Saturday, March 28, 2026

Hackers claim to hack Resecurity, firm says it was a honeypot

Update: Article updated to reflect that ShinyHunters says they were not involved in this activity. We have updated our story and title.

Threat actors associated with the “Scattered Lapsus$ Hunters” (SLH) claim to have breached the systems of cybersecurity firm Resecurity and stolen internal data, while Resecurity says the attackers only accessed a deliberately deployed honeypot containing fake information used to monitor their activity.

Today, threat actors published screenshots on Telegram of the alleged breach, claiming they stole employee data, internal communications, threat intelligence reports, and client information.

“We would like to announce that we have gained full access to REsecurity systems,” the group wrote on Telegram, claiming to have stolen “all internal chats and logs”, “full employee data”, “threat intel related reports”, and a “full client list with details.”

Portion of the Telegram post by the threat actors
Source: BleepingComputer

As proof of their claims, the threat actors published screenshots they allege were stolen from Resecurity, including what appears to be a Mattermost collaboration instance showing communications between Resecurity employees and Pastebin personnel regarding malicious content hosted on the text-sharing platform.

The threat actors, who refer to themselves as “Scattered Lapsus$ Hunters” due to the alleged overlap between the ShinyHunters, Lapsus$, and Scattered Spider threat actors, said the attack was retaliation for what they claim are ongoing attempts by Resecurity to socially engineer the group and learn more about its operations.

The threat actors say Resecurity employees pretended to be buyers during the sale of an alleged Vietnam financial system database, seeking free samples and additional information.

After publishing this article, the ShinyHunters spokesperson told BleepingComputer that they were not involved in this activity. While ShinyHunters has always claimed to be part of Scattered Lapsus$ Hunters, they state they were not involved in this attack.

We have updated our article with this information.

If you have any information regarding this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at ideas@bleepingcomputer.com.

Resecurity says it was a honeypot

Resecurity disputes the threat actor’s claims, stating that the allegedly breached systems are not part of its legitimate production infrastructure but were instead a honeypot designed to attract and monitor the threat actors.

After BleepingComputer contacted Resecurity about the claim, the company shared a report published on December 24, in which it says it first detected a threat actor probing its publicly exposed systems on November 21, 2025.

The company says its DFIR team identified reconnaissance indicators early and logged multiple IP addresses linked to the actor, including those originating from Egypt and Mullvad VPN services.

Resecurity said it responded by deploying a “honeypot” account inside an isolated environment that allowed the threat actor to log in and interact with systems containing fake employee, customer, and payment data while being monitored by the researchers.

A honeypot is a deliberately exposed, monitored system or account designed to lure attackers, allowing them to be observed and analyzed and intelligence to be gathered on their activity without risking real data or infrastructure.

The company says it populated the honeypot with synthetic datasets designed to closely resemble real-world business data. These included more than 28,000 synthetic consumer records and over 190,000 synthetic payment transaction records, both generated from Stripe’s official API format.

According to Resecurity, the threat actor began attempting to automate data exfiltration in December, generating more than 188,000 requests between December 12 and December 24 while using large numbers of residential proxy IP addresses.

During this activity, the company says it collected telemetry on the attacker’s tactics, techniques, and infrastructure.

Resecurity monitoring activity on honeypot
Source: Resecurity

Resecurity claims that the attacker briefly exposed confirmed IP addresses on multiple occasions due to proxy connection failures, and that the intelligence was reported to law enforcement.
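An added example (not from Resecurity's report or the original article) of the telemetry summary a decoy account makes possible: every request authenticated as the decoy is attributable to the intruder, so the code counts requests per day, distinct source IPs, and sources outside an assumed list of proxy ranges. The log format, the account name `decoy.mark` and the proxy ranges are assumptions, and the sample lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample: "<ISO time> <source IP> <account> <path>".
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-12-12T09:00:01Z 198.51.100.10 decoy.mark /api/customers?page=1
2025-12-12T09:00:02Z 198.51.100.44 decoy.mark /api/customers?page=2
2025-12-12T09:00:03Z 203.0.113.5 decoy.mark /api/customers?page=3
2025-12-13T02:14:40Z 192.0.2.77 decoy.mark /api/payments?page=1
2025-12-13T02:14:41Z 203.0.113.9 decoy.mark /api/payments?page=2
2025-12-13T08:30:00Z 10.0.0.15 alice /api/customers?page=1
"""

DECOY_ACCOUNTS = {"decoy.mark"}            # hypothetical honeypot login
PROXY_NETS = [ipaddress.ip_network(n)      # assumed proxy-pool ranges
              for n in ("198.51.100.0/24", "203.0.113.0/24")]

def parse(log_text):
    """Yield (day, ip, account, path) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        ts, ip, account, path = parts
        try:
            yield ts[:10], ipaddress.ip_address(ip), account, path
        except ValueError:
            continue  # unparsable source address

def summarize(log_text):
    """Summarise decoy-account activity: volume, IP spread, non-proxy sources."""
    per_day, ips, leaks = Counter(), set(), set()
    for day, ip, account, _ in parse(log_text):
        if account not in DECOY_ACCOUNTS:
            continue  # only decoy logins count as honeypot telemetry
        per_day[day] += 1
        ips.add(ip)
        if not any(ip in net for net in PROXY_NETS):
            leaks.add(str(ip))  # request arrived without the proxy layer
    return {"requests_per_day": dict(per_day),
            "distinct_ips": len(ips),
            "non_proxy_sources": sorted(leaks)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```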

After observing additional activity, Resecurity says it added further fake datasets to study the attacker’s behavior, which led to additional OPSEC failures and helped narrow down the threat actor’s infrastructure.

The firm says it later identified servers used to automate the attack through residential proxies and shared the intelligence with law enforcement as well.

“Once the actor was located using available network intelligence and timestamps, a foreign law enforcement organization, a partner of Resecurity, issued a subpoena request regarding the threat actor,” says Resecurity.

At the time of writing, the threat actors have not provided any further evidence, only issuing a new Telegram post stating that more information will be coming soon.

“Good damage control Resecurity. More information coming soon!,” reads a post on Telegram.
