A breach by this group can begin with a phone call that lasts under ten minutes. An attacker dials a company's IT help desk, gives the name of a real employee, answers the identity questions with details pulled from public profiles and leaked records, and asks for help: a forgotten password, or a new phone that will not accept the authenticator app. The technician, doing their job, resets the credential and re-enrols multi-factor authentication on a device the attacker controls.
No malware ran. No software vulnerability was exploited. By the time anyone notices, the caller is inside the network and moving toward the systems that matter.
That is the signature of Scattered Spider, and it is why the group has been among the most damaging actors of the past three years while using almost none of the tooling the word "hacking" brings to mind. They do not break the locks. They talk someone into opening the door. This profile covers where the group came from, how it operates, the ransomware it borrows, the ecosystem it belongs to, the arrests that have not stopped it, and what an organisation can actually do about a threat that arrives as a convincing request rather than an exploit.
One group, eight names
Part of what makes Scattered Spider seem larger and more mysterious than it is comes down to naming. Almost every major vendor that encountered the group coined its own label. Mandiant called it UNC3944. Microsoft tracks it as Octo Tempest. Palo Alto's Unit 42 named it Muddled Libra.
Earlier reporting used Scatter Swine, and the group's first notable campaign gave it the handle 0ktapus, sometimes Roasted 0ktapus. Microsoft has also filed it under Storm-0875. MITRE consolidates the cluster as G1015. The threat is one loose set of people; the eight names are eight vantage points on it.
The group has been operational since at least May 2022, and it announced itself with the 0ktapus campaign that year: a phishing operation against more than a hundred organisations that compromised the communications firm Twilio and was turned away by Cloudflare, whose staff were protected by hardware security keys. From the start the membership fit a consistent description: native English speakers, mostly in the United States, the United Kingdom and Canada, many of them teenagers and young adults. They are part of the broader English-speaking cybercrime scene known as The Com, which we trace from its origins in our companion piece, what "The Com" actually is. Scattered Spider is best understood not as a company with a roster but as a reputation that a shifting set of people operate under.
Identity is the attack surface
Most intrusion groups target infrastructure: an unpatched server, an exposed service, a software flaw. Scattered Spider targets identity. Its toolkit is built around persuading the systems and people that manage who you are: help-desk vishing, SIM-swapping to intercept one-time codes, multi-factor "push bombing" that fatigues a user into approving a prompt, and adversary-in-the-middle phishing pages hosted on lookalike domains that capture both passwords and session tokens. By 2025 the group had begun automating the front end of this, using high-volume spear-phishing tooling that abuses ordinary services such as Google Voice to harvest identities at scale with little manual effort.
Once inside, the group rarely needs custom malware. It lives off the land, using the legitimate remote-management software already present in an environment and pivoting straight to the identity systems that control everything else: single-sign-on providers such as Okta, cloud directories such as Microsoft Entra ID (formerly Azure AD), and the major cloud consoles. Control of an identity provider is control of the estate, which is why an actor that gets in through a help desk can so quickly reach data, email and infrastructure without ever touching a perimeter firewall. This is the same intrusion logic we walked through in our piece from gamble to calculation: the account is the target, and the account is reached through a person.
The help desk is the front door
Scattered Spider's way in is the help desk. CISA's 2025 update to the joint advisory on the group emphasised "advanced impersonation to manipulate IT helpdesks for password resets and MFA transfers." That is the front door, and it is open for a structural reason: help desks are designed to be fast and helpful, and the identity checks they rely on are often built from information that is cheap for an attacker to obtain. An employee ID, a manager's name, a date of birth, the last four digits of a number: these are exactly the details that sit in data-broker records and old breach corpora, waiting to be assembled into a script that passes verification. We reconstructed how one such call unfolds, minute by minute, in the anatomy of a vishing attack.
This is the point at which an organisation's accumulated exposure stops being an abstract privacy concern and becomes the raw material of a breach. The caller sounds credible because the data to sound credible is available. Reducing that exposure, the broker listings and leaked records that let a stranger answer an employee's security questions, closes the path the attacker actually uses. It is also the part most organisations have never measured.
Scattered Spider's verification bypass works because the answers to your help desk's identity questions are already for sale. A Corporate Audit measures exactly what an attacker can learn about your staff before they call.
Living inside the response
Scattered Spider is a social-engineering group all the way down, including in how it stays hidden. According to CISA, once inside a network the actors search the victim's own Slack, Microsoft Teams and Exchange Online for emails and conversations about the intrusion, to learn whether they have been detected and how the security team is responding. They have been observed joining incident-response calls and remediation bridges, listening as defenders coordinate the hunt, and adjusting their approach in real time to stay ahead of it. For stealthy reconnaissance the group has used a remote-access tool reported as RattyRAT.
During an active Scattered Spider incident, then, you have to assume the adversary is in the room. Incident response has to move to out-of-band channels the attacker cannot read, and the working assumption has to be that anything discussed in the compromised environment is being watched. A group that reads your response plan as you write it is not a group you out-run on its own infrastructure.
The ransomware revolving door
Scattered Spider does not write or maintain its own ransomware. It rents, and the brand it rents changes with the market.
In the 2023 casino attacks the group deployed ALPHV/BlackCat. After ALPHV collapsed, affiliates moved to RansomHub. Through the 2025 wave the group was most associated with DragonForce, which is the partnership CISA's July 2025 update singles out, deploying the DragonForce encryptor against virtualised estates such as VMware ESXi servers, where encrypting a handful of hypervisors can take down hundreds of machines at once. We profile those partners separately, in our DragonForce and Qilin write-ups.
What persists across the casino attacks, the retail wave and everything since is the way in, not any particular strain of malware. The encryptor is a commodity the group picks up and puts down; the social engineering is what it actually brings to the job. Defending against "DragonForce" or "BlackCat" as if the malware were the threat misreads the operation: by the time an encryptor runs, the breach happened hours or days earlier, on a phone call.
A brand inside The Com
Scattered Spider is not a standalone syndicate. It is one reputation inside the larger English-speaking marketplace we describe in the silent market, drawing on an overlapping pool of people who also operate, and have operated, under other names. In 2025 that overlap became formal-looking: Scattered Spider, LAPSUS$ and ShinyHunters began presenting together under a "Scattered LAPSUS$ Hunters" banner, spinning up at least sixteen Telegram channels from August 2025 onward as each was removed and rebuilt. Some 2026 reporting now blurs Scattered Spider and ShinyHunters into a single label.
That blur reflects the federation, not a merger of personnel. These remain distinct brands that share infrastructure, tooling and contacts while keeping their own names, which is precisely the pattern we keep documenting across this ecosystem. We profiled the breach-and-resale side of it in our ShinyHunters profile. Keeping the names apart is what stops a marketing alliance from being mistaken for a command structure, and it is why the durable unit of analysis here is the market rather than any one crew.
Notable campaigns
A claim on a leak site is a claim until the victim confirms it or evidence is published; the incidents below are drawn from confirmed reporting, with that caveat applied where attribution is contested.
0ktapus (2022). The group's debut. A phishing campaign against more than a hundred organisations that breached Twilio and was repelled by Cloudflare's hardware keys, establishing both the method and the limits of password-based MFA.
MGM Resorts and Caesars Entertainment (September 2023). The watershed. Both casino operators were compromised through social engineering, with reporting describing impersonation of employees to internal IT. Caesars reportedly paid roughly $15 million; MGM declined to pay and absorbed more than $100 million in costs along with days of visible operational disruption. The pairing made the group a household name and demonstrated that the same phone-call method worked against very large, well-resourced targets.
UK retail (April–May 2025). A wave against British retailers including Marks & Spencer, Co-op and Harrods, using DragonForce ransomware. The disruption at Marks & Spencer ran for weeks and carried a material financial cost, and it reset corporate awareness of the group in the UK the way the casino attacks had in the US.
SaaS and supply chain (2025–2026). The group shifted toward large SaaS platforms, with a sustained focus on Salesforce-linked extortion and activity touching the Salesloft and Gainsight ecosystems, reaching many downstream organisations through a smaller number of trusted platforms.
Aviation (mid-2025). A sector sweep into air travel, with reported incidents at Hawaiian Airlines and WestJet, and a breach of a third-party contact-centre system affecting Qantas. The pattern, working through a sector or through a shared supplier, is characteristic of how the group scales a single proven method across many victims.
Attribution and the limits of arrests
Scattered Spider has drawn sustained, cross-border law enforcement, and the results make the case better than any analysis could.
In November 2024 the Central District of California indicted five alleged members, Ahmed Hossam Eldin Elbadawy, Noah Michael Urban, Evans Onyeaka Osiebo, Joel Martin Evans and the British national Tyler Robert Buchanan, on charges of wire fraud and aggravated identity theft tied to phishing campaigns run between September 2021 and April 2023. Urban, from Palm Coast, Florida, was subsequently sentenced to ten years in prison and ordered to pay $13 million in restitution. Buchanan, from Dundee, Scotland, arrested in Spain in June 2024, pleaded guilty in 2026 to a scheme involving more than $8 million in stolen cryptocurrency.
The enforcement continued through 2025 and into 2026. In September 2025 the United Kingdom and United States both charged Thalha Jubair and Owen Flowers; the US complaint tied Jubair to roughly 120 intrusions against 47 organisations and at least $115 million in ransom payments, while the UK charges related to the August 2024 attack on Transport for London. In April 2026, Peter Stokes, known by the alias "Bouquet," was arrested at Helsinki Airport. The adjacent Snowflake extortion case, in which Connor Moucka and John Binns were charged in the Western District of Washington, sits in the same social world.
After this run of arrests, researchers observed Scattered Spider's own activity decline, while other actors adopted the same help-desk playbook and carried on. The roster was disrupted; the method was not. The tactics proved more durable than the people who made them famous, which is the central argument of our companion piece on The Com: when the capability is a way of talking to a help desk rather than a piece of code, removing individuals does not remove the threat.
What this means for your organisation
There is no patch for a persuaded help-desk technician, which means the defences against Scattered Spider are mostly procedural and identity-centric rather than technical. The ones that matter most:
- Harden help-desk verification. Require out-of-band confirmation for password resets and MFA re-enrolment, such as a callback to a known number or manager approval, and stop accepting knowledge-based answers (employee ID, date of birth, manager's name) as sufficient proof of identity. These are the exact facts an attacker buys.
- Move to phishing-resistant MFA. Hardware security keys and FIDO2 defeat both push-bombing and adversary-in-the-middle phishing, the way they protected Cloudflare in 2022. Tightly control who is permitted to re-enrol a factor.
- Watch the identity provider. Monitor Okta, Entra and equivalent for anomalous MFA enrolments, impossible-travel sign-ins and sudden privilege changes, because the identity layer is where this group operates.
- Plan to respond out-of-band. Assume the adversary is reading Slack, Teams and email during an incident. Keep an incident-response channel they cannot see.
- Reduce what an attacker can learn before they call. The impersonation only works because the verification data is exposed. Mapping and reducing that exposure across your staff (the broker records and leaked credentials that make a caller sound like an employee) is the upstream defence. That is what a Corporate Audit measures for an organisation, and what the Lockdown closes for an individual; the broker layer specifically is the work of the Eraser.
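As an added example, not code from the original article or from any identity vendor, here is a small Python detector for the identity-layer sequence the "watch the identity provider" point describes: a help-desk password reset followed by a new MFA factor, an impossible-travel jump between the user's last sign-in and that enrolment, and a privilege grant soon after. The events are constructed, and the simplified field names and event types are an assumption for illustration rather than the real Okta System Log or Entra sign-in schema.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events in a simplified, vendor-neutral shape (assumption:
# real Okta System Log or Entra sign-in records use their own field names and
# event types, so this schema is an illustration, not a product's).
EVENTS = [
    {"t": "2025-05-01T08:30:00", "user": "alice", "type": "signin", "actor": "alice", "lat": 51.5, "lon": -0.1},
    {"t": "2025-05-01T09:00:00", "user": "alice", "type": "password.reset", "actor": "helpdesk", "lat": 51.5, "lon": -0.1},
    {"t": "2025-05-01T09:04:00", "user": "alice", "type": "mfa.enroll", "actor": "alice", "lat": 40.7, "lon": -74.0},
    {"t": "2025-05-01T09:30:00", "user": "alice", "type": "admin_role.grant", "actor": "alice", "lat": 40.7, "lon": -74.0},
    {"t": "2025-05-01T08:50:00", "user": "bob", "type": "signin", "actor": "bob", "lat": 51.5, "lon": -0.1},
    {"t": "2025-05-01T10:50:00", "user": "bob", "type": "signin", "actor": "bob", "lat": 51.6, "lon": -0.1},
]

RESET_TO_ENROL = timedelta(hours=1)    # help-desk reset, then a new factor
ENROL_TO_PRIV = timedelta(hours=24)    # new factor, then a privilege grant
MAX_KMH = 900.0                        # faster than an airliner: impossible travel
AUTH_EVENTS = {"signin", "mfa.enroll"} # events located where the user actually is

def km_between(a, b):
    """Great-circle (haversine) distance in km between two events' coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events):
    """Return sorted (user, rule) alerts for the help-desk account-takeover chain."""
    alerts, by_user = set(), {}
    for e in sorted(events, key=lambda e: e["t"]):
        by_user.setdefault(e["user"], []).append({**e, "ts": datetime.fromisoformat(e["t"])})
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            rest = evs[i + 1:]
            # Rule 1: a reset performed by someone other than the user, then a factor enrolment.
            if e["type"] == "password.reset" and e["actor"] != user and any(
                    x["type"] == "mfa.enroll" and x["ts"] - e["ts"] <= RESET_TO_ENROL for x in rest):
                alerts.add((user, "mfa_enrol_after_helpdesk_reset"))
            # Rule 2: a new factor, then an admin role grant on the same account.
            if e["type"] == "mfa.enroll" and any(
                    x["type"] == "admin_role.grant" and x["ts"] - e["ts"] <= ENROL_TO_PRIV for x in rest):
                alerts.add((user, "privilege_grant_after_enrol"))
        # Rule 3: impossible travel between consecutive user-driven authentication events.
        auth = [x for x in evs if x["type"] in AUTH_EVENTS and x["actor"] == user]
        for prev, cur in zip(auth, auth[1:]):
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            if hours > 0 and km_between(prev, cur) / hours > MAX_KMH:
                alerts.add((user, "impossible_travel"))
    return sorted(alerts)
```

Running `detect(EVENTS)` flags alice on all three rules and bob on none; in a real deployment the reset event's actor field is what separates a help-desk-initiated reset from a self-service one.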
Why the next one will look the same
The names in this profile will keep changing. Scattered Spider has already federated with other brands, lost members to prison, and continued under new arrangements, and it will do so again. What will not change is the capability. You cannot signature-block a sales pitch delivered to a person, backed by data about that person's colleagues that is already in circulation.
The defensible response follows from that. Make your people and your processes harder to impersonate, move your most sensitive trust decisions off knowledge that can be bought, and find out what an attacker can already learn about your staff before they pick up the phone. The group on the next set of front pages may have a different name. The call will sound the same.
Sources
Government and standards
- CISA et al., joint advisory AA23-320a, "Scattered Spider" (originally Nov 2023, updated 29 Jul 2025).
- MITRE ATT&CK, Group G1015 "Scattered Spider".
Threat-intelligence research
- Microsoft Security, "Protecting customers from Octo Tempest attacks across multiple industries" (16 Jul 2025).
- CrowdStrike, Scattered Spider adversary profile.
- SecurityWeek, "Scattered Spider Activity Drops Following Arrests, but Others Adopting Group's Tactics".
- IT Pro, "Scattered Spider evolved massively in 2025 — here's what to expect in 2026".
Court record (named individuals)
- US DOJ, Central District of California, "5 Defendants Charged Federally with Running Scheme that Targeted Victim Companies via Phishing Text Messages" (20 Nov 2024).
- US DOJ, Central District of California, "British National Pleads Guilty to Hacking Companies and Stealing at Least $8 Million" (Buchanan, 2026).
- US DOJ, Middle District of Florida, "Palm Coast Hacker Sentenced to 10 Years in Prison" (Urban).
- US DOJ Office of Public Affairs, "United Kingdom National Charged in Connection with Multiple Cyber Attacks" (Jubair); BBC News, "Two teenagers charged over Transport for London cyber attack".
- US DOJ, Western District of Washington, "United States v. Connor Riley Moucka and John Erin Binns" (Snowflake).
Incidents
- Wikipedia, "Scattered Spider" (overview and victim list, for navigation to primary reporting).