Resecurity deploys AI-generated synthetic data honeypots to outsmart threat actors, turning their reconnaissance into actionable intelligence. A recent operation not only trapped an Egyptian-linked hacker but also duped the ShinyHunters group into making false breach claims.
Resecurity has refined deception technologies for counterintelligence, mimicking enterprise environments to lure threat actors into controlled traps.
These build on traditional honeypots, misconfigured services, or dummy assets that passively log intruders, now powered by AI-generated synthetic data that resembles real-world patterns without exposing proprietary information. Previously breached data from dark web sources enhances realism, fooling even advanced actors who validate their targets.
On November 21, 2025, Resecurity's DFIR team observed a threat actor scanning public-facing services after targeting a low-privilege employee. Indicators included IPs such as 156.193.212.244 and 102.41.112.148 (Egypt), plus the VPN exits 45.129.56.148 (Mullvad) and 185.253.118.70.
Responders deployed a honeytrap in an emulated app seeded with synthetic datasets: 28,000 consumer records (usernames, emails, fake PII derived from combo lists) and 190,000 Stripe-like payment transactions generated with tools such as SDV, MOSTLY AI, and Faker. A bait account, "Mark Kelly," was planted on Russian Market to draw attackers in.
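The following is an added illustration of how such a decoy dataset can be built so that any row later seen in a leak is traceable back to the honeytrap; it is not Resecurity's tooling and does not use SDV, MOSTLY AI or Faker. It uses only the Python standard library, so it runs offline; every name list, domain, amount range and the HMAC key are constructed for the example, and the "Stripe-like" shape (a `ch_` id, an integer amount in minor units, a status) is an approximation, not Stripe's schema.

```python
"""Synthetic honeytrap records with per-row canary tags (added example, not Resecurity's code)."""
import hashlib
import hmac
import random
import string

# Constructed placeholder; a real deployment would keep this secret outside the decoy.
CANARY_KEY = b"constructed-demo-secret"

FIRST_NAMES = ["mark", "anna", "lee", "omar", "sofia", "chen", "raj", "maria"]
LAST_NAMES = ["kelly", "ortiz", "nguyen", "haddad", "rossi", "wang", "patel", "silva"]
DOMAINS = ["example.com", "example.net", "example.org"]   # RFC 2606 reserved domains
STATUSES = ["succeeded"] * 9 + ["failed"]                 # roughly 10% failed charges


def canary_tag(record_id: int, length: int = 8) -> str:
    """Deterministic tag for one record: HMAC(key, id), truncated. Unforgeable without the key."""
    digest = hmac.new(CANARY_KEY, str(record_id).encode(), hashlib.sha256).hexdigest()
    return digest[:length]


def generate_consumers(n: int, seed: int = 1) -> list:
    """Fake PII rows; the canary tag is embedded in the username and in the email plus-address."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        first, last = rng.choice(FIRST_NAMES), rng.choice(LAST_NAMES)
        tag = canary_tag(i)
        rows.append({
            "id": i,
            "username": f"{first}.{last}.{tag}",
            "email": f"{first}.{last}+{tag}@{rng.choice(DOMAINS)}",
            "phone": f"+1-555-01{rng.randint(0, 99):02d}",   # 555-01xx is reserved for fiction
        })
    return rows


def generate_transactions(n: int, consumers: list, seed: int = 2, start_ts: int = 1700000000) -> list:
    """Stripe-like charge objects referencing the synthetic consumers, with increasing timestamps."""
    rng = random.Random(seed)
    alphabet = string.ascii_letters + string.digits
    txs, ts = [], start_ts
    for _ in range(n):
        ts += rng.randint(1, 120)
        txs.append({
            "id": "ch_" + "".join(rng.choice(alphabet) for _ in range(24)),
            "object": "charge",
            "amount": rng.randint(199, 49999),               # minor units (cents)
            "currency": rng.choice(["usd", "eur", "gbp"]),
            "customer": consumers[rng.randrange(len(consumers))]["id"],
            "status": rng.choice(STATUSES),
            "created": ts,
            "last4": f"{rng.randint(0, 9999):04d}",
        })
    return txs


def build_canary_index(consumers: list) -> dict:
    """tag -> record id, so a leaked sample can be attributed without recomputing every HMAC."""
    return {canary_tag(row["id"]): row["id"] for row in consumers}


def trace_leak(email: str, index: dict):
    """Return the decoy record id an email came from, or None if it is not one of ours."""
    local = email.split("@", 1)[0]
    if "+" not in local:
        return None
    return index.get(local.rsplit("+", 1)[1])


if __name__ == "__main__":
    consumers = generate_consumers(28_000)
    txs = generate_transactions(190_000, consumers)
    print(consumers[0])
    print(txs[0])
```

Because the tag is keyed, an attacker who notices the pattern still cannot mint rows that attribute to the decoy, and the same dataset can be regenerated bit-for-bit from the seed when a leak sample has to be matched months later.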
Data from the honeypot
The actor logged into the honeytrap, generating over 188,000 requests between December 12 and 24 to scrape data via custom automation routed through residential proxies.
This yielded "abuse data" on tactics, infrastructure, and OPSEC slips, including real IPs leaked when the proxies failed. Resecurity blocked the proxies, forcing the actor to reuse already-known hosts, and shared its findings with law enforcement, culminating in an international subpoena.
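Two of the signals described here, the scraping burst and the real IP surfacing when a proxy fails, are simple to pull out of the decoy's own access logs. The script below is an added example, not Resecurity's analysis code: it builds a constructed log sample (RFC 5737 documentation addresses, a made-up `session-id` field and line format), flags sessions whose request rate exceeds a threshold inside a sliding window, reports source IPs that appear in a proxied session but fall outside the known proxy ranges, and shows what remains once those ranges are blocked.

```python
"""Honeytrap access-log triage (added example with constructed data, not Resecurity's code)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed line format: "<iso-timestamp> <ip> <method> <path> <status> <session-id>"


def build_sample_log() -> list:
    """Constructed sample: one scraping session through two proxy exits, one ordinary user."""
    lines, t0 = [], datetime(2025, 12, 12, 9, 0, 0)
    # 250 paginated pulls in just over four minutes; requests 120-122 leak the direct address
    for i in range(250):
        ts = t0 + timedelta(seconds=i)
        if i in (120, 121, 122):
            ip = "198.51.100.77"                       # proxy failure: real source exposed
        else:
            ip = "203.0.113.5" if i % 2 == 0 else "203.0.113.9"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} GET /api/consumers?page={i + 1} 200 sess-a1")
    for i in range(6):                                 # benign user: six requests in ten minutes
        ts = t0 + timedelta(minutes=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 192.0.2.10 GET /dashboard 200 sess-b7")
    return lines


def parse_line(line: str) -> dict:
    ts, ip, method, path, status, session = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ip": ip, "method": method,
            "path": path, "status": int(status), "session": session}


def find_scrapers(events: list, threshold: int = 100, window: timedelta = timedelta(minutes=5)) -> dict:
    """session -> peak request count, for sessions exceeding `threshold` inside any `window`."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e["ts"])
    flagged = {}
    for sess, times in by_session.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):              # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[sess] = peak
    return flagged


def _in_ranges(ip: str, nets: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def find_proxy_slips(events: list, proxy_ranges: list) -> dict:
    """session -> direct IPs, for sessions that mix known proxy exits with non-proxy sources."""
    nets = [ipaddress.ip_network(n) for n in proxy_ranges]
    ips_by_session = defaultdict(set)
    for e in events:
        ips_by_session[e["session"]].add(e["ip"])
    slips = {}
    for sess, ips in ips_by_session.items():
        proxied = {ip for ip in ips if _in_ranges(ip, nets)}
        direct = ips - proxied
        if proxied and direct:
            slips[sess] = sorted(direct)
    return slips


def remaining_after_block(events: list, blocked_ranges: list) -> dict:
    """session -> IPs still reachable once `blocked_ranges` are dropped at the edge."""
    nets = [ipaddress.ip_network(n) for n in blocked_ranges]
    remaining = defaultdict(set)
    for e in events:
        if not _in_ranges(e["ip"], nets):
            remaining[e["session"]].add(e["ip"])
    return {sess: sorted(ips) for sess, ips in remaining.items()}


if __name__ == "__main__":
    events = [parse_line(line) for line in build_sample_log()]
    proxies = ["203.0.113.0/24"]
    print("scrapers:", find_scrapers(events))
    print("proxy slips:", find_proxy_slips(events, proxies))
    print("after block:", remaining_after_block(events, proxies))
```

Keying everything on the session rather than the IP is what makes the slip visible: a residential-proxy pool rotates addresses freely, but the authenticated session carried over to the direct address when the proxy dropped, which ties the real host to the scraping activity.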
Isolated decoys such as Office 365, VPNs, and a decommissioned Mattermost instance filled with fake 2023 chatter (six teams, AI-generated via OpenAI) proved ideal for high-value mimicry without risk to production.
ShinyHunters Caught in Update
A January 3, 2026, update revealed that ShinyHunters, previously profiled by Resecurity, fell into the same trap, boasting on Telegram of "full access" to "[honeytrap].b.idp.resecurity.com" and other fake systems.
Telegram group update
Screenshots showed the dummy Mattermost for "Mark Kelly," non-existent domains such as "resecure.com," bcrypt-hashed API tokens belonging to duplicate tester accounts, and useless outdated logs.
The group acknowledged disruptions caused by Resecurity's tactics; social engineering identified links to jwh*****[email protected], a US phone number, and a Yahoo account registered during the activity.
This validates the power of cyber deception for threat hunting and investigations, producing IOCs and IOAs from controlled engagements. Compliance with privacy laws remains key.
Resecurity's logs and its prior ShinyHunters exposés suggest the retaliation backfired into self-incrimination. Enterprises can replicate the approach with monitored decoys in non-production environments, strengthening proactive defense against financially motivated threat actors.
