Resecurity says security breach was nothing more than hackers duped by a honeypot
A hacking group claiming to have breached the defenses of Resecurity and gained access to internal data was actually fooled by a honeypot stuffed with synthetic data, says the security firm at the center of the story.
Dating back a few weeks, the data breach was originally thought to have been the work of the notorious ShinyHunters group. It is now clear that this group was not involved, and that no real data was accessed.
Rather than ShinyHunters, the group involved in the incident is actually Scattered Lapsus$ Hunters (SLH). The group posted a message on Telegram making bold claims about having accessed swathes of data, including employee records.
The post, as shared by Bleeping Computer, reads:
We would like to announce that we have gained full access to REsecurity systems :)
We took everything:
· All internal chats and logs
· Full employee data: names, emails, tokens, etc..
· Threat intel related, reports, scrapes, and all management files
· Complete client list with details
· All their plans from chats
This didn't happen for nothing. For months, REsecurity has been trying to social engineer us and groups we know. For example, when ShinyHunters put the Vietnam financial system database up for sale, their staff pretended to be buyers to get free samples and more info from us.
They go around telling companies they will "protect" them from cyber attacks, sell expensive services, act like experts... but in the end, just like we did with CrowdStrike and the FBI, they got fully owned :(((
We would also like to thank our friends at Devman Ransomware for the help with this attack.
What actually happened was very different, requiring endless planning and preparation by Resecurity. The company explains in a blog post:
Resecurity identified a threat actor attempting to conduct malicious activity targeting our resources. The actor was probing various publicly facing services and applications. Prior to that, the actor targeted one of our employees who had no sensitive data or privileged access. Our DFIR team logged the threat actor at an early stage and documented the following Indicators of Attack (IOA):
156.193.212.244 (Egypt)
102.41.112.148 (Egypt)
45.129.56.148 (Mullvad VPN)
185.253.118.70 (VPN)Understanding that the actor is conducting reconnaissance, our team has set up a honeytrap account. This led to a successful login by the threat actor to one of the emulated applications containing synthetic data. While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong proof of their activity. Both Office 365 and VPN accounts are highly effective for creating honeypot (honeytrap) accounts to detect, track, and analyze hacker activity. Such accounts are widely used in enterprise environments to detect unauthorized access attempts and gather threat intelligence. The most successful honeypot deployments use realistic, well-monitored decoy accounts that mimic high-value targets but are isolated from real assets. In addition, you can use honeytrap accounts for own applications - on emulated environment, isolated from production resources and closely monitored.
Such accounts could be planted via Dark Web marketplaces and forums, so potential attackers will find and use them. One such account ("Mark Kelly") has been frequently planted on a marketplace commonly used for purchasing compromised data, called Russian Marketplace.
For synthetic data, we used two different datasets: over 28,000 records impersonating consumers and over 190,000 records of payment transactions, and generated messages. Notably, in both cases, we utilized already known breached data available on the Dark Web and underground marketplaces—potentially containing PII—making the data even more realistic for threat actors. Such data is readily available from open sources and can be used as an important element for cyber deception—especially when the threat actor is advanced and may perform various checks to verify that the data is not completely fake. Otherwise, this could affect their further tactics or lead to a complete halt of their planned actions. In our scenario, our goal was to allow the threat actor to conduct activity and feed them with synthetic data to observe their attack path and infrastructure. This task has not involved the use of passwords or API credentials.
This weekend, the company adds:
Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. Our previous reports about them can be found at the following links:
ShinyHunters Launches Data Leak Site: Trinity of Chaos Announces New Ransomware Victims
https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announ...Trinity of Chaos: The LAPSUS$, ShinyHunters, and Scattered Spider Alliance Embarks on Global Cybercrime Spree
https://www.resecurity.com/blog/article/trinity-of-chaos-the-lapsus-shinyhunters-and-scattered-spide...In Telegram, the group claims to have "compromised" Resecurity, not realizing they have fallen into a honeypot prepared for them. The group claimed that "they have gained full access to Resecurity systems," which is a clear overstatement, as the honeypot environment prepared by us did not contain any sensitive information.
The screenshots shared by the threat actors relate to "[honeytrap].b.idp.resecurity.com" (a system emulated with compromised data from the Dark Web and not associated with any actual Resecurity customers) and the Mattermost application, which was provisioned for the honeytrap account "Mark Kelly" around November 2025 for this purpose.
The group admitted that Resecurity's efforts disrupted their operations. Our team used social engineering to acquire data from the group and tracked their activity.
What threat actors did not realize:
The populated accounts contained records from non-existent domains such as "resecure.com" (a domain that does not exist and did not belong to the company) and non-existing accounts flagged as "developers" / "testers";
API keys, along with other "tokens," are hashed with bcrypt and belong to "dummy accounts" with duplicated records, which hold no value.
In-actionable (useless) data from a few years ago, planted by our engineers and mixed with AI-generated content enabled us to document their activities using honeytrap account. The generated data was based on the output of OpenAI, acting as a GPT assistant. The activity has been imaged and retained, including exact timestamps and network connections, which have been shared with law enforcement.
Why are honeytrap accounts effective? They enable defenders to simulate a realistic environment for advanced attackers and collect valuable information about their activities.
It is worth remembering that ShinyHunters has denied involvement, and the actually perpetrators (or victims) are Scattered Lapsus$ Hunters.
