We all know honeypots can reveal interesting details about threat actors and their tactics, but it’s not every day that a threat actor sends you their own credentials. Operational security is hard. In this session, I’ll share how my team and I developed a simple Flask application to emulate an exposed Docker endpoint, and how an everyday log review led to the discovery of the X-Registry-Auth header. The header turned out to be a DockerHub token. I’ll take you down the rabbit-hole of how my team and I pivoted for additional research and derived some level of attribution.
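As an added illustration of the kind of honeypot the abstract describes (example code written for this page, not the speaker's Flask application): a minimal emulation of a Docker Engine API listener that answers the first probes a scanner sends and records any X-Registry-Auth header it receives. The Docker CLI sends that header on image push/pull as a base64url-encoded JSON object (fields such as username, password, identitytoken, serveraddress). The standard-library wsgiref server stands in for Flask so the block runs with no dependencies; the version strings, response headers and sample credentials are constructed, not taken from a real daemon. Secrets are replaced in the log by a SHA-256 fingerprint so repeat use of the same token can be correlated across sessions without writing the token itself into the log.

```python
"""Constructed Docker-API honeypot (wsgiref instead of Flask) that logs X-Registry-Auth."""
import base64
import hashlib
import json
import logging
from wsgiref.simple_server import make_server

LOG = logging.getLogger("docker-honeypot")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")

# Fields of the X-Registry-Auth JSON that carry a secret.
SECRET_FIELDS = ("password", "identitytoken", "registrytoken")


def decode_registry_auth(header_value):
    """Decode X-Registry-Auth (base64url JSON, padding optional).
    Returns the parsed dict, or None when the value is not well-formed."""
    value = header_value.strip()
    padded = value + "=" * (-len(value) % 4)
    try:
        data = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64 or bad JSON (both are ValueError subclasses)
        return None
    return data if isinstance(data, dict) else None


def summarize_auth(auth):
    """Keep the attribution-relevant fields, fingerprint the secret ones."""
    summary = {}
    for key, val in auth.items():
        if key.lower() in SECRET_FIELDS and val:
            digest = hashlib.sha256(str(val).encode()).hexdigest()[:16]
            summary[key] = "sha256:" + digest
        else:
            summary[key] = val
    return summary


def handle_request(environ):
    """Build the log event and a Docker-like response for one WSGI request."""
    method = environ.get("REQUEST_METHOD", "GET")
    path = environ.get("PATH_INFO", "/")
    header = environ.get("HTTP_X_REGISTRY_AUTH")
    event = {
        "src": environ.get("REMOTE_ADDR"),
        "method": method,
        "path": path,
        "user_agent": environ.get("HTTP_USER_AGENT"),
        "registry_auth": None,
    }
    if header:
        decoded = decode_registry_auth(header)
        # Keep a truncated copy of malformed values: they are still a useful signature.
        event["registry_auth"] = summarize_auth(decoded) if decoded else {"malformed": header[:64]}

    # Paths may be version-prefixed (/v1.41/_ping), so match on the suffix.
    if path.endswith("/_ping"):
        status, ctype, body = "200 OK", "text/plain", b"OK"
    elif path.endswith("/version"):
        status, ctype = "200 OK", "application/json"
        body = json.dumps({"Version": "20.10.7", "ApiVersion": "1.41",
                           "Os": "linux", "Arch": "amd64"}).encode()  # constructed values
    elif path.endswith("/images/create") and method == "POST":
        # "docker pull" with credentials lands here; pretend the pull started.
        status, ctype = "200 OK", "application/json"
        body = json.dumps({"status": "Pulling from library/alpine"}).encode()
    else:
        status, ctype = "404 Not Found", "application/json"
        body = json.dumps({"message": "page not found"}).encode()
    return status, ctype, body, event


def honeypot_app(environ, start_response):
    """WSGI entry point: log one JSON event per request, then answer."""
    status, ctype, body, event = handle_request(environ)
    LOG.info(json.dumps(event))
    start_response(status, [("Content-Type", ctype),
                            ("Server", "Docker/20.10.7 (linux)"),   # constructed
                            ("Api-Version", "1.41")])
    return [body]


def encode_registry_auth(auth):
    """Client-side encoding as the Docker CLI does it; used here to build sample input."""
    return base64.urlsafe_b64encode(json.dumps(auth).encode()).decode()


if __name__ == "__main__":
    # Listen on the conventional unencrypted Docker API port.
    make_server("0.0.0.0", 2375, honeypot_app).serve_forever()
```

Run it and point a Docker CLI at `tcp://<host>:2375` with `docker -H ... pull alpine` to see an event with a `registry_auth` entry; the log line is what an everyday review would surface. The fingerprint is a design choice for logs that many people read; the raw header can be stored separately with tighter access if the investigation needs the token itself.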
Presentation
Friday, March 7, 5:00 PM - 5:45 PM
Room 105