Cushman & Wakefield confirms Vishing-linked cyberattack amid claims by ShinyHunters and Qilin

Cushman & Wakefield, a global commercial real estate services and investment management company headquartered in Chicago, confirmed a cybersecurity incident tied to a vishing attack after cybercrime groups ShinyHunters and Qilin separately claimed to have compromised the company’s systems.

The company said the breach was limited in scope and originated from a voice phishing scheme in which an employee was socially engineered into granting unauthorized access. The incident prompted the activation of internal response protocols and the engagement of third-party cybersecurity specialists to investigate and contain the activity.

Cushman & Wakefield said its systems and business operations continue to function normally while the investigation remains ongoing. The company did not confirm claims made by either cybercrime group regarding the scale of the alleged data theft.

ShinyHunters claimed it breached the company on May 1 and alleged that it obtained more than 500,000 Salesforce records containing personally identifiable information and internal corporate data. The group issued a May 6 deadline demanding contact from the company before the data would allegedly be leaked.

Separately, the Qilin ransomware group listed Cushman & Wakefield on its dark web leak site on May 4. The listing did not include technical details, proof samples, or a publication countdown typically used in ransomware extortion campaigns. The circumstances surrounding the Qilin claim remain unclear, and no established connection between Qilin and ShinyHunters has been identified.

The appearance of both groups in connection with the same victim raised questions about whether the incidents were related or represented separate attacks occurring within a similar timeframe. Previous cases involving multiple ransomware gangs targeting the same organization have occurred in high-profile public-sector attacks.

ShinyHunters has intensified its activity in recent months through a series of high-profile intrusions linked to social engineering and credential theft campaigns targeting Salesforce customers and cloud-based enterprise platforms. The group has recently claimed attacks involving organizations across the technology, education, retail, hospitality, financial services, and healthcare sectors.

Security researchers have linked the group to sophisticated phishing and vishing operations designed to obtain credentials for single sign-on systems connected to Microsoft, Google, Okta, and Salesforce environments.

Qilin has also emerged as one of the most active ransomware operations in 2025, expanding its presence across multiple industries through data theft and extortion campaigns.

Cushman & Wakefield operates more than 400 offices across over 60 countries and employs approximately 52,000 people worldwide. The company reported annual revenue of $10.3 billion in 2025 and is considered one of the largest commercial real estate firms globally alongside CBRE, JLL, and Colliers International.