Resecurity has reported that the supposed Scattered Lapsus$ Hunters hack was limited to a decoy environment specifically created to monitor attacker actions.
The cybersecurity company Resecurity intentionally attracted threat actors associated with the Scattered Lapsus$ Hunters (SLH) group into a honeypot after these individuals asserted that they had breached the company and exfiltrated internal and client data.
“Recognizing that the actor was conducting reconnaissance, our team established a honeypot account,” Resecurity stated in a blog entry, revealing prior awareness of the threat actor's probing activities. “This resulted in a successful login by the threat actor to one of the simulated applications containing synthetic data.”
The attackers, who identified themselves as SLH’s “ShinyHunters,” initially shared screenshots and claimed to have infiltrated Resecurity’s systems. However, once the company clarified it was a honeypot, the actual group acknowledged they were not involved in the breach.
“We would like to announce that we have gained full access to Resecurity systems,” the attackers reportedly declared in a Telegram message. “For months, Resecurity has been attempting to social engineer us and groups we are familiar with. When ShinyHunters listed the Vietnam financial system database for sale, their personnel pretended to be buyers to obtain free samples and further information from us.”
To substantiate their claims, the threat actors attached screenshots of internal communications among Resecurity employees within a Mattermost collaboration platform.
Resecurity's Account of Events
Resecurity explains that its security teams detected reconnaissance activities aimed at externally exposed services before the attackers publicly made their assertions. In response, the company redirected the activity toward a honeypot filled with synthetic data designed to mimic internal systems.
The honeypot contained fabricated consumer records and simulated payment data crafted to look realistic while being completely isolated from Resecurity’s actual production environment. The company stated this approach allowed the attackers to believe they had achieved significant access while enabling defenders to observe their actions without revealing real data.
“For the synthetic data, we employed two distinct datasets: over 28,000 records representing consumers and more than 190,000 records of payment transactions, along with generated messages,” Resecurity detailed in the post. “Significantly, in both instances, we used known breached data available on the Dark Web and underground marketplaces, potentially containing personally identifiable information, making the data appear even more authentic to the threat actors.”
Resecurity noted that the attackers engaged with the decoy environment for an extended duration, producing automated requests that offered insights into their tools and techniques.
Lack of Evidence for a Genuine Breach
Despite Resecurity's comprehensive account, the threat actors have not substantiated their initial claims with any additional verifiable proof. Following the release of the screenshots, there have been no confirmed leaks of internal systems or actual client data. Independent evaluations by various cybersecurity analysts reinforce Resecurity’s position that no production assets were compromised.
At the same time, Resecurity’s analysis of the interaction patterns matched tactics commonly used by threat actors. The company’s investigation indicated that the activity began with reconnaissance of publicly exposed systems, corresponding to the MITRE ATT&CK techniques Active Scanning (T1595) and Gather Victim Host Information (T1592), as evidenced by network telemetry and log data. After these claims were published, a spokesperson claiming to represent ShinyHunters denied the group’s involvement, stating that it was not responsible for the activity Resecurity attributed to the alleged attackers.
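As an added illustration of the telemetry-driven detection described in the honeypot account above and in the ATT&CK mapping here (example code, not Resecurity's own tooling or logs), the script below parses a constructed access log from a hypothetical decoy application and raises alerts for the 4xx probing mapped to T1595, for any use of the decoy account, and for automated sequential enumeration of the synthetic records. The log format, the account name decoy-svc, the sample addresses and the thresholds are all assumptions.

```python
import re
from datetime import datetime
# Constructed access log from a hypothetical decoy application; not Resecurity's telemetry.
# Assumed line format: "<ISO timestamp> <source IP> <user or -> <METHOD> <path> <status>".
SAMPLE_LOG = """\
2025-09-10T10:00:01Z 203.0.113.7 - GET /.git/config 404
2025-09-10T10:00:02Z 203.0.113.7 - GET /admin 404
2025-09-10T10:00:02Z 203.0.113.7 - GET /server-status 403
2025-09-10T10:05:00Z 203.0.113.7 decoy-svc POST /login 200
2025-09-10T10:05:01Z 203.0.113.7 decoy-svc GET /api/customers/1 200
2025-09-10T10:05:01Z 203.0.113.7 decoy-svc GET /api/customers/2 200
2025-09-10T10:05:02Z 203.0.113.7 decoy-svc GET /api/customers/3 200
2025-09-10T10:05:02Z 203.0.113.7 decoy-svc GET /api/customers/4 200
2025-09-10T11:00:00Z 198.51.100.5 analyst GET /api/customers/42 200
"""
DECOY_ACCOUNTS = {"decoy-svc"}  # assumed honeypot account names; no legitimate user knows them
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, method, path, status = m.groups()
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "ip": ip,
                           "user": user, "method": method, "path": path, "status": int(status)})
    return events

def analyze(events, probe_threshold=3, window_s=60, burst_threshold=4):
    """Return {source IP: [alerts]} for the behaviours the article attributes to the actor."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e["ip"], []).append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        found = []
        # T1595 Active Scanning: a burst of 403/404 probes against guessed paths in one window
        probes = [e for e in evs if e["status"] in (403, 404)]
        if len(probes) >= probe_threshold and (probes[-1]["ts"] - probes[0]["ts"]).total_seconds() <= window_s:
            found.append("T1595 Active Scanning: %d error probes" % len(probes))
        # A decoy account has no legitimate users, so any login with it is a high-fidelity alert
        if any(e["user"] in DECOY_ACCOUNTS for e in evs):
            found.append("Decoy account used")
        # Automated tooling tends to walk record IDs in strict order; a human analyst rarely does
        ids = [int(m.group(1)) for e in evs if (m := re.search(r"/customers/(\d+)$", e["path"]))]
        if len(ids) >= burst_threshold and ids == list(range(ids[0], ids[0] + len(ids))):
            found.append("Automated enumeration of synthetic records")
        if found: alerts[ip] = found
    return alerts
```

Running `analyze(parse(SAMPLE_LOG))` flags only the scanning address; the analyst's single lookup from the second address produces no alert.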