ShinyHunters-linked extortion group lists Pathstone, claims 641,000 records

Security monitoring sites reported that a data-extortion group using the ShinyHunters name added Pathstone Family Office, LLC to a public victim list on Feb. 27, claiming more than 641,000 records and demanding a response by March 2, 2026 to avoid a leak.

HookPhish, RedPacket Security and ransomware.live each posted versions of the same extortion text, which they attribute to an entry labeled "[SHINYHUNTERS]." The post quoted across those aggregators says, "Over 641k records containing PII and other internal corporate data have been compromised." The listing also included an explicit deadline and threat: "This is a final warning to reach out by 2 Mar 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline."

HookPhish supplied precise timestamps for the incident, listing the date of breach as 2026-02-27 02:34:34.180146 and the discovery date one second later. Ransomware.live recorded the listing as discovered on 2026-02-27 and stamped its dataset update at 2026-02-27 14:49:30 UTC. RedPacket Security treated the post update as Feb. 27, 2026 and republished an AI-generated summary of the leak page.

At the same time, aggregators urged caution. RedPacket published a verification alert noting, "Listings attributed to SHINYHUNTERS have been reported as including unverified or fabricated victim claims. Treat this post as unconfirmed until corroborated with independent evidence." Ransomware.live said its index does not host stolen content and is limited to publicly visible postings, adding that it "does not engage in the acquisition, exfiltration, downloading, possession, hosting, access, consultation, redistribution, or disclosure of unlawfully obtained data."

Cybersecurity reporting places the post in the context of an escalating extortion campaign tied to social engineering and voice phishing. Cybersecurity Dive, in a Feb. 2 piece, said, "ShinyHunters late last month claimed credit for a series of voice phishing attacks that led to extortion demands against five organizations." The outlet added that "researchers are tracking multiple clusters that are using social engineering to gain access to victims," and that "extortion emails provided some details of what was stolen and demanded payment within 72 hours." Cybersecurity researchers have also linked parts of the campaign to clusters tracked as UNC6240, UNC6671 and UNC6661; "based on several overlapping issues, including the use of a common Tox account as part of negotiations, researchers linked the subsequent extortion activity to UNC6240," Cybersecurity Dive reported. Security researcher Alon Gal told Cybersecurity Dive that "hacks against five organizations were claimed."

None of the published monitoring sites or reporting in the supplied materials includes an on-the-record confirmation from Pathstone Family Office, LLC, samples of the alleged files, or independent forensic verification of the claimed exfiltration. The aggregators’ notices and legal disclaimers make clear they are indexing operator-posted content rather than validating the authenticity of purported stolen data.

If the claim proves accurate, the posting could expose clients and employees to privacy and fraud risks and may trigger regulatory notification obligations for a financial services firm operating in the United States. For now the entry should be treated as an extortion claim published on a leak site, attributed to a group using the ShinyHunters label and placed within a broader pattern of vishing and credential-harvesting campaigns that researchers say have intensified in recent weeks.