Addi.com Ransomware Attack by ShinyHunters (May 2026)
Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.
Claim Summary
On May 5, 2026, the ransomware group ShinyHunters allegedly posted a claim on their dark web leak site targeting Adelante Soluciones Financieras, which operates under the domain Addi.com. According to the threat actor, they have exfiltrated over 16 million unique person records totaling 518GB (compressed) from the Colombian financial services company. The group claims the data includes significant personally identifiable information (PII), financial transaction data (including credit card details), Know Your Customer (KYC) documentation, and background check data sourced from TransUnion and Experian. The group alleges that Adelante Soluciones Financieras “failed to reach an agreement” despite what they describe as “incredible patience, all the chances and offers we made.” The leak site entry was updated on May 5, 2026, and includes a SHA256 hash for verification purposes. This information has NOT been independently verified by Yazoul Security.
Threat Actor Profile
ShinyHunters is a threat actor group known primarily for data breach extortion rather than traditional ransomware encryption. The group has historically targeted financial services, e-commerce, and technology companies, often claiming large-scale database exfiltration. Their known tactics include exploiting exposed credentials, SQL injection vulnerabilities, and misconfigured cloud storage to gain initial access. They typically exfiltrate data before demanding payment, threatening public release if demands are not met. While the group’s total known victim count is unclear due to inconsistent public reporting, they have been linked to several high-profile breaches in the past. However, their credibility is mixed: some claims have been verified by third-party researchers, while others have been found to exaggerate data volumes or repackage older breaches. No specific YARA rules or detection guidance is publicly available for ShinyHunters at this time, though organizations should monitor for unusual database access patterns and large outbound data transfers.
Alleged Data Exposure
According to the leak site, the compromised data allegedly includes:
- Over 16 million unique person records
- PII such as names, identification numbers, addresses, and contact details
- Financial transaction data, including credit card information
- KYC documentation (likely copies of government-issued IDs, proof of address, etc.)
- Background check data sourced from TransUnion and Experian
The group claims the data is 518GB in compressed format. The inclusion of credit bureau data is particularly concerning, as it suggests the breach may have extended beyond Addi.com’s internal systems to third-party integrations. The SHA256 hash provided (520d50dc384fc474e419fdd19cb3517ed6ce778a187ae7d6f44b93ccef5687db) could be used for verification once samples are obtained. However, Yazoul Security has NOT independently verified the authenticity, accuracy, or completeness of this data.
Potential Impact
If the claim is accurate, the impact on Adelante Soluciones Financieras and its customers would be severe. For the organization, this could result in regulatory penalties under Colombian data protection laws, reputational damage, loss of customer trust, and potential legal action from affected individuals. For customers, the exposure of PII combined with financial and credit bureau data creates significant risks of identity theft, financial fraud, and targeted phishing attacks. The inclusion of KYC documents is especially dangerous, as these can be used to bypass security measures at other financial institutions. The alleged involvement of TransUnion and Experian data also raises questions about whether those credit bureaus were directly compromised or if Addi.com was simply storing their reports.
What to Watch For
Yazoul Security recommends the following monitoring actions:
- Watch for any official statement from Adelante Soluciones Financieras regarding the alleged breach.
- Monitor for samples of the leaked data appearing on other forums or data leak sites, which could confirm or refute the claim.
- Be alert for phishing campaigns targeting Addi.com customers using the exposed PII.
- Financial institutions in Colombia should watch for unusual account opening attempts using stolen KYC documents.
- Organizations using similar third-party credit bureau integrations should review their data handling practices.
Disclaimer
This report is based solely on unverified claims posted by the ShinyHunters ransomware group on their dark web leak site. Yazoul Security has NOT independently verified any of the information presented. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into payment. The data volumes, types, and victim details described above should be treated as allegations until confirmed through independent investigation. No PII, download links, data samples, credentials, or access methods have been included in this report. Organizations should not take action based solely on this intelligence without further verification. For more information, visit Yazoul Security’s dark web monitoring section at /intel/.