Background
Scattered Spider is a financially motivated cybercriminal group composed primarily of young, English-speaking individuals based in the United States and the United Kingdom. Active since at least mid-2022, the group has distinguished itself through exceptionally sophisticated social engineering techniques that consistently bypass even mature security programs at major corporations. Microsoft tracks this group as Octo Tempest and has described them as "one of the most dangerous financial criminal groups" currently operating, a notably strong assessment given the typically reserved language used in enterprise threat intelligence reporting.
The group's members operate within a broader community known as "the Com" (short for community), an interconnected network of cybercriminals active on Telegram and Discord who share techniques, tools, and access. Scattered Spider's organizational structure is fluid and decentralized, with members specializing in social engineering, SIM swapping, network penetration, or ransomware deployment. This specialization model allows the group to execute operations with a sophistication that belies the youth of its members.
The group's evolution has been rapid and deeply concerning to the security community. Initially focused on SIM swapping and cryptocurrency theft in 2022, Scattered Spider escalated to large-scale enterprise intrusions by mid-2023, culminating in the devastating attacks on MGM Resorts and Caesars Entertainment that made international headlines. By late 2023, they had established an affiliate relationship with the ALPHV/BlackCat ransomware operation, adding encryption capabilities to their already potent data theft and extortion operations. Multiple arrests of alleged members occurred in 2024 and 2025, including Tyler Buchanan (arrested in Spain), Noah Urban (Florida), Ahmed Elbadawy (Texas), Joel Evans (North Carolina), and Evans Osiebo, though the group's decentralized nature has allowed operations to continue even as individual members are apprehended.
Notable Campaigns
0ktapus Phishing Campaign (Mid-2022)
Scattered Spider's earliest major campaign targeted over 130 organizations through a massive phishing operation impersonating Okta login pages. The campaign, documented by Group-IB under the name "0ktapus," compromised approximately 10,000 credentials across companies including Twilio, Cloudflare, Mailchimp, and DigitalOcean. The attackers registered domains that closely mimicked each target organization's SSO login page and sent bulk SMS messages directing employees to these fake portals.
The stolen Twilio access proved particularly consequential, as attackers used it to intercept SMS-based MFA codes for downstream targets, including Signal users. Although the targets were major technology companies with sophisticated security teams, the simple but well-executed phishing pages proved remarkably effective. The campaign demonstrated that even organizations with strong security cultures are vulnerable to well-crafted social engineering at scale.
Caesars Entertainment Breach (August-September 2023)
Scattered Spider compromised Caesars Entertainment through social engineering of an outsourced IT help desk provider. The attackers conducted OSINT to identify employees and their roles, then convinced help desk staff to reset credentials for a privileged account by providing enough personal information to pass identity verification procedures. With the initial foothold established, the group moved laterally through the network and exfiltrated the Caesars loyalty program database containing personally identifiable information of an estimated 65 million members.
Caesars reportedly paid approximately $15 million of a $30 million ransom demand to prevent the data from being published, making it one of the largest known ransomware payments at the time. The breach was disclosed in an SEC filing on September 14, 2023. The speed of the payment suggested that Caesars made a rapid business decision to minimize exposure, in stark contrast to MGM's approach.
MGM Resorts Attack (September 2023)
In their most publicly visible and disruptive operation, Scattered Spider breached MGM Resorts International through a social engineering call to the company's IT help desk. After identifying an MGM employee via LinkedIn, the attackers called the help desk, impersonated the employee with convincing detail, and obtained a credential reset. The entire initial access phone call reportedly lasted approximately 10 minutes.
The resulting intrusion led to the deployment of ALPHV/BlackCat ransomware across MGM's systems, shutting down slot machines, hotel key card systems, reservation platforms, digital payment processing, and ATMs across MGM properties in Las Vegas and beyond. Guests were unable to check in electronically, elevators malfunctioned, and the MGM website went offline. The disruption lasted approximately 10 days. MGM estimated the attack cost approximately $100 million in lost revenue and remediation costs in their Q3 2023 earnings report. Notably, MGM refused to pay the ransom, choosing instead to rebuild systems from backups.
Telecommunications Provider Intrusions (2022-2024)
Scattered Spider has repeatedly targeted telecommunications companies to facilitate SIM swapping attacks at scale. By compromising internal tools and customer service portals at major carriers including T-Mobile, the group gained the ability to swap phone numbers to attacker-controlled SIM cards without needing to socially engineer individual store employees. These intrusions served a dual purpose: they were direct revenue generators (enabling cryptocurrency theft from individuals whose phone numbers were swapped) and force multipliers for subsequent corporate intrusions where SMS-based authentication was in use.
The telecom intrusions also provided access to customer records and law enforcement request portals, creating additional intelligence gathering opportunities.
Financial Sector and Cryptocurrency Theft (2023-2025)
Beyond high-profile enterprise breaches, Scattered Spider has been linked to the theft of tens of millions of dollars in cryptocurrency from individuals and organizations. Members used SIM swapping, credential theft, and social engineering of customer support representatives at cryptocurrency exchanges to drain accounts. The January 2024 indictment alleged that the group stole at least $11 million in cryptocurrency from individual victims, though the total across all operations is believed to be significantly higher.
Tactics, Techniques & Procedures
Scattered Spider's operational hallmark is the weaponization of social engineering against enterprise help desks and IT support staff, combined with deep knowledge of enterprise identity infrastructure. Their attack lifecycle is methodical despite their chaotic public image.
Initial Access relies heavily on social engineering and phishing (T1566 Phishing, T1598 Phishing for Information). The group conducts thorough OSINT on target employees using LinkedIn, corporate directories, data broker sites, and social media to build convincing pretexts. They then call IT help desks, impersonating employees with enough personal information to pass identity verification. Key details they gather include employee names, managers, employee IDs, date of hire, and recent IT tickets.
They also deploy convincing phishing pages mimicking Okta, Azure AD, and other SSO portals, registering domains that closely resemble the target's legitimate SSO domain. SMS phishing (smishing) campaigns direct employees to these fake login pages where credentials and MFA tokens are captured in real time through adversary-in-the-middle proxy tools.
MFA Bypass is a core competency (T1111 Multi-Factor Authentication Interception, T1539 Steal Web Session Cookie). The group employs multiple techniques in parallel: SIM swapping to intercept SMS codes, MFA fatigue attacks (bombarding users with push notifications until they approve), real-time phishing proxies that capture session cookies, and social engineering help desk staff to add attacker-controlled MFA devices. They have also registered new MFA tokens through compromised identity provider administrative access.
Persistence and Lateral Movement leverage legitimate remote access tools and identity infrastructure modifications (T1078 Valid Accounts, T1199 Trusted Relationship, T1484 Domain Policy Modification, T1556 Modify Authentication Process). Rather than deploying custom backdoors that would trigger EDR alerts, Scattered Spider installs commercial remote monitoring and management (RMM) tools such as AnyDesk, Splashtop, FleetDeck, Level.io, and ScreenConnect on compromised systems. These tools blend in with legitimate IT administration software and are often allowlisted by security products.
The group also modifies conditional access policies in Azure AD/Entra ID to weaken authentication requirements and exploits cross-tenant synchronization features to maintain persistent access that survives password resets.
Data Theft and Extortion follows a methodical double-extortion pattern (T1486 Data Encrypted for Impact). Scattered Spider exfiltrates sensitive data to legitimate cloud storage services (MEGA, Google Drive, Azure Blob storage) before deploying ransomware. They target SharePoint, code repositories, password managers, internal wikis, and financial databases. When operating as an ALPHV/BlackCat affiliate, they deploy ransomware as a secondary pressure mechanism after data has already been stolen, ensuring leverage even if the victim restores from backups.
Tools & Malware
Scattered Spider's toolkit reflects their identity-centric attack methodology and preference for living off the land:
- Evilginx / Custom Phishing Proxies: Real-time adversary-in-the-middle phishing frameworks that intercept credentials and session tokens as they are entered, transparently proxying the real login page and capturing authenticated session cookies that bypass TOTP-based MFA.
- RMM Tools: AnyDesk, Splashtop, FleetDeck, Level.io, ScreenConnect, and TeamViewer deployed for persistent remote access that blends with legitimate IT management tooling and is often allowlisted by endpoint protection.
- Mimikatz: Credential harvesting from memory, including Kerberos tickets, NTLM hashes, and cleartext passwords on compromised Windows systems.
- Impacket: Python library for lateral movement via SMB, WMI, and DCOM, as well as Kerberoasting and secretsdump operations.
- ADRecon: Active Directory reconnaissance tool for enumerating domain structure, trust relationships, and privileged accounts.
- ALPHV/BlackCat Ransomware: Rust-based ransomware-as-a-service platform used in later campaigns as an affiliate, providing cross-platform encryption capabilities and a Tor-based leak site for double extortion.
- Raccoon Stealer / Vidar: Information-stealing malware deployed selectively to harvest browser credentials, cookies, cryptocurrency wallet data, and session tokens from compromised endpoints.
- Azure AD / Entra ID Native Tools: Legitimate Microsoft identity platform features abused for persistence, including federation modifications, conditional access policy changes, cross-tenant synchronization exploitation, and OAuth application consent grants.
- MEGA / Cloud Storage: Legitimate cloud storage used for staging and exfiltrating stolen data, chosen because outbound traffic to these well-known services is rarely blocked or inspected by corporate firewalls.
Indicators & Detection
Detecting Scattered Spider requires a strong focus on identity infrastructure monitoring and help desk process integrity, as their attacks often generate minimal traditional endpoint or network indicators.
Help Desk and Identity Alerts: Implement mandatory callback verification for all password resets and MFA changes, calling the employee at their number on file. Monitor for failed authentication sequences followed by help desk tickets and subsequent successful logins. Alert on MFA device enrollment from new locations and changes to conditional access policies or federation configurations in Azure AD/Entra ID.
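The three alerts above (failed sign-ins followed by a help desk reset and a successful login, MFA enrollment from a location the user has no history with, and conditional access or federation changes) can be expressed as correlation rules over a single event stream. The following is an added example, not code from the original profile: the event kinds, user names, IPs and timeline are constructed, and a real deployment would feed it Entra ID sign-in and audit logs plus the ticketing system's records rather than the inline sample.

```python
# Added example (not from the original profile): correlating sign-in, help desk
# and identity-provider audit events to surface the help desk reset pattern.
# All event records and names below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str        # signin_fail | signin_ok | helpdesk_reset | mfa_register | ca_policy_change | federation_change
    user: str        # for config changes this is the acting admin account
    ip: str = ""
    detail: str = ""


def detect_reset_chain(events, window=timedelta(hours=2), min_failures=2):
    """Repeated failed sign-ins, then a help desk credential reset, then a
    successful sign-in, all for one user inside `window`."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset.kind != "helpdesk_reset":
                continue
            fails = [f for f in evs[:i] if f.kind == "signin_fail" and reset.ts - f.ts <= window]
            login = next((s for s in evs[i + 1:] if s.kind == "signin_ok" and s.ts - reset.ts <= window), None)
            if len(fails) >= min_failures and login is not None:
                alerts.append({"user": user, "failures": len(fails), "reset_at": reset.ts,
                               "login_ip": login.ip, "ticket": reset.detail})
    return alerts


def detect_new_location_mfa(events, history=timedelta(days=1)):
    """MFA device enrolled from an IP the user never signed in from before.
    Sign-ins newer than `history` are excluded from the baseline so that the
    attacker's own fresh login cannot make the enrollment IP look known."""
    alerts = []
    for reg in events:
        if reg.kind != "mfa_register":
            continue
        baseline = {e.ip for e in events
                    if e.user == reg.user and e.kind == "signin_ok" and e.ts <= reg.ts - history}
        if reg.ip not in baseline:
            alerts.append({"user": reg.user, "ip": reg.ip, "method": reg.detail, "at": reg.ts})
    return alerts


def detect_config_changes(events, window=timedelta(hours=2)):
    """Conditional access / federation changes, enriched with whether the
    acting account itself went through a help desk reset shortly before."""
    alerts = []
    for c in events:
        if c.kind not in ("ca_policy_change", "federation_change"):
            continue
        recent_reset = any(r.kind == "helpdesk_reset" and r.user == c.user
                           and timedelta(0) <= c.ts - r.ts <= window for r in events)
        alerts.append({"actor": c.user, "change": c.detail, "at": c.ts,
                       "actor_recently_reset": recent_reset})
    return alerts


# Constructed sample timeline: jdoe is the compromised account, asmith is benign
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [
    Event(T0, "signin_fail", "jdoe", "203.0.113.10"),
    Event(T0 + timedelta(minutes=2), "signin_fail", "jdoe", "203.0.113.10"),
    Event(T0 + timedelta(minutes=20), "helpdesk_reset", "jdoe", "", "HD-1042 password reset by phone"),
    Event(T0 + timedelta(minutes=35), "signin_ok", "jdoe", "203.0.113.10"),
    Event(T0 + timedelta(minutes=40), "mfa_register", "jdoe", "203.0.113.10", "Authenticator app"),
    Event(T0 + timedelta(hours=1), "ca_policy_change", "jdoe", "203.0.113.10", "Require MFA for all users: disabled"),
    Event(T0 - timedelta(days=3), "signin_ok", "asmith", "198.51.100.5"),
    Event(T0 + timedelta(minutes=10), "mfa_register", "asmith", "198.51.100.5", "FIDO2 security key"),
]

if __name__ == "__main__":
    for name, fn in (("reset chain", detect_reset_chain),
                     ("new-location MFA enrollment", detect_new_location_mfa),
                     ("identity config change", detect_config_changes)):
        for alert in fn(SAMPLE):
            print(f"[{name}] {alert}")
```

The one-day exclusion in the MFA baseline is the important design choice: without it, the attacker's successful login fifteen minutes before enrolling a device would make the enrollment IP look like a known location. In production, compare on ASN or city rather than exact IP.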
RMM Tool Detection: Maintain a strict inventory of authorized remote access tools and alert on the installation or execution of any unauthorized RMM software. Monitor for RMM tools being installed on servers or workstations where they are not expected. Create detection rules for the network signatures, process names, and file paths associated with AnyDesk, Splashtop, FleetDeck, Level.io, and ScreenConnect. Block unauthorized RMM tools at the application control level where possible.
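An inventory-driven RMM check is simple to express against process-creation telemetry. The example below is added here and is not from the original profile: the process-name patterns are illustrative approximations rather than vendor-confirmed signatures, and the authorization inventory (ScreenConnect sanctioned on workstations only) and the sample events are constructed.

```python
# Added example (not from the original profile): flagging unauthorized RMM
# tool execution from process-creation telemetry. Patterns below are
# illustrative approximations, not vendor-confirmed signatures; inventory
# and sample events are constructed.
import re
from pathlib import PureWindowsPath

# tool -> regex matched against the executable's basename (case-insensitive)
RMM_SIGNATURES = {
    "AnyDesk": re.compile(r"anydesk", re.I),
    "Splashtop": re.compile(r"splashtop|^srservice|^srserver", re.I),
    "ScreenConnect": re.compile(r"screenconnect", re.I),
    "TeamViewer": re.compile(r"teamviewer", re.I),
    "FleetDeck": re.compile(r"fleetdeck", re.I),
    "Level.io": re.compile(r"level\.io|^level-", re.I),
}

# Organisation inventory: tool -> host roles where it is sanctioned.
# Anything not listed is unauthorized everywhere.
AUTHORIZED = {
    "ScreenConnect": {"workstation"},
}


def identify_rmm(image_path):
    """Return the RMM tool name for an executable path, or None."""
    name = PureWindowsPath(image_path).name
    for tool, pattern in RMM_SIGNATURES.items():
        if pattern.search(name):
            return tool
    return None


def evaluate_process_events(events, authorized=AUTHORIZED):
    """Each event: {host, host_role, image, user}. Returns alerts for RMM
    executions that are unauthorized or on an unexpected host role."""
    alerts = []
    for ev in events:
        tool = identify_rmm(ev["image"])
        if tool is None:
            continue
        roles = authorized.get(tool)
        if roles is None:
            reason = "unauthorized RMM tool"
        elif ev["host_role"] not in roles:
            reason = f"sanctioned tool on unexpected host role '{ev['host_role']}'"
        else:
            continue  # sanctioned tool on a sanctioned host role
        alerts.append({"host": ev["host"], "user": ev["user"], "tool": tool,
                       "image": ev["image"], "reason": reason})
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"host": "ws01", "host_role": "workstation", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe"},
    {"host": "srv-dc01", "host_role": "domain_controller", "user": "CORP\\svc-backup",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (f3a1)\ScreenConnect.ClientService.exe"},
    {"host": "ws02", "host_role": "workstation", "user": "CORP\\asmith",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (f3a1)\ScreenConnect.ClientService.exe"},
    {"host": "ws03", "host_role": "workstation", "user": "CORP\\bwong",
     "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for alert in evaluate_process_events(SAMPLE_EVENTS):
        print(alert)
```

Matching on the executable name alone is easy to evade by renaming, so in practice pair this with signer/hash checks on the binary and with the tool's network destinations; the inventory lookup is the part that matters, because it turns "an RMM tool ran" into "an RMM tool ran where it should not".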
Phishing Infrastructure Detection: Monitor for newly registered domains resembling your SSO or VPN login pages using dnstwist, URLScan, or commercial brand protection platforms. Implement FIDO2/WebAuthn hardware security keys for phishing-resistant MFA; this is the single most effective control against Scattered Spider's credential theft. SMS and TOTP-based MFA should be considered insufficient against this actor.
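The kind of lookalike scoring that dnstwist-style tooling automates can be sketched in a few dozen lines. This is an added example, not code from the original profile or from dnstwist: the protected brand label, the owned domains, the keyword list and the "new registrations" feed are all constructed. It goes slightly beyond the text by folding digit homoglyphs (the "0ktapus" trick) and the rn/m and vv/w substitutions before measuring edit distance.

```python
# Added example (not from the original profile): scoring newly registered
# domains for resemblance to an organisation's SSO/VPN hostnames. Brand names,
# owned domains and the registration feed are constructed.

HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
BRANDS = ["example-corp"]                 # constructed protected brand label(s)
OWNED_LABELS = {"example-corp"}           # registrable labels the organisation owns
KEYWORDS = ("sso", "okta", "login", "vpn", "mfa", "helpdesk", "auth")


def normalize(label):
    """Fold common visual tricks: digit homoglyphs, rn->m, vv->w, hyphens.
    Folding 'rn' can also alter legitimate words, so this is a scoring
    heuristic, not an identity test."""
    s = label.lower().translate(HOMOGLYPHS)
    return s.replace("rn", "m").replace("vv", "w").replace("-", "")


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label; a production version would consult the public
    suffix list to handle suffixes such as co.uk."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain, brands=BRANDS, owned=OWNED_LABELS, keywords=KEYWORDS):
    """Return a hit dict for domains that resemble the brand, else None."""
    label = registrable_label(domain)
    if label in owned:
        return None
    norm = normalize(label)
    reasons = []
    distance = min(levenshtein(norm, normalize(b)) for b in brands)
    if distance == 0:
        reasons.append("homoglyph or punctuation variant of brand")
    elif distance <= 2:
        reasons.append(f"edit distance {distance} from brand")
    elif any(normalize(b) in norm for b in brands):
        reasons.append("contains brand name with extra tokens")
    if not reasons:
        return None   # no brand resemblance: generic keywords alone are too noisy
    keyword_hits = [k for k in keywords if k in domain.lower()]
    severity = "high" if keyword_hits else "medium"
    return {"domain": domain, "severity": severity, "reasons": reasons, "keywords": keyword_hits}


def scan_feed(domains):
    return [hit for hit in (score_domain(d) for d in domains) if hit]


NEW_REGISTRATIONS = [   # constructed feed of newly registered domains
    "examp1e-corp-sso.com",
    "exarnple-corp.net",
    "examplecorp-okta.com",
    "example-corp.com",
    "weather-report.org",
    "okta-login-help.com",
]

if __name__ == "__main__":
    for hit in scan_feed(NEW_REGISTRATIONS):
        print(hit)
```

Requiring brand resemblance before a keyword counts keeps generic "okta-login" registrations out of the queue; those belong to a broader brand-monitoring feed, not to the alert that pages the identity team.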
Anomalous Identity Behavior: Alert on impossible travel, authentication from known VPN/proxy/hosting provider IP ranges, and off-hours access to sensitive resources. Monitor Azure AD sign-in logs for unusual application consent grants and OAuth token activity. Implement risk-based conditional access policies that require step-up authentication for high-risk sign-in events.
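Impossible travel, hosting-range sourcing and off-hours access to sensitive resources are all computable from geo-resolved sign-in records. The block below is an added example rather than code from the original profile: the coordinates, users, resource names and the "hosting provider" ranges (RFC 5737 test networks standing in for a real ASN feed) are constructed, and business hours are evaluated in UTC for simplicity.

```python
# Added example (not from the original profile): three sign-in risk checks
# over geo-resolved sign-in records. Coordinates, IP ranges and users are
# constructed; in practice geolocation and hosting ranges come from a GeoIP
# database and an ASN / threat-intel feed.
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime


@dataclass
class SignIn:
    user: str
    ts: datetime          # UTC
    ip: str
    lat: float
    lon: float
    resource: str


# Constructed: ranges treated as hosting/VPN infrastructure (RFC 5737 test nets)
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]
SENSITIVE = {"finance-db", "azure-portal"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect_impossible_travel(signins, max_kmh=900.0, min_km=100.0):
    """Consecutive sign-ins per user whose implied speed exceeds max_kmh.
    Pairs closer than min_km are ignored to absorb GeoIP jitter."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({"user": user, "from_ip": a.ip, "to_ip": b.ip,
                               "km": round(km), "speed_kmh": round(speed)})
    return alerts


def detect_hosting_ips(signins, ranges=HOSTING_RANGES):
    """Sign-ins sourced from VPN/proxy/hosting ranges."""
    return [s for s in signins if any(ipaddress.ip_address(s.ip) in net for net in ranges)]


def detect_off_hours(signins, start_hour=7, end_hour=19, sensitive=SENSITIVE):
    """Access to sensitive resources outside the business window (UTC here;
    a real check should use the user's home timezone)."""
    return [s for s in signins
            if s.resource in sensitive and not (start_hour <= s.ts.hour < end_hour)]


SIGNINS = [  # constructed
    SignIn("jdoe", datetime(2024, 1, 15, 9, 0), "192.0.2.44", 40.7128, -74.0060, "sharepoint"),    # New York
    SignIn("jdoe", datetime(2024, 1, 15, 10, 30), "203.0.113.7", 51.5074, -0.1278, "finance-db"),  # London
    SignIn("asmith", datetime(2024, 1, 15, 9, 0), "192.0.2.80", 41.8781, -87.6298, "sharepoint"),  # Chicago
    SignIn("asmith", datetime(2024, 1, 15, 17, 0), "192.0.2.81", 41.8500, -87.6500, "sharepoint"), # Chicago
    SignIn("bwong", datetime(2024, 1, 16, 3, 0), "198.51.100.9", 37.7749, -122.4194, "azure-portal"),
]

if __name__ == "__main__":
    print("impossible travel:", detect_impossible_travel(SIGNINS))
    print("hosting ranges:", [s.user for s in detect_hosting_ips(SIGNINS)])
    print("off-hours sensitive:", [s.user for s in detect_off_hours(SIGNINS)])
```

Each check alone is noisy (travellers, corporate VPN egress, on-call staff); the value comes from feeding them into a risk score that drives step-up authentication under conditional access, as the text recommends, rather than paging on any single hit.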
Lateral Movement Indicators: Monitor for Impacket-style lateral movement, including anomalous SMB and WMI activity between workstations. Alert on Kerberoasting attempts (high-volume TGS requests), DCSync operations from non-domain-controller hosts, and AD enumeration tools (nltest, net, dsquery) run from non-administrative workstations.
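Three of these indicators map directly onto Windows security events, and the example below shows the detection logic for each. It is added here and is not from the original profile: the Kerberoasting rule counts distinct SPNs requested with RC4 (event 4769, encryption type 0x17) by one account and client IP inside a window, the DCSync rule looks for the directory replication control-access rights in event 4662 exercised by anything other than a domain controller computer account, and the enumeration rule matches the named tools in event 4688 on hosts whose role is not an admin workstation. The host roles, accounts, DC names and sample events are constructed.

```python
# Added example (not from the original profile): detections over Windows
# security events for Kerberoasting (4769), DCSync (4662) and AD enumeration
# tools on ordinary workstations (4688). All records are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

RC4_HMAC = 0x17                       # TicketEncryptionType value for RC4-HMAC
REPLICATION_GUIDS = {                 # control access rights used by AD replication
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",   # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2",   # DS-Replication-Get-Changes-All
}
ENUM_TOOLS = {"nltest.exe", "net.exe", "net1.exe", "dsquery.exe"}
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}          # constructed DC computer accounts
ADMIN_ROLES = {"privileged_workstation", "jump_host"}


def detect_kerberoasting(events, window=timedelta(minutes=10), min_spns=5):
    """One (account, client IP) requesting RC4 service tickets for many
    distinct SPNs within `window`; AES-only requests are ignored."""
    tgs = sorted((e for e in events if e["id"] == 4769 and e["enc_type"] == RC4_HMAC),
                 key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in tgs:
        by_src[(e["account"], e["client_ip"])].append(e)
    alerts = []
    for (account, ip), evs in by_src.items():
        for i, first in enumerate(evs):
            spns = {e["service"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(spns) >= min_spns:
                alerts.append({"account": account, "client_ip": ip, "spn_count": len(spns)})
                break
    return alerts


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS):
    """Replication rights exercised by anything other than a DC computer account."""
    return [{"account": e["account"], "host": e["host"]}
            for e in events
            if e["id"] == 4662 and e["property"].lower() in REPLICATION_GUIDS
            and e["account"] not in dcs]


def detect_enumeration(events, admin_roles=ADMIN_ROLES):
    """AD enumeration utilities executed on hosts that are not admin workstations."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        exe = PureWindowsPath(e["image"]).name.lower()
        if exe in ENUM_TOOLS and e["host_role"] not in admin_roles:
            alerts.append({"host": e["host"], "account": e["account"],
                           "command": e["command_line"]})
    return alerts


T0 = datetime(2024, 1, 15, 14, 0)
SPNS = ["MSSQLSvc/db01:1433", "MSSQLSvc/db02:1433", "HTTP/intranet", "CIFS/files01",
        "MSSQLSvc/db03:1433", "HTTP/reports"]
SAMPLE = [  # constructed: jdoe requests six RC4 tickets in 75 seconds
    {"id": 4769, "ts": T0 + timedelta(seconds=15 * i), "account": "jdoe",
     "client_ip": "10.0.5.23", "service": spn, "enc_type": RC4_HMAC}
    for i, spn in enumerate(SPNS)
] + [
    {"id": 4769, "ts": T0, "account": "svc-backup", "client_ip": "10.0.1.9",
     "service": "CIFS/files01", "enc_type": 0x12},                        # AES256, normal
    {"id": 4662, "ts": T0 + timedelta(minutes=5), "account": "DC02$", "host": "DC01",
     "property": "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"},                 # DC-to-DC replication
    {"id": 4662, "ts": T0 + timedelta(minutes=6), "account": "jdoe", "host": "DC01",
     "property": "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"},                 # user account replicating
    {"id": 4688, "ts": T0 + timedelta(minutes=1), "account": "jdoe", "host": "ws-jdoe",
     "host_role": "workstation", "image": r"C:\Windows\System32\nltest.exe",
     "command_line": "nltest /dclist:corp"},
    {"id": 4688, "ts": T0 + timedelta(minutes=2), "account": "adm-lee", "host": "paw-01",
     "host_role": "privileged_workstation", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
]

if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE))
    print("dcsync:", detect_dcsync(SAMPLE))
    print("enumeration:", detect_enumeration(SAMPLE))
```

Filtering the 4769 rule to RC4 is what keeps it usable: environments that have moved service accounts to AES produce very few RC4 tickets, so a burst of them from one client is a strong signal, while the same count of AES requests is ordinary application traffic. Tune `min_spns` against a baseline of your busiest service accounts before enabling it.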