NEWS They thought they had hacked the Pentagon, but ended up in a sandbox. An awkward situation for top hackers.

ExcalibuR

Cybercriminals thought they had hit the jackpot, but in reality, they only exposed their IP addresses.

The hacker group ShinyHunters claimed to have breached the infrastructure of the company Resecurity and stolen internal data. However, Resecurity itself is confident that the cybercriminals only gained access to a specially created trap—an isolated system with fake information designed to monitor the actions of the attackers.

ShinyHunters published screenshots on Telegram allegedly confirming a successful attack. According to them, the group obtained employee data, internal communications, cyber threat reports, and client information. As proof, images of the Mattermost interface with correspondence were provided, including discussions about moderating malicious content on Pastebin.
The group calls itself "Scattered Lapsus$ Hunters," referencing connections to other well-known groups—Lapsus$ and Scattered Spider. The attack is said to have been in response to Resecurity's attempts to study the group's structure through social engineering.

Resecurity's position is different. Company representatives insist that the compromised systems had no relation to the main infrastructure. According to a report published on December 24, suspicious activity was detected back in November. The company's team identified signs of reconnaissance from an external source and recorded IP addresses linked to Egypt and the Mullvad VPN service.

In response to the potential threat, Resecurity specialists deployed an isolated environment with falsified data, into which an account with access for the observed attacker was intentionally embedded.

The system contained fake records, including over 28,000 fictitious user profiles and more than 190,000 transactions formatted according to the Stripe API. The purpose of such a trap was to gather information about the attacker's behavior, methods, and tools.

In December, Resecurity recorded a large-scale automated attempt to extract information, when the attacker, using proxy networks, initiated nearly 190,000 requests. During the attack, some real IP addresses temporarily became visible due to connection failures. This data was handed over to law enforcement agencies.

Subsequently, new fake data was added to the trap to continue analyzing the attacker's behavior. This led to new errors on their part, narrowing down the search for their infrastructure. The servers used to automate the attack were also identified. According to the company, one of the international law enforcement partners even initiated an extradition request based on the obtained data.

At the time of publication, ShinyHunters had not provided additional evidence but promised to release new information soon.
 