare French-speaking hub in a landscape largely dominated by English-language platforms.
One of the two men arrested, born in May 1997, is suspected of having designed and managed the platform. The second, born in April 1989, acted as a tester of its criminal services. Both suspects were brought before a judge for possible indictment.
The investigation began in 2023, led by the French customs intelligence unit DNRED. Cyberdouanes noted a steady growth in activity, despite earlier takedowns of French-speaking marketplaces. DFAS had more than 12,000 active members and over 110,000 messages. The site also served as a refuge for former users of previously dismantled platforms.
On September 8, 2025, law enforcement arrested two individuals linked to DFAS. More than 6 bitcoins, worth around €600,000, were seized. Investigators also secured technical materials documenting the platform’s operations and exchanges. The U.S. Office of Foreign Assets Control (OFAC) subsequently pursued the financial flows tied to the platform.
The end of a French-speaking darknet cycle
DFAS was the last major French-speaking darknet marketplace still active in 2025. Its shutdown follows a series of high-profile operations: La Main Noire in 2018, French Deep Web in 2021, Le Monde Parallèle that same year, and Cosa Nostra in 2024. Each closure had temporarily displaced users, but DFAS succeeded in capturing a large share of these migrations.
The Paris prosecutor’s announcement thus marks a turning point: the French-speaking darknet is now without a central hub. Criminal exchanges are dispersing across foreign platforms or smaller, harder-to-trace channels, complicating both monitoring and enforcement. [ZATAZ News English version]
| The Record from Recorded Future News Jonathan Greig
September 15th, 2025
Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organizations for exorbitant ransoms after stealing data from Salesforce, the FBI warned.
The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively.
After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organizations — threatening to leak troves of customer data, business documents and more.
The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency but they noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration while others took place months later.
The FBI said the campaign began in October 2024 when members of the group gained access to organizations through social engineering attacks that involved contacting call centers and posing as IT employees.
That scheme typically gave the cybercriminals access to employee credentials that were then leveraged to access Salesforce instances holding customer data. In other cases, the hackers used phishing emails or texts to take over employees’ phones or computers.
The hackers evolved their tactics throughout the summer, switching to exploiting third-party applications that organizations linked to their Salesforce instances.
“UNC6040 threat actors have deceived victims into authorizing malicious connected apps to their organization's Salesforce portal,” the FBI said.
“This grants UNC6040 threat actors significant capabilities to access, query, and exfiltrate sensitive information directly from the compromised Salesforce customer environments.”
By August, the hackers began targeting the Salesloft Drift application, an AI chatbot that can be integrated with Salesforce.
The tactic allowed them to bypass traditional defenses like multifactor authentication, login monitoring and password resets, the FBI explained. In some cases, the FBI has found that the hackers created malicious applications within Salesforce trial accounts that allowed them to register connected apps without using a legitimate corporate account.
On Monday, Reuters and the BBC confirmed that Kering — the French conglomerate that owns Gucci, Balenciaga and Alexander McQueen — was attacked by the same ShinyHunters cybercriminals.
ShinyHunters told the BBC that it stole information connected to 7.4 million unique email addresses. The hackers told another news outlet that they stole the information in late 2024 but only began negotiating a ransom in June 2025.
Last week, a critical government agency in Vietnam confirmed that millions of financial records were stolen in an attack claimed by ShinyHunters. The cybercriminals previously took credit for devastating campaigns targeting giants in the insurance, retail and aviation industries.
The FBI provided indicators of compromise that potential victims can use to see whether they have been affected by the hacking campaigns and urged companies to train call center employees on the tactics used.
The agency also said companies should limit the privileges of almost every employee account, enforce IP-based access restrictions, monitor API usage and more.
Experts said the information provided by the FBI showed how sophisticated the actors are at abusing legitimate tools for nefarious purposes, like Azure cloud infrastructure, virtual servers, Tor exit nodes and proxy services to obfuscate their origin.
Scattered retirement?
The FBI notice came shortly after the group made several posts on Telegram claiming to be retiring. The group blamed a recent string of arrests, law enforcement activity and criminal convictions against members as their reason for ceasing the current operation.
Cybersecurity experts were dubious about the disbanding claims, noting that cybercriminal operations often make similar claims before reconstituting under different names. Some theorized the hackers are likely going to enjoy the spoils of their recent extortion campaigns before returning to cybercriminal activity.
Sam Rubin, a senior official with Palo Alto Networks’ Unit 42, said recent arrests may have prompted the group to lay low, but history says such activity is often temporary.
“Groups like this splinter, rebrand, and resurface — much like ShinyHunters. Even if public operations pause, the risks remain: stolen data can resurface, undetected backdoors may persist, and actors may re-emerge under new names,” he said.
“Silence from a threat group does not equal safety.”
databreaches.net Posted on September 15, 2025 by Dissent
On September 11, DataBreaches broke the story that customers of several high-end fashion brands owned by Paris-headquartered Kering had their personal information acquired by ShinyHunters as part of two Salesforce attacks. As we reported, a spokesperson for ShinyHunters claimed to have acquired more than 43 million customer records from Gucci and almost 13 million records from Balenciaga, Brioni, and Alexander McQueen combined.
Kering never responded to emailed inquiries, but ShinyHunters provided DataBreaches with samples from both attacks that appeared legitimate. They also provided chat logs from negotiations they claimed took place with someone presenting themselves as Balenciaga’s safety manager. Those negotiations appeared to go on for more than a month and a half between June 20 and mid-August. According to the logs, it appeared Kering agreed to pay a ransom of 500,000 euros, but then they went silent and never followed through.
Kering Issues a Statement
Although they did not respond to DataBreaches’ questions at the time, Kering issued a statement that they provided to other news sites, including LeMagIT and The Guardian.
Their statement, as reported by LeMagIT, does not answer all of the questions DataBreaches had, but it’s a start. Kering states:
« En juin 2025, nous avons constaté qu’un tiers non autorisé avait temporairement accédé à nos systèmes et consulté des données clients limitées provenant de certaines de nos Maisons », explique le service de presse de Kering dans une déclaration adressée à la rédaction.
Celle-ci ajoute que « nos Maisons ont immédiatement signalé cette intrusion aux autorités compétentes et ont informé les clients conformément aux réglementations locales ».
Et de préciser qu’aucune « information financière, telle que des numéros de compte bancaire ou de carte de crédit, ni aucun numéro d’identification personnelle (numéro de sécurité sociale), n’ont été compromise lors de cet incident ».
Selon le service de presse de Kering « l’intrusion a été rapidement identifiée et des mesures appropriées ont été prises pour sécuriser les systèmes concernés et éviter que de tels incidents ne se reproduisent à l’avenir ».
A machine translation roughly yields:
In June 2025, we found that an unauthorized third party had temporarily accessed our systems and accessed limited customer data from some of our Houses. Our Houses immediately reported this intrusion to the competent authorities and informed the customers in accordance with local regulations….. No financial information, such as bank account or credit card numbers, nor any personal identification number (social security number), was compromised during this incident.
According to Kering’s statement, “the intrusion was quickly identified and appropriate measures were taken to secure the affected systems and prevent such incidents from recurring in the future.”
They do not name the brands affected, they do not disclose the total number of affected individuals, and when asked what countries were affected, Kering reportedly declined to answer Reuter’s question.
An Inconsistent Statement?
It appears that neither Kering nor any of the affected brands detected the breaches on their own, and they only first found out when ShinyHunters contacted them in June. Why they did not discover the breaches by their own means is unknown to DataBreaches.
DataBreaches can confirm that there was no financial information in the samples of records that DataBreaches inspected. However, Kering’s statement to another news outlet contradicts claims made by ShinyHunters to DataBreaches.net in important respects.
As previously reported, ShinyHunters provided this site with chat logs of negotiations between ShinyHunters and someone claiming to be a representative of Balenciaga. But Kering has apparently told the BBC that it did not engage in conversations with the criminal(s), and it didn’t pay any ransom, consistent with long-standing law enforcement advice.
Their denial appears to be factually inaccurate, at least in part.
At the time of our first publication, DataBreaches reported that Balenciaga had made a small test payment in BTC to ShinyHunters. This site did not include specific proof in that article, but ShinyHunters had provided this site with evidence at the time. We are posting that proof now in light of Kering’s denial that they engaged in any conversations or paid any ransom.
The chat log provided to this site showed that Balenciaga was to make a small test payment in BTC to ShinyHunters on or about July 4. The amount mentioned in the chat log was 0,00045 BTC. The chat log also showed the BTC address as bc1qzwpshyadethrqum0yyjh7uxxzhsnjjgapdmr4c. DataBreaches had redacted that address from the published report.
On July 4, Balenciaga’s “user” told ShinyHunters that the test payment had been made:
[en attente] : 2025-07-04
[03:09:08] shinycorp: Bonjour, vous nous aviez promis un paiement hier, mais nous n’avons rien reçu. des nouvelles ?
[04:23:45] Utilisateur: Bonjour
[04:24:05] Utilisateur: nous avons eu du retard pour la création du compte
[04:24:09] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
[04:24:18] Utilisateur: ci joint la preuve du paiement test
[04:24:24] Utilisateur: je vous invite à vérifier
[04:52:42] shinycorp: Reçu pour la première fois
[06:17:52] shinycorp: Veuillez diffuser la transaction.
[07: 45: 06] Utilisateur: fichier: / / / C: / Utilisateurs / X / Bureau / flux de blocs.htm
[07:46:28] Utilisateur: https://blockstream.info/tx/a4d9c24a90fdbcf652f18bafae89740094ad7a555e4e747e7e2602771e9a1d6b
DataBreaches had looked up the wallet address and found confirmation of the payment. The following is a screengrab showing the payment.
Btcpaid
Kering’s reported claims about no conversations and no payment appear to be refuted by the chat log and corresponding BTC transaction. ShinyHunters did not claim that Kering paid their ransom demand, but they do claim that there were extensive negotiations and that a small test payment was made, and there seems to be proof of that.
Kering’s statement to other news sites also leaves a lot of other unanswered questions. They told the BBC that they had emailed all affected customers, but that raises other questions. DataBreaches emailed Kering again today to ask for additional details. Specifically, DataBreaches asked them:
Have you notified data protection regulators in all of the countries where your customers reside?
When did you send emails to customers to notify them?
Have you notified store customers by postal mail if the customers did not provide email addresses? If not, how have you notified those without email addresses?
Your statement claims that you did not have any conversations with the attackers. Has your legal department obtained IP addresses from qtox to find out the IP address of the person representing themself as Balenciaga’s negotiator? Are you claiming that ShinyHunters was lying about negotiations, or are you saying something else?
No reply has been received.
Furthermore, we still do not know how many unique customers, total, were affected by these attacks on their brands. The BBC reported that it might be less than 7.4 million based on the number of unique email addresses. But the 7.4 million unique email addresses were only for the Balenciaga, Brioni, and Alexander McQueen data. There were more than 43 million records for the Gucci data set, so there would be a significant number of unique email addresses and customers there, too, and not all customers provide an email address.
Although Kering does not seem to be embracing public transparency in its incident response, we may eventually find out more if investors demand accountability or if data protection regulators report on any investigations and findings.
