
Canvas Hackers ShinyHunters Say Their Official Domain Was Suspended


Published Time: 2026-05-12T22:18:09+01:00


ShinyHunters says its shinyhunte.rs domain was suspended after the Canvas LMS attacks, forcing the group to move fully to its dark web (.onion) site.

by Waqas, May 12, 2026

The notorious hacking group ShinyHunters, recently linked to the large-scale compromise and defacement of Instructure's Canvas LMS platform, claims its official clearnet domain has been suspended by the domain registry, fueling online speculation that the site may have been targeted following the group's recent attacks.

The issue surfaced on Monday, May 11, 2026, when the group's public-facing domain, shinyhunte.rs, suddenly went offline. Soon after, rumors spread across underground forums and social media platforms suggesting the domain may have been seized by law enforcement agencies, including speculation about possible FBI involvement.

The timing of the outage comes shortly after ShinyHunters claimed responsibility for attacks targeting Canvas LMS, a widely used learning management system adopted by universities and educational institutions worldwide.

Canvas LMS Attack

Hackread.com previously reported on the cyberattack and confirmed that hundreds of universities experienced class disruptions following the Canvas LMS defacement incident. The attack affected multiple universities globally, with compromised Canvas portals displaying a defacement message allegedly posted by ShinyHunters. The page included statements about the breach and threats to leak stolen data if ransom demands were not met.

Image: Defacement message left by the ShinyHunters hacking group on the Canvas LMS portal (Image credit: Hackread.com)

Despite the attention surrounding the group's clearnet website, the domain itself was used only for announcements and operational updates. Data leaks connected to the group's previous Salesforce and Anodot-related breaches were hosted separately on a dark web (.onion) leak site accessible through the Tor network.

Image: Homepage of the now-suspended domain of the ShinyHunters hackers (Image credit: Hackread.com)

At the time of writing, the group's onion domain remains active, along with a notice stating "The domain shinyhunte.rs was suspended, it is not operated and owned by us anymore." The group also warned visitors not to trust the suspended domain in the future, claiming it could later be registered or reused by unrelated actors for malicious activity.

"It may be reclaimed by unknown persons in the future for malicious use. We do not control shinyhunte.rs anymore; it has been suspended by the registry."

ShinyHunters further stated that all future announcements and leak activity will now be conducted exclusively through its onion-based infrastructure.

"We will operate at this onion domain only moving forward. Anyone claiming to be us anywhere is impersonating."

Image: ShinyHunters' announcement on its dark web site (Image credit: Hackread.com)

Understanding the .RS Domain

The .rs domain is the country code top-level domain (ccTLD) assigned to Serbia. The abbreviation "RS" comes from "Republika Srbija," meaning the Republic of Serbia. The namespace is managed by the Serbian National Internet Domain Registry, commonly known as RNIDS.

While domain suspensions are not unusual in cases involving malware distribution, phishing, ransomware, or cybercrime operations, such actions generally require abuse complaints, supporting evidence, or requests from security organizations, hosting providers, CERT teams, or law enforcement agencies.

It remains unclear whether Serbian authorities or the registry itself acted independently, or whether the suspension followed requests or evidence submitted by foreign agencies investigating ShinyHunters' recent activity. At this stage, there is also no public evidence confirming that the domain was officially seized by the FBI or any other law enforcement body.

Moving Away From the Clearnet

Although losing a domain can temporarily disrupt operations, cybercriminal groups often recover quickly by registering replacement domains under different extensions or relocating activity to decentralized infrastructure. However, ShinyHunters' decision to abandon clearnet operations entirely and rely only on its onion-based platform suggests the group is becoming more cautious about operational security and exposure following increased public attention surrounding the Canvas LMS attacks. Additionally, the group's continued use of a Tor-based onion service makes disruption more difficult because onion domains operate outside the traditional DNS system managed by registries and ICANN-linked providers.


In-Depth Analysis

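The suspension of the ShinyHunters domain highlights several important cybersecurity trends:

1. The effectiveness and limits of domain revocation as an enforcement tool. The use of a .rs domain (Serbia's country code top-level domain) to host a threat group's public website is itself an interesting geopolitical phenomenon. The Serbian National Internet Domain Registry (RNIDS) can suspend a domain after receiving a complaint, but this only affects domains under that specific TLD. The attackers' rapid move to .onion (a Tor hidden service) shows that a security strategy relying on a single top-level domain is fundamentally flawed.

2. The evolution of attacker operational security. ShinyHunters' choice to abandon clearnet operations entirely and use only Tor reflects an important trend: even large, organized threat actors adjust their strategy once high-profile attacks bring international pressure. This shows that cross-jurisdictional cooperation among law enforcement agencies, though slow, is effective, forcing attackers to migrate to infrastructure that is harder to trace.

3. The education sector as a high-value target. The Canvas LMS attack affected hundreds of universities worldwide, highlighting the weak points in educational institutions' cybersecurity. Academic institutions typically have limited security budgets but hold large amounts of sensitive personal data, which makes them priority targets for ransomware and data breaches.

4. The difference between a domain suspension and a real law enforcement action. There is currently no evidence that the FBI or any other law enforcement agency formally seized the domain. The suspension may have been made independently by the Serbian registry, or initiated after foreign agencies submitted evidence. This is a reminder not to over-interpret a security incident before reliable information is available.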

Practical Implications

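For enterprises and organizations:

1. Do not rely on a single-domain strategy: if your service has multiple legitimate domains, make sure they all point to the same trusted infrastructure and have appropriate monitoring and alerting in place.
2. Monitor for use of your brand in malicious domains: use threat intelligence tools to watch for lookalike domains that could be used for phishing or to impersonate your brand.
3. Prepare contingency plans for infrastructure outages: make sure you have backup communication channels for when your domain or cloud services may become unreachable because of an attack or legal action.

For security teams:

1. Follow TLD-level threat intelligence: know which country code top-level domains (ccTLDs) respond quickly to abuse complaints and which are comparatively lax.
2. Monitor .onion services: if your organization is a known target of attackers, monitoring related activity on Tor hidden services may provide early warning.
3. Treat a domain suspension as a possible precursor to law enforcement action: the sudden suspension of a threat actor's domain may signal that broader law enforcement action is about to unfold.

For individual users:

1. Verify the authenticity of the websites you visit: if an organization suddenly changes its domain (especially by moving to .onion), verify its authenticity through other channels before trusting the site.
2. Understand the risks and limitations of the dark web: although Tor provides anonymity, it is also a haven for fraudsters and attackers, so treat any dark web content with caution.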

Related Entities