The cybersecurity community is buzzing over a dramatic claim of a major breach — but here's where it gets controversial: not everyone is convinced that the attackers really gained access to sensitive data as they say. Recently, members of the hacking group known as the 'Scattered Lapsus$ Hunters' (SLH) announced on Telegram that they had penetrated the systems of cybersecurity firm Resecurity and extracted internal data. They claimed to have stolen a trove of information, including employee records, internal communications, threat intelligence reports, and client details. To bolster their claims, they even shared screenshots appearing to show internal chats and logs, including a conversation between Resecurity staff and Pastebin moderators about malicious content hosted on the platform.
However, Resecurity firmly disputes these claims, asserting that the systems in question were not their operational infrastructure but instead a honeypot — a fake, carefully monitored environment set up specifically to trap and analyze malicious actors. This technique, known as a honeypot, involves deploying decoy data and systems in a controlled manner, allowing cybersecurity teams to observe attacker behavior without putting real, confidential information at risk.
The attackers, who call themselves the 'Scattered Lapsus$ Hunters,' linked their actions to a supposed cadre of hacking groups including ShinyHunters, Lapsus$, and Scattered Spider, suggesting a coordinated effort meant as retaliation. They allege that Resecurity attempted to spy on them by pretending to sell a Vietnamese financial database, gathering intelligence under false pretenses.
But after the attack, ShinyHunters disavowed involvement. A spokesperson clarified to BleepingComputer that ShinyHunters did not partake in this operation, despite claims suggesting otherwise. This correction has been updated in the original reporting.
Resecurity explains that it detected suspicious activity on their publicly accessible systems starting November 21, 2025, a date widely seen as an anomaly since it’s technically in the future — likely a typo or a mistake in the report. The company's Digital Forensics and Incident Response (DFIR) team traced back the activity to multiple IP addresses across Egypt and through VPN services, indicating international and deceptive traffic.
The firm responded by deploying a honeypot environment, featuring synthetic datasets modeled after real business data — over 28,000 fictitious customer records and 190,000 payment transactions modeled after Stripe's formats — intended to mimic legitimate data. The intent was to observe and analyze malicious activity without risking exposure of genuine assets.
In December, the attackers attempted to automate data theft from this fake environment, generating over 188,000 requests within a short period, often using residential proxies to hide their true origin. Throughout this time, Resecurity collected detailed telemetry, monitoring attack methods, infrastructure, and patterns of behavior. They also identified compromised servers and provided this intelligence to law enforcement agencies.
According to Resecurity, once the attacker’s infrastructure was sufficiently mapped, a law enforcement partner issued a subpoena to track down the perpetrators further. The threat actors responded via Telegram with a cryptic message indicating that more information would soon be released — but as of now, no additional proof has been provided.
This incident raises key questions about cybersecurity tactics like honeypots and the credibility of claims made in cyberattacks. Could engaging in deception tools like honeypots lead to better attack intelligence, or do such tactics sometimes muddy the waters of actual breach attribution? And with attackers claiming and showing screenshots of data breaches, yet the defending party insisting it's all part of a trap — who should we believe? Share your thoughts in the comments: Do you think such claims are genuine or often exaggerated? Is deploying honeypots a smart strategy or potentially a cybersecurity risky game? Let us know your opinions.
