Cybersecurity firm Resecurity says it deliberately lured threat actors linked to the Scattered Lapsus$ Hunters (SLH) alliance into a honeypot, after the group claimed that it had hacked the company and stolen internal and client data.
“Understanding that the actor is conducting reconnaissance, our team has set up a honey pot account,” Resecurity said in a blog post, indicating prior knowledge of threat actor probing. “This led to a successful login by the threat actor to one of the emulated applications containing synthetic data.”
Threat actors claiming to be SLH’s “ShinyHunters” initially posted screenshots and said they had breached Resecurity’s systems, but soon after the firm disclosed that the access had been to a honeypot, the actual group stated it had no connection to the attack.
“We would like to announce that we have gained full access to Resecurity systems,” the threat actors reportedly said in a Telegram post. “For months, REsecurity has been trying to social engineer us and groups we know. When ShinyHunters put the Vietnam financial system database up for sale, their staff pretended to be buyers to get free samples and more info from us.”
As proof, the threat actors had attached screenshots of Resecurity employees’ internal communication in a Mattermost collaboration instance.
What Resecurity says really happened
According to Resecurity, its security teams observed reconnaissance activity targeting externally exposed services before the attackers made their claims public. In response, the company said it steered the activity toward a honeypot environment populated with synthetic data designed to resemble internal systems.
The honeypot included fabricated consumer records and simulated payment data structured to appear realistic while remaining fully isolated from Resecurity’s production environment. The company said this allowed the attackers to believe they had gained meaningful access, while enabling defenders to monitor activity without exposing real data.
“For synthetic data, we used two different datasets: over 28,000 records impersonating consumers and over 190,000 records of payment transactions, and generated messages,” Resecurity said in the post. “Notably, in both cases, we utilized already known breached data available on the Dark Web and underground marketplaces—potentially containing PII—making the data even more realistic for threat actors.”
Resecurity added that the attackers interacted with the decoy environment over an extended period, generating automated requests that provided insight into their tooling and methods.
Evidence of real breach remains thin
Despite Resecurity’s detailed account, the threat actors have not backed up their original claims with additional verifiable evidence. Since the screenshots were posted, no substantiated leaks of internal systems or actual client data have appeared. Independent analysis by various cybersecurity researchers supports Resecurity’s assertion that no production assets were compromised.
Resecurity’s own analysis of the interaction patterns, meanwhile, aligned with common threat-actor tactics. According to the company’s investigation, the activity began with reconnaissance of publicly exposed systems, which matched MITRE ATT&CK techniques such as Active Scanning (T1595) and Gather Victim Host Information (T1592), based on network telemetry and log data. Following the publication of the claims, a spokesperson claiming to represent ShinyHunters denied the group’s involvement, saying it was not responsible for the activity Resecurity attributed to the alleged attackers.