**Cybersecurity Firm Resecurity Targeted in Alleged Breach by "Scattered Lapsus$ Hunters"**
Threat actors identifying as Scattered Lapsus$ Hunters (SLH) claimed to have breached cybersecurity firm Resecurity, publishing screenshots on Telegram as proof of the alleged compromise. The group asserted it had stolen internal data, including employee records, client details, threat intelligence reports, and communications from a Mattermost collaboration platform. The attack was framed as retaliation for what the actors described as Resecurity’s attempts to infiltrate their operations, including posing as buyers to obtain samples of a purported Vietnam financial database.
However, Resecurity disputed the claims, stating the accessed systems were part of a deliberately deployed honeypot—a decoy environment designed to monitor and analyze attacker behavior. According to the company, the threat actor first probed its systems on November 21, 2025, prompting Resecurity’s digital forensics team to deploy the honeypot in an isolated environment. The decoy contained synthetic datasets, including over 28,000 fake consumer records and 190,000 payment transactions generated via Stripe’s API, mimicking real-world data to lure the attackers.
Between December 12 and 24, the threat actor made 188,000 automated exfiltration attempts using residential proxy IP addresses, exposing their infrastructure during proxy failures. Resecurity collected telemetry on the attacker’s tactics, later identifying servers linked to the operation and sharing intelligence with law enforcement. A foreign law enforcement agency, acting on Resecurity’s findings, issued a subpoena to investigate the threat actor.
The group, which has previously been associated with ShinyHunters, Lapsus$, and Scattered Spider, later clarified that ShinyHunters was not involved in this incident. As of the latest update, the threat actors have not provided additional evidence beyond a Telegram post teasing further disclosures. Resecurity maintains that no legitimate production systems were compromised.
Resecurity cybersecurity rating report: https://www.rankiteo.com/company/resecurity
"id": "RES1767484920",
"linkid": "resecurity",
"type": "Breach",
"date": "12/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{
    'affected_entities': [
        {
            'customers_affected': 'Fake client data (synthetic records)',
            'industry': 'Cybersecurity',
            'name': 'Resecurity',
            'type': 'Cybersecurity Firm',
        },
    ],
    'attack_vector': 'Probing publicly exposed systems, honeypot interaction',
    'data_breach': {
        'data_exfiltration': 'Attempted (188,000+ automated requests for data exfiltration)',
        'number_of_records_exposed': '28,000+ synthetic consumer records, 190,000+ synthetic payment transaction records',
        'personally_identifiable_information': 'Fake PII (synthetic records)',
        'sensitivity_of_data': 'Low (synthetic/fake data)',
        'type_of_data_compromised': [
            'Employee data',
            'Internal communications',
            'Threat intelligence reports',
            'Client information',
        ],
    },
    'date_detected': '2025-11-21',
    'description': "Threat actors associated with the 'Scattered Lapsus$ Hunters' (SLH) claim to have breached the systems of cybersecurity firm Resecurity and stolen internal data. Resecurity disputes the claims, stating the attackers only accessed a deliberately deployed honeypot containing fake information used to monitor their activity. The threat actors published screenshots on Telegram as proof of the alleged breach, including employee data, internal communications, threat intelligence reports, and client information. Resecurity maintains the systems accessed were part of a honeypot operation.",
    'impact': {
        'brand_reputation_impact': 'Potential reputational damage due to public claims of breach',
        'data_compromised': 'Fake data (synthetic datasets, including employee data, internal communications, threat intelligence reports, and client information)',
        'systems_affected': 'Honeypot environment (isolated, non-production systems)',
    },
    'initial_access_broker': {
        'entry_point': 'Publicly exposed systems',
        'reconnaissance_period': 'November 21, 2025 - December 2025',
    },
    'investigation_status': 'Ongoing (threat actor activity still being monitored)',
    'lessons_learned': 'Effectiveness of honeypots in monitoring and gathering intelligence on threat actors; importance of OPSEC in threat actor operations; challenges in attributing attacks due to overlapping threat actor groups.',
    'motivation': 'Retaliation for alleged social engineering attempts by Resecurity',
    'post_incident_analysis': {
        'corrective_actions': 'Continued monitoring of threat actor infrastructure; sharing intelligence with law enforcement; potential legal action via subpoena.',
        'root_causes': 'Threat actor probing of publicly exposed systems; social engineering retaliation motive; OPSEC failures by threat actor (exposed IPs, proxy connection failures).',
    },
    'recommendations': 'Organizations should consider deploying honeypots for threat intelligence gathering; enhance monitoring of publicly exposed systems; collaborate with law enforcement for threat actor attribution and disruption.',
    'references': [
        {'source': 'BleepingComputer'},
        {'source': 'Resecurity Report'},
        {'source': 'Telegram (Scattered Lapsus$ Hunters)'},
    ],
    'response': {
        'communication_strategy': 'Public statement denying breach of real systems, disclosure of honeypot operation',
        'containment_measures': 'Isolated honeypot environment, monitoring of threat actor activity',
        'enhanced_monitoring': 'Yes (telemetry collection on attacker tactics and infrastructure)',
        'incident_response_plan_activated': 'Yes (honeypot deployment and monitoring)',
        'law_enforcement_notified': 'Yes (intelligence shared with law enforcement)',
        'network_segmentation': 'Isolated honeypot environment',
    },
    'stakeholder_advisories': 'Resecurity has publicly denied the breach of real systems and clarified the honeypot operation.',
    'threat_actor': 'Scattered Lapsus$ Hunters (SLH)',
    'title': 'Scattered Lapsus$ Hunters Claims Breach of Resecurity, Resecurity Denies Compromise',
    'type': 'Data Breach',
}