## On-Chain Sleuths Trace ShinyHunters' AT&T Ransom: 5.72 BTC Linked to May 2024 Payment in Blockchain Probe
Security researchers have achieved what law enforcement and cryptocurrency exchanges have struggled to do definitively: trace the on-chain movement of the ransom payment AT&T reportedly made to ShinyHunters in May 2024. The independent analysis identifies a single highest-fit candidate—5.71997804 BTC transferred on May 17, 2024, at 22:04 UTC—destined for a fresh wallet address and fully spent within six minutes, suggesting rapid dispersion through a broker or mixer. The payment, estimated at approximately $370,000 at the time, was previously confirmed by Wired but never published with an accompanying transaction hash, leaving a verifiable gap that this research aims to close using only free, public blockchain data.

The analytical methodology deployed a five-stage pipeline designed for large-scale on-chain attribution. Starting with a BigQuery bulk filter constrained by transaction amount and time window, the team reduced millions of transactions to roughly 500 candidates. Each candidate underwent recipient profiling via Blockstream Esplora—examining lifetime transaction counts and spending patterns—while sender-side analysis applied common-input ownership assumptions to identify broker-aggregation signatures. The researchers then executed a depth-12 concurrent forward trace with a top-K=4 fan-out strategy, ultimately cross-referencing terminal addresses against BitInfoCharts, WalletExplorer, and OKLink. The result is a structurally rigorous attempt to anchor ShinyHunters' financial trail to a publicly confirmed event.
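To make the five stages concrete, here is an added toy reconstruction of that pipeline in Python; it is not code from the paper or its authors. It runs over a small constructed in-memory ledger (`TXS`, with placeholder addresses such as `bFRESH` and `bA1`) that stands in for the BigQuery export and the Esplora lookups, and a constructed `LABELS` dictionary stands in for the BitInfoCharts/WalletExplorer/OKLink cross-reference. The amount band, time window, depth and fan-out parameters are illustrative assumptions.

```python
"""Toy five-stage on-chain tracing pipeline on a constructed ledger (not real chain data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger: txid -> {time, input addresses, (address, BTC) outputs}.
# All addresses, amounts and timestamps are illustrative placeholders.
TXS = {
    "t0": {"time": "2024-05-16T10:00:00+00:00", "inputs": ["bX"],
           "outputs": [("bY", 5.72)]},                    # right amount, outside window
    "t5": {"time": "2024-05-17T12:00:00+00:00", "inputs": ["bZ"],
           "outputs": [("bOLD", 5.715)]},                 # reused address, never spent
    "t6": {"time": "2024-05-17T13:00:00+00:00", "inputs": ["bW"],
           "outputs": [("bOLD", 0.5)]},
    "t1": {"time": "2024-05-17T22:04:00+00:00", "inputs": ["bA1", "bA2", "bA3"],
           "outputs": [("bFRESH", 5.71997804), ("bCHANGE", 0.31)]},  # 3-input aggregation
    "t2": {"time": "2024-05-17T22:10:00+00:00", "inputs": ["bFRESH"],
           "outputs": [("bM1", 3.0), ("bM2", 2.7), ("bDUST", 0.01)]},  # spent after 6 min
    "t3": {"time": "2024-05-17T22:30:00+00:00", "inputs": ["bM1"],
           "outputs": [("bEXCH1", 3.0)]},
    "t4": {"time": "2024-05-17T23:00:00+00:00", "inputs": ["bM2"],
           "outputs": [("bEXCH2", 2.7)]},
}

def _t(txid):
    return datetime.fromisoformat(TXS[txid]["time"])

# Index: address -> txids that spend it (as input) and that pay it (as output).
SPENDS, RECEIVES = defaultdict(list), defaultdict(list)
for _id, _tx in TXS.items():
    for _a in _tx["inputs"]:
        SPENDS[_a].append(_id)
    for _a, _ in _tx["outputs"]:
        RECEIVES[_a].append(_id)

# Stage 1: bulk filter by amount band and time window (the BigQuery step).
def filter_candidates(target_btc, tolerance_btc, start_iso, end_iso):
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [(txid, addr, amt)
            for txid, tx in TXS.items() if start <= _t(txid) <= end
            for addr, amt in tx["outputs"] if abs(amt - target_btc) <= tolerance_btc]

# Stage 2: recipient profile (lifetime activity and time-to-spend, as Esplora would show).
def profile_recipient(addr, received_in):
    spends = SPENDS.get(addr, [])
    minutes = None
    if spends:
        first_spend = min(spends, key=_t)
        minutes = (_t(first_spend) - _t(received_in)) / timedelta(minutes=1)
    return {"lifetime_txs": len(RECEIVES[addr]) + len(spends),
            "spent": bool(spends), "minutes_to_spend": minutes}

# Stage 3: common-input ownership heuristic via union-find over each tx's inputs.
def cluster_inputs():
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in TXS.values():
        ins = tx["inputs"]
        for other in ins[1:]:
            parent[find(other)] = find(ins[0])
    clusters = defaultdict(set)
    for a in list(parent):
        clusters[find(a)].add(a)
    return list(clusters.values())

def cluster_of(addr):
    for c in cluster_inputs():
        if addr in c:
            return c
    return {addr}  # single-input spender: no co-spend evidence

# Stage 4: depth-limited forward trace, following only the top-k outputs by value per hop.
def forward_trace(start_addr, max_depth=12, top_k=4):
    frontier, terminals, seen = {start_addr}, set(), set()
    for _ in range(max_depth):
        nxt = set()
        for addr in frontier:
            spends = SPENDS.get(addr, [])
            if not spends:
                terminals.add(addr)  # unspent output: trace ends here
                continue
            for txid in spends:
                outs = sorted(TXS[txid]["outputs"], key=lambda o: o[1], reverse=True)
                nxt.update(a for a, _ in outs[:top_k] if a not in seen)
        seen |= nxt
        frontier = nxt
        if not frontier:
            break
    return terminals | frontier  # frontier is non-empty only if depth ran out

# Stage 5: cross-reference terminals against a label set (stand-in for the public explorers).
LABELS = {"bEXCH1": "exchange deposit (constructed label)",
          "bEXCH2": "exchange deposit (constructed label)"}
def attribute(terminals):
    return {a: LABELS.get(a, "unlabelled") for a in sorted(terminals)}

if __name__ == "__main__":
    window = ("2024-05-17T00:00:00+00:00", "2024-05-17T23:59:59+00:00")
    for txid, addr, amt in filter_candidates(5.72, 0.01, *window):
        sender_cluster = cluster_of(TXS[txid]["inputs"][0])
        print(txid, addr, amt, profile_recipient(addr, txid), "sender cluster:", len(sender_cluster))
    print(attribute(forward_trace("bFRESH", top_k=2)))
```

On this ledger the filter keeps two candidates; the profile step separates the fresh, spent-in-six-minutes address from the reused, never-spent one, and the sender-side clustering flags the three-input aggregation behind the fresh one. Lowering `top_k` from 4 to 2 drops the dust output from the trace, which is the trade-off a fan-out cap buys: fewer paths to label, at the cost of possibly missing low-value splits.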

The paper's significance extends beyond the AT&T case. ShinyHunters' broader campaign history—including breaches at Salesforce, Canvas/Instructure, and multiple Snowflake-era targets—lacks comparable public payment confirmation, making the AT&T settlement a rare analytical anchor for attributing future on-chain activity to the group's operations. If the attribution holds under peer review, it could inform both cryptocurrency tracing methodologies and the growing body of research linking blockchain transactions to ransomware ecosystems. The draft is currently seeking endorsement from arXiv's cryptography (cs.CR) community.

---
- **Source**: r/blueteamsec
- **Sector**: The Vault
- **Tags**: ShinyHunters, AT&T, ransomware, on-chain analysis, cryptocurrency tracing
- **Credibility**: unverified
- **Published**: 2026-05-11 17:48:18
- **ID**: 81903
- **URL**: https://whisperx.ai/en/intel/81903