Resecurity says a claimed breach was only a monitored honeypot, while the attackers insist they stole real data—here’s what that standoff tells defenders about using deception safely.
What changed
Threat actors calling themselves “Scattered Lapsus$ Hunters” posted screenshots on Telegram claiming they exfiltrated employee records, threat intel files, and client data from security vendor Resecurity. The company countered that the intruders only touched a deliberately exposed honeypot seeded with synthetic data and watched from an isolated network. Resecurity says it first saw probing on November 21, 2025 and let the actor roam inside the decoy, logging 188,000 scripted requests routed through residential proxies between December 12 and December 24. The fake environment contained more than 28,000 synthetic consumer records and over 190,000 Stripe-formatted payment transactions to mirror production structure without risking customer data. During repeated proxy failures, Resecurity says the attacker leaked real IP addresses, which the company reported to law enforcement.
The group framed the intrusion as retaliation for supposed social-engineering attempts by Resecurity during a separate database sale. After publication, a ShinyHunters spokesperson denied involvement even though that brand has been linked to Scattered Lapsus$ Hunters. No further evidence beyond screenshots has been released. Resecurity’s response hinges on deception: the breach claims target a trap whose only purpose was to collect telemetry. The dispute highlights both the value and risk of running production-like honeypots when adversaries broadcast partial artifacts from them.
Source: BleepingComputer coverage of the Resecurity honeypot incident and Resecurity’s synthetic data honeypot report.
Why it matters
Deception has moved from research labs into frontline incident response. When attackers publicize partial screenshots from a honeypot, defenders must prove the boundary between decoy and real assets. That requires inventory discipline, synthetic data hygiene, and audit logs that can withstand public scrutiny. The Resecurity episode is a live case study in how quickly threat actors weaponize ambiguity: the same evidence can be spun as a catastrophic breach or as deliberate counter-intelligence.
For defenders, the stakes are operational: if your honeypot telemetry is not clearly segregated, lawyers, regulators, and customers may treat any exposure as a material incident. Conversely, a well-run honeypot turns attempted extortion into intelligence on proxy infrastructure, automation scripts, and opsec mistakes. That is exactly what Resecurity claims to have harvested during the 188,000 scripted requests.
Operational checklist
- Map data lineage: keep synthetic datasets tagged, immutable, and traceable so you can prove no regulated records were touched.
- Isolate identity paths: do not reuse SSO, MFA, or directory backends between decoys and production; use disposable credentials.
- Instrument egress: log every outbound connection and block destinations that overlap with real third-party APIs.
- Plan the message: pre-write public statements that explain decoy scope, so you can respond within hours if screenshots leak.
- Close the loop: deliver collected indicators—IP addresses, user agents, scripts—to fraud and abuse teams that can block them across other services.
Internal reference: see how a previous decoy story translated to learnings in Honeypot defense turns breach claim into intelligence.
How the honeypot worked
Resecurity’s playbook combined three ingredients: a production-shaped service boundary, synthetic data generated in realistic formats, and continuous monitoring of ingress and egress. The decoy exposed a login surface tied to LDAP, then funneled authenticated sessions into an isolated network segment. Data tables mirrored production schema but held AI-generated consumer identities and Stripe-style payment records so downstream queries looked legitimate. Because the target was credentialed, the attacker invested in automation—188,000 requests over twelve days—giving defenders a rich signal on timing, endpoints called, and payload structures.
Telemetry captured the proxy mix: Mullvad exit nodes, Egypt-origin IPs, and a rotating pool of residential addresses. Occasional proxy failures revealed source IPs, letting analysts pivot to ASN metadata and submit them to law enforcement. By staging additional fake datasets mid-incident, the team provoked more automation runs and broadened visibility into the actor’s tooling. This iterative lure-and-observe loop is the core of deception: shape the environment so adversaries reveal more than they take.
Guardrails to copy
- Isolate compute and identity: separate VPC, separate IAM, unique SSH keys, and denylist production CIDRs.
- Tag and watermark data: embed canary records and distinct formatting to prove origin if screenshots leak.
- Throttle and log: set rate limits that slow exfiltration without stopping it; preserve full packet captures for the duration.
- Plan a graceful shutdown: design triggers (e.g., real IP exposure) that stop the session before it threatens adjacent systems.
The risk surface lives in the details. If session cookies, VPN configs, or outbound traffic rules overlap with real services, a honeypot can become a lateral movement bridge. Immutable logging, separate identity stores, and explicit egress denies are non-negotiable controls when you invite attackers inside.
Context and threat backdrop
Scattered Lapsus$ Hunters is a loose label that nods to overlaps between ShinyHunters, Lapsus$, and Scattered Spider. Those crews have a history of combining data theft with publicity campaigns designed to pressure victims. The Telegram post fits that pattern: loud claims, selective screenshots, and promises of more. In this case, the noise ran into a deception strategy that anticipated the narrative and seeded believable—but fake—records.
Honeypots are hardly new, but the accessibility of synthetic data, public cloud isolation, and cheap residential proxies changes the economics. Defenders can mirror realistic payroll, CRM, and payment flows without touching regulated data. Attackers can blend into residential traffic and rapidly script exfiltration. That symmetry makes deception a viable way to turn recon into attribution and infrastructure mapping. It also means any messaging misstep will be punished in the court of public opinion, as security vendors face higher expectations of transparency.
Defensive considerations
- Legal pre-work: align deception plans with counsel so evidence gathered from adversaries can be shared without privacy conflicts.
- Third-party parity: if you simulate SaaS integrations (e.g., Stripe), ensure API keys are fake and network access cannot reach real endpoints.
- Rotation cadence: refresh synthetic datasets and credentials on a schedule so attackers cannot reuse tokens elsewhere.
- Cross-team visibility: route honeypot telemetry to fraud, SRE, and SOC channels so they can compare with production patterns.
Past cases show the stakes: when honeypots leaked real API keys or session tokens, they enabled follow-on intrusions. When they were cleanly isolated, they produced early warning on botnet infrastructure or new ransomware playbooks. The Resecurity case sits in the middle—public claims amplified the story, forcing the defender to share their deception architecture to preserve credibility.