By Travis DeForge, Director of Offensive Cybersecurity, and McKaila Posey, Cybersecurity Manager, Abacus Group
In the ever-evolving landscape of cyber threats, few groups have captured the attention of cybersecurity professionals like Scattered Spider. First surfacing in 2022, Scattered Spider was notable for operating less like an organized business, as many ransomware gangs do, and more like a loose coalition of skilled English-speaking threat actors. Known for their audacious tactics, youthful membership, and high-profile breaches, this group has emerged as a noteworthy, decentralized cybercrime collective, quickly becoming one of the most disruptive forces in the world of cybercrime.
Who Is Scattered Spider?
As with many Advanced Persistent Threats (APTs), Scattered Spider is also tracked under numerous aliases, including UNC3944, Octo Tempest, Muddled Libra, and Starfraud. Composed primarily of teenagers and young adults in the US and UK, they conduct their operations through platforms like Telegram and Discord, allowing them to collaborate in real-time and share tools, tactics, and stolen data.
Scattered Spider has been linked to a string of notorious cyberattacks since 2023. Some of the most prominent include:
- Twilio, Mailchimp, and DoorDash: Early campaigns focused on credential theft and data exfiltration.
- MGM Resorts and Caesars Entertainment (2023): These attacks disrupted operations, leading to multimillion-dollar ransom payments.
- Marks & Spencer (2025): A recent breach attributed to Scattered Spider that targeted sensitive customer and employee data.
While these examples may be among the most well-known, many organizations have been targeted across the Telecommunications, Financial Services, Retail, Insurance, and Critical Services sectors. Scattered Spider's targeting seems less fixated on a particular industry than on targets of opportunity, which often share three elements:
- The presence of high-value data
- Complex IT infrastructure
- Outsourced or vulnerable help desk operations
Despite several arrests, the group's decentralized structure has made it remarkably resilient to law enforcement efforts. Perhaps the most prominent of these arrests was that of Noah Michael Urban, who pleaded guilty in April 2025 to Wire Fraud, Aggravated Identity Theft, and Conspiracy to Commit Wire Fraud, with total losses to victims estimated between $9.5 million and $25 million. In July 2025, four alleged Scattered Spider members were arrested, including one minor under the age of 18, in connection with the Marks & Spencer, Co-op, and other recent cyber incidents targeting major retailers.
Tactic: Social Engineering at Its Most Sophisticated
Scattered Spider is best known for its highly targeted social engineering attacks, which often serve as the entry point for more destructive campaigns. Their tactics include:
- Phishing and Smishing: Sending deceptive emails, SMS messages, or chats over collaboration platforms such as Teams to trick users into revealing credentials.
- Helpdesk Impersonation: Impersonating employees to manipulate IT staff into resetting passwords or bypassing MFA protections, or posing as help desk staff to deceive employees into sharing confidential information or installing malicious software.
- SIM Swapping: Hijacking phone numbers to intercept MFA codes.
- Deep-fake Voice Calls: Using AI-generated audio, or even live voice cloning, to impersonate executives or IT personnel.
None of these tactics are particularly new; even deep-fake voice calls have been prevalent for a couple of years at this point. The sophistication and quality of Scattered Spider's social engineering campaigns, however, are proving highly effective at bypassing organizational defenses.
Scattered Spider has also been observed taking advantage of previous data breaches to gain more information about their targets, mainly executive level employees, relying on the priority and urgency traditionally placed around requests from leadership team members. With many organizations over-provisioning access for executive users, this can allow the attacker to quickly perform reconnaissance on the organization’s infrastructure and escalate privileges further in many cases.
Unlike many other APTs, Scattered Spider is not tied to specific industries or systems; instead it focuses on high-value targets, such as those in retail, telecommunications, entertainment and, most recently in 2025, airlines. The group tends to concentrate on one industry for months at a time before shifting its attention to another field.
Another distinctive aspect of Scattered Spider's strategy is its arsenal. Instead of custom malware, Scattered Spider relies on legitimate features and tools already present on devices to execute attacks, known as Living-Off-The-Land techniques, together with commercially available off-the-shelf ransomware and other tools. This includes using well-known remote connection software such as AnyDesk and TeamViewer to establish persistence that can often go undetected by EDR tools. On top of this, Scattered Spider targets BYOD workstations, such as the personal devices that contractors or other employees use for work, which often have no corporate security protections yet have access to the same corporate data.
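The persistence pattern described above, legitimate remote-access tools such as AnyDesk and TeamViewer landing on managed and unmanaged hosts alike, is something a defender can hunt for in process-creation telemetry. The following is an added example (not code from the article or its authors): it triages constructed, Sysmon-style process events against a hypothetical approved-RMM baseline and managed-device inventory, and raises severity for per-user installs and for hosts outside the inventory (the BYOD gap the text describes). Event format, host names, tool lists and severity rules are all assumptions.

```python
import json

# Remote-access tools by image name (hypothetical list; extend for your estate).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
                       "screenconnect.clientservice.exe"}
# Hypothetical baseline: the single RMM tool corporate IT is sanctioned to run.
APPROVED_TOOLS = {"screenconnect.clientservice.exe"}
# Hypothetical managed-device inventory; any other host is treated as unmanaged/BYOD.
MANAGED_HOSTS = {"WS-FIN-01", "WS-HR-07"}

# Constructed sample events (Sysmon event 1 fields, flattened to JSON lines).
SAMPLE_EVENTS = r"""
{"host":"WS-FIN-01","user":"CORP\\jdoe","image":"C:\\Program Files\\ScreenConnect Client\\ScreenConnect.ClientService.exe","parent":"services.exe"}
{"host":"WS-FIN-01","user":"CORP\\jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","parent":"chrome.exe"}
{"host":"LAPTOP-CONTRACTOR","user":"LAPTOP-CONTRACTOR\\bob","image":"C:\\Users\\bob\\AppData\\Local\\TeamViewer\\TeamViewer.exe","parent":"explorer.exe"}
{"host":"WS-HR-07","user":"CORP\\asmith","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe"}
{"host":"WS-HR-07","user":"CORP\\asmith","image":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","parent":"services.exe"}
"""


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_events(raw: str) -> list:
    """Return one finding per execution of a remote-access tool outside the approved baseline."""
    findings = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        name = image_name(ev["image"])
        if name not in REMOTE_ACCESS_TOOLS or name in APPROVED_TOOLS:
            continue  # not a remote-access tool, or it is the sanctioned one
        managed = ev["host"] in MANAGED_HOSTS
        # A user-profile path means a per-user install that bypassed software deployment controls.
        user_profile = "\\users\\" in ev["image"].lower()
        severity = "high" if (not managed or user_profile) else "medium"
        findings.append({"host": ev["host"], "user": ev["user"], "tool": name,
                         "managed_host": managed, "user_profile_install": user_profile,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['tool']} on {f['host']} by {f['user']} "
              f"(managed={f['managed_host']}, user-profile={f['user_profile_install']})")
```

In a real deployment the managed-host check would query the MDM or asset inventory, and findings would feed an alert rather than stdout.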
Scattered Spider represents a new decentralized paradigm in cybercrime: young, agile, and dangerously effective. Their success underscores the urgent need for organizations to harden their defenses, particularly around identity verification, MFA, and employee training.
As the group continues to evolve and collaborate with global ransomware syndicates, staying ahead of their tactics will require not just better technology, but a deeper understanding of the human vulnerabilities they so expertly exploit. End user security awareness training is a fundamental element that should be incorporated in all security programs; conducting a full-scale social engineering engagement using the same advanced tactics, techniques and procedures (TTPs) leveraged by Scattered Spider is a way to take your organizational preparedness to the next level.