Penn data leaked after University refused to pay $1 million ransom, hacker group says

Last October, the notorious cybercrime group ShinyHunters infiltrated Penn’s internal data system and demanded a $1 million ransom from the University to prevent the release of the files on the dark web. After the ransom went unpaid, the hackers surfaced online to take credit for the attack and set the record straight.

Since 2019, ShinyHunters has gained notoriety in the hacking community for orchestrating large-scale attacks on major corporations such as Google, AT&T Wireless, Ticketmaster, and SoundCloud. This fall, the group set its sights on Penn.

“We decided to hit Penn same-day,” a spokesperson for the group said via Signal, an encrypted messaging app. “Some planning and preparation goes into attacking a new organisation, but we can move pretty quickly.” 

Requests for comment were left with a University spokesperson.

The DP confirmed the individual’s affiliation with ShinyHunters by verifying they were able to edit the online forum where the group originally published the data.

ShinyHunters released the cache of confidential University files — including dated records and donor contact information — on its website on Feb. 4. The release came just two days after Penn stated that less than 10 individuals were impacted by the breach in a court filing. 

The group stated the University’s claim was “100%” what prompted them to release more files. 

“That was personal,” they wrote. 

According to the group, the recent release included the extent of information obtained in the breach.

“Everything in our possession was released,” the spokesperson wrote. “Once things are leaked, no going back, it’s a pretty straightforward process.”

In a “Note to Affected Organizations” on the group’s data release forum, ShinyHunters wrote that an organization’s name and data appears on the site if they “failed to respond or come to an agreement with us.” 

The site lists three “key criteria” organizations must satisfy to have their data released on the dark web. Among the requirements is the hackers’ determination that the organization “failed to respond” after “multiple attempts” to make contact over a financial ransom — or what ShinyHunters “prefers” to call a “settlement.” 

“We asked for a reasonable $1M to prevent the release,” the ShinyHunters spokesperson said. “It was a simple email sent to UPenn with our demands, they did not reply, we do not preserve the emails and we would not want the email released because it follows a private format and protocol.”

According to the group’s spokesperson, Penn was given multiple attempts to respond to the demands through a general information technology email address.

A request for comment was left with a Penn Informations Systems and Computing spokesperson.

The hack first became apparent on Oct. 31, when mass spam emails were sent from multiple University-affiliated email addresses to students, alumni, faculty and, in some cases, individuals with no affiliation with Penn. The messages contained criticisms of the University’s security measures and admissions practices. 

“The University of Pennsylvania is a dogshit elitist institution full of woke retards … We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits,” the Oct. 31 emails read. “We love breaking federal laws like FERPA (all your data will be leaked) and Supreme Court rulings like SFFA.”

Despite the language of the emails, ShinyHunters wrote they are “primarily concerned with making money and not with politics or the admissions policies of higher ed.”

“That said, we view legacy admissions, prioritizing students from elite private high schools, and prioritizing donors’ children as extremely unethical and a much bigger problem than affirmative action,” the group added.

While the initial emails criticized Penn’s “terrible security practices,” ShinyHunters told the DP “Penn’s cybersecurity in terms of resistance to our specific types of attacks was average compared to that of peer institutions — maybe slightly below average.”

The emails were “just a misdirection for investigators, media and UPenn,” the group wrote, doubling down on previous claims that they were a “fun rant” as opposed to the primary focus of the hack. 

One day after the emails were sent, over 3.5GB of data — containing donor records and confidential internal University memos — were released on a site called LeakForum. In a message attached to the file dump, the hackers wrote some data exfiltrated in the breach would be “kept private for our own use for a short period of time, but it will be released publicly within the next 1-2 months after our group has used it.”

In a Signal message, the ShinyHunters spokesperson stated that they “cannot elaborate” on what the personal uses of the data consisted of, but reiterated that they reviewed the files before publishing them on their site — and “very much made use of those files before releasing them.”

The hackers emphasized that they are “not conducting a large-scale campaign against universities.”

“We attacked Penn and other Ivy Leagues in hopes to get a settlement payment from them because they store highly sensitive data in CRM apps like Salesforce and in the cloud,” the hackers stated, adding that they felt the universities would pay to “prevent the release and deletion” of stolen data. “However, [Penn] did not respond nor pay us, subsequently their data was leaked.”

ShinyHunters claimed that Penn’s “data was released” because the University “showed negligence” in its security measures and did not agree to “a settlement/extortion/ransom whatever you want to call it.”

“While we attacked several universities a few months ago and consider all different types of organizations (except government) as targets, higher ed is not currently a priority for us,” the hackers added. 

The group also targeted Harvard University, where administrators discovered a breach on Nov. 18, 2025. In an FAQ published after the incident, Harvard attributed the breach to a “phone-based phishing attack.”

---