Notorious hacking collective returns - but researchers say they fell for a honeypot
Scattered Lapsus$ Hunters fell for a honeypot
- Scattered Lapsus$ Hunters resurfaced claiming a breach at Resecurity
- Resecurity revealed it was a honeypot, tricking SLH into stealing fake data and exposing their infrastructure
- Investigators now have IPs, linked accounts, and timestamps shared with law enforcement, raising prospects of arrests
After a few months in the dark, the infamous Scattered Lapsus$ Hunters (SLH) are back to their usual shenanigans. This time around, however, it would have been better for them to have remained hidden.
For those unfamiliar with SLH, it is a hacking collective made up of members of the cybercriminal groups Scattered Spider, Lapsus$, and ShinyHunters.
They became widely known in September 2025, when they claimed responsibility for a major breach at Jaguar Land Rover. The incident halted vehicle production worldwide and drew huge media attention because of its scale and impact, becoming one of the costliest attacks in UK history.
The 'gotcha' moment
Soon after, they announced their withdrawal, most probably to get out of the spotlight. Earlier this week, though, they announced that they had broken into the cybersecurity company Resecurity:
“We would like to announce that we have gained full access to Resecurity systems. We took everything,” SLH said on Telegram, Cybernews reports. They said Resecurity got “fully owned”, losing internal chats, employee data, client lists, and other sensitive information.
But it seems they fell for a rather sophisticated bait. Resecurity said that this was, in fact, a honeypot filled with fake accounts, fake data, and fake content:
“Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with its rebranded version, which calls itself SLH due to the alleged overlap between the threat actors ShinyHunters, Lapsus$, and Scattered Spider,” the company said.
“The group claimed that ‘it has gained full access to Resecurity systems,’ which is a clear overstatement, as the honeypot environment prepared by us did not contain any sensitive information.”
The ramifications are quite severe for SLH. Resecurity has now exposed the IP addresses the group uses and was even able to “identify the actor and link one of his active Gmail accounts to a US-based phone number and a Yahoo account.” It’s not full-blown doxxing, but it is the next best thing.
“The activity has been imaged and retained, including exact timestamps and network connections, which have been shared with law enforcement.”
Now, let’s see if this development leads to any arrests and if, as some researchers claim, the group has minors as members.
Via Cybernews

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.