Resecurity deploys honeypots seeded with synthetic data to outwit threat actors, turning their reconnaissance into useful intelligence. A recent operation not only ensnared an Egypt-linked hacker but also misled the ShinyHunters collective into believing it had breached real systems.
Resecurity has refined deceptive technologies for counterintelligence, simulating enterprise environments to lure threat actors into monitored traps.
These build on conventional honeypots, misconfigured services, or phony resources that quietly record intruders, now augmented with AI-generated synthetic data that imitates real-world patterns without exposing proprietary details. Previously compromised data from dark web sources adds authenticity, deceiving even sophisticated actors who verify their targets.
On November 21, 2025, Resecurity’s DFIR team identified a threat actor probing public-facing services following an attempt to compromise a low-privilege employee. Indicators included IPs such as 156.193.212.244 and 102.41.112.148 (Egypt), along with the VPN exit addresses 45.129.56.148 (Mullvad) and 185.253.118.70.
Responders set up a honeytrap in a simulated app populated with synthetic datasets: 28,000 consumer records (usernames, emails, and fake PII drawn from combo lists) and 190,000 Stripe-style payment transactions, generated with tools such as SDV, MOSTLY AI, and Faker. A decoy account, “Mark Kelly,” was advertised on Russian Marketplace to attract attackers.

The actor took the bait, issuing over 188,000 requests between December 12 and 24 to extract the data through custom automation and residential proxies.
This yielded “abuse data” on the actor’s tactics, infrastructure, and OPSEC errors, including genuine IPs leaked when proxies failed. Resecurity interfered with the proxies, forcing the reuse of known hosts, and shared its findings with law enforcement, culminating in a foreign subpoena.
Isolated decoys such as Office 365, VPN portals, and a decommissioned Mattermost instance containing fake 2023 conversations (six groups, generated with OpenAI) proved best suited for high-value imitation at no risk to production systems.
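One way to turn such decoy traffic into abuse data, as an added example that is not Resecurity’s code: it parses constructed access-log lines from a decoy that has no legitimate users, flags session tokens that page through the data at scripted speed, and groups every IP that presented the same token so that an address exposed during a proxy failure is tied to the same actor. The log format, the token values and the KNOWN_PROXY_IPS list are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic): token tok-A1 is presented from
# rotating proxy IPs and, once, from 198.51.100.7 when the proxy pool fails.
SAMPLE_LOG = """\
2025-12-12T10:00:01Z 203.0.113.10 tok-A1 /api/customers?page=1
2025-12-12T10:00:02Z 203.0.113.11 tok-A1 /api/customers?page=2
2025-12-12T10:00:03Z 203.0.113.12 tok-A1 /api/customers?page=3
2025-12-12T10:00:04Z 198.51.100.7 tok-A1 /api/customers?page=4
2025-12-12T10:00:05Z 203.0.113.13 tok-A1 /api/transactions?page=1
2025-12-12T10:05:00Z 192.0.2.55 tok-B2 /login
"""

# Constructed stand-in for a residential-proxy reputation list (assumption).
KNOWN_PROXY_IPS = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"}

def parse_log(text):
    """Parse 'timestamp ip token path' lines into (datetime, ip, token, path)."""
    return [(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token, path)
            for ts, ip, token, path in (l.split() for l in text.splitlines())]

def bulk_extraction_tokens(events, max_requests=3, window_seconds=60):
    """Tokens exceeding max_requests in any sliding window (thresholds tuned to the sample)."""
    by_token = defaultdict(list)
    for ts, _ip, token, _path in events:
        by_token[token].append(ts)
    flagged = set()
    for token, times in by_token.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while (times[right] - times[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 > max_requests:
                flagged.add(token)
                break
    return flagged

def ips_per_token(events):
    """Every IP that presented a given token belongs to the same session, hence the same actor."""
    seen = defaultdict(set)
    for _ts, ip, token, _path in events:
        seen[token].add(ip)
    return dict(seen)

def candidate_origin_ips(ip_set, proxy_ips=KNOWN_PROXY_IPS):
    """IPs tied to the actor's token that are not known proxies: leads worth pivoting on."""
    return {ip for ip in ip_set if ip not in proxy_ips}
```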
ShinyHunters Captured in Update
A January 3, 2026, update disclosed that ShinyHunters, a group Resecurity had previously identified, fell into the same trap, claiming on Telegram to have “full access” to “[honeytrap].b.idp.resecurity.com” and other fictitious systems.

Their screenshots showed the fictitious Mattermost instance for “Mark Kelly,” non-existent domains such as “resecure.com,” bcrypt-hashed API tokens from duplicate tester accounts, and irrelevant old logs.
The group acknowledged the disruption caused by Resecurity’s tactics; social engineering uncovered links to jwh*****y433@gmail.com, a US phone number, and a Yahoo account registered during the operation.

This confirms the effectiveness of cyber deception for threat hunting and investigations, generating IOCs/IOAs from managed engagements. Adherence to privacy regulations remains crucial.
Logs from Resecurity and earlier ShinyHunters revelations suggest that retaliation backfired, leading to self-incrimination. Organizations can mirror these tactics through monitored decoys in non-production environments, advancing proactive defense against financially motivated threat actors.