- Scattered Lapsus$ Hunters Resurface, Claiming Resecurity Vulnerability
- Resecurity revealed it was a honeypot, tricking SLH into stealing fake data and exposing its infrastructure.
- Investigators now have IP addresses, linked accounts, and timestamps shared with law enforcement, increasing the chances of arrest.
After a few months in the dark, the infamous Scattered Lapsus$ Hunters (SLH) are back to their usual shenanigans. But this time, it would have been better if they had remained hidden.
For those unfamiliar with SLH, it is a hacker collective made up of members of the cybercriminal groups Scattered Spider, Lapsus$ and ShinyHunters.
They became very popular in September 2025, when they claimed responsibility for a major breach at Jaguar Land Rover. The incident disrupted vehicle production worldwide and attracted media attention due to its scale and impact, resulting in one of the costliest attacks in UK history.
The “I got you” moment
Shortly after, they announced their withdrawal, probably to get out of the way. However, earlier this week they announced they were going into cybersecurity company Resecurity:
“We would like to announce that we have gained full access to Resecurity systems. We have taken everything,” SLH said on Telegram, Cybernews reports. They said Resecurity had become “fully proprietary,” losing internal chats, employee data, customer lists and other sensitive information.
But it seems that they have fallen for a rather sophisticated bait. Resecurity said it was actually a honeypot filled with fake accounts, fake data, and fake content:
“Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with its renamed version, which is called SLH due to the alleged overlap between the threat actors ShinyHunters, Lapsus$ and Scattered Spider,” the company said.
“The group claimed that it had gained full access to Resecurity systems, which is clearly an exaggeration, as the honeypot environment we prepared did not contain any sensitive information.”
The consequences are quite serious for SLH. Resecurity has now revealed the IP addresses they are using and was even able to “identify the actor and link one of their active Gmail accounts to a US-based phone number and a Yahoo account.” It’s not full-blown doxxing, but it’s the next best thing.
“The activity was photographed and preserved, including exact timestamps and network connections, which were shared with law enforcement.”
Now let’s see if this development leads to arrests and if, as some researchers claim, the group includes minors among its members.
Via Cybernews
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
