Hack or Honeypot? ShinyHunters Claims Victory While Resecurity Claims a Masterful Trap
The hacking group known as ShinyHunters has claimed responsibility for breaching the infrastructure of Resecurity and exfiltrating internal data. Resecurity, however, maintains that the attackers gained access only to a deliberately constructed decoy—a segregated system filled with fabricated information designed to observe and analyze malicious activity.
ShinyHunters published screenshots on Telegram that they allege substantiate a successful intrusion. According to the group, they obtained employee data, internal communications, cyber-threat reports, and customer information. As purported evidence, they shared images of a Mattermost interface displaying internal conversations, including discussions related to the moderation of malicious content on Pastebin.
The group refers to itself as “Scattered Lapsus$ Hunters,” implying ties to other well-known collectives such as Lapsus$ and Scattered Spider. They claim the attack was carried out in retaliation for Resecurity’s attempts to study the group’s structure through social engineering.
Resecurity’s account of events diverges sharply. Company representatives insist that the compromised systems were entirely unrelated to their core infrastructure. According to a report released on December 24, suspicious activity had already been detected in November. The security team identified signs of reconnaissance originating from an external source and traced IP addresses linked to Egypt and the Mullvad VPN service.
In response to the perceived threat, Resecurity stood up an isolated environment populated with falsified data and deliberately planted an account whose credentials the intruder was allowed to obtain, so that every action taken with it could be monitored.
This environment contained fabricated records, including more than 28,000 fictitious user profiles and over 190,000 transactions structured to resemble the Stripe API. The objective of this honeypot was to gather intelligence on the attacker’s behavior, tactics, and tooling.
In December, Resecurity observed a large-scale automated data-exfiltration attempt, during which the attacker, operating through proxy networks, initiated nearly 190,000 requests. During the operation, intermittent connection failures briefly exposed some real IP addresses, which were subsequently shared with law enforcement authorities.
Additional fabricated data were later introduced into the decoy environment to prolong observation of the attacker’s behavior. This led to further operational errors on the adversary’s part, enabling investigators to narrow down the associated infrastructure and identify servers used to automate the attack. According to the company, one international law-enforcement partner has even initiated an extradition request based on the evidence collected.
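One way an investigator might triage logs from a decoy like the one described above, as an added example that is not Resecurity's tooling: the script parses constructed access-log lines, groups them by the planted decoy account, flags automated enumeration (a long run of sequential page requests, or a high per-minute rate), and lists any source address that falls outside the known proxy/VPN exit ranges while the same account was otherwise proxied, the kind of connection-failure slip the article says exposed real IPs. The log format, account names, and address ranges (RFC 5737 documentation networks, not any real provider's) are assumptions made for the example.

```python
"""Honeypot log triage: bulk-exfiltration and proxy-slip detection (added example)."""
from __future__ import annotations

import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical exit ranges attributed to the intruder's proxy/VPN layer.
# These are RFC 5737 documentation networks, chosen so the example runs offline.
KNOWN_PROXY_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed log lines: <ISO time> <src ip> <account> <method> <path> <status>
# "decoy-svc" is the planted account; "analyst" is a legitimate internal user.
SAMPLE_LOG = """\
2025-12-03T02:14:00Z 198.51.100.17 decoy-svc GET /api/v1/customers?page=1 200
2025-12-03T02:14:01Z 198.51.100.17 decoy-svc GET /api/v1/customers?page=2 200
2025-12-03T02:14:02Z 203.0.113.9 decoy-svc GET /api/v1/customers?page=3 200
2025-12-03T02:14:02Z 203.0.113.9 decoy-svc GET /api/v1/customers?page=4 200
2025-12-03T02:14:03Z 198.51.100.17 decoy-svc GET /api/v1/customers?page=5 200
2025-12-03T02:14:03Z 192.0.2.45 decoy-svc GET /api/v1/customers?page=6 200
2025-12-03T02:14:04Z 203.0.113.9 decoy-svc GET /api/v1/customers?page=7 200
2025-12-03T02:14:05Z 198.51.100.17 decoy-svc GET /api/v1/customers?page=8 200
2025-12-03T02:14:06Z 203.0.113.9 decoy-svc GET /api/v1/charges?page=1 200
2025-12-03T02:15:30Z 198.51.100.17 decoy-svc GET /api/v1/charges?page=2 200
2025-12-03T09:02:11Z 10.20.30.40 analyst GET /api/v1/customers?page=1 200
2025-12-03T09:03:40Z 10.20.30.40 analyst GET /api/v1/customers/c_00042 200
"""

PAGE_RE = re.compile(r"^(?P<base>[^?]+)\?page=(?P<n>\d+)$")


@dataclass
class Entry:
    ts: datetime
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    account: str
    path: str
    status: int


def parse_log(text: str) -> list[Entry]:
    """Parse the constructed log format into Entry records (blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, _method, path, status = line.split()
        entries.append(Entry(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                             ipaddress.ip_address(ip), account, path, int(status)))
    return entries


def is_proxy_exit(ip) -> bool:
    return any(ip in net for net in KNOWN_PROXY_RANGES)


def longest_sequential_run(pages: list[int]) -> int:
    """Length of the longest run of consecutive page numbers (1,2,3,...) in order seen."""
    best = run = 1 if pages else 0
    for prev, cur in zip(pages, pages[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def analyze(entries: list[Entry], rpm_threshold: int = 60, min_run: int = 5) -> dict:
    """Per account: volume, peak requests/minute, longest page-walk, proxy exits used,
    and any source address seen outside the proxy ranges while the account was
    otherwise proxied (a candidate real-IP leak)."""
    by_account: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        by_account[e.account].append(e)

    report = {}
    for account, evs in by_account.items():
        per_minute = Counter(e.ts.replace(second=0, microsecond=0) for e in evs)
        peak_rpm = max(per_minute.values())

        pages_by_base: dict[str, list[int]] = defaultdict(list)
        for e in evs:
            m = PAGE_RE.match(e.path)
            if m:
                pages_by_base[m["base"]].append(int(m["n"]))
        max_run = max((longest_sequential_run(p) for p in pages_by_base.values()), default=0)

        proxied = {e.ip for e in evs if is_proxy_exit(e.ip)}
        # Only treat non-proxy addresses as leaks when the account also came in via proxy.
        leaks = sorted({str(e.ip) for e in evs if not is_proxy_exit(e.ip)}) if proxied else []

        report[account] = {
            "requests": len(evs),
            "peak_rpm": peak_rpm,
            "max_sequential_run": max_run,
            "automated": peak_rpm >= rpm_threshold or max_run >= min_run,
            "proxy_exits": sorted(str(ip) for ip in proxied),
            "candidate_real_ips": leaks,
        }
    return report


if __name__ == "__main__":
    for account, stats in analyze(parse_log(SAMPLE_LOG)).items():
        print(account, stats)
```

In real use the proxy ranges would come from the infrastructure already attributed to the intruder during the reconnaissance phase, and any "candidate_real_ips" hit is a lead to corroborate (timing, user agent, TLS fingerprint) before it is handed to a law-enforcement partner, not a conclusion on its own.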
As of publication, ShinyHunters have provided no further proof to support their claims, though they have promised to release additional information in the near future.