Resecurity deploys synthetic data honeypots<\/a> to outsmart threat actors, turning reconnaissance into actionable intelligence. A recent operation not only trapped an Egyptian-linked hacker but also duped the ShinyHunters group into false breach claims.\u200b<\/p>\n Resecurity has refined deception technologies for counterintelligence, mimicking enterprise environments to lure threat actors into controlled traps.<\/p>\n These build on traditional honeypots, misconfigured services, or dummy resources that passively log intruders, now powered by AI-generated synthetic data that resemble real-world patterns without exposing proprietary information. Previously breached data from dark web sources enhances realism, fooling even advanced actors who validate targets.\u200b<\/p>\n On November 21, 2025, Resecurity\u2019s DFIR team spotted a threat actor scanning public-facing services after targeting a low-privilege employee. Indicators included IPs like 156.193.212.244 and 102.41.112.148 (Egypt), plus VPNs 45.129.56.148 (Mullvad) and 185.253.118.70.<\/p>\n Responders deployed a honeytrap in an emulated app with synthetic datasets: 28,000 consumer records (usernames, emails, fake PII from combo lists) and 190,000 Stripe-like payment transactions generated via tools like SDV, MOSTLY AI, and Faker. A bait account, \u201cMark Kelly,\u201d was planted on Russian Marketplace to draw attackers.\u200b<\/p>\n The actor logged into the honeytrap, prompting over 188,000 requests from December 12-24 to scrape data via custom automation and residential proxies.<\/p>\n This yielded \u201cabuse data\u201d on tactics, infrastructure, and OPSEC<\/a> slips, real IPs leaked during proxy failures. Resecurity blocked proxies, forcing the reuse of known hosts, and shared findings with law enforcement, culminating in a foreign subpoena.<\/p>\n Isolated decoys like Office 365, VPNs, and a decommissioned Mattermost instance with 2023 fake chatter (six groups, AI-generated via OpenAI) proved ideal for high-value mimicry without risk.\u200b<\/p>\n A January 3, 2026, update revealed ShinyHunters previously profiled by Resecurity fell into the same trap, boasting Telegram \u201cfull access\u201d to \u201c[honeytrap].b.idp.resecurity.com\u201d and fake systems.<\/p>\n Screenshots showed dummy Mattermost for \u201cMark Kelly,\u201d non-existent domains like \u201cresecure.com,\u201d bcrypt-hashed API tokens from duplicate tester accounts, and useless old logs.<\/p>\n The group acknowledged disruptions caused by Resecurity\u2019s tactics; social engineering identified links to jwh*****y433@gmail.com, a US phone number, and a Yahoo account registered during the activity.\u200b<\/p>\n This validates cyber deception\u2019s power for threat hunting and investigations, generating IOCs\/IOAs from controlled engagements. Compliance with privacy laws remains key. <\/p>\n Resecurity\u2019s logs and prior ShinyHunters expos\u00e9s suggest retaliation backfired into self-incrimination. Enterprises can replicate via monitored decoys in non-production environments, enhancing proactive defense against financially motivated threat actors.\u200b<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Trapped in Resecurity\u2019s Honeypot During Targeted Attack on Employee Network<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Hackers](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjYZy27QG3LNINZGBGkKh9Y7B3MWBOZdR3DXHPjJeXMaHei1Ru-YSGv-t0puGS1MQxmclvCgV0Tld9YeQR9gvp1rZD62TNZv1odLDP-ljD54T3DBrI2mB7qw-M-RvEjswhIlUNtslkbgsDHm-4e_M0DTMujNkJikAmIRuz_LSqDHYJ-Tj8_XPvebN3ixPeA\/s16000\/Hon1.webp?ssl=1\")
ShinyHunters Caught in Update<\/strong><\/h2>\n
![\"Hackers](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjVOEaS24LCgh7IqC9V8PqKaTrUKMiV0jPpjQfVqGJiDcq7y4zZtyze6kEwEeaMLp5bhsQJhAC2T0WaNeMsX1Fl-GKdYVvzHCBcAiHV-p_CRVSxt-FJWRGCIlwZ9kEM_YMIBbAReZIxJz8n6GV5bVEqRCuMgbptSbdRGaZKXopCh8rfB7pTjs4lwm-7SNeW\/w640-h478\/Hon2.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhpYy64W_zVrYwK89KmQca6n4bi_JgqgHuWoh9tvYbz3yzmOyP37vtUeTt5CCFhnF0clFd4IoZkH3xf3zhTw5nG3i1HCOwoURLvmtkqwbdRvHhYPGXPi8fBR4daKF761ClWB10Wz-8NSuV3de-aniEQ9G3EMkgONjTu14VAUcCjslgQvw8d_kaHq-mI9o2g\/s16000\/Hon3.webp?ssl=1\")
<\/figure>\n