Hackers Trapped in Resecurity Honeypot After Targeted Attack on Employee Network
The operation exposed the attacker’s infrastructure and prompted law enforcement involvement, demonstrating the effectiveness of synthetic data honeypots against financially motivated cybercriminals.
The incident began on November 21, 2025, when Resecurity’s DFIR team detected a threat actor probing public-facing services and targeting an employee with limited access.
Investigators documented initial connections from Egyptian IP addresses (156.193.212.244 and 102.41.112.148) alongside VPN services.
Rather than blocking the intrusion, security teams deployed a honeytrap account containing synthetic data to monitor attacker behavior.
The trap used more than 28,000 fake consumer records and 190,000 fabricated payment transactions, built from publicly available data.
This realistic-looking but worthless information included dummy Stripe payment records and generated email addresses from combo lists.
Resecurity also created a decommissioned Mattermost messaging environment with outdated 2023 logs to complete the deception. The threat actor took the bait.
Between December 12 and December 24, attackers made more than 188,000 automated requests through residential IP proxies to steal the synthetic data.
During this period of intense activity, connection failures caused multiple operational security lapses that exposed the attacker’s actual IP addresses.
Resecurity documented these errors and shared abuse data with law enforcement and Internet Service Providers (ISPs) to track the threat actors.
The honeypot successfully captured extensive evidence of the attack methodology, tools used, and infrastructure employed by the cybercriminals.
This intelligence proved invaluable for understanding the attackers’ capabilities and techniques.
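
One way a defender could triage traffic like this, shown as an added example that is not Resecurity's code or part of the original article: every request authenticated as the planted account is hostile by construction, so grouping those requests by session and checking each source address against known proxy ranges surfaces addresses that may be direct connections. The log format, the account name decoy.user and the proxy ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

DECOY_ACCOUNT = "decoy.user"  # hypothetical name for the planted account
# Assumed proxy-provider ranges (constructed, RFC 5737 documentation space).
KNOWN_PROXY_NETS = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed log lines: timestamp account session source_ip path status
SAMPLE_LOG = """\
2025-12-12T01:00:01Z alice s-001 192.0.2.10 /api/profile 200
2025-12-12T01:00:02Z decoy.user s-9f2 198.51.100.14 /api/customers?page=1 200
2025-12-12T01:00:03Z decoy.user s-9f2 198.51.100.77 /api/customers?page=2 200
2025-12-12T01:00:04Z decoy.user s-9f2 203.0.113.5 /api/customers?page=3 200
2025-12-12T01:00:09Z decoy.user s-9f2 192.0.2.44 /api/customers?page=4 200
2025-12-12T01:00:10Z decoy.user s-9f2 203.0.113.9 /api/customers?page=5 200
2025-12-13T02:00:00Z decoy.user s-a10 198.51.100.20 /api/payments?page=1 200
truncated line
"""


def is_known_proxy(ip):
    return any(ip in net for net in KNOWN_PROXY_NETS)


def analyse(log_text):
    """Summarise decoy-account sessions and list non-proxy source IPs."""
    sessions = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != DECOY_ACCOUNT:
            continue  # malformed line or a real user: not honeytrap traffic
        try:
            ip = ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # unparseable address
        sessions[fields[2]][ip] += 1
    report = {}
    for sid, ips in sessions.items():
        report[sid] = {
            "requests": sum(ips.values()),
            "distinct_ips": len(ips),
            # Same session, address outside the proxy pool: candidate leak.
            "candidate_leaks": sorted(str(ip) for ip in ips if not is_known_proxy(ip)),
        }
    return report


if __name__ == "__main__":
    for sid, summary in analyse(SAMPLE_LOG).items():
        print(sid, summary)
```

A candidate leak is only a lead for abuse reporting; it still needs corroboration, since the proxy-range list will never be complete.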
Following publication of the operation, the notorious ShinyHunters cybercrime group falsely claimed they had “compromised” Resecurity systems.
The group unknowingly accessed the honeytrap environment at “honeytrap.b.idp.resecurity.com” under the planted “Mark Kelly” account.
The screenshots they shared as proof actually confirmed they had fallen directly into the trap. Resecurity investigators linked the activity to a US-based Gmail account through social engineering techniques.
They recovered phone numbers via password reset functions, strengthening the evidence chain.
All collected intelligence has been provided to law enforcement agencies for further investigation and potential prosecution.
The case demonstrates how honeypots and synthetic data create powerful defensive mechanisms against cybercriminals, turning attackers’ own greed against them while exposing their operational infrastructure and real identities.
The post Hackers Trapped in Resecurity Honeypot After Targeted Attack on Employee Network appeared first on Cyber Security News.