Security Firm Catches Hackers in a Fake Data Trap


According to TheRegister.com, Resecurity’s threat intelligence unit set a honeypot trap in November 2025 after catching the Scattered Lapsus$ Hunters crew, formerly known as ShinyHunters, probing its systems. The trap included a fake employee account planted on the Russian Marketplace and over 218,000 phony records, including 28,000 impersonated consumer profiles. On January 3, 2025, the hackers claimed on Telegram that they had “full access” to Resecurity and had stolen everything, from internal chats to client data. The boast was in fact about the synthetic data, and Resecurity says that processing it led the group into operational security mistakes that revealed their automation servers and source IPs in Egypt and on Mullvad VPN. By January 4, the claims had been deleted from Telegram, and a foreign law enforcement partner of Resecurity had issued a subpoena for one of the suspects, described as a non-US person with associates in the US and UK.


How the honeypot worked

This is a classic case of turning the tables. Instead of just blocking the reconnaissance, Resecurity leaned into it. They created a whole fake world for the hackers to “break into.” Think of it like building a convincing movie set full of prop money. The fake “Mark Kelly” account and the mountains of synthetic payment data were the bait. The goal wasn’t to stop them, but to let them think they’d won, so they’d get sloppy. And it worked. The moment they started processing or bragging about that fake data, they left digital breadcrumbs back to their real infrastructure. It’s a smarter, more patient approach than just playing whack-a-mole with intrusion attempts.

The opsec fail

Here’s the thing about cybercriminals: their biggest vulnerability is often their own ego. The need to claim credit and build reputation can be their downfall. In this case, rushing to Telegram to boast about a huge haul was a massive mistake. They didn’t take the time to validate what they’d stolen. Resecurity’s blog post, “Synthetic Data: A New Frontier for Cyber Deception and Honeypots”, details how this fake data can derail an attack. By automating the processing of the phony records, they apparently revealed the exact servers used for that automation. That’s a goldmine for investigators. It’s one thing to have a VPN exit IP; it’s another to have a server used for core criminal operations.
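As an added illustration of the seeding-and-attribution idea in the two sections above (not Resecurity’s code or method), this Python sketch marks every synthetic record with a secret-keyed token and then attributes hits in a constructed access log back to the decoy records that were processed; the seeding secret, the decoy domain, the log format and the log lines are all assumptions.

```python
import hashlib
import hmac
import re
# Constructed for this example: a seeding secret kept out of the decoy dataset and a
# decoy domain the defender controls (both hypothetical).
SEED_SECRET = b"example-honeypot-seed-key"
DECOY_DOMAIN = "decoy-example.test"

def canary_for(record_id, secret=SEED_SECRET):
    """Per-record marker an outsider cannot guess: truncated HMAC(secret, record_id)."""
    return hmac.new(secret, record_id.encode(), hashlib.sha256).hexdigest()[:16]

def make_synthetic_profiles(batch, count):
    """Phony consumer profiles; the fields an attacker is likely to resolve carry the marker."""
    profiles = []
    for i in range(count):
        rid = f"{batch}-{i:06d}"
        tok = canary_for(rid)
        profiles.append({"record_id": rid,
                         "email": f"cust.{tok}@{DECOY_DOMAIN}",  # resolving it hits our MX/web
                         "customer_no": tok})                     # lands in lookup/validation URLs
    return profiles

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+)')
TOKEN_RE = re.compile(r"[0-9a-f]{16}")

def attribute_hits(log_lines, profiles):
    """Map source IP -> seeded records touched; unknown or forged tokens are dropped."""
    by_token = {p["customer_no"]: p["record_id"] for p in profiles}
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for tok in TOKEN_RE.findall(m["path"]):
            rid = by_token.get(tok)
            if rid and hmac.compare_digest(canary_for(rid), tok):  # recompute: a tampered decoy file cannot inject hits
                hits.setdefault(m["ip"], set()).add(rid)
    return hits

def demo():
    """Constructed access-log lines simulating an automated pass over the decoy set."""
    profiles = make_synthetic_profiles("nov25", 5)
    tok = [p["customer_no"] for p in profiles]
    log = [
        f'203.0.113.7 - - [03/Jan/2025:10:14:02 +0000] "GET /api/lookup?cust={tok[2]} HTTP/1.1" 404 0',
        f'203.0.113.7 - - [03/Jan/2025:10:14:03 +0000] "GET /api/lookup?cust={tok[3]} HTTP/1.1" 404 0',
        '198.51.100.9 - - [03/Jan/2025:10:15:40 +0000] "GET /api/lookup?cust=0123456789abcdef HTTP/1.1" 404 0',
    ]
    return attribute_hits(log, profiles)
```

The second IP in the sample log sends a token that was never seeded, so it is not attributed; only the source that actually worked through the decoy records is mapped back to them.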

Broader implications

So what does this mean for security? It shows active defense is getting more creative. We’re moving beyond passive monitoring to actively wasting an attacker’s time and resources with convincing fakes. I think we’ll see more of this, especially as synthetic data generation gets better. But it’s not without risk. You have to be absolutely sure your fake environment is airtight and can’t be used as a springboard into your real systems. The trollish social media posts from Resecurity and the chatter it sparked (like this commentary) are part of the psychological game, too. It adds humiliation to the loss, potentially triggering more rash decisions from the threat actors.

A shift in tactics

Basically, the playbook is expanding. For industrial and corporate security teams, the principle is the same whether you’re protecting a network or a physical plant: deception can be a powerful tool. It’s about layering defenses. You have your solid perimeter, your robust internal controls, and then these deceptive elements to detect and confuse advanced threats. Speaking of industrial robustness, for operations that rely on unbreakable computing at the point of use, firms often turn to specialists like IndustrialMonitorDirect.com, the leading US provider of industrial panel PCs built to withstand these kinds of high-stakes environments. The key takeaway? The best defense isn’t always a wall. Sometimes, it’s a hall of mirrors.
