
Insights into the Infamous Cybercriminal Collective, Scattered Spider

Notorious hacker group draws scrutiny from multiple governments worldwide.


In September 2023, a new cybercriminal group known as Scattered Spider emerged on the scene with a ransomware attack against MGM Resorts, costing the company over $100 million. Since then, Scattered Spider has continued to pose a significant threat to various industries, particularly in the UK and the US.

The group, also known as Muddled Libra, Octo Tempest, Scatter Swine, and UNC3944, is not a consolidated, centralized unit but rather operates in multiple subsets. Comprised largely of English-speaking young men, including many teenagers, from the US and the UK, Scattered Spider is estimated to have as many as 1,000 members.

In April 2025, Scattered Spider launched a series of social-engineering attacks against three major British retail companies: Marks & Spencer, Harrods, and Co-op. The latest attack spree, which began in April, is estimated to have cost 440 million British pounds.

Scattered Spider's techniques are advanced and sophisticated. They employ social engineering methods such as phishing, push bombing, and SIM swap attacks to obtain credentials and bypass multi-factor authentication. The group also impersonates company employees or IT/help desk staff to deceive victims into revealing credentials or installing remote access tools.
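One way a defender can flag the push bombing pattern described above, shown as an added example that is not from the original article: it scans MFA push events for a burst of denied or timed-out prompts per user and raises the severity when an approval follows the burst. The event tuple layout, the 10-minute window, and the threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (timestamp, user, result).
# The field layout is an assumption, not any vendor's log schema.
SAMPLE_EVENTS = [
    ("2025-01-10T02:14:05", "alice", "denied"),
    ("2025-01-10T02:14:40", "alice", "timeout"),
    ("2025-01-10T02:15:10", "alice", "denied"),
    ("2025-01-10T02:15:55", "alice", "denied"),
    ("2025-01-10T02:16:30", "alice", "approved"),  # approval right after a burst
    ("2025-01-10T09:00:00", "bob", "denied"),
    ("2025-01-10T09:00:20", "bob", "approved"),    # single mistap, then normal login
    ("2025-01-10T11:00:00", "carol", "denied"),
    ("2025-01-10T11:01:00", "carol", "denied"),
    ("2025-01-10T11:02:00", "carol", "timeout"),   # burst that was never approved
]

def detect_push_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Flag users with >= threshold failed pushes inside a sliding window.

    severity "medium": burst of denied/timed-out prompts, no approval yet
    severity "high":   an approval arrived while the burst was still in the window
    """
    recent = defaultdict(deque)  # user -> timestamps of failed pushes in window
    alerts = {}                  # user -> most severe alert seen so far
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            already_high = alerts.get(user, {}).get("severity") == "high"
            if len(q) >= threshold and not already_high:
                alerts[user] = {"user": user, "severity": "medium",
                                "failed": len(q), "at": ts_raw}
        elif result == "approved":
            if len(q) >= threshold:  # user gave in (or was tricked) after the burst
                alerts[user] = {"user": user, "severity": "high",
                                "failed": len(q), "at": ts_raw}
            q.clear()  # a successful login resets the failure window
    return sorted(alerts.values(), key=lambda a: a["user"])

if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

A "high" alert is the case to treat as a likely account takeover: revoke the session and reset the affected user's credentials rather than only notifying them.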

A notable aspect of Scattered Spider's attacks is the deployment of DragonForce ransomware, particularly targeting VMware ESXi servers for encryption. This shift from pure data theft to combined extortion by ransomware encryption and data theft marks a significant evolution in their tactics.

Scattered Spider also exploits Snowflake cloud data environments, rapidly executing thousands of queries to exfiltrate large volumes of sensitive data quickly. The stolen data is then transferred to platforms like MEGA.NZ and Amazon S3.

The group uses a wave attack approach, concentrating their campaigns on specific industries such as financial services, food service, retail, cryptocurrency, and gaming, to maximize ransom impact. Scattered Spider remains highly agile, frequently changing their tactics and procedures to evade detection.

In May 2025, British authorities arrested four people in connection with Scattered Spider's attacks. One of the defendants, Tyler Buchanan, a 23-year-old British man, was arrested by Spanish authorities and extradited to the US in April.

Since June 2025, Scattered Spider has shifted to new industries, targeting major insurance companies, airlines, and other transportation companies. Recent victims include Aflac, Allianz Life, and Philadelphia Indemnity Insurance. Scattered Spider may also have been behind recent hacks of Hawaiian Airlines and Qantas.

The U.S. Department of Justice charged five individuals for stealing millions through phishing texts in November 2024, which were linked to Scattered Spider. The Com, the underground collective linked to Scattered Spider, has been tied to various crimes, including extortion, money laundering, predatory behavior involving minors, cryptocurrency theft, and SIM swapping.

Despite some arrests, Scattered Spider's evolving techniques continue to pose significant threats to large enterprises and critical infrastructure, making it crucial for organisations to remain vigilant and implement robust cybersecurity measures.

