The notorious hacking group ShinyHunters, recently linked to the large-scale compromise and defacement of Instructure’s Canvas LMS platform, claims its official clearnet domain has been suspended by the domain registry, fueling online speculation that the site may have been targeted following the group’s recent attacks.
The issue surfaced on Monday, May 11, 2026, when the group’s public-facing domain, shinyhunte.rs, suddenly went offline. Soon after, rumors spread across underground forums and social media platforms suggesting the domain may have been seized by law enforcement agencies, including speculation about possible FBI involvement.
The timing of the outage comes shortly after ShinyHunters claimed responsibility for attacks targeting Canvas LMS, a widely used learning management system adopted by universities and educational institutions worldwide.
Canvas LMS Attack
Hackread.com previously reported on the cyberattack and confirmed that hundreds of universities experienced class disruptions following the Canvas LMS defacement incident.
The attack affected multiple universities globally, with compromised Canvas portals displaying a defacement message allegedly posted by ShinyHunters. The page included statements about the breach and threats to leak stolen data if ransom demands were not met.
Despite the attention surrounding the group’s clearnet website, the domain itself was used only for announcements and operational updates. Data leaks connected to the group’s previous Salesforce and Anodot-related breaches were hosted separately on a dark web (.onion) leak accessible through the Tor network.
At the time of writing, the group’s onion domain remains active, along with a notice stating “The domain shinyhunte.rs was suspended, it is not operated and owned by us anymore.”
The group also warned visitors not to trust the suspended domain in the future, claiming it could later be registered or reused by unrelated actors for malicious activity. “It may be reclaimed by unknown persons in the future for malicious use. We do not control shinyhunte.rs anymore; it has been suspended by the registry.”
ShinyHunters further stated that all future announcements and leak activity will now be conducted exclusively through its onion-based infrastructure. “We will operate at this onion domain only moving forward. Anyone claiming to be us anywhere is impersonating.”
Understanding the .RS Domain
The .rs domain is the country code top-level domain (ccTLD) assigned to Serbia. The abbreviation “RS” comes from “Republika Srbija,” meaning the Republic of Serbia. The namespace is managed by the Serbian National Internet Domain Registry, commonly known as RNIDS.
While domain suspensions are not unusual in cases involving malware distribution, phishing, ransomware, or cybercrime operations, such actions generally require abuse complaints, supporting evidence, or requests from security organizations, hosting providers, CERT teams, or law enforcement agencies.
It remains unclear whether Serbian authorities or the registry itself acted independently, or whether the suspension followed requests or evidence submitted by foreign agencies investigating ShinyHunters’ recent activity.
At this stage, there is also no public evidence confirming that the domain was officially seized by the FBI or any other law enforcement body.
Moving Away From the Clearnet
Although losing a domain can temporarily disrupt operations, cybercriminal groups often recover quickly by registering replacement domains under different extensions or relocating activity to decentralized infrastructure.
However, ShinyHunters’ decision to abandon clearnet operations entirely and rely only on its onion-based platform suggests the group is becoming more cautious about operational security and exposure following increased public attention surrounding the Canvas LMS attacks.
Additionally, the group’s continued use of a Tor-based onion service makes disruption more difficult because onion domains operate outside the traditional DNS system managed by registries and ICANN-linked providers.
