Checkout Refuses Ransom Demand, Will Donate to Cybercrime Research Instead
British fintech giant Checkout.com—payment processor for eBay, Uber Eats, IKEA, Samsung, and dozens of major brands—became the latest victim of ShinyHunters hackers. The company refused to pay the ransom and announced plans to donate the demanded amount to cybersecurity research.
The Breach
Checkout.com provides unified payment APIs, hosted payment portals, mobile SDKs, and platform integration plugins for global commerce. The client roster reads like a Fortune 500 directory: eBay, Uber Eats, adidas, GE Healthcare, IKEA, Klarna, Pinterest, Alibaba, Shein, Sainsbury's, Sony, DocuSign, Samsung, and HelloFresh. A breach at this level creates ripple effects across the entire payment ecosystem.
Last week, Checkout executives received an extortion demand from ShinyHunters. The hackers claimed they had exfiltrated company data and threatened public disclosure without payment.
The company's investigation confirmed the breach. ShinyHunters had successfully compromised an outdated third-party cloud storage system that Checkout had used in 2020 and earlier. The legacy system had never been properly decommissioned and continued storing sensitive information.
What Was Taken
The stolen files included merchant partner information, internal operational documents, and client onboarding materials. Checkout estimates the breach affects less than 25% of its current client base, though former clients may also be exposed.
The Response
Checkout made a decision that breaks with standard ransomware playbooks: no payment.
Instead, the company announced it would donate the ransom amount to Carnegie Mellon University and the Oxford Cybersecurity Centre to fund cybercrime research.
"We will not pay ShinyHunters a ransom," company representatives stated. "Instead, we're investing those funds into strengthening security and protecting our clients."
The company also committed to a comprehensive security infrastructure overhaul to prevent future incidents.
ShinyHunters: A Persistent Threat
ShinyHunters—now more accurately described as Scattered Lapsus$ Hunters, reflecting the merger of Scattered Spider, LAPSUS$, and original ShinyHunters members—operates as an international cybercrime collective specializing in large-scale data theft.
Their typical attack pattern involves phishing campaigns, OAuth credential compromise, or social engineering to gain initial access. After data exfiltration, they demand substantial payments to prevent public disclosure.
Recent activity shows the group remains highly active. Security researchers linked ShinyHunters to exploitation of a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61884). Earlier in 2025, the group conducted a campaign targeting Salesforce and Drift platforms that compromised dozens of organizations.
The Bigger Picture
Checkout's decision not to pay represents a calculated risk. By refusing the ransom, the company removes the financial incentive for future attacks while publicly demonstrating its commitment to security principles. The donated funds will support academic research into cybercrime patterns and prevention methods—work that benefits the entire industry.
However, the breach itself highlights a common security gap: legacy systems that persist beyond their intended lifecycle. The compromised storage system should have been decommissioned years ago. Instead, it remained online, unmonitored, and vulnerable.
For Checkout's merchant partners—companies processing millions of transactions daily—the exposure creates immediate concern. Even if the stolen data doesn't include payment card information, operational documents and merchant relationships provide attackers with valuable reconnaissance for follow-on campaigns.
What's Next
Checkout faces the standard post-breach requirements: notification to affected parties, regulatory reporting where required, and the promised security infrastructure improvements. The company's transparency about the incident and refusal to pay may earn goodwill, but merchants will still demand evidence that systems are secure before continuing partnerships.
The ShinyHunters group, meanwhile, has shown no signs of slowing down. Their success rate suggests they've identified reliable attack vectors that continue working across different targets. Until organizations close the gaps—particularly around legacy systems and identity management—groups like ShinyHunters will keep finding ways in.
Checkout's donation to cybersecurity research won't stop the current threat, but it might fund the defensive innovations that prevent the next one.