
Unveiling Scattered Spider: A Dynamic Collective of Young Hackers from the UK and US Specializing in Precise Cyber Operations

July 4, 2025

Summary

Scattered Spider is a loosely organized, transatlantic collective of primarily young hackers based in the United Kingdom and the United States, specializing in sophisticated and targeted cyber operations against large organizations. Emerging around mid-2022, the group is notable for its heavy reliance on advanced social engineering techniques—including phishing, SIM swapping, and multi-factor authentication (MFA) fatigue attacks—to gain unauthorized access to corporate networks, often by manipulating IT help desk personnel. Rather than a centralized organization, Scattered Spider operates as a dynamic affiliate network embedded within a broader cybercriminal community known as “the Com,” encompassing approximately 1,000 members across multiple countries.
The collective has targeted sectors such as telecommunications, technology, retail, finance, and aviation, with notable attacks including ransomware deployments against UK retailers like Marks & Spencer and breaches affecting American airlines. Their modus operandi involves exploiting human trust and leveraging legitimate tools to evade detection, which complicates attribution and mitigation efforts. Scattered Spider is also linked to high-profile ransomware groups such as ALPHV (BlackCat), forming strategic alliances to amplify their impact through data theft and extortion campaigns.
Law enforcement agencies, including the FBI and the UK’s National Crime Agency, have coordinated international efforts resulting in multiple arrests and indictments charging members with offenses such as conspiracy to commit wire fraud and aggravated identity theft. Despite ongoing legal actions, the group’s decentralized structure enables continued operations and rapid adaptation to countermeasures. The group’s cybercriminal activities have prompted significant public scrutiny and legal consequences, including a $45 million settlement by MGM Resorts following a data breach attributed to Scattered Spider affiliates.
Cybersecurity experts emphasize the group’s unique combination of technical expertise and social engineering sophistication as a key factor in its persistence and success. In response, government agencies and organizations have issued advisories recommending enhanced security awareness training, robust MFA implementation, and continuous network monitoring to mitigate risks posed by Scattered Spider’s evolving tactics. The group’s emergence underscores the growing complexity and globalization of cyber threats, highlighting challenges faced by defenders in protecting critical infrastructure and corporate environments from adaptive, human-centric attack methods.

Origins and Formation

Scattered Spider is not a single, unified hacking group but rather a distributed collective of cybercriminals sharing similar techniques and objectives. The name “Scattered Spider” was coined by cybersecurity firm CrowdStrike; however, other vendors have labeled overlapping threat activities under different aliases such as UNC3944 (Mandiant), Octo Tempest (Microsoft), 0ktapus (Group-IB), Muddled Libra (Unit 42), and Scatter Swine (Okta). These labels all refer to components of a broader community rather than a centralized organization.
The collective known as Scattered Spider is believed to have formed around May 2022, initially focusing its operations on telecommunications firms through tactics such as SIM swap scams, multi-factor authentication fatigue attacks, and phishing conducted via SMS and Telegram. This group is part of a larger global hacking network often referred to as “the Community” or “the Com,” which comprises approximately 1,000 individuals, mostly young and English-speaking, likely based in the United Kingdom and the United States. Members of this community have been implicated in hacking major American technology companies and conducting high-profile breaches.
The Community, from which Scattered Spider emerged, is known for its loosely organized structure. It operates across multiple online platforms such as Discord, Telegram, and cybercrime forums, facilitating collaboration among members who share resources and techniques. This decentralized nature makes attribution challenging and complicates law enforcement efforts.
Legal actions against individuals associated with the group reveal that members primarily target large companies as well as their telecommunications, information technology, and business process outsourcing suppliers. Several arrests linked to Scattered Spider have been made in the United States, Spain, and the United Kingdom, with indictments charging members with conspiracy to commit wire fraud and aggravated identity theft among other offenses. Despite the absence of the Scattered Spider name in some court documents, the group is consistently described as a financially motivated cybercriminal network leveraging coordinated intrusion techniques derived from the broader Community.

Organizational Structure

Scattered Spider operates as a loosely organized and highly distributed network of cybercriminals rather than a rigid, hierarchical group. Its members are primarily young, English-speaking individuals based in the UK, US, Canada, Australia, and various parts of Europe and Asia. This decentralized and international composition contributes to the group’s persistence and adaptability, as members can quickly fill operational gaps left by arrests or departures, continuously evolving their tactics and tools.
The group functions as an affiliate network with overlapping memberships and collaborations, sometimes referred to by aliases such as UNC3944, Muddled Libra, Octo Tempest, Scatter Swine, and Starfraud. This fluid affiliation model allows for flexible coordination among actors who specialize in different targets and techniques. Some members focus on high-profile corporate intrusions, while others concentrate on niche operations like compromising cryptocurrency accounts, exemplifying the varied focus within the network.
Scattered Spider leverages social engineering heavily, with a particular emphasis on targeting IT helpdesk personnel at organizations to obtain rapid account resets and unauthorized access. Mid-level IT staff and network engineers are frequent targets, often deceived through impersonation built on publicly available information. The group uses tools like ngrok and Tailscale to facilitate their intrusions, and its callers typically speak with American accents during these social engineering calls, underscoring the sophistication and coordination present within the collective.

Operations and Techniques

Scattered Spider is a cybercriminal collective known for its dynamic and multifaceted approach to cyber operations, primarily targeting large organizations across industries such as technology, telecommunications, retail, and finance. The group heavily relies on advanced social engineering tactics to gain initial access, often leveraging human trust and exploiting weaknesses in authentication systems to bypass security controls.
A cornerstone of Scattered Spider’s operations is the use of social engineering techniques, including phishing, smishing, and SIM swapping. Smishing involves sending fraudulent text messages that deceive victims into installing malware or disclosing sensitive information, while SIM swapping enables attackers to take control of a target’s phone number by convincing mobile carriers to transfer it to devices they control. This allows the group to intercept multi-factor authentication (MFA) prompts, facilitating unauthorized access to accounts and critical systems.
The group frequently employs MFA bypass methods such as MFA prompt bombing and fatigue attacks. These tactics involve overwhelming targets with repeated authentication requests, eventually coercing them into approving fraudulent login attempts. Such methods have been highlighted in notable incidents, including those involving the threat group LAPSUS$, whose techniques closely mirror those used by Scattered Spider.
In addition to social engineering, Scattered Spider exploits legitimate tools and “living off the land” techniques to evade detection and navigate victim networks. They repurpose allowlisted applications and frequently adjust their tactics, techniques, and procedures (TTPs) to stay ahead of defensive measures. This operational agility makes their campaigns particularly difficult to detect and mitigate.
Phishing campaigns conducted by Scattered Spider often utilize typosquatted domains and sophisticated phishing kits designed to bypass MFA protections. By registering domains with specific keywords and hosting them on infrastructure linked to their known operations, the group creates convincing attack vectors that enhance their success rate. Moreover, Scattered Spider targets managed service providers (MSPs) and IT vendors as a force multiplier, leveraging access to one compromised entity to infiltrate multiple organizations simultaneously.
The collective also exploits help-desk systems through social engineering, impersonating employees or IT personnel to reset credentials and escalate privileges. This approach is compounded by organizational cultures that prioritize speed over scrutiny, leaving help desks vulnerable to manipulation and unauthorized access.
Scattered Spider’s operational model is closely linked with major ransomware groups such as ALPHV, RansomHub, and DragonForce, with which it forms strategic alliances to deploy ransomware tools and conduct ransom negotiations. Their fluency in English and understanding of Western organizational structures aid in these sophisticated social engineering efforts.
Given their reliance on social engineering and impersonation across the attack lifecycle, cybersecurity experts emphasize the importance of comprehensive security awareness training, particularly focusing on vishing, impersonation, and help-desk hardening. Additionally, the adoption of modern MFA solutions and continuous monitoring are critical in mitigating the risks posed by Scattered Spider’s evolving tactics.
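The MFA prompt-bombing pattern described above is one of the anomalous authentication activities the monitoring advice in this section is meant to catch. The following Python is an added example, not code from the original article or from any vendor: it flags push-fatigue bursts in a constructed authentication log. The log format, event names, source IPs and thresholds are assumptions made for the example.

```python
"""Flag MFA push-fatigue (prompt bombing) bursts in an authentication log.

Assumed log format (constructed for this example, not any vendor's real
format): '<ISO timestamp> <user> <event> <source IP>' with events
push_sent, push_denied, push_timeout and push_approved.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice receives a burst of pushes she denies or
# ignores and finally approves one (the fatigue outcome); bob is a normal
# single-prompt login. IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2025-07-04T02:14:05Z alice push_sent 203.0.113.7
2025-07-04T02:14:40Z alice push_denied 203.0.113.7
2025-07-04T02:15:10Z alice push_sent 203.0.113.7
2025-07-04T02:15:55Z alice push_timeout 203.0.113.7
2025-07-04T02:16:20Z alice push_sent 203.0.113.7
2025-07-04T02:16:48Z alice push_denied 203.0.113.7
2025-07-04T02:17:30Z alice push_sent 203.0.113.7
2025-07-04T02:18:15Z alice push_timeout 203.0.113.7
2025-07-04T02:19:02Z alice push_sent 203.0.113.7
2025-07-04T02:19:50Z alice push_timeout 203.0.113.7
2025-07-04T02:20:30Z alice push_sent 203.0.113.7
2025-07-04T02:21:02Z alice push_approved 203.0.113.7
2025-07-04T09:03:11Z bob push_sent 198.51.100.22
2025-07-04T09:03:20Z bob push_approved 198.51.100.22
"""


def parse_line(line: str):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_fatigue(log_text: str,
                        window: timedelta = timedelta(minutes=10),
                        threshold: int = 5) -> list:
    """Return one alert per user who received at least `threshold` push
    prompts inside any `window`. Each alert records how many prompts were
    denied or timed out, whether an approval followed the burst, and the
    source IPs seen, which is what a triage analyst needs first."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = parse_line(line)
        by_user[user].append((ts, event, ip))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        sends = [ts for ts, ev, _ in events if ev == "push_sent"]
        for i, start in enumerate(sends):
            # Grow a window forward from this send and count prompts in it.
            burst = [t for t in sends[i:] if t - start <= window]
            if len(burst) < threshold:
                continue
            end = burst[-1]
            # Look slightly past the burst so a late approval is attributed to it.
            in_burst = [e for e in events if start <= e[0] <= end + window]
            alerts.append({
                "user": user,
                "burst_start": start.isoformat(),
                "prompts_sent": len(burst),
                "denied_or_timed_out": sum(
                    ev in ("push_denied", "push_timeout") for _, ev, _ in in_burst),
                "approved_after_burst": any(ev == "push_approved" for _, ev, _ in in_burst),
                "source_ips": sorted({ip for _, _, ip in in_burst}),
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert where `approved_after_burst` is true is the highest-priority case, since it indicates the user eventually accepted a prompt they did not initiate.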

Geographic Scope and Areas of Influence

Scattered Spider is a dispersed, international network of cybercriminals primarily composed of native English speakers operating from the UK, the US, Canada, Australia, and parts of Europe and Asia. This broad geographic distribution allows the group to maintain persistence and adaptability, as new members quickly replace those who are arrested or otherwise leave, continuously evolving their tools and tactics.
The group initially gained prominence for targeting UK-based retailers, including Marks & Spencer (M&S), where they deployed ransomware—malicious software that locks victims’ files—an attack method more commonly associated with Russian-speaking cyber gangs than with English-speaking actors. The focus on specific industries and geographies, such as UK retail, exemplifies their strategic precision and specialization. This regional targeting has led the UK’s National Cyber Security Centre to issue advisories urging businesses to be vigilant, particularly regarding IT help desk password reset protocols, which Scattered Spider exploits.
Beyond retail, Scattered Spider has expanded its influence into other sectors and countries. Google-owned cybersecurity firm Mandiant has linked the group to multiple incidents in the US insurance sector and identified similar attack patterns in the airline and transportation industries. This expansion is further evidenced by recent cyber incidents reported by Alaska Air Group’s Hawaiian Airlines and Canada’s WestJet, with the FBI acknowledging Scattered Spider’s growing focus on the aviation sector. The FBI is actively collaborating with industry partners to mitigate these threats and assist victims.
Scattered Spider’s operational infrastructure spans multiple continents, leveraging platforms such as Discord and Telegram to coordinate attacks and share information. Their distributed and fluid network structure makes them a particularly challenging adversary to counter, as traditional defenses like firewalls and antivirus software are insufficient against their evolving tactics and social engineering methods.

Impact and Significance

Scattered Spider has emerged as a highly disruptive cybercrime group known for its sophisticated and targeted operations, significantly impacting a wide range of sectors including critical infrastructure and the airline industry. Their activities have been characterized by precise social engineering tactics, such as impersonating employees or contractors to deceive IT help desks, enabling unauthorized access to sensitive systems. This exploitation of human trust not only facilitates initial breaches but also allows the group to infiltrate supply chains by compromising managed service providers (MSPs) and leveraging remote monitoring and management (RMM) software, thereby scaling their ransomware deployments and data theft operations.
The group’s operations frequently involve data theft followed by extortion, often utilizing BlackCat/ALPHV ransomware to amplify their demands. Their adoption of double extortion techniques—where stolen data is used as leverage to pressure victims into paying ransoms—marks a significant evolution in ransomware tactics, posing a serious threat to businesses highly dependent on IT providers. Additionally, Scattered Spider’s methods include sophisticated credential theft via phishing and SIM swapping, allowing persistent and unauthorized network access over extended periods.
The broader significance of Scattered Spider lies in their contribution to a troubling trend of collaboration between Russia-aligned cyber actors and English-speaking groups, overcoming previous cultural and operational security barriers to conduct cross-regional attacks on Western organizations. This trend underscores the increasing complexity and globalization of cyber threats.
In response to their impact, federal agencies like the FBI and CISA emphasize the critical need for organizations to enhance cybersecurity postures by adopting multifaceted mitigation strategies. These include prioritizing employee awareness and training to recognize social engineering, strengthening multi-factor authentication (MFA) and least-privilege access policies, restricting unsanctioned applications, and deploying robust monitoring to detect anomalous activities such as unusual authentication or lateral movement within networks. Such measures are vital to counter the group’s sophisticated social engineering tactics and reduce the likelihood and severity of attacks perpetrated by Scattered Spider.

Distinctive Operational Characteristics

Scattered Spider, also tracked under aliases such as UNC3944, Muddled Libra, Octo Tempest, Scatter Swine, and Starfraud, exhibits a unique blend of technical prowess and social engineering sophistication that sets it apart in the cyber threat landscape. The group’s operational methods are distinguished by their strategic focus on exploiting human trust, particularly through social engineering tactics that manipulate help desk personnel to reset victim account passwords and bypass multi-factor authentication (MFA).
A hallmark of Scattered Spider’s approach is its heavy reliance on social engineering techniques such as vishing, impersonation, and phishing campaigns leveraging typosquatted domains and advanced phishing kits like Evilginx. These tools enable the group to circumvent MFA protections effectively and gain initial access to high-value targets. Notably, members of the group are often fluent in English with American accents, enhancing their ability to convincingly impersonate employees or contractors and deceive IT support teams.
Technically, Scattered Spider employs modular, stealthy payloads tailored precisely to their target environments, enabling them to operate covertly and maintain persistence without raising suspicion. The group abuses misconfigured Microsoft Certificate Services templates to issue their own domain certificates, facilitating stealth privilege elevation and lateral movement across trust boundaries. They also deploy signed yet vulnerable kernel drivers to disable system protections and escalate privileges to SYSTEM level, granting deep host access while evading detection.
Scattered Spider’s operational scope includes targeting managed service providers (MSPs) and IT vendors to leverage “one-to-many” access, allowing them to compromise multiple organizations from a single breach. This tactic expands their impact across sectors such as retail, technology, finance, and aviation. Through strategic alliances with major ransomware operators like ALPHV, RansomHub, and DragonForce, the group gains access to ransomware deployment platforms and negotiation channels, enhancing their threat capabilities.
Moreover, the group’s ability to conduct SIM-swapping and intercept cell phone communications enables them to intercept MFA prompts and conduct unauthorized account takeovers, complementing their help desk social engineering techniques. Their lateral movement within networks mimics legitimate administrative workflows by leveraging harvested credentials and system insights, further complicating detection and response efforts.

Responses from Governments and Organizations

Governments and cybersecurity organizations have responded to the threats posed by Scattered Spider with coordinated efforts aimed at mitigation, investigation, and public awareness. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories encouraging critical infrastructure entities to implement specific recommendations designed to reduce both the likelihood and impact of cyberattacks attributed to Scattered Spider actors. These recommendations are aligned with the MITRE ATT&CK for Enterprise framework, version 14, providing a structured approach to identifying and countering the group’s tactics and techniques.
In addition to mitigation guidance, the FBI and CISA actively seek information from the public and affected organizations to aid in investigations. They have requested samples such as ransom notes, communications with the group, Bitcoin wallet information, decryptor files, and encrypted file samples. However, both agencies strongly discourage paying ransoms, noting that such payments do not guarantee data recovery and may further incentivize criminal activity.
Law enforcement actions have led to several arrests connected to Scattered Spider operations. Notably, an individual named Evans was arrested by the FBI in November 2024, while Buchanan was apprehended in Spain earlier that year. A 17-year-old from the UK and another suspect arrested in January also face charges related to activities including SIM swapping attacks in Florida.
The impact of Scattered Spider’s cyber activities has also prompted significant legal responses. After breaches involving major casino operators such as MGM and Caesars, these companies faced class-action lawsuits citing failures to adequately secure customer data and breaches of contract. MGM notably agreed to a $45 million settlement in January 2025 to compensate breach victims.
These responses underscore the multifaceted approach taken by governments and organizations to confront Scattered Spider’s evolving cyber threats, combining proactive mitigation strategies, legal actions, and international law enforcement cooperation to disrupt the group’s operations and limit their impact.

Countermeasures and Defense Strategies

To mitigate the risks posed by Scattered Spider threat actors, organizations are strongly encouraged to adopt a comprehensive set of cybersecurity measures that address both technical vulnerabilities and human factors. The

Controversies and Legal Issues

Scattered Spider, a loosely organized cybercriminal group primarily composed of young hackers from the UK and the US, has been involved in numerous high-profile cyberattacks and associated legal battles. The group has been linked to breaches targeting major corporations, including casino operators MGM and Caesars, resulting in extensive data theft and subsequent litigation.
The group employed sophisticated fraudulent techniques such as text phishing and SIM swapping to obtain legitimate employee credentials, granting them unauthorized access to corporate networks between late 2021 and spring 2023. Their operations have caused significant financial and reputational damage to targeted companies, with MGM agreeing to a $45 million settlement to compensate victims of one such breach in January 2025.
Several members of Scattered Spider have faced federal criminal charges, including conspiracy to commit wire fraud, conspiracy, and aggravated identity theft. Notable defendants include Ahmed Hossam Eldin Elbadawy (aka AD), Noah Michael Urban (aka Sosa and Elijah), and Tyler Robert Buchanan, among others. Arrests have been made internationally, with Buchanan apprehended in Spain in June 2024 and other members arrested in the US and UK.
The group’s notoriety has led law enforcement agencies, such as the FBI and CISA, to intensify efforts to track and disrupt their activities. In addition to arrests, authorities have issued calls for public assistance in gathering intelligence, including ransom notes, Bitcoin wallet information, and decryptor files related to Scattered Spider’s attacks. Despite these efforts, agencies caution against paying ransoms, as doing so does not guarantee data recovery.
Moreover, Scattered Spider has exploited technical vulnerabilities, such as abusing misconfigured Microsoft Certificate Services templates, to stealthily elevate privileges and move laterally within compromised networks without detection. This tactic underscores the group’s evolving sophistication and the ongoing challenges faced by cybersecurity defenders.

Public Perception and Media Coverage

Scattered Spider has attracted significant attention from cybersecurity experts and the media due to its unique profile and the scale of its operations. The group is recognized as one of the most dangerous and active hacking collectives currently being monitored, with over 100 targeted attacks reported across multiple industries including telecommunications, finance, retail, and gaming since their emergence in 2022. This notoriety has been amplified by statements from prominent cybersecurity figures, such as Graeme Stewart, head of public sector at Check Point, who highlighted the group’s sophisticated and ongoing threat.
Media coverage has also focused on the distinctive characteristics of Scattered Spider, particularly their targeting patterns and operational methods. Unlike many ransomware gangs which are often linked to Russian-speaking actors, Scattered Spider comprises young, English-speaking hackers primarily from the UK and US, specializing in precise cyber operations. Their focus on specific industries and geographies, along with the use of platforms like Discord and Telegram for communication, marks a deviation from typical cybercriminal profiles. High-profile incidents, such as the breach of Marks & Spencer where personal data of thousands of customers was compromised, have further elevated public and media scrutiny.
The group’s connection to a broader cybercriminal network known as “The Com” has also been a focal point in media narratives, emphasizing the loosely organized yet financially motivated nature of their activities. Law enforcement efforts, including arrests coordinated between the U.K. National Crime Agency and the U.S. FBI, have been widely reported, underscoring the international response to their operations. This coverage has contributed to increased awareness and warnings issued by cybersecurity agencies, urging businesses to recognize and defend against Scattered Spider’s specific tactics.
