Introduction

Scattered Spider has attracted a lot of attention in recent years, including the mass media, especially after being attributed as the responsible party for a number of high profile attacks.

Its initial days can be traced back to 2022, when notorious attacks started being attributed to Scattered Spider, such as the attack which compromised around 125 Twilio customers in August 2022  or the Caesars Palace and MGM Resort incidents in September 2023.

These high profile attacks have led to law enforcement agencies taking action against the so-called Scattered Spider members. However, attacks attributed to Scattered Spider never stopped, with CISA and other organizations releasing advisories warning about its attacks even in 2025.

Scattered Spider has so far been described as a “cybercriminal group”, “threat group”, “financially motivated hacker group” or a “group of young English-speaking cybercriminals”.

Although these descriptions are wide and leave space to interpretation, Group-IB’s current  research shows that Scattered Spider cannot be considered or analyzed as a single organized “group” with its own hierarchy or organigram.

Instead, it can be more accurately described as a decentralised cybercrime collective.

Key discoveries

  • Scattered Spider, as it is known today, it’s not a group but a cluster of subclusters, which can be considered part of a collective or a “hacking movement”.
  • Physical device theft activity from mobile carrier stores has been observed in at least one subcluster, for SIM swapping purposes.
  • Subclusters target all kinds of sectors, either as end-targets for direct exploitation or as stepping stones to gather intelligence or tools for future attacks.

Who may find this blog interesting:

  • Cybersecurity analysts and corporate security teams
  • Malware analysts
  • Threat intelligence specialists
  • Cyber investigators
  • Computer Emergency Response Teams (CERT)
  • Law enforcement investigators
  • Cyber police forces

Group-IB Threat Intelligence Portal: Scattered Spider

Group-IB customers can access our Threat Intelligence portal for more information about Scattered Spider.

What is Scattered Spider?

Based on latest Group-IB evidence, we view Scattered Spider not as a monolithic group, but as a cybercrime movement or culture characterized by shared tactics, techniques, and procedures (TTPs). This perspective does not preclude the possibility that some attacks previously attributed to the group were, in fact, executed by the same individuals. However, there is no evidence to suggest that the activity designated by Group-IB as 0ktapus is the same Scattered Spider cluster that attacked Marks & Spencer or Co-op last summer, for example. Indeed, evidence says it is highly probable that the individuals who executed both campaigns have no direct relation to each other.

Applying this concept in practice, we ask: is Scattered Spider the same as 0ktapus? Our answer is no, but we can consider 0ktapus as a subcluster of Scattered Spider.

This concept is similar to the structure of the “Anonymous” hacktivist collective. Anonymous is typically viewed not as a group, but as a movement that encompasses numerous internal, independent clusters with no necessary links between them.

For us, Scattered Spider is not a single cybercrime group. It’s formed by different subclusters connected by shared TTPs, tools, and in some cases, common forums or chats — but they act separately.

In addition, it can be argued that this cluster Group-IB referred to as Scattered Spider is in reality what is used to be known as “The Com”. It is also possible that what researchers were initially referring to as “The Com” is now being referred to as “Scattered Spider”.

Taking all this into account, this report will deep dive into these connections to better understand what Scattered Spider truly is.

The Beginning

Scattered Spider was the name Crowdstrike assigned to an adversary behind a campaign starting in June 2022 whose end objective was to perform SIM swapping by targeting mobile carriers and business process outsourcing (BPO) companies.

Since then, the cybersecurity community has attributed various vendor-specific names as Scattered Spider equivalents or highly overlapped groups: Group-IB’s 0ktapus, Palo Alto’s Muddled Libra, Microsoft’s Octo Tempest, and Mandiant’s UNC3944.

Palo Alto describes Muddled Libra as a “subset of a loosely affiliated threat collective known as Scattered Spider”. Intel471 defines Scattered Spider as a “catch-all term that informs patterns observed from multiple intrusions which are not always performed by the same individuals”, Sekoia monitors it as a “cluster of intrusion-sets that are highly likely subsets of a larger umbrella ”. Mandiant described UNC3944 as a “threat cluster” rather than a group.

These definitions are also compatible with Group-IB’s view of Scattered Spider.

Key Scattered Spider Attacks and Industry Focus

Defining Scattered Spider as a cluster of subclusters creates a dilemma: how do we attribute a set of attacks to an umbrella group composed of independent actors?

To address this problem, we should just look at what are the common features of these subclusters that make them part of this big cluster.

The following are notable key incidents attributed to Scattered Spider or its subclusters. This list is not exhaustive of  all incidents from Scattered Spider, but merely the most notorious ones.

Figure 1: Scattered Spider key incidents.

Figure 1: Scattered Spider key incidents.

Based on a combination of internal intelligence and external reports, these are the usual type of targets the Scattered Spider subclusters target. However, it has to be highlighted that Scattered Spider’s victimology is wide due to its opportunistic and decentralized nature.

Marketing and communication services

This includes targeting the employees of Twilio, Mailchimp, Telnyx, Klaviyo, Iterable, Sendgrid and similar companies. Further evidence has revealed the subclusters were not targeting these companies as an end-goal but as a bridge to use their internal tools. Subclusters we have observed planned to leverage this access to abuse SMS and email distribution tools, using them to deliver phishing links to targeted users. Notably, all identified subclusters were also observed to be simultaneously engaged in crypto fraud and SIM swapping activities, indicating a coordinated threat landscape.

Figure 2. Iterable Okta phishing page. Multiple subclusters have been observed targeting Iterable and similar companies through phishing attacks.

Figure 2. Iterable Okta phishing page. Multiple subclusters have been observed targeting Iterable and similar companies through phishing attacks.

We have also observed other organizations not related to marketing or organizations being targeted with the aim of accessing their internal communication tools to distribute malicious links. For example, delivery or transport company’s corporate SMS tools were used to distribute malicious links pointing to drainer sites. Following this example, there was a subcluster who claimed gaining access to “government mails” just to use them to send emails impersonating the IRS.

Mobile carriers

We have observed large campaigns attributed to Scattered Spider subclusters targeting mobile carrier employees in the USA and Canada, with the purpose of gaining access to internal tools and carrying out SIM swap activities. Not only were Verizon, AT&T and T-Mobile targets of the attacks, but also their authorized retailers.

Figure 3. Comcast phishing page targeting employees. Upon credential submission, victims automatically download an AnyDesk executable disguised as a

Figure 3. Comcast phishing page targeting employees. Upon credential submission, victims automatically download an AnyDesk executable disguised as a “runtime diagnostics” tool, granting remote access.

Additionally, we also have observed one specific subcluster stealing employee iPads from telco retail stores in order to gain access to the internal tools on these devices. If the iPads were locked, the subcluster used social engineering techniques, calling the store by impersonating an internal department and asking for the passcode of the iPad. This specific subcluster scope was not only physical theft, but also targeted employees to gain unauthorized access to internal tools remotely.

The subclusters Group-IB has observed targeting telcos were not only interested in targeting employees with access to internal tools for SIM swapping activity, but also other departments such as HR to gain access to internal organigrams and employee information in order to improve the effectiveness of social engineering methods.

We have also observed subclusters offering financial rewards for telco employees to act as “insiders” or “innys” as they referred  to. This behaviour was observed in more than one subcluster. In the example above (Figure 2), the same threat cluster was observed offering Comcast employees $3,000 USD to facilitate unauthorized access. Compounding the threat, this cluster was concurrently targeting Coinbase users (see Crypto section below) with a separate phishing campaign.

Banking

Traditional banking and financial services unrelated to cryptocurrency are not primary targets of Scattered Spider subclusters. This is evidenced by the absence of significant, documented attacks or large-scale campaigns directed at banking institutions. However, we have observed certain bank employees being targeted by subclusters that were simultaneously engaged in SIM swap or cryptocurrency theft activities.

This indicates that the classification of these entities as Scattered Spider subclusters is based not only on Scattered Spider-like domain name registration patterns but also on a shared subset of operational objectives. However, the intended post-compromise activities remain unknown.

Notably, the subclusters observed targeting banks did not possess the advanced technical capabilities required to directly compromise bank internal systems, such as payment gateways or core banking infrastructure, which would be necessary to conduct sophisticated financial theft operations. Therefore, we assume that their ultimate goal is to steal personal information regarding high-income bank clients for subsequent social engineering attacks.

Figure 4. Phishing page targeting Fidelity Investments. The subcluster orchestrating this attack was simultaneously targeting USA telecom TPRs and conducting SIM swap operations.

Figure 4. Phishing page targeting Fidelity Investments. The subcluster orchestrating this attack was simultaneously targeting USA telecom TPRs and conducting SIM swap operations.

Enterprise

Unlike previous targeting strategies where compromised companies served merely as intermediary resources, Scattered Spider has directly attacked prominent enterprises across multiple sectors for extortion purposes. Notable examples include the Oktapus subcluster’s January 2023 attack on Riot Games, which involved ransom demands to prevent source code leakage, and more recent operations affiliated with BlackCat and DragonForce ransomware groups, including attacks on MGM and Caesars (2023) and Co-op and Marks & Spencer (2025).

Crypto

Cryptocurrency users represent the primary target for the Scattered Spider subclusters we have observed. These individuals often serve as the ultimate objective, falling victim to SIM swapping, P1 bots, crypto drainers, or the various theft techniques detailed later in this report. The attacks against cryptocurrency holders are normally carried out by impersonating cryptocurrency related companies in social engineering attacks.

Figure 5. Phishing page targeting Coinbase customer deployed by the same subcluster targeting Comcast employees.


Figure 5. Phishing page targeting Coinbase customer deployed by the same subcluster targeting Comcast employees.

However, the scope of these operations extends beyond individual holders. Threat actors frequently target employees of cryptocurrency firms to gather intelligence and generate leads on high-net-worth targets. In these instances, compromising corporate entities serve as a resource-gathering phase, providing the data necessary to identify and exploit such high-value victims.

Others

Scattered Spider has also been observed targeting a wide range of industries across multiple sectors. From the insurance industry for data exfiltration and extortion purposes to compromising BPOs and helpdesk companies with the intent of exploiting their access to clients’ internal platforms and systems. This threat actor’s activity highlights the critical importance of auditing and validating trust relationships with external suppliers and service providers in today’s interconnected business environment.

Figure 6. Intercom phishing pages targeting employees. The same cluster was attacking, in parallel, Gemini employees. Attackers try to gain access to support companies or BPOs to obtain data for future social engineering attacks or gain access to internal tools.

Figure 6. Intercom phishing pages targeting employees. The same cluster was attacking, in parallel, Gemini employees. Attackers try to gain access to support companies or BPOs to obtain data for future social engineering attacks or gain access to internal tools.

Figure 7. U-Haul POS access offered for sale on Telegram within cryptocurrency fraud channels for doxxing purposes.

Figure 7. U-Haul POS access offered for sale on Telegram within cryptocurrency fraud channels for doxxing purposes.

Although the targeted sectors mentioned above can be attributed to certain cluster activity, over time there have been arrests and the emergence of different subclusters, resulting in an evolving scope of newly targeted sectors with new objectives on targets. Additionally, there are some reported attacks that we have not been able to cover in detail, such as swatting and doxxing.

However, shared TTPs across observed subclusters result in a common, overlapping toolset.

SSO & IAM impersonation

One of the main characteristics and most commonly used techniques by Scattered Spider subclusters for gaining initial access is the usage of Okta phishing pages. This impersonation has also been observed in the domain names used by the groups, where the usage of sso and okta keywords is common through all the collected campaigns, although not limited to them.

Figure 8. Verizon-targeting Okta panel operated by one of Group-IB's tracked subclusters.

Figure 8. Verizon-targeting Okta panel operated by one of Group-IB’s tracked subclusters.

However, the phishing kits used by Scattered Spider subclusters do not exclusively mimic Okta login pages. Impersonated login pages from Microsoft, Citrix, Google and other identity providers such as OneLogin have also been observed to be used.

Figure 9. Microsoft login phishing page targeting Audemars Piguet.

Figure 9. Microsoft login phishing page targeting Audemars Piguet.

Figure 10. Google phishing page targeting Intercom.

Figure 10. Google phishing page targeting Intercom.

It’s worth mentioning that in some of the cases we have observed, the phishing sites only lasted a few minutes online. They were set online one minute before a social engineering phone call to corporate employees, and were set offline immediately after getting a successful login.

Figure 11. Citrix phishing page targeting Asurion. The same subcluster behind these attacks was targeting marketing companies too.

Figure 11. Citrix phishing page targeting Asurion. The same subcluster behind these attacks was targeting marketing companies too.

Figure 12. Phishing page mimicking Trulioo’s OneLogin login page. Trulioo is a KYC and AML company.

Figure 12. Phishing page mimicking Trulioo’s OneLogin login page. Trulioo is a KYC and AML company.

Tactics, Techniques, and Procedures

Social engineering, smishing and vishing

Social engineering represents one of the most distinctive tactics employed by Scattered Spider subclusters. The phishing campaigns analyzed demonstrate highly targeted approaches that consistently combine vishing and smishing techniques.

The subclusters do not rely on a single script; rather, they rapidly adapt their tactics based on operational circumstances. Observed techniques range from attackers impersonating IT or HR personnel and directing employees to specific domains via phone calls, to simultaneously sending SMS messages while maintaining voice contact with targets.

Figure 13. Telegram advertisements solicited experienced callers for crypto fraud schemes, explicitly leveraging compromised Intercom data as a resource.

Figure 13. Telegram advertisements solicited experienced callers for crypto fraud schemes, explicitly leveraging compromised Intercom data as a resource.

Notably, the attackers demonstrate sophisticated contextual awareness in their social engineering scripts. They gather intelligence through OSINT and by exploiting previously compromised access to internal ticketing systems and email platforms. In some instances, subclusters obtain operational intelligence directly from employees during initial reconnaissance calls. For example, after learning about an internal platform outage from one employee, attackers subsequently impersonated IT staff to contact other employees, referencing the legitimate outage to enhance their credibility and increase attack success rates.

By far, the most used VoIP service over the analyzed subclusters has been Google Voice, with accounts obtained from dedicated Telegram channels. However, we have also observed usage of SIP services with spoofing capabilities and other VoIP services such as Telnyx or DIGITS.

Figure 14. Ad of a Telegram bot offering Google Voice accounts in addition to other lookup services.

Figure 14. Ad of a Telegram bot offering Google Voice accounts in addition to other lookup services.

P1 Bots, Drainers and Crypto Theft

Cryptocurrency theft represents a primary objective for the observed Scattered Spider subclusters. To achieve this, threat actors deploy P1 bots, crypto drainers, and various other exfiltration techniques targeting individual holdings.

It is essential to clarify that the attribution of cryptocurrency theft to Scattered Spider is not speculative but evidence-based. Our analysis directly links these activities because the same threat actors conducting signature Scattered Spider attacks—such as Okta phishing campaigns — are demonstrably engaged in concurrent cryptocurrency theft operations.

Critically, this is not a case of operational segregation where separate subclusters specialize in different activities. Evidence demonstrates that individual subclusters simultaneously conduct both enterprise compromise (including Okta-based attacks) and cryptocurrency theft, establishing clear operational linkages between these seemingly disparate activities.

However, some subclusters operate using a hybrid model. Upon successfully obtaining SIM swaps or Okta credentials, they may monetize these compromised assets by selling access to other threat actors or affiliated subclusters rather than directly exploiting them.

Although P1 bots have normally been used for stealing crypto directly, we have also observed clusters using it for getting port-out pins for committing SIM related fraud.

Ransomware

Ransomware deployment for monetization has been extensively documented by U.S. government agencies, including the Department of Justice, CISA, and FBI. Initial access vectors consistently align with techniques described in this report, predominantly featuring social engineering tactics where attackers impersonate internal departments.

Criminal complaints against alleged Scattered Spider members and public reports reveal collaboration of the subclusters with ALPHV/Blackcat and Dragonforce.

Lookup services

Social engineering requires gathering intelligence around the targeted victim. In addition, subclusters need a list of “leads” to target. As we have detailed above, subclusters have been observed using a large variety of techniques for gathering this intelligence. From compromised internal directories through phishing pages, to a variety of social engineering attacks which includes small talk with employees where no credentials were asked but contextual information gathered.

However, we have also observed threat actors gaining intelligence using leaked database search engines like Snusbase, stealer logs and B2B sales tools such as Apollo or Rocketreach.

Figure 15. Accesses to these platforms or solutions are often advertised on SIM swapping related chats and forums.

Figure 15. Accesses to these platforms or solutions are often advertised on SIM swapping related chats and forums.

Remote Access Tools – RATs

Several subclusters we tracked have been using commercial remote access tools such as AnyDesk or RATs to gain and persist initial access.

In cases we have observed, starting from the Oktapus subcluster to more recent ones, the RAT delivery is combined with Okta phishing pages, starting the download of the RAT once the logins were submitted, adding more credibility to the social engineering around the attacks. Normally, the script in these cases was around IT or help desk departments running some diagnostics on the targeted employee’s device.

Attribution

Taking into account the decentralized nature of Scattered Spider, it might be challenging to define what are considered Scattered Spider subclusters. Indeed, we have observed cases where some subclusters were speaking about “Scattered Spider” in third person, as something external to them.

However, the observed subclusters still share common characteristics among all of them. The first and foremost is the usage of English as a primary language by subcluster members. This corresponds with the US and UK being the main locations members operate from.. This conclusion is not only evidenced by the fact that the fraudsters need to have fluency and native accent when impersonating internal departments, but also on SingleFile artifacts Group-IB investigators have found on the phishing sites deployed by the subclusters which reveal their timezone, plus internal intelligence where subcluster members were revealing their locations.

Figure 16. SingleFile artifact revealing attackers PST timezone.

Figure 16. SingleFile artifact revealing attackers PST timezone.

Figure 17. SingleFile artifact revealing attackers EDT timezone.

Figure 17. SingleFile artifact revealing attackers EDT timezone.

Additionally, we have also observed common usage of similar tools, services and Telegram chats among different subcluster members, in addition to similar social engineering scripts. However, these shared characteristics are not because they belong to the same group — the subclusters we have observed are not much bigger than 5 individuals — but because of learning from the same resources or online communities

Conclusion

This article has tried to explain the different activities Scattered Spider subclusters are involved in, based on a combination of public data, our own investigation from internal intelligence, and what is the Group-IB concept around the Scattered Spider subcluster model.

We considered it important to make our subcluster model publicly available in order to make it easier to understand what threats companies are facing when it comes to Scattered Spider.

Organizations are not facing a traditional cybercrime centralized group, they are not even facing a group with a shared goal. All the subclusters act independently and as revealed, might not even be aware of the existence of others.

This subcluster model also reveals that, as evident from past events, the arrests of some subclusters will not stop the threat itself.

And that is probably the most important takeaway from this research. While there are shared TTPs among subclusters, Scattered Spider’s strength lies in the resilience of its decentralized nature and small subcluster sizes. They have shown to act differently from each other, yet maintain high levels of operational adaptability with flexible workflows and social engineering tactics to achieve their goals, making Scattered Spider a constantly evolving threat.

Recommendations

  • Security measures such as MFA can appear secure, but it is clear that attackers can overcome them with relatively simple tools. Implementing a Threat Intelligence platform helps maintain a strong security posture by equipping security teams and tools with the latest insight into attackers.
  • End users should always check, carefully, the URL of the site where you are entering your credentials. This is especially important for users with privileged accounts.
  • Treat all URLs that were received from unknown sources as suspicious. If in doubt, forward them to your security team for analysis.
  • Implement a FIDO2-compliant security key from a vendor like YubiKey for multi-factor authentication.
  • If you think your credentials might have been compromised, immediately change your password, sign off from all active sessions, and report the incident to your manager and security team.

In line with Group-IB’s mission of fighting cybercrime, we will continue to explore the methods, tools, and tactics used by these phishing actors. We will also continue to inform and warn targeted organizations worldwide. We always strive to ensure that organizations under attack are notified as quickly as possible to help reduce potential damage. We also consider it our responsibility to share our findings with the cybersecurity community and encourage researchers to study advanced threats, share data, and use our technologies to combat cybercrime — together.

Frequently Asked Questions (FAQ)

What is a P1 bot?

arrow_drop_down

A P1 (“Press 1”) bot is an automated tool used by fraudsters to scale telemarketing scams and phishing campaigns.

How it works:

  • Loads a large list of potential victim’s phone numbers delivered by the attackers.
  • Phone calls or sends SMS messages to the listed phone numbers in regards to an urgent problem such as account takeover or suspicious activity
  • The recording instructs the victim to “Press 1” to speak to a representative or resolve the issue.
  • If a target presses 1, the attacker calls the target impersonating help desk or fraud department of the impersonated company

Scammers face a major bottleneck: filtering out people who will immediately hang up is time-consuming. A P1 bot acts as an automated qualification funnel. By the time a live fraudster joins the line, the victim has already proven they are reactive, anxious, and compliant, significantly increasing the scam’s success rate.

What is SIM swapping?

arrow_drop_down

A SIM swap attack (also known as SIM hijacking, port-out scam, or SIM splitting) is an account takeover technique in which fraudsters request a SIM replacement (or initiate an MSISDN porting order) from a mobile carrier. This enables them to intercept SMS or calls on their own device, including password reset links and one-time passcodes (OTPs).

What is a crypto drainer?

arrow_drop_down

Crypto drainers are phishing tools in the Web3 space that impersonate legitimate crypto businesses to trick users into authorizing fraudulent transactions. These malicious tools deceive users, leading them to authorize transactions that drain their crypto wallets without their knowledge. Typically, this happens when users click on malicious links embedded in phishing scams that appear to be legitimate advertisements. Once authorized, the drainer operators gain complete control over the funds in the victim’s wallet.

What is a RAT?

arrow_drop_down

A remote access trojan (RAT) is malware that grants unauthorized remote access to a target’s device. This sophisticated threat allows attackers to control compromised systems undetected. Upon installation, RATs enable various malicious activities, such as monitoring user behavior, extracting sensitive information, and deploying additional malware.

What is social engineering, vishing and smishing?

arrow_drop_down

The social engineering definition boils down to various psychology-based techniques used to persuade people to disclose certain information or perform a specific action for malicious purposes. These techniques also may go under the name “social engineering fraud” or “social engineering scams.”

Vishing, short for voice phishing, is a social engineering attack in which cybercriminals use phone calls or voice messages to trick individuals into sharing sensitive personal information, such as bank account information, credit card numbers, social security numbers, or login credentials.

Smishing is a type of attack that uses SMS text messages to deceive victims into giving up sensitive information or installing malware on their devices. The goal of a smishing attack is to lure out confidential information, such as bank accounts or card credentials.

What is a port-out pin?

arrow_drop_down

A port-out PIN (also called a transfer PIN or number transfer PIN) is a security code set with your mobile carrier that is required before your phone number can be transferred (ported) to another carrier. It acts as an additional layer of protection against unauthorized SIM swaps and port-out fraud. Without the correct PIN, an attacker cannot move your number to a different carrier or SIM card — even if they have other personal information about you.

DISCLAIMER: All technical information, including malware analysis, indicators of compromise and infrastructure details provided in this publication, is shared solely for defensive cybersecurity and research purposes. Group-IB does not endorse or permit any unauthorized or offensive use of the information contained herein. The data and conclusions represent Group-IB’s analytical assessment based on available evidence and are intended to help organizations detect, prevent, and respond to cyber threats.

Group-IB expressly disclaims liability for any misuse of the information provided. Organizations and readers are encouraged to apply this intelligence responsibly and in compliance with all applicable laws and regulations.

This blog may reference legitimate third-party services such as Telegram and others, solely to illustrate cases where threat actors have abused or misused these platforms.

This material is provided for informational purposes, prepared by Group-IB as part of its own analytical investigation, and reflects recently identified threat activity.

All trademarks referenced herein are the property of their respective owners and are used solely for informational purposes, without any implication of affiliation or sponsorship