Threat actors associated with Scattered Lapsus$ Hunters (SLH) claimed to have breached cybersecurity firm Resecurity and stolen internal data. Instead, they’d fallen into a deliberately deployed honeypot—and the intelligence gathered from monitoring their activity led to a law enforcement subpoena identifying one of the attackers.
Incident overview
| Attribute | Details |
|---|---|
| Claimed victim | Resecurity (cybersecurity firm) |
| Actual outcome | Honeypot trap successful |
| Threat actor | Scattered Lapsus$ Hunters (SLH) |
| Synthetic consumer records | 28,000+ |
| Synthetic payment records | 190,000+ |
| Automated requests logged | 188,000+ |
| Law enforcement action | Foreign subpoena issued |
| Production data compromised | None confirmed |
Timeline
| Date | Event |
|---|---|
| November 21, 2025 | Resecurity detects threat actor probing public-facing systems |
| November 2025 | Hunter DFIR team deploys honeypot environment with “Mark Kelly” account |
| December 12-24, 2025 | Attackers make 188,000+ automated requests to honeypot |
| December 24, 2025 | Resecurity publishes report confirming synthetic data access |
| January 3, 2026 | SLH posts breach claims to Telegram |
| January 4, 2026 | Claims removed from Telegram after honeypot revealed |
| January 2026 | Telegram channel suspended for policy violations |
| January 2026 | Resecurity offers “congratulations” to attackers for falling into trap |
The claim
The group posted screenshots on Telegram claiming “full access to Resecurity systems” and theft of:
| Claimed data | Attacker assertion |
|---|---|
| Employee data | Names, contacts, roles |
| Internal communications | Chat logs, discussions |
| Threat intelligence reports | Customer-facing research |
| Management files | Internal documents |
| Client information | Customer list and details |
What actually happened
When Resecurity detected probing activity in November 2025, their Hunter DFIR team didn’t just block the attacker—they deployed a honeypot account within an isolated environment. The attacker was allowed to log in and interact with systems containing synthetic data while being monitored.
Honeypot architecture
| Component | Purpose |
|---|---|
| “Mark Kelly” account | Honeypot user identity |
| Mattermost instance | Fake internal communications |
| Synthetic consumer records | 28,000+ realistic-looking entries |
| Synthetic payment transactions | 190,000+ records in Stripe API format |
| Fabricated internal messages | Believable but traceable content |
| Complete isolation | No paths to production systems |
| Comprehensive logging | Full activity capture |
The data was structured to closely resemble real business data while remaining completely isolated from production systems. The payment records were generated using the official Stripe API format for maximum realism.
Synthetic data design
| Element | Realism factor |
|---|---|
| Consumer records | Names, addresses, contact info following real patterns |
| Payment data | Stripe API format, realistic transaction patterns |
| Internal comms | Believable business discussions |
| File structure | Mimicked real organizational layout |
| Timestamps | Recent activity to appear current |
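The synthetic data design above, as an added example that is not Resecurity's code: a Python generator for consumer records and payment records shaped like Stripe charge objects. The field names are modelled on Stripe's public charge schema (exact fidelity to the API is an assumption), timestamps fall within the last 30 days so the data looks current, and every identifier carries a short HMAC-derived marker so that a record which later appears in a leak post or screenshot can be proven to come from the decoy set. The watermark key, names and addresses are constructed sample values.

```python
"""Generate synthetic, traceable honeypot records (added example)."""
import hashlib
import hmac
import random
import time
from typing import Optional

# Hypothetical deployment secret; in practice load it from a secrets manager.
WATERMARK_KEY = b"honeypot-watermark-key-example"

# Constructed sample pools; real deployments would draw from richer sources.
FIRST = ["Mark", "Dana", "Priya", "Omar", "Elena", "Tom"]
LAST = ["Kelly", "Nguyen", "Okafor", "Schmidt", "Rossi", "Ito"]
STREETS = ["Oak St", "Maple Ave", "Pine Rd", "Cedar Ln"]
CITIES = [("Austin", "TX", "78701"), ("Denver", "CO", "80202"), ("Tampa", "FL", "33602")]
BRANDS = ["visa", "mastercard", "amex"]


def watermark(seq: int, key: bytes = WATERMARK_KEY) -> str:
    """Keyed 8-hex-character marker for record number `seq`."""
    digest = hmac.new(key, f"record:{seq}".encode(), hashlib.sha256).hexdigest()
    return digest[:8]


def make_consumer(seq: int, rng: random.Random) -> dict:
    """Consumer record with realistic-looking fields; the marker lives in the id."""
    first, last = rng.choice(FIRST), rng.choice(LAST)
    city, state, postal = rng.choice(CITIES)
    return {
        "customer_id": f"cus_{watermark(seq)}{seq:06d}",
        "name": f"{first} {last}",
        "email": f"{first.lower()}.{last.lower()}{seq}@example.com",
        "address": {
            "line1": f"{rng.randint(10, 9999)} {rng.choice(STREETS)}",
            "city": city, "state": state, "postal_code": postal, "country": "US",
        },
    }


def make_charge(seq: int, customer_id: str, now: int, rng: random.Random) -> dict:
    """Charge object modelled on Stripe's public charge schema (assumption)."""
    return {
        "id": f"ch_{watermark(seq)}{seq:08d}",
        "object": "charge",
        "amount": rng.choice([999, 1999, 4900, 12000, 25000]),  # minor units (cents)
        "currency": "usd",
        "created": now - rng.randint(0, 30 * 86400),  # recent, to look current
        "customer": customer_id,
        "status": rng.choices(["succeeded", "failed"], weights=[95, 5])[0],
        "payment_method_details": {
            "type": "card",
            "card": {"brand": rng.choice(BRANDS), "last4": f"{rng.randint(0, 9999):04d}"},
        },
    }


def generate_dataset(n_consumers: int, charges_per_consumer: int, seed: int = 1,
                     now: Optional[int] = None) -> tuple:
    """Deterministic (seeded) consumer and charge sets; every id is watermarked."""
    rng = random.Random(seed)
    now = int(time.time()) if now is None else now
    consumers, charges, seq = [], [], 0
    for _ in range(n_consumers):
        consumer = make_consumer(seq, rng)
        consumers.append(consumer)
        seq += 1
        for _ in range(charges_per_consumer):
            charges.append(make_charge(seq, consumer["customer_id"], now, rng))
            seq += 1
    return consumers, charges


def is_honeypot_record(record_id: str, key: bytes = WATERMARK_KEY) -> bool:
    """True if a leaked id ("cus_..."/"ch_...") carries a valid marker for its sequence number."""
    try:
        body = record_id.split("_", 1)[1]
        mark, seq = body[:8], int(body[8:])
    except (IndexError, ValueError):
        return False
    return hmac.compare_digest(mark, watermark(seq, key))


if __name__ == "__main__":
    consumers, charges = generate_dataset(3, 2, seed=7)
    print(charges[0])
    print(is_honeypot_record(charges[0]["id"]))
```

When a group posts a screenshot, pasting one visible identifier into `is_honeypot_record` answers the question the incident turned on: whether the "stolen" data is the decoy set. Keying the marker with HMAC means an attacker who notices the pattern still cannot forge or strip it without the key.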
Attacker activity
Between December 12 and December 24, 2025, Resecurity recorded detailed telemetry:
| Metric | Value |
|---|---|
| Automated requests | 188,000+ |
| Primary proxy location | Residential IPs from Egypt |
| Secondary proxy | Mullvad VPN |
| Tools used | Automated scraping/exfiltration |
| Session duration | 12+ days |
| Data exfiltrated | Synthetic records only |
The attackers’ automation and persistence provided extensive behavioral data for attribution.
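The telemetry the honeypot produced (request volume, session span, source addresses, tool signatures) is the kind of record a DFIR team keeps per source for attribution. As an added example that is not Resecurity's tooling, the Python below parses constructed access-log lines in a simple hypothetical format (timestamp, source IP, quoted user agent, method, path, status), builds per-source statistics, and flags sources whose spacing and client fingerprint look scripted rather than interactive. The IPs are documentation ranges and the thresholds are illustrative assumptions.

```python
"""Summarise honeypot access logs and flag automated scraping (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Hypothetical log layout: ts ip "user-agent" METHOD path status
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$'
)

# Client strings typical of scripted access (illustrative, not exhaustive).
SCRIPTED_UA_PREFIXES = ("python-requests", "curl", "go-http-client", "scrapy")

# Constructed sample log: one source paging through the API every two seconds,
# one source browsing interactively.
SAMPLE_LOG = """\
2025-12-12T03:00:00Z 203.0.113.10 "python-requests/2.31" GET /api/customers?page=1 200
2025-12-12T03:00:02Z 203.0.113.10 "python-requests/2.31" GET /api/customers?page=2 200
2025-12-12T03:00:04Z 203.0.113.10 "python-requests/2.31" GET /api/customers?page=3 200
2025-12-12T03:00:06Z 203.0.113.10 "python-requests/2.31" GET /api/customers?page=4 200
2025-12-12T03:00:08Z 203.0.113.10 "python-requests/2.31" GET /api/customers?page=5 200
2025-12-12T03:00:10Z 203.0.113.10 "python-requests/2.31" GET /api/charges?page=1 200
2025-12-12T09:14:22Z 198.51.100.7 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0" GET /channels/town-square 200
2025-12-12T09:17:03Z 198.51.100.7 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0" GET /files/roadmap.pdf 200
2025-12-12T09:25:41Z 198.51.100.7 "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0" GET /api/customers?page=1 200
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def summarise(log_text: str) -> dict:
    """Per-source statistics: volume, first/last seen, client strings, request spacing."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)
    summary = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        summary[ip] = {
            "requests": len(events),
            "first_seen": events[0]["ts"].isoformat(),
            "last_seen": events[-1]["ts"].isoformat(),
            "user_agents": sorted({e["ua"] for e in events}),
            "distinct_paths": len({e["path"] for e in events}),
            "mean_gap_s": mean(gaps) if gaps else None,
            "gap_stdev_s": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return summary


def is_automated(stats: dict, max_mean_gap: float = 5.0, max_jitter: float = 1.0,
                 min_requests: int = 5) -> bool:
    """Heuristic: two of {fast spacing, regular spacing, scripted client} => automated."""
    if stats["requests"] < min_requests or stats["mean_gap_s"] is None:
        return False
    fast = stats["mean_gap_s"] <= max_mean_gap
    regular = stats["gap_stdev_s"] is not None and stats["gap_stdev_s"] <= max_jitter
    scripted = any(ua.split("/")[0].lower() in SCRIPTED_UA_PREFIXES for ua in stats["user_agents"])
    return sum([fast, regular, scripted]) >= 2


def flag_automated(log_text: str) -> list:
    """Sorted list of source IPs whose behaviour looks scripted."""
    return sorted(ip for ip, stats in summarise(log_text).items() if is_automated(stats))


if __name__ == "__main__":
    for ip, stats in summarise(SAMPLE_LOG).items():
        print(ip, "automated" if is_automated(stats) else "interactive", stats)
```

The per-source record (first seen, last seen, request count, client strings) is exactly the timestamp-and-connection data the article says was handed to law enforcement; keeping it in this shape from the first probe onward avoids reconstructing it from raw logs under time pressure. The thresholds are starting points and should be tuned against the decoy's own legitimate traffic so that a human analyst reviewing the environment is not flagged.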
OPSEC mistakes
Processing the fake data “led to several OPSEC mistakes” by Scattered Lapsus$ Hunters:
| Mistake | Impact |
|---|---|
| Revealed automation servers | Infrastructure identified |
| Consistent proxy patterns | Attribution possible |
| Gmail account linkage | Connected to US phone number |
| Yahoo account linkage | Secondary identity exposed |
| Residential proxy usage patterns | Behavioral fingerprinting |
| Time zone indicators | Geographic narrowing |
| Tool signatures | Technical capabilities revealed |
Attribution and “The Com”
Resecurity identified the attackers as Scattered Lapsus$ Hunters (SLH), a group claiming affiliation with ShinyHunters, Lapsus$, and Scattered Spider.
Group naming origin
| Component | Source |
|---|---|
| “Scattered” | Scattered Spider affiliation |
| “Lapsus$” | Lapsus$ group connection |
| “Hunters” | ShinyHunters association |
The Com ecosystem
These groups are linked to “The Com”, a predominantly English-speaking cybercriminal ecosystem:
| Characteristic | Details |
|---|---|
| Demographics | Primarily teenage actors |
| Language | English-speaking |
| Organization | Loosely organized, shifting allegiances |
| Overlap | Lapsus$, ShinyHunters, Scattered Spider |
| Communication | Telegram, Discord |
| Targets | High-profile tech companies, crypto |
| Tactics | Social engineering, SIM swapping |
Security researchers describe it as a “cybercrime youth movement”—a loosely organized network with constantly shifting membership and allegiances.
Related group activities
| Group | Notable activities |
|---|---|
| Lapsus$ | Microsoft, Nvidia, Okta breaches |
| ShinyHunters | Multiple data breach operations |
| Scattered Spider | Casino and hospitality attacks |
| SLH | Combination of above tactics |
ShinyHunters denial
After the story broke, a ShinyHunters spokesperson told BleepingComputer they were not involved in this specific action:
“There is a misunderstanding… I want to make it clear that the TG channel is specifically associated with Scattered LAPSUS$ Hunters, not ShinyHunters.”
Law enforcement action
The intelligence gathered from the honeypot had real consequences:
| Action | Details |
|---|---|
| Network telemetry shared | Timestamps and connection data to law enforcement |
| Subpoena issued | Foreign law enforcement partner |
| Gmail identified | Linked to US-based phone number |
| Yahoo account | Secondary identity confirmed |
| Attribution chain | Established through residential proxy patterns |
| Ongoing investigation | Additional actions expected |
Resecurity offered “congratulations” to the attackers for falling into the trap.
Independent verification
Security researcher Dissent Doe reviewed available evidence:
“In sum, DataBreaches found no evidence that SLH acquired any data from any of Resecurity’s real clients.”
| Verification finding | Status |
|---|---|
| Customer data stolen | No evidence |
| Production compromise | No evidence |
| Synthetic data accessed | Confirmed |
| Honeypot effectiveness | Validated |
Aftermath
On January 4, 2026—one day after publicizing their claims—the group removed all Telegram posts about the alleged breach. They acknowledged that Resecurity’s efforts “disrupted their operations.”
| Aftermath event | Details |
|---|---|
| Telegram posts removed | January 4, 2026 |
| Channel suspended | Telegram policy violation |
| Operations disrupted | Group acknowledgment |
| Reputation damage | Credibility among peers affected |
Lessons for defenders
Deception technology benefits
| Benefit | How it works |
|---|---|
| Early detection | Attackers interact with decoys before reaching real assets |
| Intelligence gathering | Behavioral data supports attribution and prosecution |
| Attacker resource waste | Time spent on fake data is time not spent on real targets |
| Legal evidence | Documented intrusion supports prosecution |
| Psychological impact | Attackers unsure what data is real |
| Deterrence | Risk of honeypots deters future attacks |
Implementation requirements
| Factor | Consideration |
|---|---|
| Realism | Synthetic data must be believable enough to engage attackers |
| Isolation | Complete separation from production—no paths to real systems |
| Monitoring | Comprehensive logging to capture attribution data |
| Response plan | Include law enforcement coordination |
| Maintenance | Honeypots need updates to remain convincing |
| Legal review | Ensure compliance with applicable laws |
Honeypot design principles
| Principle | Application |
|---|---|
| Attractive target | Appears valuable to attackers |
| Accessible | Attackers can find and access it |
| Realistic | Content matches expected patterns |
| Instrumented | Every action is logged |
| Isolated | Cannot lead to real systems |
| Sustainable | Can be maintained long-term |
When to deploy honeypots
| Scenario | Value |
|---|---|
| Initial reconnaissance detected | High—can monitor escalation |
| Targeting by known groups | High—intelligence gathering |
| High-value organization | Medium—defense in depth |
| Limited security resources | Low—maintenance burden |
| Security vendor | High—expected target |
Recommendations for security teams
| Priority | Action |
|---|---|
| High | Develop deception technology capability |
| High | Establish law enforcement coordination channels before incidents |
| High | Create realistic honeypot environments for high-risk scenarios |
| Medium | Train DFIR teams on honeypot deployment |
| Medium | Integrate honeypots with threat intelligence |
| Ongoing | Monitor for reconnaissance activity as deployment trigger |
Honeypot success factors
| Factor | Importance |
|---|---|
| Rapid deployment capability | Critical |
| Realistic data generation | Critical |
| Comprehensive monitoring | Critical |
| Law enforcement relationships | High |
| Attribution capability | High |
| Legal preparation | High |
Context
The Resecurity incident demonstrates that cybersecurity firms aren’t just targets—they’re also capable of turning attacks into intelligence operations. For threat actors targeting security companies, the risk of encountering sophisticated deception technology is significantly higher than with typical corporate victims.
For defenders considering deception technology, this case provides a template: detect early, deploy realistic decoys, monitor comprehensively, and coordinate with law enforcement for maximum impact.
The incident also highlights the evolving nature of threat actor ecosystems. The overlapping membership between Lapsus$, ShinyHunters, and Scattered Spider—all connected through “The Com”—creates attribution challenges but also opportunities when attackers make OPSEC mistakes. Young, inexperienced actors in these groups may have technical skills but often lack the operational discipline to avoid identification.
The subpoena resulting from this honeypot operation demonstrates that active defense can have real consequences for attackers, potentially deterring future operations against both Resecurity and other security-conscious targets.