Real estate giant confirms vishing incident as ShinyHunters and Qilin both come knocking

Cushman & Wakefield activated incident response protocols after serial extortionists issued separate threats

by · The Register

Real estate giant Cushman & Wakefield has confirmed a data breach after two cybercrime groups, ShinyHunters and Qilin, separately claimed responsibility for attacks on the company.

A spokesperson told The Register the attack was "limited" in scope and stemmed from vishing (voice phishing), suggesting an employee was socially engineered.

The representative said: "Cushman & Wakefield recently became aware of a limited data security incident due to vishing. We have activated our response protocols, including taking steps to contain the unauthorized activity and engaging third-party expert advisors to support a comprehensive response. 

"Our systems and operations continue to run normally, and we are working diligently to investigate the incident. We recognize the trust placed in us to protect sensitive data and we take this responsibility very seriously."

Cushman & Wakefield (C&W) did not address the apparent dual targeting by both ShinyHunters, which operates a pay-or-leak model, and Qilin, currently viewed as the world's most prolific ransomware group.

There is no previously established coalition between ShinyHunters and Qilin, which suggests the two alleged attacks are separate but coincidentally timed.

In a message sent to The Register, ShinyHunters claimed they attacked the company on May 1, while Qilin listed C&W on its data leak site on May 4.

Qilin's website listing did not detail how it allegedly attacked C&W, although ShinyHunters claimed it stole "over 500,000 Salesforce records containing PII and other internal corporate data."

ShinyHunters set a May 6 deadline for C&W to make contact to prevent the data from being leaked, but the cybercriminals claimed this had yet to happen.

ShinyHunters has been on something of a tear recently. Known for its large-scale, high-impact attacks, the group's latest wave of activity began in March when it laid claim to an expansive supply chain attack after breaching Salesforce customers via the CRM giant itself.

At the time, it said it had stolen data belonging to Salesforce and more than 100 of its high-profile customers.

Since then, big-name brands like ADT, Carnival Cruise Line, Rockstar Games, Vimeo, and others have all confirmed ShinyHunters-linked cyberattacks, although not all were explicitly linked to its earlier Salesforce compromise. ®

ShinyHunters claims dump puts 119K Vimeo emails in the wild: Vimeo points finger at analytics supplier Anodot, says no logins or card data were touchedCarly Page, 05 May 2026Have I Been Pwned claims Pitney Bowes hit by 8.2M email address leakUpdated: Names, phone numbers, physical addresses also included in Shiny Hunters alleged data dumpConnor Jones, 28 Apr 2026Medical and utility tech companies admit digital breakins: Itron, Medtronic disclose breaches in Friday filingsJessica Lyons, 27 Apr 2026Burglar alarm biz burgled: ADT confirms cyber intrusion after ShinyHunters extortion attempt: Security giant says attackers grabbed 'limited set' of data. Crooks claim 10 million recordsCarly Page, 27 Apr 2026