Scattered Lapsus$ Hunters, Resecurity honeypot, cybersecurity deception, law enforcement intel

Daily Threat Intel Digest - 2026-01-04

[NEW] “Scattered Lapsus$ Hunters” claim Resecurity breach; firm says it was a honeypot

A threat actor group identifying as “Scattered Lapsus$ Hunters” (SLH) has claimed to have breached the cybersecurity firm Resecurity, allegedly stealing internal data, employee information, and client lists [BleepingComputer; BleepingComputer (updated)]. Resecurity has strongly disputed the claim, stating the attackers accessed only a deliberately deployed honeypot containing synthetic data, allowing the company to monitor their activities and gather intelligence for law enforcement. The group published screenshots on Telegram, including what appears to be internal communications, as proof of the breach and stated the attack was retaliation for Resecurity employees allegedly attempting to socially engineer them by posing as buyers for a database.

Resecurity detailed its deception operation, revealing it first detected reconnaissance activity on November 21, 2025, and subsequently deployed the honeypot in an isolated environment. The firm populated the system with over 28,000 fake consumer records and 190,000 synthetic payment transactions to closely resemble legitimate data. According to Resecurity, the actor generated over 188,000 requests in an attempt to exfiltrate this fake data between December 12 and December 24, a period during which the company collected extensive telemetry on the attacker’s tactics, techniques, and infrastructure [BleepingComputer; BleepingComputer (updated)]. Resecurity claims that attacker OPSEC failures, including exposed IP addresses due to proxy issues, allowed them to identify and share intelligence with a foreign law enforcement partner, which issued a subpoena for the threat actor. In an update to the initial claims, the well-known ShinyHunters group clarified that while they are often associated with the “Scattered Lapsus$ Hunters” moniker, they were not involved in this specific incident against Resecurity [BleepingComputer (updated)].