[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFTXuXljVJToOAIsEf6Y8M68K3pDhkeh_mzshQYA-qIk":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"849ac5ed-bd82-4d89-a05a-ae3853507729","Canvas Hackers ShinyHunters Say Their Official Domain Was Suspended","canvas-hackers-shinyhunters-say-their-official-domain-was-suspended-9909f3","ShinyHunters says its shinyhunte.rs domain was suspended after the Canvas LMS attacks, forcing the group to move fully to its dark web (.onion) site.","The ShinyHunters hacking group reported that its clearnet domain shinyhunte.rs was suspended by the Serbian domain registry (RNIDS) following the group's recent large-scale compromise of Canvas LMS, affecting hundreds of universities globally. The suspension forced the group to relocate entirely to its Tor-based onion infrastructure for future announcements and data leaks. The timing and mechanics of the suspension remain unclear, with no public confirmation of law enforcement involvement, though the move reflects the group's shift toward more resilient decentralized operations.","ShinyHunters' clearnet domain suspended after Canvas LMS attacks; group relocates to dark web.","Cyber Crime SecurityCanvas Hackers ShinyHunters Say Their Official Domain Was Suspended ShinyHunters says its shinyhunte.rs domain was suspended after the Canvas LMS attacks, forcing the group to move fully to its dark web (.onion) site. byWaqasMay 12, 20263 minute read The notorious hacking group ShinyHunters, recently linked to the large-scale compromise and defacement of Instructure’s Canvas LMS platform, claims its official clearnet domain has been suspended by the domain registry, fueling online speculation that the site may have been targeted following the group’s recent attacks. The issue surfaced on Monday, May 11, 2026, when the group’s public-facing domain, shinyhunte.rs, suddenly went offline. Soon after, rumors spread across underground forums and social media platforms suggesting the domain may have been seized by law enforcement agencies, including speculation about possible FBI involvement. The timing of the outage comes shortly after ShinyHunters claimed responsibility for attacks targeting Canvas LMS, a widely used learning management system adopted by universities and educational institutions worldwide. Canvas LMS Attack Hackread.com previously reported on the cyberattack and confirmed that hundreds of universities experienced class disruptions following the Canvas LMS defacement incident. The attack affected multiple universities globally, with compromised Canvas portals displaying a defacement message allegedly posted by ShinyHunters. The page included statements about the breach and threats to leak stolen data if ransom demands were not met. Defacement message left by the ShinyHunters hacking group on the Canvas LMS portal (Image credit: Hackread.com) Despite the attention surrounding the group’s clearnet website, the domain itself was used only for announcements and operational updates. Data leaks connected to the group’s previous Salesforce and Anodot-related breaches were hosted separately on a dark web (.onion) leak accessible through the Tor network. homepage of the now-suspended domain of the ShinyHunters hackers (Image credit: Hackread.com) At the time of writing, the group’s onion domain remains active, along with a notice stating “The domain shinyhunte.rs was suspended, it is not operated and owned by us anymore.” The group also warned visitors not to trust the suspended domain in the future, claiming it could later be registered or reused by unrelated actors for malicious activity. “It may be reclaimed by unknown persons in the future for malicious use. We do not control shinyhunte.rs anymore; it has been suspended by the registry.” ShinyHunters further stated that all future announcements and leak activity will now be conducted exclusively through its onion-based infrastructure. “We will operate at this onion domain only moving forward. Anyone claiming to be us anywhere is impersonating.” ShinyHunters’ announcement on its dark web site (Image credit: Hackread.com) Understanding the .RS Domain The .rs domain is the country code top-level domain (ccTLD) assigned to Serbia. The abbreviation “RS” comes from “Republika Srbija,” meaning the Republic of Serbia. The namespace is managed by the Serbian National Internet Domain Registry, commonly known as RNIDS. While domain suspensions are not unusual in cases involving malware distribution, phishing, ransomware, or cybercrime operations, such actions generally require abuse complaints, supporting evidence, or requests from security organizations, hosting providers, CERT teams, or law enforcement agencies. It remains unclear whether Serbian authorities or the registry itself acted independently, or whether the suspension followed requests or evidence submitted by foreign agencies investigating ShinyHunters’ recent activity. At this stage, there is also no public evidence confirming that the domain was officially seized by the FBI or any other law enforcement body. Moving Away From the Clearnet Although losing a domain can temporarily disrupt operations, cybercriminal groups often recover quickly by registering replacement domains under different extensions or relocating activity to decentralized infrastructure. However, ShinyHunters’ decision to abandon clearnet operations entirely and rely only on its onion-based platform suggests the group is becoming more cautious about operational security and exposure following increased public attention surrounding the Canvas LMS attacks. Additionally, the group’s continued use of a Tor-based onion service makes disruption more difficult because onion domains operate outside the traditional DNS system managed by registries and ICANN-linked providers. Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts CanvasCyber CrimeCybersecuritydata breachDomainInstructureLMSSerbiaShinyHunters Leave a Reply Cancel reply View Comments (0) Related Posts Cyber Crime Scams and Fraud Microsoft Outlook Users Hit with ‘Discontinue Support’ Phishing Scam ‘Discontinue Support’—Latest Phishing Scam Targeting Microsoft Outlook Users. An email is being circulated by cybercriminals that appears to… byWaqas Read More Cyber Crime Cyber Attacks Security PowerSchool Paid Ransom, Now Hackers Target Teachers for More PowerSchool paid ransom after a major data breach; now hackers are targeting teachers and schools with direct extortion… byWaqas Cyber Attacks Cyber Crime Gaming Blizzard Suffers Yet Another DDoS Attack Another day another victim of DDoS attack — This time, it’s the Blizzard Entertainment, Inc. is an American video… byAgan Uzunovic Cyber Crime Android Malware Phishing Scam Scams and Fraud Security Fake Cryptocurrency Apps on Play Store Stealing User Data The US-based cryptocurrency exchange service Poloniex, which happens to be the largest exchange service in the world with… byWaqas","https:\u002F\u002Fhackread.com\u002Fcanvas-hackers-shinyhunters-official-domain-suspended\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Fcanvas-hackers-shinyhunters-official-domain-suspended.png","2026-05-12T21:18:09+00:00","2026-05-12T22:00:19.150964+00:00",7,[18,21,24,27,30],{"name":19,"type":20},"ShinyHunters","threat_actor",{"name":22,"type":23},"Canvas LMS","product",{"name":25,"type":26},"Instructure","vendor",{"name":28,"type":29},"Canvas LMS Attack","campaign",{"name":31,"type":32},"Tor (.onion)","technology","e7b231c8-5f79-4465-8d38-1ef13aea5a14",{"id":33,"icon":35,"name":36,"slug":37},null,"Threat Intelligence","threat-intelligence",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",[55],{"type":56,"value":57,"context":58},"domain","shinyhunte.rs","ShinyHunters' suspended clearnet domain (now inactive)"]