Members of the notorious Scattered Lapsus$ Hunters cybercrime group walked straight into a carefully crafted trap and exposed details about their attack servers, Resecurity says.
In early January, the Scattered Lapsus$ Hunters hackers boasted on their Telegram channel about hacking the cybersecurity firm Resecurity and stealing massive amounts of data.
The hackers have since removed the post, after learning that they had, in fact, stepped into a trap that Resecurity had been preparing for months.
To catch the attackers in the act, the company's researchers set up a honeypot containing a large amount of synthetic data, planted a fake account on an underground marketplace for compromised credentials, and then sat back to monitor the hackers' actions.
Resecurity decided to set the trap in November, after noticing that the hackers had been probing its publicly facing services and applications for reconnaissance.
They set up the honeypot in an emulated environment, isolated from real assets and closely monitored, planted the honeytrap account on the dark web, and gathered data from open sources to populate the honeypot and make it attractive.
"For synthetic data, we used two different datasets: over 28,000 records impersonating customers and over 190,000 records of payment transactions, and generated messages. Notably, in both cases, we utilized already known breached data available on the Dark Web and underground marketplaces," Resecurity said on Christmas Eve.
The data combination, the cybersecurity firm says, was meant to mimic a business application, complete with financial transactions, and the trap was enhanced with chatter referencing old logs from 2023.
The initial threat actor activity was observed in November and resumed toward mid-December, when automated tools relying on residential IP proxies were used to dump the synthetic data.
"Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data. During this period, the Resecurity team documented the activity and collaborated with relevant law enforcement authorities and ISPs to share information about it," Resecurity says.
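As an added illustration of the kind of monitoring the article describes (example code written for this page, not Resecurity's own tooling), the script below triages a constructed honeypot access log: it alerts on any login as the seeded account, flags a session that pulls synthetic records in bulk inside a short window, and, assuming a feed of known residential-proxy exit ranges, lists the source addresses in that session which fall outside the pool. The JSON-lines log format, the field names, the username "mark.kelly", the record endpoint path, the thresholds, the proxy ranges and the sample traffic are all assumptions, not details from the article.

```python
"""Added example for this page: honeypot access-log triage. Not Resecurity's code.
Everything here is an assumption about how such a honeypot might log activity:
JSON-lines records with ts, src_ip, user, session, path, status."""
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

HONEYTRAP_USERS = {"mark.kelly"}      # seeded account; the username is an assumption
RECORD_PREFIX = "/api/customers/"     # endpoint serving the synthetic records (assumption)
DUMP_THRESHOLD = 50                   # record requests per WINDOW that count as a dump (assumption)
WINDOW = timedelta(minutes=10)
# Assumption: a threat-intel feed of residential-proxy exit ranges, here a single test net.
KNOWN_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line):
    """One JSON-lines access-log record -> dict with a tz-aware datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def honeytrap_logins(records):
    """Every login as the seeded account is an alert: no legitimate user holds it."""
    return [r for r in records if r.get("user") in HONEYTRAP_USERS and r["path"] == "/login"]


def dump_sessions(records):
    """Group record-endpoint hits by session and measure the busiest WINDOW-long span.
    Returns {session: (peak_requests_in_window, Counter of src_ip)} for sessions over threshold."""
    by_session = defaultdict(list)
    for r in records:
        if r["path"].startswith(RECORD_PREFIX):
            by_session[r["session"]].append(r)
    flagged = {}
    for sess, reqs in by_session.items():
        reqs.sort(key=lambda r: r["ts"])
        peak, start = 0, 0
        for end in range(len(reqs)):           # sliding window over sorted timestamps
            while reqs[end]["ts"] - reqs[start]["ts"] > WINDOW:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= DUMP_THRESHOLD:
            flagged[sess] = (peak, Counter(r["src_ip"] for r in reqs))
    return flagged


def origin_candidates(ip_counter):
    """Source IPs of a session that are not known proxy exits. When a tool that
    rotates residential proxies has a proxy connection fail and retries directly,
    the operator's own host shows up here alongside the proxy pool."""
    return sorted(ip for ip in ip_counter
                  if not any(ipaddress.ip_address(ip) in net for net in KNOWN_PROXY_NETS))


def triage(lines):
    """Run the three checks over raw log lines and return a summary dict."""
    records = [parse_line(line) for line in lines]
    report = {}
    for sess, (peak, ips) in dump_sessions(records).items():
        report[sess] = {"peak_requests_in_window": peak,
                        "exit_ips": len(ips),
                        "origin_candidates": origin_candidates(ips)}
    return {"honeytrap_logins": len(honeytrap_logins(records)), "dump_sessions": report}


def build_sample_log():
    """Constructed sample, not real telemetry: one login as the seeded account, then
    70 record requests at 5 s intervals from 20 rotating exits in 198.51.100.0/24,
    with two requests leaking from 192.0.2.77, the simulated un-proxied origin."""
    t0 = datetime(2025, 12, 12, 9, 0, tzinfo=timezone.utc)
    lines = [json.dumps({"ts": "2025-12-12T08:59:30Z", "src_ip": "198.51.100.5",
                         "user": "mark.kelly", "session": "s1", "path": "/login", "status": 200})]
    for i in range(70):
        ip = "192.0.2.77" if i in (31, 32) else f"198.51.100.{10 + i % 20}"
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(json.dumps({"ts": ts, "src_ip": ip, "user": "mark.kelly", "session": "s1",
                                 "path": f"{RECORD_PREFIX}{1000 + i}", "status": 200}))
    return lines


if __name__ == "__main__":
    print(json.dumps(triage(build_sample_log()), indent=2))
```

Run stand-alone it prints one flagged session with a 70-request peak across 21 exit addresses, of which only 192.0.2.77 sits outside the assumed proxy pool. The proxy-range feed is the weak link in practice: without one, an address that appears only a couple of times in an otherwise rotating session is the signal to follow up on, and timestamps of those requests are what an ISP or law enforcement request would be built around.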
Monitoring the hackers
By closely observing the hackers' actions, the cybersecurity firm gathered information on their tactics, techniques, and procedures (TTPs) and identified their server IP addresses (including two in Egypt) following proxy connection failures.
A week after Resecurity published a blog post detailing the trap, Scattered Lapsus$ Hunters announced on Telegram that they had breached the security firm and stolen employee data, chats, logs, and customer information.
The hacking group claimed it was aware of Resecurity's attempt to "social engineer" them, and that they had "fully owned" the organization. In fact, it was the other way around.
"The screenshots shared by the threat actors relate to '[honeytrap].b.idp.resecurity.com' (a system emulated with compromised data from the Dark Web and not related to any actual Resecurity customers) and the Mattermost application, which was provisioned for the honeytrap account 'Mark Kelly' around November 2025 for this purpose," Resecurity notes in a January 3 update.
The cybersecurity firm also notes that the available network intelligence and timestamps gathered from observing the hackers' actions were used by a law enforcement agency to issue a subpoena request regarding the threat actor.
In addition to identifying the attacker, the researchers linked a Gmail account to a US-based phone number and to a Yahoo account, and shared the information with the relevant law enforcement agency.