Full Report
Subpoena issued to former ShinyHunters member

Resecurity offered its "congratulations" to the Scattered Lapsus$ Hunters cybercrime crew for falling into its threat intel team's honeypot – resulting in a subpoena being issued for one of the data thieves. Meanwhile, the notorious extortionists have since removed their claims of gaining "full access" to the security shop's systems.…
Analysis Summary
# Incident Report: Threat Actor Entrapment and Subpoena of Cybercriminal
## Executive Summary
Resecurity's threat intelligence team successfully lured members of the Scattered Lapsus$ Hunters cybercrime crew into interacting with a sophisticated honeypot environment designed to mimic production systems. This engagement led to demonstrable operational security (OPSEC) failures by the attackers, allowing Resecurity to identify the threat actors' infrastructure, which subsequently resulted in a foreign law enforcement organization issuing a subpoena for one of the involved data thieves. The attackers' claims of a full system compromise were retracted following the operation.
## Incident Details
- **Discovery Date:** November 2025 (Initial probing detected)
- **Incident Date:** December 24, 2025 (Honeypot activated); January 3, 2026 (Attackers claimed success)
- **Affected Organization:** Resecurity (Target of the initial reconnaissance)
- **Sector:** Cybersecurity / Threat Intelligence
- **Geography:** Global (Attacker IPs traced to Egypt and via Mullvad VPN; Suspect linked internationally)
## Timeline of Events
### Initial Access
- **Date/Time:** November 2025
- **Vector:** Reconnaissance against public-facing services and applications.
- **Details:** Resecurity detected initial probing activities by the cybercrime crew.
### Lateral Movement
- **Date/Time:** Post-December 24, 2025 (within the honeypot environment)
- **Vector:** Successful login to an emulated application via a honeytrap account.
- **Details:** The threat actor moved within the sandboxed environment, interacting with synthetic data.
### Data Exfiltration/Impact
- **Date/Time:** January 3, 2026
- **Vector:** Attempted theft of synthetic data presented as sensitive organizational information.
- **Details:** The group publicly claimed to have stolen internal chats, logs, threat intelligence reports, management files, and client information. These claims were later retracted.
### Detection & Response
- **Date/Time:** December 24, 2025 – January 4, 2026
- **Details:** Resecurity activated a trap account ("Mark Kelly") placed on a dark web marketplace, feeding the actor synthetic data (28,000 consumer records, 190,000 payment records). Processing this fake data induced OPSEC mistakes by the threat actor. On January 3, following the public boasts, network intelligence and timestamps were used to identify attacker IPs. A partner foreign law enforcement agency subsequently issued a subpoena request. Claims were removed by January 4.
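Detection logic of the kind a honeytrap account makes possible, written here as an added example (not Resecurity's code): every authentication attempt against a bait account is flagged, grouped by source IP with first/last-seen timestamps, and then correlated against the time of the attackers' public claim. The log format, the account name "mkelly", the IP addresses and the claim time are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (example data, not from the article).
# "mkelly" stands in for the report's honeytrap account: it exists only as bait,
# so any authentication attempt against it is suspect.
SAMPLE_LOG = """\
2026-01-02T21:14:07Z auth user=jdoe src=10.0.0.12 result=success
2026-01-03T02:41:55Z auth user=mkelly src=203.0.113.45 result=success
2026-01-03T02:42:10Z auth user=mkelly src=203.0.113.45 result=success
2026-01-03T05:10:02Z auth user=mkelly src=198.51.100.7 result=failure
2026-01-03T09:00:00Z auth user=asmith src=10.0.0.20 result=success
"""
HONEYTRAP_ACCOUNTS = {"mkelly"}
LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_line(line):
    """Parse one log line into a dict with a UTC datetime, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def honeytrap_activity(log_text, trap_accounts=HONEYTRAP_ACCOUNTS):
    """Group every attempt against a trap account by source IP.
    Failed attempts count too: a legitimate user never touches bait."""
    activity = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in trap_accounts:
            continue
        e = activity.setdefault(rec["src"], {"first_seen": rec["ts"], "last_seen": rec["ts"],
                                             "attempts": 0, "successes": 0})
        e["first_seen"] = min(e["first_seen"], rec["ts"])
        e["last_seen"] = max(e["last_seen"], rec["ts"])
        e["attempts"] += 1
        e["successes"] += rec["result"] == "success"
    return activity

def sources_before_claim(activity, claim_time, window=timedelta(hours=12)):
    """Source IPs with a successful trap login in the window before a public claim."""
    return sorted(src for src, e in activity.items()
                  if e["successes"] and claim_time - window <= e["last_seen"] <= claim_time)

# Constructed stand-in for the time of the January 3 public boast.
CLAIM_TIME = datetime(2026, 1, 3, 8, 0, tzinfo=timezone.utc)
```

The failed attempt from the second address is still recorded as an indicator, but only sources with a successful login inside the correlation window are returned as candidates for the claimed access.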
## Attack Methodology
*Note: This section describes the **attacker's** perceived methodology against the honeypot, and the **victim's** counter-methodology using deception.*
- **Initial Access (Attacker):** Use of compromised credentials, obtained from the marketplace where the bait was seeded, to log in to the emulated public-facing application via the honeytrap account.
- **Persistence (Attacker):** Not explicitly detailed beyond maintaining access to the compromised emulated application.
- **Privilege Escalation (Attacker):** Not detailed.
- **Defense Evasion (Attacker/Victim Interaction):** The attacker believed they were evading detection by targeting a security firm, but the environment was designed for observation.
- **Credential Access (Attacker):** May have utilized credentials posted on the Russian Marketplace.
- **Discovery (Attacker):** Initial internal reconnaissance within the emulated environment.
- **Lateral Movement (Attacker):** Movement within the emulated infrastructure.
- **Collection (Attacker):** Gathering of synthetic data, including fake PII and transaction records.
- **Exfiltration (Attacker):** Attempted exfiltration of data claimed to be sensitive organizational assets.
- **Impact (Attacker):** Intended financial extortion and reputational damage against Resecurity.
## Impact Assessment
- **Financial:** No direct financial loss to Resecurity from data theft, since only synthetic data was taken; the legal and investigative costs of the subpoena process fall on the threat actor.
- **Data Breach:** Zero actual proprietary data breach occurred; the compromise involved only synthetic, fabricated data.
- **Operational:** Minimal operational disruption; the incident was an intentional engagement orchestrated by the victim’s threat intelligence team.
- **Reputational:** Initial minor reputational risk when the attackers publicly claimed full access, which was quickly mitigated by revealing the entrapment strategy.
## Indicators of Compromise
*Note: Indicators relate to the threat actors responding to the engagement.*
- **Network Indicators:** No specific addresses are listed; attacker connections were traced to Egypt and to Mullvad VPN infrastructure.
- **File Indicators:** None stated, as the interaction involved accessing emulated applications.
- **Behavioral Indicators:** Posting claims of comprehensive data theft on Telegram channels and engaging in social engineering/counter-social engineering tactics.
## Response Actions
- **Containment measures:** The threat actor's activity was strictly contained within the isolated, monitored honeypot environment utilizing synthetic data.
- **Eradication steps:** Not applicable to the victim's environment; the objective, which was met, was to capture attacker artifacts.
- **Recovery actions:** None required regarding data; the primary outcome was the collection of intelligence leading to legal action.
## Lessons Learned
- **Key takeaways:** Deception techniques (honeypots combined with bait credentials and fake data seeded on external marketplaces) are highly effective at inducing OPSEC mistakes even from capable actors such as Scattered Lapsus$ Hunters.
- **What could have been done better:** The article does not specify shortcomings, but highlights the success of proactively baiting reconnaissance-stage actors.
## Recommendations
- **Prevention measures for similar incidents:** Continue proactive threat intelligence operations involving deception technology (honeypots) to turn reconnaissance into direct intelligence gathering on attacker infrastructure and identity.
- **Operational Security:** Maintain strict separation between deceptive environments and production systems to ensure actors cannot pivot from the honeypot to real assets.
- **Legal Readiness:** Ensure legal partners are established in advance to rapidly act upon identifying threat actor infrastructure that results from covert operations.