- ShinyHunters claims to have breached the Council of Europe, allegedly stealing over 297GB of HR and payroll data affecting more than 10,000 staff members.
- The alleged leak contains names, home addresses, salaries, bank details, medical records, and social security information spanning the past 15 years.
- Security researchers warn that the stolen data could enable financial fraud, identity theft, blackmail, and highly convincing phishing campaigns targeting CoE employees.

ShinyHunters, the notorious hacker collective, has claimed responsibility for a major breach of the Council of Europe (CoE), the continent’s leading human rights body. The gang published a detailed post on its dark web blog over the weekend, alleging that it stole more than 297GB of HR and payroll data and accessed over 429,000 files.
The Council of Europe represents 46 European nations, focusing on human rights, democracy, and the rule of law. The organization is separate from the European Union, despite sharing the same flag. CoE has not confirmed the breach. Cybernews reached out to the organization for comment and will update this report once a response arrives.
Half a Million Records, 15 Years of Payroll Data
ShinyHunters shared an unusually detailed post on its dark web blog, outlining precisely what the group claims to have accessed. According to the attackers, the breach targeted CoE’s HR and payroll systems and cut across multiple departments within the organization.
The alleged haul includes 409,000 payslips covering more than 10,000 staff members over the past 15 years. The attackers also claim possession of over 14,000 CVs, more than 3,700 personnel files, and 10,700 additional documents.
According to ShinyHunters, the stolen records contain contract and purchase order details, mission travel overpayment data, interpreter scheduling information, 2026 salary scales, absence and illness reports, bank account and payroll export data, and employee performance evaluations.
The exposed data points span full names, employee IDs, home addresses, phone numbers, dates of birth, salaries, bank details, tax information, social security data, medical records, and mission references.
Researchers Warn of Fraud, Blackmail, and Targeted Scams
The Cybernews research team described the potential fallout as severe. The team pointed out that the breadth of the alleged breach allows criminals to build extraordinarily detailed profiles of every affected individual, drawing simultaneously from employment history, financial records, and medical data.
According to the team, criminals could use bank and tax data for direct financial fraud, exploit identity details to open loans or accounts in a victim’s name, and use medical or performance records as blackmail leverage.
Armed with such data, attackers can launch highly convincing impersonation campaigns. One recent campaign used Microsoft Teams to impersonate IT staff, a tactic that CoE employees should now be especially wary of.
Because CoE employees work on sensitive human rights cases, bad actors could also sell the information to parties seeking to pressure or silence specific individuals.
The research team also highlighted the most immediate risk. According to their assessment, the first wave of abuse would most likely arrive as convincing scam calls and emails, with attackers posing as HR departments or financial institutions.
The team noted that these scams would be particularly hard to detect because the attackers hold enough personal details to appear completely credible.
ShinyHunters Adds CoE to a Growing List of Victims
ShinyHunters has built a formidable reputation for high-impact data theft and extortion. In the past week alone, the gang claimed breaches at Ralph Lauren Corporation, Madison Square Garden Sports (the ownership group behind the New York Knicks), and retail chain JCPenney. In March, the group also claimed a breach of the European Commission, alleging access to more than 350GB of data.
The group has operated since 2019. Security researchers have linked ShinyHunters to a broader criminal network alongside Scattered Spider and LAPSUS$, three groups that share overlapping members and roots in a youth cybercrime subculture known as “The Com.”
Arrests across Canada, France, Turkey, and Finland have done little to slow the gang down. ShinyHunters continues to target high-profile institutions with apparent confidence.
For CoE employees, the priority is immediate: monitor bank accounts for unusual activity, stay alert to unsolicited calls or emails requesting personal or financial details, and report any suspicious contact to relevant authorities.
If the breach is confirmed, the scale and sensitivity of the exposed data would make this one of the most damaging leaks to hit a major European institution in recent years.