Resecurity denies breach, says attackers hit a honeypot

Threat actors claimed to have successfully breached cybersecurity firm Resecurity. The catch? According to Resecurity, the attackers have actually accessed a honeypot full of fake information, designed specifically to monitor their activity.
The criminal group Scattered LAPSUS$ Hunters published screenshots on Telegram claiming that they have gained full access to Resecurity systems, accessing swathes of data, including client information, threat intelligence reports, and employee records.
“We would like to announce that we have gained full access to REsecurity systems :),” the post, as shared by BleepingComputer, says.
The attackers claim they took everything, including all internal chats and logs; full employee data: names, emails, tokens; threat intelligence-related reports, scrapes, and all management files; complete client list with details; plans from internal chats.
“This didn't happen for nothing,” the attackers add. “For months, REsecurity has been trying to social engineer us and groups we know. For example, when ShinyHunters put the Vietnam financial system database up for sale, their staff pretended to be buyers to get free samples and more info from us.
“They go around telling companies they will ‘protect’ them from cyber attacks, sell expensive services, act like experts... but in the end, just like we did with CrowdStrike and the FBI, they got fully owned :(((
“We would also like to thank our friends at Devman Ransomware for the help with this attack.”
The post was accompanied by screenshots attached as proof – BleepingComputer cites an example of what appears to be interactions between Resecurity employees and Pastebin personnel regarding malicious content hosted on the platform.
What really happened
Resecurity argues, however, that this is not what happened. According to the company, the attackers accessed a honeypot that is in no way connected to its production infrastructure and was designed specifically to attract the cybercriminals.
The firm shared a report published on December 24th, which describes the attacker probing their publicly-facing services and applications on November 21st. Earlier, the actor also targeted one of Resecurity’s employees who had no sensitive data or privileged access.
The company identified the threat actor at an early stage and logged multiple associated IP addresses, some geolocated to Egypt and others linked to Mullvad VPN services.
In response, the team set up a honeytrap account, which the threat actor subsequently logged into.
“The most successful honeypot deployments use realistic, well-monitored decoy accounts that mimic high-value targets but are isolated from real assets,” the researchers explain. “Such accounts could be planted via Dark Web marketplaces and forums, so potential attackers will find and use them. One such account (‘Mark Kelly’) has been frequently planted on a marketplace commonly used for purchasing compromised data, called Russian Marketplace.”
The honeypot used two different datasets for synthetic data: over 28,000 records impersonating consumers and over 190,000 records of payment transactions, and generated messages.
Following the attack claims, Resecurity updated its original report on January 3rd, saying:
“Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot.
“In Telegram, the group claims to have ‘compromised’ Resecurity, not realizing they have fallen into a honeypot prepared for them. The group claimed that ‘they have gained full access to Resecurity systems,’ which is a clear overstatement, as the honeypot environment prepared by us did not contain any sensitive information.”
The researchers added that the attackers did not realize that the populated accounts contained records from non-existent domains. API keys, along with other "tokens," were hashed with bcrypt and belonged to "dummy accounts" with duplicated records, and all activity was logged, including exact timestamps and network connections, and shared with law enforcement.
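The decoy-account pattern the report describes (planted credentials stored only as slow salted hashes, synthetic records on domains that cannot exist, and a timestamped log of every access with its source address) can be instrumented in a few dozen lines. The following is an added example written for this article; it is not Resecurity's code and is not taken from its report. It assumes stdlib scrypt in place of the bcrypt the report mentions, so it runs without third-party packages, and every username, token, domain and IP address in it is constructed.

```python
"""Honeytoken account monitor: constructed example, not Resecurity's code."""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional

# RFC 2606 reserves these TLDs; they never resolve on the public DNS, so a decoy
# dataset built on them cannot accidentally point at a real organisation.
RESERVED_TLDS = ("invalid", "example", "test", "localhost")


def is_synthetic_domain(domain: str) -> bool:
    """True if the domain ends in a reserved TLD that cannot exist publicly."""
    return domain.rsplit(".", 1)[-1].lower() in RESERVED_TLDS


def hash_token(token: str, salt: bytes) -> bytes:
    # Assumption: scrypt from the standard library stands in for bcrypt so the
    # example has no third-party dependency; both are salted, slow hashes, so a
    # leaked registry never reveals a usable plaintext token.
    return hashlib.scrypt(token.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


# username -> decoy record; only the hash of the planted token is kept.
# In a real deployment this store lives apart from the production identity system.
DECOY_ACCOUNTS: dict = {}
ALERTS: list = []


def register_decoy(username: str, token: str, email_domain: str) -> None:
    """Plant a decoy account. Refuses domains that could collide with real ones."""
    if not is_synthetic_domain(email_domain):
        raise ValueError(f"decoy e-mail domain must be reserved/synthetic: {email_domain}")
    salt = os.urandom(16)
    DECOY_ACCOUNTS[username] = {
        "salt": salt,
        "token_hash": hash_token(token, salt),
        "email": f"{username}@{email_domain}",
    }


def check_login(username: str, token: str, src_ip: str,
                now: Optional[datetime] = None) -> Optional[dict]:
    """Return an alert dict if this login touched a decoy account, else None.

    Any use of a decoy username is suspicious because no legitimate user owns it;
    a matching token additionally proves the planted credential was harvested
    from wherever it was seeded.
    """
    acct = DECOY_ACCOUNTS.get(username)
    if acct is None:
        return None  # not a decoy; normal authentication path would handle it
    now = now or datetime.now(timezone.utc)
    matched = hmac.compare_digest(acct["token_hash"], hash_token(token, acct["salt"]))
    alert = {
        "timestamp": now.isoformat(),   # exact time of the touch
        "src_ip": src_ip,               # network origin, kept for attribution
        "decoy_user": username,
        "token_matched": matched,
        "severity": "high" if matched else "medium",
    }
    ALERTS.append(alert)
    return alert


if __name__ == "__main__":
    # Constructed data: the name, token, domain and address are all placeholders.
    register_decoy("mark.kelly", "tok-constructed-0001", "finance-dept.invalid")
    print(check_login("mark.kelly", "tok-constructed-0001", "203.0.113.7"))
```

Two design points carry over from the report: the alert fires on the username alone, since a decoy account has no legitimate owner and a wrong token still indicates someone is trying a harvested credential, and the registry holds nothing but salted hashes, so even an attacker who exfiltrates it learns no token they could replay elsewhere. In production the `ALERTS` list would be replaced by a SIEM or ticketing sink, but the record shape (timestamp, source address, which decoy, whether the token matched) is what an investigator needs.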
Initial reports linked the attack to a cybercriminal group, ShinyHunters, although a spokesperson later reached out to BleepingComputer to confirm that they were not involved in the attack. The threat actors are associated with the "Scattered Lapsus$ Hunters" and typically refer to themselves that way because of an overlap in tactics and branding.
Although the threat actors behind the claimed breach have not provided additional evidence as of yet, BleepingComputer cites a new Telegram post suggesting that more information will be coming soon:
“Nice damage control Resecurity. More information coming soon!”