Pink is the Latest Goon Squad Using Fake Helpdesk Calls to Steal Credentials

New Extortion Tactics by Pink 🚨

A new extortion brand called Pink is making waves by using voice phishing and fake help-desk calls to gain initial access to organizations’ IT environments. This group steals sensitive data and threatens to leak it unless victims pay a ransom.

Palo Alto Networks’ Unit 42 first spotted this gang, tracking it as cluster CL-CRI-1147, and noted that the gang’s data-leak site went live on May 31. According to Unit 42’s LinkedIn post, “Pink uses vishing and IT impersonation to phish credentials/MFA, then exfiltrates enterprise cloud storage and productivity data to extort victims.”

This style of phone-based intrusion was popularized by the chaotic crime crew Lapsus$ during their 2021 and 2022 extortion spree, which targeted major companies like Nvidia, Microsoft, and Okta.

After investigating multiple extortion attacks, Unit 42 discovered Pink’s name-and-shame website on June 1, 2026. They noted that the actor provided a new qTox ID and a leak site associated with the Pink brand, referencing similar information from previous extortion notices. Pink data thieves set a 72-hour deadline for victims to respond before leaking the stolen data.

The criminals exploit compromised accounts and internal messages to extort companies, snooping for valuable corporate and customer data on platforms like SharePoint and OneDrive.

Warning to Network Defenders ⚠️

Unit 42 analysts Richard Emerson and Cuong Dinh emphasized the importance of being cautious with help desk calls, especially from individuals claiming to be locked out of corporate accounts or to be support staff rolling out mandatory MFA updates.

This post is licensed under CC BY 4.0 by the author.