
Resecurity Honeypot Incident: Analysis of Scattered Lapsus$ Hunters’ Claimed Breach and Threat Intelligence Effectiveness

  • Rescana
  • 4 days ago
  • 5 min read

Executive Summary

On January 3, 2026, multiple threat actors, self-identified as Scattered Lapsus$ Hunters (SLH), publicly claimed to have breached the systems of cybersecurity firm Resecurity and exfiltrated sensitive internal data. The attackers released screenshots on Telegram, purporting to show access to employee data, internal communications, threat intelligence reports, and client information. However, Resecurity responded with a detailed statement and technical evidence confirming that the accessed environment was a deliberately deployed honeypot containing only synthetic, non-production data. Independent analysis by BleepingComputer, HackRead, and DataBreaches.net corroborates that no real customer or production data was compromised. The incident demonstrates the use of honeypots as an effective threat intelligence and attribution tool within the cybersecurity sector. All claims and technical details in this report are directly supported by primary sources, with explicit references and evidence quality assessments.

Technical Information

The incident began with reconnaissance activity detected by Resecurity on November 21, 2025, when their Digital Forensics and Incident Response (DFIR) team observed probing of publicly exposed systems. The threat actor used a combination of residential proxy IP addresses and VPN services, including addresses geolocated to Egypt and exit nodes of the Mullvad VPN service, to mask their origin and automate access attempts. This activity aligns with MITRE ATT&CK techniques T1595 (Active Scanning) and T1592 (Gather Victim Host Information), as confirmed by network telemetry and log analysis (BleepingComputer, Jan 3, 2026).

In response to the reconnaissance, Resecurity deployed a honeypot environment isolated from production systems. This environment was populated with synthetic datasets, including over 28,000 fake consumer records and more than 190,000 synthetic payment transaction records, generated using the official Stripe API format. The honeypot also included decoy employee records, client lists, and internal communication channels, all designed to closely mimic real business data and workflows (BleepingComputer, HackRead).

Between December 12 and December 24, 2025, the threat actor initiated automated data exfiltration attempts, generating more than 188,000 requests against the honeypot. The attackers interacted with user management panels, authentication tokens, and internal chat systems, all of which were synthetic and decoupled from any real operational environment. Screenshots released by the attackers depicted interfaces such as Mattermost collaboration channels, user management dashboards, and token databases, but all content was confirmed by Resecurity and independent media to be inactionable and synthetic (HackRead).

Technical analysis of the attack methods reveals the use of automation scripts or bots, residential proxy services, and credential access attempts. The attackers’ behavior mapped to several MITRE ATT&CK techniques, including T1090 (Proxy) for obfuscation, T1041 (Exfiltration Over C2 Channel) and T1567 (Exfiltration Over Web Service) for data exfiltration, T1078 (Valid Accounts) and T1555 (Credentials from Password Stores) for credential access, and T1589 (Gather Victim Identity Information) for collection of synthetic employee and client data. No specific malware samples or custom tools were identified in the public reporting, and all technical artifacts matched the decoy systems intentionally deployed by Resecurity (BleepingComputer, HackRead).

Throughout the incident, Resecurity monitored the attackers’ tactics, techniques, and infrastructure, collecting telemetry on their use of proxies and automation. The company observed multiple operational security (OPSEC) failures by the attackers, including brief exposures of real IP addresses due to proxy connection failures. This intelligence was shared with law enforcement, and a foreign law enforcement partner issued a subpoena request regarding the threat actor’s infrastructure (BleepingComputer).
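The two signals described above, a high request rate from automation and a session briefly surfacing a non-proxy IP after a proxy failure, can both be pulled out of honeypot access logs. The script below is an added illustration, not Resecurity's tooling; the log lines, session ids, IP ranges and rate threshold are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample honeypot access log: "timestamp session_id source_ip request_path".
# Session ids, IPs and paths are invented for this example, not taken from the incident.
SAMPLE_LOG = """\
2025-12-12T03:00:00Z sess-A 198.51.100.10 /api/users?page=1
2025-12-12T03:00:00Z sess-A 198.51.100.10 /api/users?page=2
2025-12-12T03:00:01Z sess-A 198.51.100.11 /api/users?page=3
2025-12-12T03:00:01Z sess-A 203.0.113.77 /api/users?page=4
2025-12-12T03:00:02Z sess-A 198.51.100.12 /api/tokens?page=1
2025-12-12T09:15:00Z sess-B 192.0.2.5 /login
2025-12-12T09:17:30Z sess-B 192.0.2.5 /dashboard
"""

# Constructed "known proxy/VPN exit" ranges; a real deployment would load a curated
# list of residential-proxy and VPN exit ranges instead of this single test network.
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

def parse_log(text):
    """Parse the whitespace-separated log format into (time, session, ip, path) tuples."""
    events = []
    for line in text.splitlines():
        ts, sid, ip, path = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), sid,
                       ipaddress.ip_address(ip), path))
    return events

def is_proxied(ip):
    return any(ip in net for net in PROXY_RANGES)

def analyze(events, min_rps=2.0):
    """Per session: request count, automation flag (sustained rate >= min_rps),
    and IPs seen outside the proxy ranges in a session that otherwise used proxies
    (the OPSEC slip a proxy connection failure produces)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev[1]].append(ev)
    report = {}
    for sid, evs in by_session.items():
        evs.sort()
        span = (evs[-1][0] - evs[0][0]).total_seconds()
        rate = len(evs) / span if span > 0 else float("inf")
        used_proxy = any(is_proxied(e[2]) for e in evs)
        leaked = sorted({str(e[2]) for e in evs if not is_proxied(e[2])}) if used_proxy else []
        report[sid] = {"requests": len(evs), "automated": rate >= min_rps, "leaked_ips": leaked}
    return report
```

Session sess-B never touches a proxy range, so its single IP is reported as a plain visitor rather than a leak; only a session that mixes proxied and unproxied requests is flagged.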

Attribution of the attack remains at medium confidence. While the group self-identified as Scattered Lapsus$ Hunters and claimed overlap with ShinyHunters, Lapsus$, and Scattered Spider, a spokesperson for ShinyHunters later denied involvement in this specific incident. No technical artifacts directly link the group to the attack, and attribution is based primarily on self-identification and circumstantial evidence (BleepingComputer, DataBreaches.net).

The incident fits a broader pattern of threat actors targeting cybersecurity and technology firms for retaliation, intelligence gathering, or reputational damage. However, in this case, the use of a honeypot by Resecurity ensured that no real customer or production data was compromised. The incident highlights the effectiveness of honeypot operations for threat intelligence, attacker attribution, and sector defense.

Affected Versions & Timeline

The incident did not impact any production systems, software versions, or real customer environments. All accessed data and systems were synthetic and isolated within a honeypot environment. The timeline of key events is as follows:

Initial reconnaissance and probing of Resecurity’s exposed systems began on November 21, 2025, as detected by the company’s DFIR team (BleepingComputer). Automated exfiltration attempts against the honeypot occurred between December 12 and December 24, 2025, with over 188,000 requests logged. On December 24, 2025, Resecurity published a report and statement clarifying the nature of the incident and confirming that only synthetic data was accessed. Public reporting and threat actor claims surfaced on January 3, 2026, with independent media and Resecurity confirming the honeypot nature of the environment (BleepingComputer, HackRead, DataBreaches.net).

Threat Activity

The threat activity observed in this incident included initial reconnaissance of public-facing systems, use of residential proxies and VPNs for obfuscation, automated data exfiltration attempts, and interaction with decoy user management and communication systems. The attackers claimed to have exfiltrated full internal chats and logs, internal plans, a complete client list, threat intelligence data, and employee information. However, all accessed data was synthetic and inactionable, as confirmed by Resecurity and independent analysis (HackRead).

The attackers’ tactics mapped to several MITRE ATT&CK techniques, including T1595 (Active Scanning), T1592 (Gather Victim Host Information), T1090 (Proxy), T1041 (Exfiltration Over C2 Channel), T1567 (Exfiltration Over Web Service), T1078 (Valid Accounts), T1555 (Credentials from Password Stores), and T1589 (Gather Victim Identity Information). No malware deployment or ransomware activity was observed, and the attack relied primarily on automation and credential access attempts.

Attribution to Scattered Lapsus$ Hunters is based on self-identification in public Telegram posts. The group claimed overlap with other well-known threat actors but provided no technical evidence linking them to the incident. ShinyHunters later denied involvement, and no unique technical artifacts were identified. The incident demonstrates a pattern of targeting cybersecurity firms for reputational impact, but in this case, the attackers were contained within a controlled honeypot environment (BleepingComputer, DataBreaches.net).

Mitigation & Workarounds

No mitigation is required for Resecurity’s production systems or customer environments, as no real data or operational infrastructure was compromised. However, the incident provides several sector-relevant recommendations, prioritized by severity:

Critical: Organizations should implement honeypot environments to monitor and analyze threat actor behavior, especially for high-value targets in the cybersecurity and technology sectors. Honeypots provide valuable telemetry for attribution and can prevent real data exposure by diverting attackers to controlled environments (BleepingComputer).

High: Regularly monitor public-facing systems for reconnaissance activity, including scanning, probing, and unauthorized access attempts. Employ network telemetry and logging to detect anomalous behavior and potential OPSEC failures by attackers.

Medium: Use synthetic datasets and decoy credentials in non-production environments to reduce the risk of real data exposure during security incidents or red team exercises.

Low: Share threat intelligence and telemetry with law enforcement and trusted partners to support attribution and legal action against threat actors.

No customer action is required as a result of this incident. All evidence confirms that only synthetic, non-production data was accessed, and there is no risk to real customer information or operational systems.

References

BleepingComputer, January 3, 2026: https://www.bleepingcomputer.com/news/security/hackers-claim-resecurity-hack-firm-says-it-was-a-honeypot/amp/

HackRead, January 3, 2026: https://hackread.com/shinyhunters-breach-us-cybersecurity-resecurity-firm/

DataBreaches.net, January 3, 2026: https://databreaches.net/

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, monitor, and mitigate risks associated with their external vendors and partners. Our platform enables continuous assessment of third-party security posture, supports the deployment of decoy environments for threat intelligence, and facilitates the sharing of actionable telemetry with internal and external stakeholders. For questions regarding this incident or our capabilities, please contact us at ops@rescana.com.
