TL;DR

Resecurity's threat intel team lured a cybercrime group into a decoy environment and fed it synthetic data, prompting operational mistakes that exposed the attackers' infrastructure. A foreign law enforcement partner issued a subpoena for one suspected actor after the intrusion was traced.

What happened

Resecurity's Hunter unit set up a decoy account and emulated applications in November 2025 after detecting probing activity from a group formerly linked to ShinyHunters. The trap included fabricated employee profiles—one using the name "Mark Kelly" and an email planted on an underground marketplace—alongside thousands of synthetic consumer and payment records to observe how the intruders would operate. The threat actors later claimed on Telegram that they had obtained full access and stolen internal material, but those posts were removed within days. According to Resecurity, interacting with the fake data caused the attackers to make operational security errors that revealed the servers used for automation and exposed IP addresses, including some tied to Egypt and connections via Mullvad VPN. Using timestamps and network intelligence, Resecurity says a foreign law enforcement partner issued a subpoena for one suspect, described as a non‑US person with associates in the US and UK. The company declined to identify the agency involved.

Why it matters

  • Deception operations can yield evidence that helps attribute and disrupt criminal operations.
  • Public claims of large breaches can be misleading when defenders control the exposed environment.
  • OPSEC failures by attackers provide investigation leads, including IPs and server details.
  • Cross‑border cooperation between private firms and law enforcement can produce legal action such as subpoenas.

Key facts

  • Resecurity's Hunter team created a honeytrap after detecting reconnaissance by the group formerly known as ShinyHunters.
  • The decoy environment was established in November 2025 and detailed in a December 24 blog post.
  • Fake assets included a planted employee account under the name "Mark Kelly" and synthetic datasets: about 28,000 consumer records and over 190,000 payment transaction records.
  • On January 3 the cybercrime crew posted claims of full access to Resecurity systems; those claims were removed from Telegram on January 4.
  • Resecurity says attacker mistakes exposed automation servers and IP addresses; published IPs included some from Egypt and connections via Mullvad VPN.
  • A foreign law enforcement partner issued a subpoena for one suspect identified through network intelligence and timestamps.
  • Resecurity declined to disclose which law enforcement agency issued the subpoena.
  • Resecurity publicly taunted the attackers on social media after the operation led to their identification.

What to watch next

  • Whether the subpoena leads to formal charges or arrests: not confirmed in the source.
  • If additional legal requests or cross‑jurisdictional actions follow from the identified infrastructure: not confirmed in the source.
  • Whether any clients or third parties were actually exposed or affected by the incident: not confirmed in the source.

Quick glossary

  • Honeypot: A decoy system or environment set up to attract attackers so defenders can observe behavior and collect intelligence.
  • OPSEC: Operational security practices that limit information leakage and protect details of operations or capabilities.
  • Threat intelligence: Information gathered about cyber threats, including actors, infrastructure, tactics, and indicators of compromise.
  • Subpoena: A legal document ordering a person or organization to produce evidence or testify, often used in investigations.
  • Synthetic data: Artificially generated data designed to resemble real datasets without exposing actual sensitive information.

Reader FAQ

Did the attackers actually steal real Resecurity data?
The cybercriminals claimed full access, but Resecurity says they were interacting with fabricated accounts and synthetic data; the source indicates those public claims were removed and does not confirm a theft of real data.

Which law enforcement agency issued the subpoena?
Resecurity declined to name the foreign law enforcement organization that issued the subpoena; not confirmed in the source.

Were any customers compromised?
Not confirmed in the source.

Who are the attackers involved?
The activity was attributed to a crew described as Scattered Lapsus$ Hunters, a group formerly associated with ShinyHunters; further identities of suspects were not confirmed in the source.

Sources

  • "Congrats, cybercrims: You just fell into a honeypot. Subpoena issued to former ShinyHunters member", Jessica Lyons, Mon 5 Jan 2026, 20:21 UTC.
