Threat actors insisted that Resecurity's honeypot was real data. We found no evidence that it was. - DataBreaches.Net
"Recognizing the attempt at reconnaissance, they set up a honeytrap account using synthetic data. "This led to a successful login by the threat actor to one of the emulated applications containing synthetic data. While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong proof of their activity," they wrote."
"November 21, 2025 - Resecurity identified a threat actor attempting to conduct malicious activity targeting our resources. The actor was probing various publicly facing services and applications. Prior to that, the actor targeted one of our employees who had no sensitive data or privileged access. Our DFIR team logged the threat actor at an early stage and documented the following Indicators of Attack (IOA): 156.193.212.244 (Egypt) 102.41.112.148 (Egypt) 45.129.56.148 (Mullvad VPN) 185.253.118.70 (VPN)"
"According to Resecurity, the threat actor fell for the honeypot. "Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data. During this period, the Resecurity team documented the activity and collaborated with relevant law enforcement authorities and ISPs to share information about it.""
ScatteredLapsus$Hunters announced a claimed breach of Resecurity, asserting theft of internal chats and logs, full employee data, threat intelligence, a complete client list, and chat-based plans. Resecurity denied a real-data breach and recorded an incident beginning November 21, 2025, when a threat actor probed public services and targeted an employee without privileged access. The DFIR team logged indicators of attack and multiple IPs, then deployed an emulated application populated with synthetic data as a honeytrap. The actor accessed the honeypot and made over 188,000 requests between December 12 and December 24; law enforcement and ISPs were engaged.
Read at DataBreaches.Net