Resecurity Caught ShinyHunters in Honeypot

Resecurity caught ShinyHunters (SLH) using decoy accounts; the group attacked airlines, telecoms, and law enforcement in Sept 2025.

In an interesting development, Resecurity has caught actors known as “ShinyHunters” or “Scattered Lapsus$ Hunters” (SLH) leveraging honeypot (decoy) accounts. The company was one of the first to release a public report detailing the group’s activities in September 2025, when the threat actors conducted several major attacks against airlines, telecommunication companies, and law enforcement agencies.

Following this reporting, Resecurity identified malicious targeting against one of their employees and created a decoy account to simulate a realistic environment containing inactionable and useless data. To do this, they leveraged readily available datasets from the Dark Web (such as HITB) as well as outputs generated by OpenAI. In the context of threat hunting, previously breached data can be highly effective for designing deception models that appear extremely realistic and attract threat actors.

In Telegram, the group claims to have “compromised” Resecurity, not realizing they have fallen into a honeypot prepared for them. The group stated that they “gained full access to Resecurity systems,” which is a clear overstatement, as the honeypot environment was designed without any sensitive information. Deception and honeytraps accounts are

Previously, similar malicious targeting has been conducted against Mandiant (now part of Google) and CrowdStrike.

Resecurity published a report containing logged IP addresses and residential proxies used by the actors, along with several OPSEC mistakes that revealed their true sources of connection

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters).