According to some Hashcat benchmarks, a current Nvidia GPU can compute SHA-1 hashes at a rate of:
- NVIDIA GeForce RTX 3090 ~22.6×109 hashes per second
- NVIDIA GeForce RTX 3080 Ti ~21.7×109 hashes per second
And AMD graphics cards seems to perform in the same range as per this benchmark:
SHA-1 Speed.#1.........: 20.6×109
Given its MSRP price of ~\$649, the AMD RX 6800 XT seems to be our best candidate to conduct a similar attack. (Notwithstanding any chip shortage driving the prices up like crazy...)
Next, according to the 2017 shattered.it website and paper:
This attack required over 9,223,372,036,854,775,808 SHA1 computations [9×1018]. This took the equivalent processing power as 6,500 years of single-CPU computations and 110 years of single-GPU computations.
But as mentioned in fgrieu's comment, in 2020, a new paper ("SHA-1 is a Shambles") came out, further improving the SHAttered attack in which they estimated the cost of their attack to $~2^{61.6} = 3.5\times 10^{18}$ SHA-1 computations vs. the $2^{63}$ computations in the SHAttered one (see Table 4.)
We can thus compute that with the current GPUs it takes:
$$\frac{2^{61.6}}{20.6×10^9} \approx 169\times10^6$$
seconds with a single GPU, which is ~5.36 years.
But this parallelizes relatively well, so you could just add more GPUs to the mix and you could get one in six months with 10 GPUs, or in 2 months with 30 GPUs... And that's at a theoretical cost of ~\$19,470 of GPUs, plus ~ \$2,000 of electricity costs running your 30 GPUs for 2 months...
You can also just rent three p3.16xlarge AWS instance with a hash rate of ~135GH/s each at a cost of ~\$24.48 per instance per hour, for a total of 405GH/s for \$73.44 per hour. That would take you ~2397.12 hours (3 months) and cost you ~\$176,044.
Remarkably, we can see that in only 5 years, we're down from an attack costing ~110 GPU years to an attack costing ~8 GPU-years in 2020 (thanks to theoretical improvements & newer GPUs) to just ~5.4 GPU years nowadays (thanks to newer, faster GPUs).
Also note that this is not taking possible ASICs into account, unlike this 2021 paper ("On The Cost of ASIC Hardware Crackers: A SHA-1 Case Study") which answers your question when assuming custom ASICs are an option:
In particular, we remark that the chosen-prefix collisions for SHA-1 can be generated in under a minute, with an ASIC cluster that costs a few dozen Millions dollars. Such ability would allow an attacker to apply the SLOTH attack on TLS or SSH connections using SHA-1.
Finally, if we take into account supercomputers and the Bitcoin network, this question is already covered in this excellent answer by kelalaka from 2018, and things aren't looking good: the Bitcoin network could do it in 1s, given its current hashrate of over 200TH/s... Yup: one second! But that's not technically true since Bitcoin's dedicated hardware is actually specialized in computing SHA-256 hashes.
In a more realistic way, it would take less than a day to do it on a super-computer such as the one owned by the US Department of Energy's Oak Ridge National Laboratory (ORNL) named "Summit".