- Scattered $Lapse Hunters Resurface Claiming Resecurity Breach
- Resecurity revealed that it was a decoy, tricking SLH into stealing fake data and exposing its infrastructure.
- Investigators now have IP addresses, linked accounts, and timestamps shared with authorities, increasing the chances of arrests.
After a few months in the dark, the infamous Scattered Lapsus$ Hunters (SLH) are back to their usual antics. This time, however, it would have been better for them to remain hidden.
For those who don’t know SLH, this is a hacker collective made up of members of the cybercriminal groups Scattered Spider, Lapsus$ and ShinyHunters.
They became very popular in September 2025, when they claimed responsibility for a major breach at Jaguar Land Rover. This incident halted vehicle production worldwide and attracted extensive media attention due to its scale and impact, resulting in one of the costliest attacks in UK history.
The ‘gotcha’ moment
Shortly afterward they announced their retirement, probably to get out of the spotlight. However, earlier this week they announced to break into the cybersecurity company Resecurity:
“We would like to announce that we have gained full access to Resecurity’s systems. We took everything,” SLH said on Telegram, Cybernews reports. They said Resecurity became “fully owned,” losing internal chats, employee data, customer lists and other sensitive information.
But it seems they fell for a pretty sophisticated bait. Resecurity said this was, in fact, a honeypot full of fake accounts, fake data, and fake content:
“Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with its renamed version, which calls itself SLH due to the alleged overlap between threat actors ShinyHunters, Lapsus$ and Scattered Spider,” the company said.
“The group claimed that ‘they have gained full access to Resecurity’s systems’, which is a clear exaggeration, as the honeypot environment prepared by us did not contain any sensitive information.”
The ramifications are quite serious for SLH. Resecurity has now exposed the IP addresses they use and was even able to “identify the actor and link one of his active Gmail accounts to a US phone number and a Yahoo account.” It’s not full-blown doxxing, but it’s the best option.
“The activity, including exact timestamps and network connections, has been photographed and preserved and shared with authorities.”
Now, let’s see if this development leads to arrests and if, as some researchers claim, the group has minors among its members.
Through cyber news
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
