Congrats, cybercrims: You just fell into a honeypot
Resecurity offered its “congratulations” to the Scattered Lapsus$ Hunters cybercrime crew for falling into its threat intel team’s honeypot – resulting in a subpoena being issued for one of the data thieves. Meanwhile, the notorious extortionists have since removed their claims of gaining “full access” to the security shop’s systems.
The company’s Hunter unit set the trap in November 2025 after catching the group formerly known as ShinyHunters probing its public-facing services and applications, according to a Christmas Eve blog post.
“Understanding that the actor is conducting reconnaissance, our team has set up a honeytrap account,” Resecurity’s threat intelligence unit said on December 24. “This led to a successful login by the threat actor to one of the emulated applications containing synthetic data.”
Over the weekend, it trolled the criminals on social media.
The honeypot included fake employee accounts – including one purporting to be “Mark Kelly” with the email address mark@resecurity.com that was planted on stolen-data souk Russian Marketplace. It also included synthetic data and messages, such as 28,000 records impersonating consumers and more than 190,000 phony records of payment transactions.
“In our scenario, our goal was to allow the threat actor to conduct activity and feed them with synthetic data to observe their attack path and infrastructure,” the Resecurity team wrote.
It worked.
On January 3, the cybercrime crew claimed via Telegram that it had gained “full access” to Resecurity’s systems and stolen “everything,” which they said included internal chats and logs, employee data, threat intelligence reports and management files, and client information. “For months, REsecurity has been trying to social engineer us and groups we know,” the post said.
This, it turns out, was more social engineering on the part of Resecurity’s crew. According to the security sleuths, processing the fake data “led to several OPSEC mistakes” by Scattered Lapsus$ Hunters, including revealing the exact servers being used for automation. The security firm also published information about the attacker’s IPs, including some from Egypt and Mullvad VPN.
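The honeytoken pattern described above, as an added detection example that is not Resecurity's code: it scans constructed authentication log lines for attempts against bait accounts and collapses the hits into per-source-IP first/last-seen timestamps, the kind of data the article says was used to locate the actor. The log format and the second bait account are assumptions.

```python
import re
from collections import defaultdict

# Honeytoken accounts exist only as bait and have no legitimate users, so any
# authentication event naming them is a high-confidence signal.
# "mark@resecurity.com" is the planted account the article describes; the second
# entry is a constructed example of an additional bait identity (assumption).
HONEYTOKENS = {"mark@resecurity.com", "svc-backup@example.test"}

# Constructed sample log lines (not real telemetry). Assumed format:
# <ISO-8601 UTC timestamp> <app> login result=<ok|fail> user=<account> src=<ip> ua="<agent>"
SAMPLE_LOG = """\
2025-12-20T03:14:07Z portal login result=fail user=alice@resecurity.com src=203.0.113.9 ua="Mozilla/5.0"
2025-12-20T03:15:42Z portal login result=ok user=mark@resecurity.com src=198.51.100.23 ua="python-requests/2.31"
2025-12-20T03:15:58Z portal login result=ok user=mark@resecurity.com src=198.51.100.23 ua="python-requests/2.31"
2025-12-20T04:02:11Z portal login result=ok user=bob@resecurity.com src=203.0.113.44 ua="Mozilla/5.0"
2025-12-21T11:40:03Z portal login result=fail user=svc-backup@example.test src=192.0.2.77 ua="curl/8.4"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<app>\S+) login result=(?P<result>ok|fail) '
    r'user=(?P<user>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)"$'
)

def honeytoken_hits(log_text, honeytokens=HONEYTOKENS):
    """Return {account: [(timestamp, src_ip, result, user_agent), ...]} for every
    authentication attempt against a bait account. Failed attempts are kept too:
    a failure still proves the planted credential reached someone."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production pipeline would count these
        if m["user"] in honeytokens:
            hits[m["user"]].append((m["ts"], m["src"], m["result"], m["ua"]))
    return dict(hits)

def attacker_sources(hits):
    """Collapse hits into {src_ip: (first_seen, last_seen)}. ISO-8601 UTC
    timestamps of equal width sort correctly as strings, so min/max suffice."""
    by_src = {}
    for events in hits.values():
        for ts, src, _result, _ua in events:
            first, last = by_src.get(src, (ts, ts))
            by_src[src] = (min(first, ts), max(last, ts))
    return by_src

if __name__ == "__main__":
    hits = honeytoken_hits(SAMPLE_LOG)
    for account, events in hits.items():
        print(f"ALERT honeytoken {account}: {len(events)} attempt(s)")
    print(attacker_sources(hits))
```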
“Once the actor was located using available network intelligence and timestamps, a foreign law enforcement organization, a partner of Resecurity, issued a subpoena request regarding the threat actor.”
A day later, on January 4, the claims were removed from the Telegram channel.
Following publication, an account belonging to ShinyHunters said that it didn’t fall into the honeypot – Scattered LAPSUS$ Hunters did. “There is a misunderstanding, the previous outlets that reported on this situation mis-attributed it to ShinyHunters instead of Scattered LAPSUS$ Hunters (SLH). I want to make it clear that the TG channel is specifically associated with Scattered LAPSUS$ Hunters, not ShinyHunters. Any information or leaks that come out of that TG channel are associated with Scattered LAPSUS$ Hunters (SLH). However, ShinyHunters remains the spokesperson for both the ShinyHunters group and Scattered LAPSUS$ Hunters (SLH) collective.”
The Resecurity team declined to say which foreign law enforcement agency issued a subpoena, but told The Register that one of the suspects is a non-US person with associates in the US and the UK. ®