Cybersecurity company Resecurity denies that it has been the victim of a hack by criminals presenting themselves as Scattered Lapsus$ Hunters. The discussion was prompted by messages on Telegram in which the group claimed to have gained access to internal systems and stolen sensitive data.
However, according to Resecurity, as quoted by SiliconANGLE, this did not involve a real production system. It was a deliberately set up honeypot with completely synthetic data.
The attackers’ claims had already been highlighted by BleepingComputer. This media outlet reported that the group had published screenshots of what appeared to be internal communications and company information. It claimed that employee data, internal chat logs, threat reports, and customer information had been stolen. The group positions itself as a collaboration of several well-known threat actors, including ShinyHunters and Scattered Spider, although a spokesperson for ShinyHunters later told BleepingComputer that they were not involved in this specific action.
Controlled honeypot
According to Resecurity, the screenshots and datasets shown are part of a controlled environment set up specifically to mislead and observe attackers. The company says it observed suspicious reconnaissance activities on publicly accessible systems in November 2025. An isolated environment was then actively used in which fake accounts and realistic-looking but completely fabricated data were placed.
BleepingComputer reports that Resecurity deliberately made an account available that the attackers could use to log in. During this interaction, the behavior of the threat actors was extensively monitored. This honeypot contained tens of thousands of synthetic consumer files and a large amount of fictitious payment data, generated in a format that corresponds to real business data.
When the attackers attempted to exfiltrate the data on a large scale in December, Resecurity says it recorded hundreds of thousands of automated requests from a changing network of proxy and VPN addresses. According to the company, this activity provided valuable technical and operational information about the infrastructure and attack methods used. Some of that information was reportedly shared with law enforcement agencies.
Resecurity emphasizes that no actual employees, customers, or production environments were compromised. All data viewed or copied was created solely for deception purposes. The company presents the incident as an example of active cyber defense, in which organizations not only try to block attacks, but also use them to gain more insight into the methods of threat groups.
Meanwhile, the attackers insist that more information will follow. However, no additional evidence has been published to date that points to an actual breach of Resecurity’s real infrastructure.