Resecurity Went on the Cyber Offensive – When ‘Shiny Objects’ trick ‘Shiny Hunters’

Pierluigi Paganini
January 06, 2026

Resecurity released 105 pages with 1,000+ messages tied to hacker John Erin Binns, detailing contacts with an unnamed woman in Turkey and an associate called “S.M.”

Resecurity released 105 pages containing over 1,000 messages related to John Erin Binns, a hacker who is currently not in U.S. custody, and sent a “warm hello” to an unnamed female individual residing in Turkey with another individual whom they called “S. M.”

Recently, members of the so-called “Scattered LAPSUS$ Hunters” (SLH), which researchers attribute to a broader “The Com” collective, were caught in a honeypot deployed by Resecurity. Following that, the company exposed communications of one of the key actors collected from a foreign email server. 

Resecurity stated that it will not disclose how it obtained this data, but can confirm its authenticity, which can be independently verified by examining the contacts and titles in the acquired messages. The communications include attempts to harass U.S. government personnel, State Department officials, and FBI staff. Notably, “Scattered LAPSUS$ Hunters” continued this trend by posting phone numbers and addresses of hundreds of government officials, including nearly 700 from DHS, in October last year.

Resecurity links Binns to two other actors – Cameron John Wagenius and Connor Riley Moucka – who were previously associated with the Snowflake data breach. This breach affected numerous high-profile companies and has been regarded as one of the most significant data security incidents of the decade. At least 160 organizations were reportedly targeted through vulnerabilities in the configuration and access to their Snowflake environments. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health. The stolen data was allegedly used for extortion by the “ShinyHunters” group, with hackers demanding ransoms from affected organizations in exchange for not leaking or selling the information. The group later rebranded and continued operating under a new name.

The “trio” reportedly met online and engaged in related cybercrimes, a typical scenario for members of “The Com.” Notably, Wagenius, a 20-year-old U.S. Army soldier who used the online alias “Kiberphant0m,” also attempted to connect with foreign intelligence organizations. According to Resecurity, their activity relates not only to traditional cybercrime, but could also threaten national security and have significant implications. The actors were obsessed with the idea of “mass surveillance,” made possible by compromising telecommunications providers and accessing subscriber records. In one case, an actor sought records tied to a law enforcement officer’s phone number and his network of contacts; in another, the target was an informant involved in an investigation. Wagenius was arrested after infiltrating 15 telecommunications providers while on active military duty. He reportedly published stolen AT&T call logs of high-ranking officials, including President Donald Trump and former Vice President Kamala Harris, on dark web forums.

Their accomplice, Binns, was arrested in May 2024 in Turkey based on a U.S. indictment charging him with hacking T-Mobile in 2021. According to Resecurity, he continues malicious activity and could operate under a new alias. Notably, Wagenius and Binns both attempted to leverage foreign infrastructure and online services to avoid prosecution, with the latter residing in Turkey while conducting malicious cyber activity. Based on available intelligence from Resecurity, a female individual previously linked to Moucka is currently in Turkey and is also involved in malicious activity.

The Snowflake breach had grave implications for AT&T, whose call and text message metadata involving nearly all U.S. customers was compromised. The breach prompted an unprecedented request from the U.S. Department of Justice, which asked AT&T to delay public disclosure due to national security and public safety concerns. Reports later confirmed that AT&T paid a $370,000 ransom to have the stolen data deleted.

Connor Moucka is scheduled for trial on October 19, 2026. John Binns is not currently in U.S. custody, as stated on the Department of Justice (DOJ) website.

According to Resecurity, these efforts demonstrate a strong commitment to protecting U.S. law enforcement interests and individuals working for the benefit of the nation (USA), regardless of where threat actors are, who they are, or what “hat” they wear.
