ShinyHunters Breach EU Commission: 350GB Including Signing Keys Stolen
Quick summary
ShinyHunters claimed a 350GB breach of EU Commission infrastructure in March 2026, including NextCloud files, Athena military financing data, and internal signing keys.
ShinyHunters claimed responsibility on March 30, 2026 for a 350GB breach of European Commission infrastructure. The alleged stolen data includes NextCloud file shares used for internal document collaboration, data from Athena — the EU's military financing and off-balance-sheet funding mechanism — and internal signing keys. If the signing keys claim is accurate, this is not just a document exfiltration: it's a potential supply chain compromise of EU-authenticated communications and software.
Who ShinyHunters Is
ShinyHunters is one of the most active financially-motivated threat actors operating since 2020. The group's attributed breaches include TicketMaster (560 million records, 2024), AT&T (73 million records, 2024), Santander Bank (30 million records, 2024), and hundreds of smaller targets. They are prolific, financially motivated, and experienced at targeting cloud storage and SaaS platforms — which maps exactly to a NextCloud breach pattern.
ShinyHunters members have faced prosecution across multiple jurisdictions. Sebastien Raoult, a French national alleged to be a core member, was extradited from Morocco to the US in 2023 and sentenced in 2024. The group continues operating despite law enforcement pressure, consistent with a cell structure where individual arrests don't disrupt operations.
What Was Allegedly Taken
NextCloud data: The EU Commission uses NextCloud, the open-source self-hosted file collaboration platform, for internal document sharing. A NextCloud breach typically yields the full directory of files accessible to compromised accounts — documents, spreadsheets, presentations, attachments. The scope depends on which accounts were compromised and what permissions those accounts had.
Athena financing data: Athena is the EU's off-budget mechanism for funding joint military operations and defense equipment procurement. It was created to allow member states to share military costs outside the EU's regular budget framework. Data from Athena could include procurement amounts, member state contributions, and operational details of EU-funded military missions. This is specifically sensitive because Athena's records are not publicly disclosed in the same way regular EU budget items are.
Signing keys: This is the most consequential claim. Signing keys — whether code signing certificates, document signing keys, or authentication tokens — allow whoever holds them to impersonate the EU Commission in digital communications, sign documents that appear legitimate, or (if code signing keys) distribute software that appears to come from EU-authenticated sources. The EU Commission has not confirmed or denied this specific claim.
How a NextCloud Breach Typically Happens
NextCloud is self-hosted infrastructure, not a SaaS platform, which means the EU runs its own NextCloud instances. Common attack vectors against self-hosted NextCloud include: unpatched CVEs (NextCloud has had multiple critical RCEs, including CVE-2023-49103 which exposed credentials via debug logs), credential stuffing using credentials from prior breaches, and server-side request forgery (SSRF) vulnerabilities that let an attacker reach internal services from the NextCloud host.
The EU Commission runs extensive internal IT infrastructure. A NextCloud breach of this scale — 350GB — suggests either a long-term persistent presence that exfiltrated data gradually, or access to an account with unusually broad file access. Neither scenario requires a zero-day; both are achievable with known techniques against misconfigured or unpatched NextCloud deployments.
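Credential stuffing against a self-hosted instance leaves a trail in nextcloud.log before any data moves. The detector below is an added example, not code from the article or from NextCloud; it reads JSON log lines in the shape NextCloud writes for failed logins (the sample lines are constructed) and flags a source IP that fails against many distinct accounts in a short window (stuffing) or hammers one account (brute force).

```python
import json, re
from collections import defaultdict
from datetime import datetime, timedelta

# NextCloud writes one JSON object per line; failed logins carry this message text.
FAILED_LOGIN = re.compile(r"Login failed: '(?P<user>[^']*)' \(Remote IP: '(?P<ip>[^']*)'\)")

def parse_failed_logins(lines):
    """Yield (timestamp, user, ip) for each failed-login entry; skip non-JSON noise."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        m = FAILED_LOGIN.search(entry.get("message", ""))
        if m:
            yield datetime.fromisoformat(entry["time"]), m["user"], m["ip"]

def detect(lines, window=timedelta(minutes=10), min_users=5, min_attempts=10):
    """Sliding window per source IP: many distinct accounts -> credential stuffing,
    many attempts on one or two accounts -> brute force. Returns {ip: verdict}."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(parse_failed_logins(lines)):
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1          # drop attempts that fell out of the window
            span = attempts[start:end + 1]
            users = {u for _, u in span}
            if len(users) >= min_users:
                alerts[ip] = "credential-stuffing"   # overrides a weaker verdict
            elif len(span) >= min_attempts and len(users) <= 2:
                alerts.setdefault(ip, "brute-force")
    return alerts

def _entry(t, user, ip):
    """Constructed log line modelled on a real nextcloud.log failed-login entry."""
    return json.dumps({"reqId": "c0nstructed", "level": 2, "time": t, "remoteAddr": ip,
                       "user": "--", "app": "core", "method": "POST", "url": "/login",
                       "message": f"Login failed: '{user}' (Remote IP: '{ip}')"})

# Constructed sample: one IP cycling through six accounts, one stray failure, one junk line.
SAMPLE_LOG = [_entry(f"2026-03-30T01:0{i}:00+00:00", u, "203.0.113.5")
              for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
SAMPLE_LOG += [_entry("2026-03-30T01:02:30+00:00", "alice", "198.51.100.7"), "not json"]
```

Thresholds are illustrative; tune `window`, `min_users` and `min_attempts` to the instance's normal failure rate before alerting on them.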
Why Signing Keys Change the Severity Assessment
Most large data breaches are exfiltration events — data is copied, the victim loses confidentiality, and the remediation is notification, password resets, and monitoring. Signing key compromise is different. It allows ongoing impersonation and active attacks that don't require continued access to the breached system.
If ShinyHunters holds EU Commission code signing certificates, they can distribute malware signed with legitimate EU certificates — a supply chain vector that bypasses most endpoint detection. If they hold document signing keys, they can produce forged documents that pass signature verification. If they hold OAuth or JWT signing keys, they can forge authentication tokens for EU systems.
The EU Commission's response will indicate how seriously they take the signing key claim. Key rotation — immediately invalidating all current keys and reissuing — is the correct response. Certificate revocation lists (CRLs) and OCSP revocation need to propagate. If the Commission downplays the signing key claim without evidence of key rotation, that's a signal the claim is either false or the response is inadequate.
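Rotation only helps if every verifier stops honouring the old key. The verifier below is an added example, not code from the article or from any EU system: an HS256 JWT check whose key set records a status per key ID, so a token signed with a rotated-out key is rejected even though its signature still computes correctly. Key IDs, secrets and claims are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed key set. After a suspected compromise every pre-incident key is marked
# "retired"; only keys issued after rotation stay "active".
KEYS = {
    "eu-2025-11": {"secret": b"old-secret-assumed-stolen", "status": "retired"},
    "eu-2026-04": {"secret": b"new-secret-issued-after-rotation", "status": "active"},
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, kid: str) -> str:
    """Mint a token with the named key (used here only to build inputs for the verifier)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, now=None):
    """Return (accepted, reason). Rejects unknown or retired kids before checking the MAC,
    then rejects bad signatures and expired tokens."""
    now = time.time() if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":        # allow-list the algorithm; never trust the token's choice
        return False, "alg-not-allowed"
    key = KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown-kid"
    if key["status"] != "active":           # the rotation check: a valid MAC under a retired key still fails
        return False, "key-retired"
    expected = hmac.new(key["secret"], (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return False, "bad-signature"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"
```

The same status-per-kid pattern applies to a JWKS endpoint for RS256: publish only post-rotation keys and have verifiers refuse any kid absent from the current set.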
ShinyHunters' Financial Motivation
ShinyHunters typically monetizes breaches through dark web data sales. Government data — unlike consumer PII — has a different buyer profile: other nation-state threat actors, intelligence brokers, and ransomware groups who can use the data for targeted spear-phishing. The Athena military financing data specifically has obvious value to state actors interested in EU defense posture.
The signing keys, if real, are more valuable than the documents. They enable active attacks rather than passive intelligence. The asking price for valid government signing keys in threat actor forums is substantially higher than for bulk PII.
Key Takeaways
- ShinyHunters claimed 350GB from EU Commission systems on March 30, 2026 — including NextCloud files, Athena military financing data, and alleged signing keys
- ShinyHunters attribution is credible: the group has executed multiple large-scale cloud storage breaches since 2020, with documented member arrests
- Athena data is specifically sensitive: this is the EU's off-budget military financing mechanism with non-public procurement details
- Signing key theft is the critical claim to watch: if valid, enables supply chain attacks and document forgery with EU-authenticated signatures
- NextCloud is the likely attack vector: self-hosted deployment with known CVEs (CVE-2023-49103 and others) and credential-based access
- Remediation signal: watch for EU Commission announcements of key rotation and certificate revocation — absence of that response indicates either the keys claim is false or the response is insufficient
Frequently Asked Questions
Did ShinyHunters breach the European Commission in 2026?
ShinyHunters claimed responsibility for a 350GB breach of EU Commission infrastructure on March 30, 2026, including NextCloud file shares, Athena military financing data, and signing keys. The EU Commission has not publicly confirmed or denied the breach as of the same date.
What is Athena in the context of the EU Commission breach?
Athena is the EU's off-budget mechanism for funding joint military operations and defense equipment procurement across member states. It operates outside the EU's regular budget framework, making its records less publicly disclosed. If ShinyHunters accessed Athena data, it includes EU member state defense contributions and military mission financing details.
Why are stolen signing keys more dangerous than stolen documents?
Stolen documents are a confidentiality breach — data is copied and the impact is disclosure. Stolen signing keys enable active attacks: forging documents that pass EU signature verification, distributing malware signed with legitimate EU certificates (bypassing endpoint detection), or forging authentication tokens for EU systems. The damage is ongoing until keys are rotated and revoked.
How did ShinyHunters likely breach EU Commission NextCloud?
Self-hosted NextCloud deployments are vulnerable to unpatched CVEs (including CVE-2023-49103 which exposed credentials via debug endpoints), credential stuffing using stolen credentials from other breaches, and SSRF vulnerabilities. A 350GB exfiltration suggests either persistent long-term access or a high-privilege account with broad file access.
What is ShinyHunters' track record with large data breaches?
ShinyHunters is one of the most active financially-motivated hacking groups since 2020. Attributed breaches include TicketMaster (560 million records, 2024), AT&T (73 million records, 2024), Santander Bank (30 million records, 2024), and hundreds of smaller targets. The group continues operating despite member arrests, consistent with a distributed cell structure.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.
