The hacking group known as ShinyHunters has asserted that it successfully breached the cybersecurity firm Resecurity and compromised internal data. In response, Resecurity has firmly denied these claims, stating that the accessed systems were part of a honeypot designed to capture and analyze hacker activities. The conflict has escalated as ShinyHunters published alleged evidence of the breach on Telegram, claiming to have obtained sensitive employee data, internal communications, and client information.
In their Telegram announcement, ShinyHunters declared, “We would like to announce that we have gained full access to Resecurity systems,” and detailed their alleged haul, which included “all internal chats and logs,” “full employee data,” and a “complete client list with details.” The group, referring to itself as “Scattered Lapsus$ Hunters,” suggested that their actions were a response to Resecurity’s attempts to investigate their operations. They accused Resecurity employees of posing as buyers during a previous interaction, which further inflamed tensions between the two parties.
Resecurity has pushed back against the assertions made by ShinyHunters, stating that the purported breach is a misunderstanding. According to the company’s statements, the systems accessed were not part of its legitimate infrastructure but a honeypot specifically created to monitor threats. Resecurity highlighted a report published on December 24, 2025, in which it disclosed that it first detected probing activities from a threat actor on November 21, 2025.
The company described how its Digital Forensics and Incident Response (DFIR) team identified early reconnaissance indicators, tracking multiple IP addresses linked to the threat actor, some of which were traced back to Egypt, along with the use of Mullvad VPN services. Resecurity’s strategy involved deploying a honeypot account in an isolated environment, allowing the attacker to engage with systems that contained fabricated employee, customer, and payment data while being monitored by researchers.
A honeypot is a security resource whose value lies in being probed, attacked, or compromised. It is designed to lure attackers and collect intelligence without risking real data. In this instance, Resecurity populated the honeypot with synthetic datasets that closely resemble authentic business data, including over 28,000 synthetic consumer records and more than 190,000 synthetic payment transaction records generated according to Stripe’s official API format.
Resecurity reported that the threat actor began automating data exfiltration by December, generating over 188,000 requests in a span of just twelve days. The company noted that during this period, it gathered telemetry on the attacker’s tactics and infrastructure, revealing several operational security failures on the part of ShinyHunters.
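The kind of telemetry described above can be illustrated with a short added example, which is not Resecurity's code: it aggregates request logs by decoy account rather than by source IP, so that traffic spread across several exit addresses still shows up as one automated client. The account names, log fields, and the 300-requests-per-hour threshold are assumptions, and the log records are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical decoy account name; any request made with it is suspect by definition.
DECOY_ACCOUNTS = {"decoy-billing-01"}

def build_sample_events():
    """Constructed log records (not real telemetry): (timestamp, source IP, account, path)."""
    start = datetime(2025, 12, 1, 0, 0, 0)
    exits = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]  # documentation IP ranges
    events = []
    # One scripted client rotating through three exit IPs: a request every 5 s for 2 h.
    for i in range(1440):
        events.append((start + timedelta(seconds=5 * i), exits[i % 3],
                       "decoy-billing-01", f"/api/customers?page={i}"))
    # A person using a normal account: 6 requests, minutes apart.
    for i in range(6):
        events.append((start + timedelta(minutes=7 * i), "192.0.2.200",
                       "analyst-real", "/dashboard"))
    return events

def summarise_decoy_activity(events, decoys=DECOY_ACCOUNTS, per_hour_threshold=300):
    """Group by decoy account, not by IP, so address rotation cannot split the signal."""
    hourly = defaultdict(Counter)   # account -> {hour bucket: request count}
    sources = defaultdict(set)      # account -> distinct source IPs seen
    for ts, ip, account, _path in events:
        if account not in decoys:
            continue
        hourly[account][ts.replace(minute=0, second=0, microsecond=0)] += 1
        sources[account].add(ip)
    report = {}
    for account, buckets in hourly.items():
        peak = max(buckets.values())
        report[account] = {
            "total_requests": sum(buckets.values()),
            "distinct_sources": len(sources[account]),
            "peak_per_hour": peak,
            # Assumed threshold: a sustained hourly rate no interactive user would reach.
            "automated": peak >= per_hour_threshold,
        }
    return report

if __name__ == "__main__":
    for account, stats in summarise_decoy_activity(build_sample_events()).items():
        print(account, stats)
```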
After further monitoring, Resecurity added further datasets to the honeypot to study the attacker’s behavior, which led to new insights into the infrastructure used by the threat actor. The company identified servers that facilitated the attack through residential proxies and shared this intelligence with law enforcement agencies. A foreign law enforcement organization, which collaborates with Resecurity, subsequently issued a subpoena request concerning the identified threat actor.
As of now, ShinyHunters has not provided further evidence to substantiate their claims. Their latest statement on Telegram hinted at more information to follow, stating, “Nice damage control Resecurity. More information coming soon!”
As both parties continue to engage in this high-stakes cybersecurity dispute, the incident underscores the ongoing challenges that organizations face in safeguarding sensitive data against increasingly sophisticated cyber threats.
