Critical Threat | Threat Actor Profile | Financially Motivated | Active | TLP:CLEAR

Scattered Spider

Financially Motivated Social Engineering Collective Targeting Enterprise Identity Systems

Aliases: UNC3944, Octo Tempest, Storm-0875, Roasted 0ktapus, Scatter Swine, Muddled Libra, Star Fraud

Origin: US/UK
Active Since: 2022
Age Range: 19-22
Arrests: 5+
Confidence: HIGH
MITRE ID: G1015

Scattered Spider is one of the most successful financially motivated threat actors of the 2020s, distinguished by sophisticated social engineering enabled by native English fluency. The group has caused hundreds of millions of dollars in damages through data theft, extortion, and ransomware deployment, including the devastating MGM Resorts attack.

Download Full Threat Actor Profile

Complete intelligence report including detailed TTPs, MITRE ATT&CK mapping, IOCs, detection rules, and defensive recommendations.


Report ID: INT-TAP-2025-SCATTERED-SPIDER • TLP:CLEAR

1. Attribution & Identity

Attribution Assessment (HIGH confidence)

Scattered Spider is a loosely organized, financially motivated threat collective composed primarily of native English-speaking individuals aged 19-22 from the United States and United Kingdom. Multiple members have been arrested and indicted since 2024, confirming law enforcement attribution.

Background

Scattered Spider is one of the most successful financially motivated threat actors of the 2020s, distinguished by their sophisticated social engineering capabilities enabled by native English fluency. The group has caused hundreds of millions of dollars in damages through data theft, extortion, and ransomware deployment.

The group targets enterprise identity providers (Okta, Entra ID) and help desks using phone calls, SMS phishing, and MFA fatigue attacks. Once inside, they rapidly escalate privileges, exfiltrate data, and deploy ransomware through partnerships with various RaaS operations.

2025 Cartelization

In 2025, Scattered Spider partnered with the DragonForce ransomware cartel, leading to high-profile attacks against Marks & Spencer, Co-op, and Harrods. Reports indicate an emerging "cartelization" of cybercrime, with Scattered Spider, LAPSUS$, and ShinyHunters forming collaborative channels.

Law Enforcement Action

Despite multiple arrests, Scattered Spider activity continues. The loose collective structure allows remaining members to continue attacks and recruit new operators.

Date | Individual | Location | Details
Jan 2024 | Noah Urban ("Sosa") | Florida, USA | Cryptocurrency theft charges
Jun 2024 | Tyler Buchanan ("TylerB") | Spain | $27M Bitcoin seized
Jul 2024 | 17-year-old | West Midlands, UK | Undisclosed charges
Nov 2024 | 5 individuals | Various | Federal indictments
Dec 2024 | Remington Ogletree | Texas, USA | Fraud charges

2. Targeting Profile

Scattered Spider has evolved from targeting telecommunications and BPO firms to high-value enterprises across multiple sectors, with a focus on organizations with valuable data and cyber insurance.

Target Sectors

Gaming & Hospitality
Retail
Financial Services
Telecommunications
Technology / SaaS
Healthcare
Manufacturing
Aviation

Target Technologies

Category | Specific Targets
Identity Providers | Okta, Microsoft Entra ID (Azure AD)
Help Desk Systems | ServiceNow, Zendesk, internal IT support
Remote Access | VPN, Citrix, RDP
Virtualization | VMware vCenter, ESXi
Cloud Platforms | AWS, Azure, GCP, Snowflake
Collaboration | Slack, Microsoft Teams

Counter-IR Tactics

Scattered Spider operators actively monitor Slack and Microsoft Teams channels for detection. They have been observed joining incident response calls to gather intelligence on defender activities.

3. Tactics, Techniques & Procedures

Scattered Spider employs a sophisticated attack methodology that combines social engineering with technical exploitation. Their MITRE ATT&CK mapping (G1015) includes the following key techniques:

Initial Access
  • T1566 Phishing (Evilginx AiTM)
  • T1078 Valid Accounts
  • T1199 Trusted Relationship

Social Engineering
  • T1598 Phishing for Info
  • T1656 Impersonation
  • T1111 MFA Interception

Persistence
  • T1136 Create Account
  • T1098 Account Manipulation
  • T1219 Remote Access Tools

Credential Access
  • T1539 Session Hijacking
  • T1003.003 NTDS Extraction
  • T1621 MFA Fatigue

Collection
  • T1530 Cloud Storage
  • T1213 Data from Repos
  • T1114 Email Collection

Impact
  • T1486 Data Encrypted
  • T1657 Financial Theft
  • T1491 Defacement

4. Signature Tradecraft: Social Engineering

Scattered Spider's primary differentiator is their exceptional social engineering capability, enabled by native English fluency and deep knowledge of enterprise IT processes.

Help Desk Vishing
Calls IT support impersonating employees requesting password or MFA resets. Uses employee information from LinkedIn and data breaches.
⚠️ Native English fluency highly convincing
SIM Swapping
Ports victim phone numbers to attacker-controlled devices through carrier social engineering or insider access.
⚠️ Enables SMS-based MFA bypass
MFA Fatigue
Bombards users with push notifications until approved out of frustration or confusion, often combined with vishing.
⚠️ User exhaustion leads to approval
Evilginx AiTM
Adversary-in-the-middle phishing that proxies the real login page and captures session tokens in real time, bypassing OTP- and push-based MFA. FIDO2/WebAuthn credentials are origin-bound and are not captured this way.
⚠️ Stolen session tokens sidestep OTP and push MFA
RMM Tool Abuse
TeamViewer, AnyDesk, ScreenConnect, ngrok, and Cloudflare tunnels for persistence and remote access.
⚠️ Legitimate software, hard to block
Counter-IR Monitoring
Joins Slack/Teams channels to monitor incident response activities and adjust tactics based on defender actions.
⚠️ Real-time intelligence on defenders

5. Ransomware Affiliations

Scattered Spider operates as an affiliate for multiple Ransomware-as-a-Service (RaaS) operations, receiving approximately 80% of ransom payments while the RaaS provider handles infrastructure.

Year | RaaS Operation | Notable Victims | Affiliate Cut
2023 | BlackCat (ALPHV) | MGM, Caesars | ~80%
2024 | RansomHub | Various enterprises | ~80%
2024 | Qilin | Various enterprises | ~80%
2025 | DragonForce | M&S, Co-op, Harrods | 80%

DragonForce "Cartel" Model

DragonForce offers a white-label "RansomBay" service allowing affiliates to rebrand ransomware. Affiliates keep 80% of ransoms while DragonForce handles infrastructure, leak sites, and technical support.


6. Notable Incidents

MGM Resorts (September 2023)
Q3 Impact: $100M | Settlement: $45M | Outage: 36hr

A 10-minute phone call to the IT help desk led to full domain compromise. Slot machines, hotel check-in, and booking systems were disabled for 36 hours. BlackCat ransomware was deployed.

Caesars Entertainment (September 2023)
Ransom Paid: $15M | Loyalty Data: Stolen

Social engineering attack compromised loyalty program member data. Caesars paid approximately $15 million ransom to prevent data leak.

Marks & Spencer (April 2025)
Lost Profits: £300M | Stock Drop: £1B

DragonForce ransomware deployment via Scattered Spider initial access. Major UK retailer suffered significant operational disruption and stock price decline.

Co-op & Harrods (May 2025)
Sector: UK Retail | Operations: Impacted

Part of the coordinated UK retail targeting campaign using DragonForce ransomware. Both organizations confirmed cyberattacks affecting operations.


7. Detection & Response

Detection Opportunities

Help Desk Indicators
  • Password reset requests with callback numbers
  • MFA enrollment from new devices
  • Requests to bypass verification procedures
  • Unusual urgency or pressure tactics

Identity Provider Alerts
  • New MFA device enrollments
  • Admin role assignments
  • SSO configuration changes
  • Impossible travel detections

RMM Tool Usage
  • TeamViewer/AnyDesk installations
  • ScreenConnect/Splashtop presence
  • ngrok/Cloudflare tunnels
  • Chisel/Teleport connections

Cloud Activity
  • Bulk data downloads from S3/Azure
  • New service principal creation
  • Snowflake query anomalies
  • Email forwarding rule creation
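An added example, not part of the original profile: a small correlation routine that turns the Help Desk and Identity Provider indicators above into one escalating alert chain (help-desk password reset, then a new MFA factor from an unfamiliar IP, then an admin role assignment within an hour). The event names, field names and sample log lines are constructed for illustration and are not the Okta or Entra ID log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample IdP audit events; field and event names are an assumption
# for illustration, not the real Okta or Entra ID log schema.
EVENTS = [
    {"ts": "2025-04-01T09:00:00", "actor": "helpdesk.agent", "user": "j.doe",
     "event": "user.password.reset", "src_ip": "10.0.5.21"},
    {"ts": "2025-04-01T09:07:00", "actor": "j.doe", "user": "j.doe",
     "event": "mfa.factor.enroll", "src_ip": "203.0.113.7"},
    {"ts": "2025-04-01T09:20:00", "actor": "j.doe", "user": "j.doe",
     "event": "admin.role.assign", "src_ip": "203.0.113.7"},
    {"ts": "2025-04-01T11:00:00", "actor": "a.smith", "user": "a.smith",
     "event": "mfa.factor.enroll", "src_ip": "10.0.5.40"},
    {"ts": "2025-04-02T08:00:00", "actor": "b.lee", "user": "b.lee",
     "event": "mail.forwarding_rule.create", "src_ip": "198.51.100.9"},
]
# Source IPs previously seen for each user (constructed baseline).
KNOWN_IPS = {"j.doe": {"10.0.5.30"}, "a.smith": {"10.0.5.40"}, "b.lee": {"10.0.5.50"}}
WINDOW = timedelta(hours=1)

def correlate(events, known_ips, window=WINDOW):
    """Return (user, event, severity) alerts; severity rises as more of the
    reset -> new factor -> admin role chain is seen within the window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        reset_at = None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            new_ip = e["src_ip"] not in known_ips.get(user, set())
            in_window = reset_at is not None and t - reset_at <= window
            if e["event"] == "user.password.reset" and e["actor"] != user:
                reset_at = t  # reset performed by someone else, e.g. the help desk
            elif e["event"] == "mfa.factor.enroll":
                sev = "high" if in_window else ("medium" if new_ip else "low")
                alerts.append((user, e["event"], sev))
            elif e["event"] == "admin.role.assign":
                alerts.append((user, e["event"], "critical" if in_window else "medium"))
            elif e["event"] == "mail.forwarding_rule.create" and new_ip:
                alerts.append((user, e["event"], "medium"))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS, KNOWN_IPS):
        print(alert)
```

In production the baseline of known IPs and devices would come from the IdP's own history rather than a static dictionary, and the reset actor check would match your help-desk service accounts.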

Defensive Recommendations

Priority Defenses
  • Deploy Phishing-Resistant MFA — FIDO2/WebAuthn keys resist AiTM attacks
  • Harden Help Desk Verification — Implement callback verification to registered numbers
  • Monitor IdP Admin Activity — Alert on MFA changes, role assignments, and SSO modifications
  • Block Unauthorized RMM Tools — Allowlist approved remote access software
  • Implement Number Porting Protections — Work with carriers to prevent SIM swaps
  • Train Staff on Vishing — Social engineering awareness for IT support
  • Monitor Collaboration Platforms — Watch for attacker reconnaissance in Slack/Teams
  • Segment Cloud Access — Limit blast radius from compromised credentials

Track Scattered Spider with BRACE

BRACE delivers monthly sector-specific threat intelligence covering Scattered Spider activity, including:

  • Scattered Spider campaign analysis and victim tracking
  • Detection rules for social engineering and MFA bypass
  • MITRE ATT&CK mappings for identity-based attacks
  • Sector-specific threat hunting playbooks
  • IOCs and behavioral indicators
