Resecurity: Synthetic Data, A New Frontier for Cyber Deception and Honeypots

Category: Cyber Threat Intelligence
Tags: deception, threat hunting, network intelligence, threat actor, honeypot, honeytrap

Investigating numerous incidents, Resecurity has developed a unique practice of using deception technologies for counterintelligence purposes. This may include solutions, tools, models and methods that mimic legitimate enterprise environments to mislead potential threat actors and allow them to conduct malicious activities in a controlled manner. Many of these concepts originate from traditional honeypots, which enable network defenders to perform threat hunting passively by deploying traps using misconfigured applications and network services, or dummy resources, to log intruders.

With the rapid evolution of AI and ML, deception could be accelerated by using synthetic data: purposely generated data that has the patterns and characteristics of real-world data without containing actual proprietary information. In the context of threat hunting, previously breached data can be highly effective for designing deception models that appear extremely realistic and attract threat actors. For example, a purposely planted honeypot containing realistic-looking but practically useless records can motivate threat actors to attempt to steal it.

On November 21, 2025, Resecurity identified a threat actor attempting to conduct malicious activity targeting our resources. The actor was probing various publicly facing services and applications. Prior to that, the actor targeted one of our employees who had no sensitive data or privileged access. Our DFIR team logged the threat actor at an early stage and documented the following Indicators of Attack (IOA):

156193212244 (Egypt)
10241112148 (Egypt)
4512956148 (Mullvad VPN)
18525311870 (VPN)

Understanding that the actor was conducting reconnaissance, our team set up a honeytrap account. This led to a successful login by the threat actor to one of the emulated applications containing synthetic data. While the successful login could have enabled the actor to gain unauthorized access and commit a crime, it also provided us with strong proof of their activity. Both Office 365 and VPN accounts are highly effective for creating honeypot (honeytrap) accounts to detect, track and analyze hacker activity. Such accounts are widely used in enterprise environments to detect unauthorized access attempts and gather threat intelligence. The most successful honeypot deployments use realistic, well-monitored decoy accounts that mimic high-value targets but are isolated from real assets. In addition, you can use honeytrap accounts for your own applications in an emulated environment that is isolated from production resources and closely monitored.

Such accounts could be planted via Dark Web marketplaces and forums so that potential attackers will find and use them. One such account, "Mark Kelly", has been frequently planted on a marketplace commonly used for purchasing compromised data, called Russian Marketplace.

For synthetic data, we used two different datasets: over 28,000 records impersonating consumers, and over 190,000 records of payment transactions and generated messages. Notably, in both cases we utilized already known breached data available on the Dark Web and underground marketplaces, potentially containing PII, making the data even more realistic for threat actors. Such data is readily available from open sources and can be used as an important element for cyber deception, especially when the threat actor is advanced and may perform various checks to verify that the data is not completely fake. Otherwise, this could affect their further tactics or lead to a complete halt of their planned actions. In our scenario, our goal was to allow the threat actor to conduct activity and feed them with synthetic data to observe their attack path and infrastructure. This task did not involve the use of passwords or API credentials.

Example

None of these accounts are our actual customers; they are email addresses collected from publicly available combo lists and email lists (botnet data available on the Dark Web), including generated addresses. Some of the records were duplicated multiple times. In fact, none of our products have such a user count.

Payment Information (Stripe Records)

To prepare this, we used specialized synthetic data generation tools (e.g., SDV, MOSTLY AI, Faker) to create realistic, schema-compliant Stripe transaction and customer data. Our goal was to reproduce exactly the same structure that the data would have according to Stripe's official API schemas for customers, transactions and subscriptions. In the official Stripe API, a transaction is typically represented as an object with fields such as:

id: unique identifier for the transaction
amount: amount of the transaction
currency: currency code (e.g., USD)
created: timestamp of when the transaction occurred
type: type of transaction (charge, refund, payout, etc.)
status: status of the transaction (succeeded, pending, failed, etc.)
customer: reference to the customer object
metadata: custom key-value pairs for additional information

Faked Customer Records (Consumer Records)

Fields: username, email, firstname, lastname, organisation, date

Open-Source Messenger Application (such as Mattermost)

Depending on the level of deception, you can use non-sensitive data and chatter. In our case, we prepared an environment with chatter consisting of very outdated logs from 2023 to serve as a "shiny object", with 6 groups having no sensitive communications, placed in a decommissioned system.

A combination of these datasets allows for mimicking a possible business application that involves consumers with financial transactions, which could be of interest to financially motivated threat actors.

The threat actor fell into our trap and began planning automation to dump the available data. It took some time, and on December 12 they resumed activity. It is possible that the threat actor was developing a custom scraper to facilitate data dumping. By that time, they used a large number of residential IP proxies to automate their activity, which helped our DFIR team gather substantial knowledge about their TTPs and the network infrastructure they used. This data is typically called abuse data: artifacts collected as a result of the threat actor abusing or misusing a specific application or service. Abuse data can also be used for early-stage threat detection when the same actor targets other enterprises, acting as Indicators of Compromise (IOCs). Sharing fresh abuse data can help network defenders hunt for threat actors operating on the same infrastructure more effectively.

Between December 12 and December 24, the threat actor made over 188,000 requests attempting to dump synthetic data. During this period, the Resecurity team documented the activity and collaborated with relevant law enforcement authorities and ISPs to share information about it. The attacker aimed to scrape the data using malicious automation.

Notably, the actor became quite busy and at some point disclosed his real IP addresses due to proxy connection failures, creating an OPSEC issue.

A similar issue occurred during new attempts, leading to another disclosure. In both cases, information about the attacker's hosts was reported to law enforcement.

Observing this activity, our team generated additional synthetic data of a different nature to give the actor more room for maneuvering. This led to the disclosure of other important details that confirmed his origin.

Processing a large dataset of synthetic data led to several OPSEC mistakes, resulting in the identification of the exact servers used by the attacker for automation, where he was using lists of residential IP proxies to spoof the source.

After acquiring a substantial number of residential proxies, we began blocking them, which limited the actor to a smaller number of possible hosts for proxifying the traffic. This led to the resurgence of the same IPs identified earlier.

Once the actor was located using available network intelligence and timestamps, a foreign law enforcement organization, a partner of Resecurity, issued a subpoena request regarding the threat actor.

The conclusion of this activity confirms that cyber deception using synthetic data can be highly effective not only in threat intelligence gathering but also in investigative tasks. Depending on the jurisdiction, cybersecurity teams should ensure compliance with privacy laws and consult legal counsel before deploying such measures.

Update from January 3, 2026

Following our publication, the group called ShinyHunters, previously profiled by Resecurity, fell into a honeypot. In fact, we are dealing with their rebranded version, which calls itself "Scattered Lapsus Hunters" due to the alleged overlap between the threat actors ShinyHunters, Lapsus and Scattered Spider.

LAPSUS, ShinyHunters and Scattered Spider are linked to "The Com", a predominantly English-speaking cybercriminal ecosystem. This loosely organized network operates more as a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teens. Some of the announcements related to successful data breaches by these actors were published on the associated Telegram channel known as "The Comm Leaks". The FBI issued a Public Service Announcement (PSA) warning about the risks associated with joining such movements.

Our previous reports about them can be found at the following links:

Trinity of Chaos: The LAPSUS, ShinyHunters and Scattered Spider Alliance Embarks on Global Cybercrime Spree
httpswwwresecuritycomblogarticletrinityofchaosthelapsusshinyhuntersandscatteredspide

ShinyHunters Launches Data Leak Site, Trinity of Chaos Announces New Ransomware Victims
httpswwwresecuritycomblogarticleshinyhunterslaunchesdataleaksitetrinityofchaosannoun

In Telegram, the group claims to have compromised Resecurity, not realizing they have fallen into a honeypot prepared for them. The group claimed that they had gained full access to Resecurity systems, which is a clear overstatement, as the honeypot environment prepared by us did not contain any sensitive information.

The screenshots shared by the threat actors relate to honeytrapbidpresecuritycom, a system emulated with compromised data from the Dark Web and not associated with any actual Resecurity customers, and the Mattermost application, which was provisioned for the honeytrap account "Mark Kelly" around November 2025 for this purpose.

The group admitted that Resecurity's efforts disrupted their operations. Our team used social engineering to acquire data from the group and tracked their activity.

Update from January 4, 2026

The actors removed the posting from their Telegram channel.

What threat actors did not realize

Why are honeytrap accounts effective? They enable defenders to simulate a realistic environment for advanced attackers and collect valuable information about their activities.

As a result of this exercise, we were able to identify the actor and link one of his active Gmail accounts to a US-based phone number and a Yahoo account. This account was registered by the actor during the observed honeytrap activity and was logged by Resecurity:

jwhy433gmailcom

The same could be validated via Password Recovery.

All the information acquired through the use of the honeytrap has been provided to the relevant law enforcement organization investigating these actors.
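The "Payment Information (Stripe Records)" section above lists the transaction fields the decoy data had to reproduce. The following is an added example, not Resecurity's tooling: a small generator that emits schema-compliant, Stripe-style transaction and consumer records from purely constructed name pools (no breached data), keeps referential integrity between the two sets, and stamps each transaction with a keyed watermark in `metadata` so the defender can later prove that a record came from the decoy set. The id format, the watermark scheme and `DATASET_KEY` are assumptions.

```python
import hashlib, hmac, random, string
from datetime import date, timedelta

# Field set and enums the article lists for a Stripe-style transaction object.
TX_FIELDS = ("id", "amount", "currency", "created", "type", "status", "customer", "metadata")
TX_TYPES = ("charge", "refund", "payout")
TX_STATUSES = ("succeeded", "pending", "failed")
# Constructed name pools: this generator never draws on real breached data.
FIRST = ("Mark", "Dana", "Lee", "Sam", "Alex", "Kim")
LAST = ("Kelly", "Ortiz", "Chen", "Novak", "Singh", "Meyer")
ORGS = ("northwind-llc", "contoso-labs", "acme-holdings")
DATASET_KEY = b"decoy-dataset-key-CHANGE-ME"  # assumed per-dataset secret for watermarking

def stripe_style_id(rng, prefix):
    # Stripe ids are a short type prefix followed by a random alphanumeric token (assumed length).
    return prefix + "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(24))

def watermark(record_id):
    # Keyed tag: lets the defender prove a record came from this decoy set if it resurfaces.
    return hmac.new(DATASET_KEY, record_id.encode(), hashlib.sha256).hexdigest()[:12]

def make_customer(rng):
    first, last = rng.choice(FIRST), rng.choice(LAST)
    user = f"{first}.{last}{rng.randint(10, 999)}".lower()
    return {"id": stripe_style_id(rng, "cus_"), "username": user,
            "email": f"{user}@example.org",  # RFC 2606 reserved domain, never a real mailbox
            "firstname": first, "lastname": last, "organisation": rng.choice(ORGS),
            "date": (date(2023, 1, 1) + timedelta(days=rng.randint(0, 400))).isoformat()}

def make_transaction(rng, customer_id, base_ts=1_700_000_000):
    tx_id = stripe_style_id(rng, "ch_")
    return {"id": tx_id, "amount": rng.randint(100, 250_000),  # integer minor units, as Stripe does
            "currency": "usd",                                  # Stripe uses lowercase ISO codes
            "created": base_ts + rng.randint(0, 90 * 86400),    # Unix timestamp
            "type": rng.choice(TX_TYPES), "status": rng.choice(TX_STATUSES),
            "customer": customer_id,                            # foreign key into the customer set
            "metadata": {"order_ref": watermark(tx_id)}}        # watermark hidden in a plausible field

def generate_dataset(n_customers, n_transactions, seed=0):
    rng = random.Random(seed)  # seeded, so a decoy set can be regenerated and compared later
    customers = [make_customer(rng) for _ in range(n_customers)]
    ids = [c["id"] for c in customers]
    return customers, [make_transaction(rng, rng.choice(ids)) for _ in range(n_transactions)]

def validate_transaction(tx, customer_ids):
    # Schema check: exact field set and order, sane enums and amount, referential integrity,
    # and a watermark that matches this dataset's key.
    return (tuple(tx) == TX_FIELDS and isinstance(tx["amount"], int) and tx["amount"] > 0
            and tx["type"] in TX_TYPES and tx["status"] in TX_STATUSES
            and tx["customer"] in customer_ids
            and hmac.compare_digest(tx["metadata"]["order_ref"], watermark(tx["id"])))
```

Scaling the pools up (or swapping in Faker providers) gives the volume the article describes; the watermark check is what turns a scraped record seen on a marketplace into attributable evidence.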
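The section on abuse data describes how the dump attempts through rotating residential proxies, and the proxy failures that exposed the actor's own hosts, became IOCs. The following is an added example, not Resecurity's code, of how a defender turns honeytrap-account activity in an application log into that abuse data: the log lines, the line format, the decoy account name and the proxy range are all constructed for the example.

```python
import ipaddress, re
from collections import defaultdict
from datetime import datetime
# Constructed access-log lines from an emulated decoy app (not Resecurity's real logs).
# Assumed line format: "<ISO-8601 time> <src-ip> <account> <method> <path> <status>".
SAMPLE_LOG = """\
2025-12-12T09:00:01Z 203.0.113.10 mark.kelly GET /api/customers?page=1 200
2025-12-12T09:00:02Z 203.0.113.11 mark.kelly GET /api/customers?page=2 200
2025-12-12T09:00:02Z 203.0.113.12 mark.kelly GET /api/customers?page=3 200
2025-12-12T09:00:04Z 198.51.100.7 mark.kelly GET /api/customers?page=4 200
2025-12-12T09:30:00Z 192.0.2.44 alice GET /api/me 200
"""
HONEYTRAP_ACCOUNTS = {"mark.kelly"}  # decoy identities that no legitimate user holds
KNOWN_PROXY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed: ranges already tied to the actor
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts, ip, account, _method, path, _status = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "ip": ipaddress.ip_address(ip), "account": account, "path": path})
    return events

def rotating_sources(decoy, window_s=60, min_ips=3):
    # One account served from >= min_ips addresses inside one short window is a rotating-proxy
    # scraper, not a person: report the account and every address involved.
    by_acct, flagged = defaultdict(list), {}
    for e in decoy:
        by_acct[e["account"]].append(e)
    for acct, evs in by_acct.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi]["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            ips = {str(e["ip"]) for e in evs[lo:hi + 1]}
            if len(ips) >= min_ips:
                flagged.setdefault(acct, set()).update(ips)
    return {a: sorted(v) for a, v in flagged.items()}

def abuse_report(events):
    # Every source that touched a decoy account is abuse data (an IOC) by definition; one that
    # sits outside the known proxy ranges is a candidate real origin (a proxy-failure leak).
    decoy = [e for e in events if e["account"] in HONEYTRAP_ACCOUNTS]
    iocs = sorted({str(e["ip"]) for e in decoy})
    origin = [ip for ip in iocs if not any(ipaddress.ip_address(ip) in n for n in KNOWN_PROXY_NETS)]
    return {"requests": len(decoy), "iocs": iocs,
            "rotation": rotating_sources(decoy), "possible_origin": origin}
```

The `iocs` list is what gets shared with ISPs and peers; `possible_origin` is the short list worth checking against the earlier IOA before anything is attributed.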
Copyright 2026 Resecurity Inc. All rights reserved.