ShinyHunters Alleged Breach and Honeypot Operation at Resecurity
The hacking group ShinyHunters claimed to have breached the internal systems of Resecurity, a US-based cybersecurity firm, releasing screenshots purportedly showing access to sensitive dashboards, user management panels, API keys, employee data, and internal communications. ShinyHunters alleged they exfiltrated internal chats, client lists, threat intelligence data, and employee information, framing the attack as retaliation for Resecurity's alleged attempts to infiltrate threat actor groups by posing as buyers on dark web markets. The group also credited Devman Ransomware for assistance in the attack and published evidence to support their claims.
However, Resecurity responded by stating that the data accessed by ShinyHunters was part of a sophisticated honeypot operation designed to monitor and log threat actor activity. According to Resecurity, the honeypot included simulated data and a planted honeytrap account, and there was no impact on actual customers or internal operations. Resecurity confirmed that all data referenced by ShinyHunters originated from the honeypot, and they had already logged the attackers' IP addresses. The incident highlights the ongoing cat-and-mouse dynamics between cybersecurity firms and threat actors, as well as the use of deception technologies in cyber defense.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Foreign law enforcement issues subpoena tied to a suspect
By January 5, 2026, reporting indicated that intelligence gathered during the honeypot operation had contributed to a subpoena from a foreign law enforcement agency targeting one suspect. Resecurity said the suspect was a non-US person with associates in the US and UK.
Attackers retract or remove public breach claims after exposure
After Resecurity revealed the honeypot operation, the threat actors reportedly denied involvement or removed their public claims that they had breached the company. This marked a shift from their earlier assertions of a successful compromise.
Independent review finds no evidence the leaked data was real
By January 5, 2026, outside reporting and review of the material supplied by the attackers found no evidence that the alleged Resecurity data was genuine customer or internal data. These assessments supported Resecurity's account that the exposed material was synthetic and part of a deception operation.
Resecurity releases evidence and shares intelligence with law enforcement
As part of its response, Resecurity published logs and other evidence supporting its honeypot claim and said it had identified attacker infrastructure, IP addresses, email accounts, and a phone number. The firm reported that this intelligence was provided to law enforcement for follow-up.
Resecurity says attackers only accessed synthetic honeypot data
On January 3, 2026, Resecurity publicly denied that its real systems were breached, stating the screenshots and purported stolen data came from an isolated honeypot populated with fake but realistic datasets. The company said no production systems, customer data, or operational assets were compromised.
ShinyHunters/SLH publicly claims a breach of Resecurity
On January 3, 2026, actors identifying as ShinyHunters, SLH, or Scattered Lapsus$ Hunters claimed on Telegram that they had fully compromised Resecurity. They alleged theft of internal chats, employee data, client lists, management files, and threat intelligence, and published screenshots as proof.
Attackers interact with honeypot and expose infrastructure
After the honeypot was deployed, the threat actors accessed the decoy environment and attempted automated exfiltration, generating more than 188,000 requests. Resecurity said the operation let it log IP addresses, observe tooling and OPSEC mistakes, and collect infrastructure details that were later shared with law enforcement and ISPs.
Resecurity detects reconnaissance and deploys a honeypot
In November 2025, Resecurity said it detected probing and reconnaissance activity by actors tied to Scattered Lapsus$ Hunters/ShinyHunters. The company responded by setting up a decoy environment with synthetic data and honeytrap accounts to study the attackers and protect production systems.
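The timeline above turns on two signals from the decoy environment: use of a planted honeytrap account, and high-volume automated requests from a small set of source addresses. The sketch below is an added example, not Resecurity's tooling. It derives both signals per source IP from web access logs, and the log format, account name, thresholds and sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

HONEY_ACCOUNTS = {"decoy.user"}  # hypothetical planted (honeytrap) account
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

# Constructed sample lines (documentation-range IPs), not data from the incident.
SAMPLE = """\
203.0.113.7 - decoy.user [01/Feb/2030:10:00:01 +0000] "GET /api/clients?page=1 HTTP/1.1" 200 5120
203.0.113.7 - decoy.user [01/Feb/2030:10:00:02 +0000] "GET /api/clients?page=2 HTTP/1.1" 200 5120
203.0.113.7 - decoy.user [01/Feb/2030:10:00:03 +0000] "GET /api/clients?page=3 HTTP/1.1" 200 5120
198.51.100.20 - - [01/Feb/2030:10:05:00 +0000] "GET /login HTTP/1.1" 200 900
not a log line
""".splitlines()

def parse(line):
    """Return a dict for one access-log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def summarize(lines, burst=3, window_s=10):
    """Per source IP: request count, bytes served, honeytoken use, burst flag."""
    per_ip = defaultdict(lambda: {"n": 0, "bytes": 0, "users": set(), "times": []})
    for rec in filter(None, map(parse, lines)):  # malformed lines are skipped
        s = per_ip[rec["ip"]]
        s["n"] += 1
        s["bytes"] += rec["size"]
        s["times"].append(rec["ts"])
        if rec["user"] in HONEY_ACCOUNTS:  # any use is an alert: nobody legitimate has it
            s["users"].add(rec["user"])
    report = {}
    for ip, s in per_ip.items():
        t = sorted(s["times"])
        # Automated if any `burst` consecutive requests fit inside `window_s` seconds.
        fast = any((t[i + burst - 1] - t[i]).total_seconds() <= window_s
                   for i in range(len(t) - burst + 1))
        report[ip] = {"requests": s["n"], "bytes": s["bytes"],
                      "honeytoken": sorted(s["users"]), "automated": fast}
    return report

if __name__ == "__main__":
    for ip, row in summarize(SAMPLE).items():
        print(ip, row)
```

A honeytoken hit is worth alerting on at a count of one, while the burst threshold needs tuning against the decoy's real baseline traffic.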
Sources
Scattered Lapsus$ Hunters Snared in Cyber Researcher Honeypot
darkreading.com
Congrats, cybercrims: You just fell into a honeypot
go.theregister.com
Cybersecurity firm turns tables on threat actors with decoy data trap
csoonline.com
Threat actors insisted that Resecurity’s honeypot was real data. We found no evidence that it was.
databreaches.net
Hackers claim to hack Resecurity, firm says it was a honeypot
bleepingcomputer.com
ShinyHunters claims Resecurity hack, firm says it’s a honeypot
bleepingcomputer.com
Resecurity Says ShinyHunters Fell for Honeypot After Breach Claim
hackread.com
ShinyHunters claims to have compromised Resecurity, but it looks like they fell for a honeypot
databreaches.net