Hackers claim to hack Resecurity, firm says it was a honeypot

Threat actors associated with the “Scattered Lapsus$ Hunters” (SLH) claim to have breached the systems of cybersecurity firm Resecurity and stolen internal data, while Resecurity says the attackers only accessed a deliberately deployed honeypot containing fake information used to monitor their activity.

Today, threat actors published screenshots on Telegram of the alleged breach, claiming they stole employee data, internal communications, threat intelligence reports, and client information.

“We would like to announce that we have gained full access to REsecurity systems,” the group wrote on Telegram, claiming to have stolen “all internal chats and logs”, “full employee data”, “threat intel related reports”, and a “complete client list with details.”

As proof of their claims, the threat actors published screenshots they allege were stolen from Resecurity, including what appears to be a Mattermost collaboration instance showing communications between Resecurity employees and Pastebin personnel regarding malicious content hosted on the text-sharing platform.

The threat actors, who refer to themselves as “Scattered Lapsus$ Hunters” due to the alleged overlap between ShinyHunters, Lapsus$, and Scattered Spider threat actors, said the attack was retaliation for what they claim are ongoing attempts by Resecurity to socially engineer the group and learn more about its operations.

The threat actors say Resecurity employees pretended to be buyers during the sale of an alleged Vietnam financial system database, seeking free samples and additional information.

Resecurity says it was a honeypot

Resecurity disputes the threat actors’ claims, stating that the allegedly breached systems are not part of its legitimate production infrastructure but were instead a honeypot designed to attract and monitor the threat actors.

After BleepingComputer contacted Resecurity about the claim, the company shared a report published on December 24, in which it says it first detected a threat actor probing its publicly exposed systems on November 21, 2025.

The company says its DFIR team identified reconnaissance indicators early and logged multiple IP addresses linked to the actor, including those originating from Egypt and Mullvad VPN services.

Resecurity said it responded by deploying a “honeypot” account within an isolated environment that allowed the threat actor to log in and interact with systems containing fake employee, customer, and payment data while researchers monitored the activity.

A honeypot is a deliberately exposed, monitored system or account designed to lure attackers, so that defenders can observe and analyze them and gather intelligence on their activity without risking real data or infrastructure.

The company says it populated the honeypot with synthetic datasets designed to closely resemble real-world business data. These included more than 28,000 synthetic consumer records and over 190,000 synthetic payment transaction records, both generated from Stripe’s official API format.

According to Resecurity, the threat actor began attempting to automate data exfiltration in December, generating more than 188,000 requests between December 12 and December 24 while using large numbers of residential proxy IP addresses.
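
The monitoring side of a decoy account like the one described above can be illustrated with a short added example (this is not Resecurity's tooling or code from its report). The Python below summarizes an access log per account and day and flags decoy-account use, source-IP rotation, and scripted request rates; the log format, account names, thresholds, and sample lines are assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical honeypot account name; any use of it is a signal by itself.
DECOY_ACCOUNTS = {"decoy.analyst"}

def make_sample_log():
    """Constructed log lines: timestamp, source IP (RFC 5737), account, method, path."""
    lines = []
    for i in range(300):  # decoy account: scripted paging from rotating addresses
        ip = f"203.0.113.{i % 40 + 1}"
        lines.append(f"2025-12-12T10:{i // 60:02d}:{i % 60:02d}Z {ip} "
                     f"decoy.analyst GET /api/customers?page={i}")
    for i in range(5):    # ordinary account: a few requests from one address
        lines.append(f"2025-12-12T11:00:{i:02d}Z 198.51.100.7 alice GET /dashboard")
    return lines

def parse(line):
    ts, ip, account, _method, path = line.split(" ", 4)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, path

def summarize(lines):
    """Per (account, day): request count, distinct source IPs, requests per minute."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(),
                                 "per_minute": defaultdict(int)})
    for line in lines:
        ts, ip, account, _path = parse(line)
        s = stats[(account, ts.date().isoformat())]
        s["requests"] += 1
        s["ips"].add(ip)
        s["per_minute"][ts.replace(second=0)] += 1
    return stats

def alerts(lines, max_ips=10, max_rpm=30):
    """Return one alert per (account, day) that trips any rule; thresholds are assumed."""
    out = []
    for (account, day), s in sorted(summarize(lines).items()):
        peak = max(s["per_minute"].values())
        reasons = []
        if account in DECOY_ACCOUNTS:
            reasons.append("decoy-account-use")
        if len(s["ips"]) > max_ips:
            reasons.append("ip-rotation")
        if peak > max_rpm:
            reasons.append("automation-rate")
        if reasons:
            out.append({"account": account, "day": day, "requests": s["requests"],
                        "distinct_ips": len(s["ips"]), "peak_rpm": peak,
                        "reasons": reasons})
    return out

if __name__ == "__main__":
    for alert in alerts(make_sample_log()):
        print(alert)
```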
