Data Is the New Diamond: Heists in the Digital Age
This article examines what financially motivated criminals in the digital and physical worlds have in common: the use of social engineering and reconnaissance to achieve their goals. Using the diamond centre theft in Belgium as an example, it shows how criminals evaded security measures through a false identity and meticulous reconnaissance. In the digital realm, similar methods are used in data extortion attacks, in which threat actors gain initial access through voice phishing and collect sensitive data for extortion. These attacks mainly target high-value customer data in industries such as luxury retail, aviation and financial services.
2025-8-26 23:0:23 Author: unit42.paloaltonetworks.com

What Financially Motivated Criminals Have in Common

Heists in the digital world may seem fundamentally different from heists in the physical world, but I see a common tie — financially motivated criminals of all types often use social engineering and intensive reconnaissance to achieve their goals.

In February 2023, the “heist of the century” occurred when more than $100 million worth of diamonds, gold, silver and other jewelry were stolen from the Antwerp Diamond Centre in Belgium by five criminals. This heist involved significant time spent on reconnaissance and social engineering by the mastermind of the operation, Leonardo Notarbartolo. He used these tactics to better understand and bypass various layers of physical security implemented at the site.

Most notably, this involved Notarbartolo signing a lease for an office at the heist site while posing as a multilingual gem importer from Italy, which gave him access to a safe deposit box in the site’s underground vault. The criminals ultimately left behind little forensic evidence and most of the loot has yet to be recovered.

On the digital side, Unit 42 and other security researchers see the same sort of attention to reconnaissance and social engineering.

Take the example of recent data theft extortion activity reported by Google in June 2025 that is designed to compromise and steal data from Salesforce instances. A hallmark of this activity is the threat actors’ use of voice-based phishing (aka vishing) to establish initial access, followed by extensive reconnaissance and collection of customer-centric data from digital platforms within a victim’s environment. From there, the data is exfiltrated to a location under the attackers’ control, and the attackers threaten to leak it if the victim does not pay a ransom.

Similar to the criminals behind the Antwerp Diamond Centre heist, these threat actors leave behind little digital evidence given their lack of malware or custom tool usage.

The Rise of Data Extortion in Luxury Commerce

Based on Unit 42 insights and public reporting, this data theft extortion activity has likely been occurring since at least December 2024 and has impacted companies operating within the aviation, financial services, technology and, most notably, retail sectors. The targeted retailers are also primarily those that offer high-end goods to global clientele, such as jewelry, apparel, footwear and various types of accessories. At this time, it seems that UNC6040 may be the cluster responsible for establishing initial access, conducting internal reconnaissance to identify data of interest, and exfiltrating data, whereas Bling Libra (aka ShinyHunters) is responsible for performing the actual extortion activities.

As part of these attacks, the threat actors appear focused on collecting and exfiltrating customer data including names, dates of birth, physical and email addresses, phone numbers, and account metadata. Although most of the extortion attempts occurred via email communications with victim organizations, it is possible the threat actors will migrate to a dedicated leak site (DLS) similar to operators of ransomware-as-a-service (RaaS) programs.

Unit 42 has responded to several incidents thus far in 2025 targeting retail organizations that are highly likely to be associated with this ongoing data theft extortion activity. The following are high-level observations from internal and external sources:

  • Initial Access (T1566.004)
    • Social engineering using vishing, where the threat actors typically pose as IT support personnel and attempt to collect end user credentials via phishing pages or entice victims to connect to a modified version of Salesforce’s Data Loader application.
  • Collection (T1213.002, T1213.004, T1114.002)
    • Searching for and collecting sensitive information from digital platforms such as SharePoint, Microsoft 365 and, most notably, Salesforce.
  • Impact (T1657)
    • In addition to exfiltrating data and holding it for ransom, in at least one instance, the threat actors attempted to purchase goods from a victim’s affiliated stores by applying a discount. It’s unclear if this was an attempt by the threat actors to directly obtain purchased goods for personal use or resell the items on underground forums for personal financial gain.
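The initial access and collection steps above leave a sequence a defender can look for: a user authorizes a new connected app and, shortly afterward, bulk-exports large volumes of customer records. The following is an added illustrative detection example, not code from the Unit 42 post; the event format, field names, app name and values are constructed and do not reflect Salesforce’s actual log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (NOT real Salesforce EventLogFile records).
# Assumed format: timestamp|user|event_type|key=value|rows
SAMPLE_EVENTS = """\
2025-06-02T09:58:10Z|jdoe|LOGIN|ip=198.51.100.7|0
2025-06-02T10:01:33Z|jdoe|CONNECTED_APP_AUTHORIZED|app=Data Loader|0
2025-06-02T10:04:02Z|jdoe|BULK_API_EXPORT|object=Contact|250000
2025-06-02T10:09:45Z|jdoe|BULK_API_EXPORT|object=Account|80000
2025-06-02T11:30:00Z|asmith|CONNECTED_APP_AUTHORIZED|app=Data Loader|0
2025-06-03T14:00:00Z|asmith|BULK_API_EXPORT|object=Contact|1200
"""

# Objects that typically hold the customer data the attackers collect.
CUSTOMER_OBJECTS = {"Contact", "Account", "Lead"}


def parse_events(text):
    """Parse the constructed pipe-delimited event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, etype, detail, rows = line.split("|")
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "type": etype, key: value,
                       "rows": int(rows)})
    return events


def find_suspicious_exports(events, window=timedelta(hours=1), min_rows=10000):
    """Flag bulk exports of customer objects that follow a connected-app
    authorization by the same user within `window` and exceed `min_rows`."""
    auth_times = defaultdict(list)   # user -> [(authorization time, app name)]
    alerts = []
    for ev in sorted(events, key=lambda x: x["ts"]):
        if ev["type"] == "CONNECTED_APP_AUTHORIZED":
            auth_times[ev["user"]].append((ev["ts"], ev["app"]))
        elif (ev["type"] == "BULK_API_EXPORT"
              and ev.get("object") in CUSTOMER_OBJECTS
              and ev["rows"] >= min_rows):
            recent = [app for t, app in auth_times[ev["user"]]
                      if timedelta(0) <= ev["ts"] - t <= window]
            if recent:
                alerts.append({"user": ev["user"], "object": ev["object"],
                               "rows": ev["rows"], "app": recent[-1]})
    return alerts
```

The asmith sequence is not flagged because the export happens a day after the authorization and is small; tuning `window` and `min_rows` to a tenant’s normal export patterns is the main work in practice.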

To be clear, this is not a new trend in terms of cybercriminals conducting data theft extortion attacks targeting customers of prominent cloud-based data platforms. For example, Google previously documented a campaign impacting Snowflake tenants in June 2024.

We also previously documented Bling Libra’s shift from using ransomware to pure data theft extortion in August 2024, including their targeting of Amazon Web Services (AWS) environments. It appears the group remains active even after French authorities announced the arrest of four alleged members in June 2025.

We expect this variety of attacks to continue. In Unit 42 incident response cases involving social engineering as an initial access method, 23% involved callback or voice-based techniques. This trend is particularly concerning because traditional perimeter defenses (e.g., email security) do not cover this form of social engineering.

To learn more about how threat actors implement social engineering and reconnaissance to further their goals, read the 2025 Unit 42 Global Incident Response Report: Social Engineering Edition.


Source: https://unit42.paloaltonetworks.com/retail-hospitality-heists-in-the-digital-age/