- Scattered Lapsus$ Hunters resurfaced claiming a breach at Resecurity
- Resecurity revealed it was a honeypot that tricked SLH into stealing fake data and exposing their infrastructure
- Investigators now have IPs, linked accounts and timestamps shared with law enforcement, increasing the prospect of arrests
After a few months in the dark, the infamous Scattered Lapsus$ Hunters (SLH) are back in the spotlight. This time, however, they would have been better off staying hidden.
For those unfamiliar with SLH, this is a hacking collective made up of members of cybercriminal groups Scattered Spider, Lapsus$, and ShinyHunters.
They rose to prominence in September 2025 when they claimed responsibility for a major breach at Jaguar Land Rover. This incident halted car production worldwide and attracted huge media attention due to its scale and impact, becoming one of the costliest attacks in UK history.
The ‘gotcha’ moment
Soon after, they announced their retirement, probably to get out of the limelight. However, earlier this week they announced that they had hacked the cybersecurity company Resecurity:
“We would like to announce that we have gained full access to resecurity systems. We took everything,” SLH said on Telegram, Cybernews reports. They said Resecurity was “fully owned” and lost internal chats, employee data, client lists and other sensitive information.
But it seems they fell for a pretty sophisticated bait. Resecurity said this was in fact a honeypot filled with fake accounts, fake data and fake content:
“Following our disclosure, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with its rebranded version calling itself SLH due to the alleged overlap between the ShinyHunters, Lapsus$ and Scattered Spider threat actors,” the company said.
“The group claimed that ‘it gained full access to security systems’, which is a clear exaggeration as the honeypot environment prepared by us did not contain any sensitive information.”
The consequences are quite serious for SLH. Resecurity has now revealed the IP addresses they use and was even able to “identify the actor and link one of his active Gmail accounts to a US-based phone number and a Yahoo account.” It’s not full-blown doxxing, but it’s the next best thing.
“The activity has been imaged and retained, including accurate timestamps and network connections, which have been shared with law enforcement.”
Now let’s see if this development leads to any arrests and if the group, as some researchers claim, has minors as members.
Via Cybernews



