ShinyHunters Demands $1.5M From Wynn Resorts Over Stolen Data

Ransomware group ShinyHunters is extorting Wynn Resorts over what the gang claims is more than 800,000 stolen employee records containing Social Security numbers, salaries, and personal information. The attackers have set today—February 23, 2026—as the deadline for the casino giant to pay approximately $1.5 million in Bitcoin.

What Was Stolen

According to samples posted by ShinyHunters, the stolen data includes:

• Full names and email addresses
• Phone numbers and physical addresses
• Job positions and salary information
• Start dates and birthdays
• Social Security numbers

The breach scope—over 800,000 records—suggests the attackers obtained comprehensive HR data spanning Wynn's current and former workforce across multiple properties.

ShinyHunters is demanding 22.34 Bitcoin (roughly $1.5 million at current rates) as a "starting price," implying negotiations could push the final figure higher. The group threatened to release the data publicly along with "several annoying digital problems" if Wynn fails to engage.

Oracle PeopleSoft as Entry Point

The attackers claim they gained initial access to Wynn's network in September 2025 via an Oracle PeopleSoft vulnerability, using compromised employee credentials. PeopleSoft runs Wynn's human resources systems—the same systems that would contain the exfiltrated employee data.

If accurate, this represents a five-month dwell time before the extortion campaign went public. That's ample time for attackers to map internal systems, identify valuable data, and establish persistence.

Oracle PeopleSoft vulnerabilities have been a recurring issue. CISA has previously issued warnings about actively exploited PeopleSoft flaws, and the platform's complexity makes it a frequent target for attackers seeking access to sensitive HR and financial data.

Casino Industry Continues to Be a Target

This attack follows a pattern of high-profile casino breaches. MGM Resorts and Caesars Entertainment both suffered major incidents in 2023 involving the Scattered Spider group, with Caesars reportedly paying $15 million to attackers.

The casino sector presents an attractive target profile: large employee bases, high-value customer data, and complex technology environments spanning hospitality, gaming, and financial systems. The Aflac breach earlier this year demonstrated similar techniques against another large employer with sensitive workforce data.

ShinyHunters has been active throughout 2026. The group's recent victims include major retail and technology companies, with their data breach samples frequently appearing on underground forums. They've built a reputation for following through on leak threats when negotiations fail.

Wynn's Response

Wynn Resorts has not publicly confirmed the breach or commented on negotiations. The company did not immediately respond to media inquiries about the incident.

For employees worried about exposure, Wynn would typically be required under Nevada data breach notification laws to inform affected individuals if the breach is confirmed. However, the timeline for such notifications can stretch weeks after an incident becomes public.

What Affected Employees Should Do

If you work or have worked for Wynn Resorts:

1. Freeze your credit with all three bureaus (Equifax, Experian, TransUnion)
2. Monitor financial accounts for unauthorized activity
3. Be alert for phishing using your personal details
4. Consider an IRS Identity Protection PIN to prevent tax fraud

The combination of SSNs with salary and employment details creates a potent identity theft package. Criminals can use this data to file fraudulent tax returns, open credit accounts, or conduct targeted social engineering attacks.

Why Deadline Pressure Works

Ransomware and extortion groups use hard deadlines to force rapid decisions. The psychology is simple: victims weighing weeks of careful deliberation face pressure to act before data goes public.

Whether Wynn engages with ShinyHunters or not, the stolen data represents long-term risk. Even if the company pays, there's no guarantee the attackers won't retain copies or sell them separately—as we've seen in numerous post-payment breach situations.

The GrubHub extortion incident earlier this year demonstrated how ShinyHunters operates: public pressure, hard deadlines, and a willingness to follow through on leak threats. Organizations dealing with this group should prepare for data exposure regardless of negotiation outcomes.