Canvas Hackers ShinyHunters Say Their Official Domain Was Suspended

The recent compromise of Instructure’s Canvas learning‑management system sent shockwaves through the education sector. By injecting a defacement page across dozens of university portals, ShinyHunters disrupted class schedules and hinted at a broader data‑exfiltration campaign, pressuring institutions to scramble for remediation. Canvas, deployed at more than 5,000 campuses worldwide, serves as a central hub for coursework, grades and personal information, making any breach a high‑visibility event. The public nature of the defacement amplified media attention, prompting swift investigations by both campus IT teams and federal cyber‑crime units.

The abrupt disappearance of shinyhunte.rs points to a domain‑suspension request filed with the Serbian National Internet Domain Registry (RNIDS). Registries typically act on verified abuse complaints, which can originate from security firms, CERTs, or law‑enforcement agencies such as the FBI. While officials have not confirmed a seizure, the timing—days after the Canvas attack—suggests coordinated pressure to dismantle the group’s clearnet communication channel. A suspended .rs domain also illustrates how geopolitical jurisdiction can be leveraged to disrupt cyber‑criminal infrastructure without a formal extradition process.

By retreating to an exclusive .onion address, ShinyHunters embraces a more resilient, anonymity‑preserving model. Onion services bypass traditional DNS, rendering takedown orders ineffective and complicating attribution efforts. Threat‑intel teams will now rely on dark‑web monitoring and traffic analysis rather than simple domain reputation checks. This shift may embolden other ransomware and data‑leak groups to adopt similar tactics, raising the bar for defenders who must invest in specialized tools and cross‑jurisdictional collaboration to keep pace.