Sep 22, 2025

Scattered Spider: What You Need to Know

Founded around 2022, Scattered Spider is a well-known group of young, English-speaking threat actors believed to be from the US and UK. The group—which has some members as young as 16—first gained global recognition in September 2023 when they successfully hacked the internal systems of both Caesars Entertainment and MGM Resorts, obtaining sensitive data they used to extort the casinos. 

In November 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), Royal Canadian Mounted Police (RCMP), Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC), Australian Federal Police (AFP), Canadian Centre for Cyber Security (CCCS), and United Kingdom’s National Cyber Security Centre (NCSC-UK) issued a joint cybersecurity advisory (CSA) about the group, noting their use of sophisticated social engineering techniques. Known by a number of other names—including Starfraud, UNC3944, Scatter Swine, and Muddled Libra—the group has been observed targeting the IT help desks of large enterprises to steal login credentials, bypass multi-factor authentication technologies, and gain privileged access to the networks of their victims. This security advisory was updated in July 2025.

So, what can organizations do to protect themselves against this elusive and agile threat group? Below, we’ll break down how Scattered Spider operates, identify their favorite attack methods, and explore what organizations can do to avoid becoming their next victim.

PREFER TO LISTEN?

Check out our recently released podcast episode, where host Tova Dvorin and SafeBreach expert Adrian Culley break down how Scattered Spider operates and what makes them so dangerous. Listen now on Spotify or Apple Podcasts.


How It Started

While Scattered Spider’s origins go back to early 2022, they’ve evolved rapidly since then. They started with basic SIM swapping and phishing attacks, often targeting telecommunications companies as a stepping stone to other targets. They would use these initial compromises to then pivot to high-value targets. Their reputation really exploded with the high-profile attacks on major corporations in 2023, and they’ve been pretty much relentless ever since.

Scattered Spider’s motive appears to be purely financial. They don’t seem to have aspirations of making political statements or gaining significant notoriety outside of the cybercrime community. Their goal is to steal data and demand massive ransoms, or simply extort money by threatening to leak sensitive information. The only incongruity here is their skill level in tradecraft. Attribution in all things cyber is a subtle and delicate art, and it’s easy to get wrong. Exactly who is behind Scattered Spider—who is training and equipping them—remains very unclear.

How They Operate

While we don’t have a good understanding of the group’s internal makeup, we do have quite a lot of insight into how they operate—the attack code they use and their tactics, techniques, and procedures (TTPs) across the cyber kill chain. 

In a nutshell, they are masters of deception. Their entire methodology is built on a human-first approach. They don’t so much break in as simply log in. Why would you go to all that cleverness across the kill chain when you can just log in? Their TTPs are a mix of technical know-how and psychological manipulation.

It all starts with reconnaissance. They’ll scour LinkedIn, social media, and business websites to build a profile of a target employee. They’re looking for someone with a level of access—maybe an individual in IT or with a more senior role—and then they strike. It’s not just phishing—it’s spearphishing and possibly at a completely different level than most.

Common TTPs

The TTPs Scattered Spider uses to gain initial access can be organized into three broad areas: 

  • Phishing and helpdesk impersonation. This is Scattered Spider’s signature move. They’ll use the information they’ve gathered to call an organization’s IT helpdesk and impersonate a legitimate employee who is locked out. They’ll use just enough personal details to pass security questions and convince a help desk agent to reset a password. Or even worse, they may be convincing enough to have an agent re-enroll a new multi-factor authentication device. 
  • Multi-factor authentication push bombing. This is a less well-known tactic, but it entails obtaining a user’s password and then flooding their phone with repeated MFA push notifications. The hope is that the employee, out of frustration or confusion, will accept one just to make the notifications stop. Once they do, the attackers are in. We may all think we would never fall for that, but people do. The key thing to remember here is that if you did not initiate a multi-factor authentication prompt yourself, contact your IT security and help desk instantly.
  • SIM swapping. They’ll trick a mobile carrier into porting the target phone numbers to a SIM card they control. This allows them to intercept SMS-based multi-factor authentication codes and take over accounts.
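Push bombing leaves a distinctive trace in identity-provider logs: a burst of push prompts to one user in a short window, most of them denied or timed out. The following is an added example, not code from the advisory or from any vendor product, that runs a sliding-window detector over constructed log lines; the log shape, field names and thresholds are assumptions for illustration.

```python
# Added example (not from the advisory or any vendor product): detect MFA push
# bombing over constructed IdP log lines "<ISO8601 UTC> <user> mfa_push <result> <ip>".
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # per-user look-back window
THRESHOLD = 5                   # pushes within WINDOW that count as a burst

# Constructed sample: alice is bombed and finally approves; carol keeps denying; bob is normal.
SAMPLE_LOGS = """\
2025-09-22T09:00:05Z alice mfa_push denied 203.0.113.10
2025-09-22T09:00:40Z alice mfa_push timeout 203.0.113.10
2025-09-22T09:01:10Z bob mfa_push approved 198.51.100.7
2025-09-22T09:01:15Z alice mfa_push denied 203.0.113.10
2025-09-22T09:01:50Z alice mfa_push denied 203.0.113.10
2025-09-22T09:02:30Z alice mfa_push approved 203.0.113.10
2025-09-22T09:10:00Z carol mfa_push denied 192.0.2.44
2025-09-22T09:10:30Z carol mfa_push denied 192.0.2.44
2025-09-22T09:11:00Z carol mfa_push denied 192.0.2.44
2025-09-22T09:11:30Z carol mfa_push denied 192.0.2.44
2025-09-22T09:12:00Z carol mfa_push denied 192.0.2.44
""".splitlines()

def parse(line):
    ts, user, event, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result, ip

def detect_push_bombing(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for every user who received >= threshold pushes
    inside one sliding window. Severity is 'critical' if any push in the
    burst was approved (the attacker is probably in), otherwise 'high'."""
    recent = defaultdict(deque)
    alerts = {}
    for line in sorted(lines):          # fixed-width ISO-8601 prefix sorts chronologically
        ts, user, event, result, ip = parse(line)
        if event != "mfa_push":
            continue
        q = recent[user]
        q.append((ts, result, ip))
        while ts - q[0][0] > window:    # evict pushes older than the window
            q.popleft()
        if len(q) >= threshold:
            approved = any(r == "approved" for _, r, _ in q)
            alerts[user] = {
                "count": len(q),
                "severity": "critical" if approved else "high",
                "source_ips": sorted({i for _, _, i in q}),
            }
    return alerts
```

A critical alert is the signal to treat the session as compromised and revoke tokens, not merely to re-prompt the user.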

Lateral Movement & Privilege Escalation 

Once Scattered Spider has initial access, their attacks are fast and furious. They quickly pivot to lateral movement and privilege escalation. To avoid detection, they will use legitimate native tools already on the network, a technique called living off the land (LOTL). They will also install remote access tools, like AnyDesk, to maintain persistence. Their goal is to find critical data or gain access to systems that are ripe for extortion, like virtualized environments. They will also evade security controls whenever possible.

At the technical level, Scattered Spider demonstrates very sharp expertise and efficiency in breaking in, encrypting data, issuing demands, and, of course, creating major disruption in the Western world over the last two years. They are responsible for hundreds of millions in losses for the businesses that have been their victims. Amongst the most high-profile of these were MGM Resorts and Caesars Entertainment in 2023, which served as a huge wake-up call for the cybersecurity community.

For MGM Resorts, the attack shut down their slot machines, reservation systems, and hotel operations for days, costing them over $100 million. MGM reportedly did not pay the ransom, which is always a good idea. Caesars Entertainment, on the other hand, had a massive amount of customer data exfiltrated and they did, allegedly, pay a ransom of $15 million. 

More recently, Scattered Spider has been linked to attacks on major retailers like Marks & Spencer and Harrods and airlines like Qantas. These attacks demonstrate their adaptability—they are able to shift industries and targets with ease.

Why They Are So Dangerous 

Despite the arrest of a number of the group’s members, including their suspected leader, who was taken into custody in June of 2024, and two individuals being held and charged in the UK in September 2025, Scattered Spider’s operations appear to have remained largely unhindered. Their recent and highly publicized attacks have wreaked havoc on industry giants in the US and UK. This ability to persist—despite the combined efforts of law enforcement agencies around the world—makes the group particularly dangerous and can be attributed to three key characteristics.

  • First, the group’s less-than-traditional organizational structure consists of a disparate group of individuals who organize and coordinate attacks on underground forums and chat apps like Discord and Telegram. Rather than a well-defined hierarchy that is dependent on any one individual for leadership, this fluid structure has allowed Scattered Spider to carry on with their activities even when specific members are taken out of commission. 
  • Second, their reliance on social engineering means traditional endpoint security tools often miss their initial entry point. They are logging on, not breaking in, so their malicious activity is often carried out using legitimate credentials and tools. They are also known to monitor incident response calls of victim organizations to learn what the response plan is and then adapt their tactics in real time. Organizations can mitigate this by carefully validating every individual on group calls, for example by requiring cameras to be on, at least while attendees are authenticated.
  • Finally, their increasing use of ransomware-as-a-service (RaaS) and malware-as-a-service (MaaS) platforms has enabled them to quickly and easily execute sophisticated attacks against global enterprises with mature security teams. Recent reports suggest they have utilized DragonForce ransomware and the LummaC2 malware variant identified in a joint CSA in May 2025.

Scattered Spider is not untouchable, however. They are not strong in the art of operating discreetly and effectively in a clandestine environment. Scattered Spider—and groups associated with them—have committed major operational security faux pas. Many of their members have also done a poor job of keeping their personal lives and hacking lives separate. As disruptive as they have been, they are not as skilled as those investigating them. As a result, many members of the group have been arrested and are on trial or are awaiting extradition. Needless to say, we will be hearing a lot more about these members and their activities as their court cases progress. 

What You Can Do

For organizations looking to protect themselves against the likes of Scattered Spider, the key is to focus on identity and access management. Simply put, a resilient human firewall is the best defense. This includes phishing-resistant multi-factor authentication and the processes around it:

  • A move away from SMS to simple push notifications.
  • Stronger implementation of phishing-resistant methods like number matching.
  • Multi-factor authentication using physical security keys.
  • Help desk hardening.
  • Strict verification protocols that go beyond basic personally identifiable information. Specifically, use a multi-approver verification process for high-risk changes like password and MFA resets, and give particular scrutiny to outsourced IT help desks.
  • Continuous education that includes regular training of employees on social engineering tactics. Help them understand that it is okay—and even preferable—to question requests, even if they seem to be from an internal source.
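The help-desk recommendations above can be enforced as a policy check rather than left to an agent’s judgement. The following is an added example, not code from SafeBreach or from the advisory, that evaluates a help-desk ticket against the multi-approver rule; the ticket fields, the `internal:` approver prefix and the callback-to-number-on-file check are assumptions for illustration.

```python
# Added example (not from the advisory or any vendor product): policy-as-code
# for high-risk help-desk changes. Field names and role prefixes are assumed.
from dataclasses import dataclass, field

# Change types the page calls out as high risk (password and MFA resets).
HIGH_RISK = {"password_reset", "mfa_reset", "mfa_reenroll"}

@dataclass
class Ticket:
    requester: str            # account the change applies to
    change: str               # requested change type
    opened_by: str            # help-desk agent handling the call
    agent_outsourced: bool    # agent works for an outsourced help desk
    callback_verified: bool   # agent called back a number already on record (assumed check)
    approvers: list = field(default_factory=list)

def evaluate(ticket):
    """Return (approved, reasons). Low-risk changes pass with a single agent;
    high-risk changes need a callback check, two approvers who are neither the
    requester nor the handling agent, and an internal approver when the help
    desk is outsourced."""
    reasons = []
    if ticket.change not in HIGH_RISK:
        return True, reasons
    if not ticket.callback_verified:
        reasons.append("no callback to a number on record")
    distinct = {a for a in ticket.approvers
                if a not in (ticket.requester, ticket.opened_by)}
    if len(distinct) < 2:
        reasons.append("needs two approvers other than requester and handling agent")
    if ticket.agent_outsourced and not any(a.startswith("internal:") for a in distinct):
        reasons.append("outsourced help desk: an internal approver is required")
    return not reasons, reasons
```

The returned reasons are what the ticketing system should show the agent, so a denied reset explains exactly which control was not met.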

Of course, it’s also critical to constantly simulate attacks against your internal network infrastructure. Use a proven platform, like the SafeBreach Exposure Validation Platform, to continuously validate your security controls against the TTPs of threat actors like Scattered Spider. We know a huge amount about how Scattered Spider operates across the kill chain, from infiltration and host-level activity to LOTL lateral movement and exfiltration. Organizations can use this to their advantage to identify and fix gaps before an attacker can exploit them.

With a threat actor like Scattered Spider, it’s not just about technology; it’s also about the people and the processes. They have proven that human and procedural vulnerabilities are often the biggest security holes. And that’s why it’s impossible to rely on CVE-based tools alone. Platforms like SafeBreach zero in on the identity and access-management issues in your systems as well. By focusing on these areas, organizations can significantly increase their cyber resilience.

Interested to see how the SafeBreach Exposure Validation Platform can help you test like real attackers—and prove you’re ready for Scattered Spider threats and more? See the platform solution brief, then schedule a personalized demo to see it in action.
