
Scattered Spider is one of the most media-scrutinized cybercriminal collectives in the world — and for good reason. Responsible for the MGM Resorts breach (estimated $100M+ in losses), the Caesars Entertainment attack (a reported $15M ransom), and the 0ktapus campaign that compromised over 130 technology companies and stole cryptocurrency worth several million, this group has become the defining face of social engineering in the modern enterprise. Their signature: they don’t hack in through the firewall — they call the help desk.
The group operates as a loosely affiliated network, predominantly composed of young English-speaking individuals from the US and UK, with connections to a broader cybercriminal community known as “the Com.” Despite multiple arrests and law enforcement indictments in 2024 and 2025, the playbook they popularized continues to be replicated across the criminal ecosystem — meaning the threat extends far beyond the original group named as Scattered Spider.
In 2025 and 2026, Scattered Spider was linked to major attacks against UK retailers M&S, Harrods, and Co-Op, as well as Jaguar Land Rover, Qantas, and Asahi. According to Group-IB’s HTCT 2025/2026 report, supply chain attacks have become the dominant force reshaping the global cyber threat landscape, with threat actors increasingly exploiting “trust, identity, and inherited access.” Scattered Spider’s identity-provider compromise model is the defining expression of this trend.
Key Numbers:
— 9,931+ credentials harvested in the 0ktapus campaign alone
— 130+ organizations compromised across the technology sector in a single operation
— $100M+ estimated losses from the MGM Resorts breach
— $15M reported ransom paid by Caesars Entertainment
— 14+ distinct subclusters identified by Group-IB
Geography: North America (US primary), United Kingdom, expanding to EU, Australia, and Asia
0ktapus campaign: Massive SMS-phishing operation harvesting 9,931+ credentials across 130+ tech companies. First documented by Group-IB.
MGM Resorts breach (September 2023): A single help-desk phone call led to Okta environment compromise, lateral movement, and BlackCat/ALPHV ransomware deployment — resulting in $100M+ in losses and 10 days of casino floor downtime.
Caesars Entertainment attack: Social engineering attack resulting in a reported $15M ransom payment.
UK retail attacks: Coordinated attacks against M&S, Harrods, and Co-Op causing significant operational disruption and sustained media attention.
Scattered Spider’s primary initial access vector abuses psychological manipulation of help-desk staff and IT administrators. The kill chain begins with a phone call.
Initial Access: The group gains entry through targeted social engineering — not software exploitation. Operators use publicly available employee information from LinkedIn and corporate directories to construct convincing pretexts before contacting IT help desks to request credential resets or MFA deactivation. Primary techniques include SMS phishing (smishing) targeting Okta and other identity providers; voice phishing (vishing) of IT staff; SIM swapping to intercept SMS-based MFA codes; and MFA fatigue attacks, in which push notifications are sent repeatedly until the target approves a fraudulent authentication request. The exact social engineering approach varies by subcluster and target, depending on the context.
Persistence and Privilege Escalation: Once inside the identity environment, the group creates new privileged accounts within Okta or Azure AD, accesses internal tools, modifies existing MFA configurations to add attacker-controlled authentication methods, registers rogue identity-provider applications to maintain SSO access, and installs legitimate remote monitoring and management (RMM) tools — including AnyDesk, Splashtop, and TeamViewer — on compromised endpoints. RMM tools are specifically chosen because they are common in enterprise environments and typically do not trigger endpoint detection alerts.
Lateral Movement: Compromised identity infrastructure enables lateral movement across every application connected via SSO. The group exploits single sign-on federation to authenticate into connected cloud applications, accesses code repositories (GitHub, GitLab) to harvest credentials from configuration files, and exfiltrates sensitive data from SharePoint, Confluence, and knowledge-management platforms.
Impact: Depending on the cluster, operations culminate in ransomware deployment (BlackCat/ALPHV confirmed; RansomHub and Qilin reported in later campaigns), data exfiltration and extortion, or both. The MGM Resorts breach left casino floors, hotel systems, and digital key cards inoperable for ten days. Other clusters do not deploy ransomware at all; instead, they focus on harvesting data from companies’ internal systems, which is then used for future social engineering campaigns, SIM swaps, or extortion based on the exfiltrated data.
Scattered Spider's playbook relies on social engineering that bypasses traditional technical controls, which means defenders need threat intelligence that tracks not just malware signatures but the human tactics behind them. The only way to stay ahead is to correlate compromised credentials, phishing infrastructure, threat intelligence and identity-based attack patterns in near real time.
Hardware security keys eliminate SIM swapping, push-notification fatigue, and OTP code theft in one control. Standard SMS and app-based MFA do not protect against this group's primary techniques.
Require out-of-band identity verification for all credential resets and MFA changes — including video callback to a known manager, verification against a pre-registered secondary channel, and mandatory cooling-off periods for privileged account changes.
Alert on new privileged account creation, MFA configuration changes, bulk SSO authentication from new locations, and identity-provider admin API access from unusual IP ranges.
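Detection logic for the four identity-provider signals just listed, as an added example that is not Group-IB's or Okta's code. It runs over a constructed, Okta-System-Log-style event list; the event type names, the admin flag on each event, the per-user baseline countries and the admin IP allowlist are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baselines: corporate egress ranges and each user's usual login countries.
ADMIN_IP_ALLOWLIST = [ip_network("203.0.113.0/24")]           # TEST-NET-3, constructed
USER_BASELINE_COUNTRY = {"alice": {"US"}, "bob": {"GB"}}      # constructed
MFA_CHANGE_EVENTS = {"user.mfa.factor.activate", "user.mfa.factor.deactivate",
                     "user.mfa.factor.reset_all"}             # assumed Okta event names
BULK_SSO_THRESHOLD = 4                   # distinct SSO apps from a non-baseline country...
BULK_SSO_WINDOW = timedelta(minutes=10)  # ...inside this window

def detect(events):
    """Return (rule, actor, detail) alerts for a list of Okta-style events.
    Each event is a dict: eventType, actor, target, ip, country, time, admin."""
    alerts, sso_by_actor = [], defaultdict(list)
    for e in events:
        kind, actor = e["eventType"], e["actor"]
        t = datetime.fromisoformat(e["time"])
        if kind == "user.account.privilege.grant":          # rule 1: new privileged account
            alerts.append(("privilege_grant", actor, e["target"]))
        if kind in MFA_CHANGE_EVENTS:                       # rule 2: MFA configuration change
            alerts.append(("mfa_change", actor, f"{kind} on {e['target']}"))
        if e.get("admin") and not any(ip_address(e["ip"]) in n for n in ADMIN_IP_ALLOWLIST):
            alerts.append(("admin_api_unusual_ip", actor, e["ip"]))   # rule 4: admin action off-range
        if kind == "user.authentication.sso" and e["country"] not in USER_BASELINE_COUNTRY.get(actor, set()):
            sso_by_actor[actor].append((t, e["target"]))
    for actor, logins in sso_by_actor.items():              # rule 3: bulk SSO from a new location
        logins.sort()
        for i, (start, _) in enumerate(logins):
            apps = {app for t, app in logins[i:] if t - start <= BULK_SSO_WINDOW}
            if len(apps) >= BULK_SSO_THRESHOLD:
                alerts.append(("bulk_sso_new_location", actor, sorted(apps)))
                break
    return alerts

# Constructed sample: an attacker using alice's account after a help-desk MFA reset.
SAMPLE_EVENTS = [
    {"eventType": "user.mfa.factor.reset_all", "actor": "helpdesk", "target": "alice",
     "ip": "203.0.113.10", "country": "US", "time": "2025-01-10T09:00:00", "admin": True},
    {"eventType": "user.mfa.factor.activate", "actor": "alice", "target": "alice",
     "ip": "198.51.100.7", "country": "DE", "time": "2025-01-10T09:05:00", "admin": False},
    {"eventType": "user.account.privilege.grant", "actor": "alice", "target": "svc-backup",
     "ip": "198.51.100.7", "country": "DE", "time": "2025-01-10T09:08:00", "admin": True},
] + [
    {"eventType": "user.authentication.sso", "actor": "alice", "target": app,
     "ip": "198.51.100.7", "country": "DE", "time": f"2025-01-10T09:{10 + i:02d}:00", "admin": False}
    for i, app in enumerate(["github", "sharepoint", "confluence", "aws"])
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The help-desk reset itself fires only the MFA-change rule because it came from an allowlisted range; every later action from the new address trips the remaining rules, which is the chain a triage analyst would want surfaced together.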
Create allowlists for approved remote access software; alert on any installation of AnyDesk, Splashtop, or TeamViewer on endpoints not designated for remote support use.
Monitor for associated phishing domains, newly registered domains matching your brand patterns, and credential dumps containing your organization's email domains.
Scattered Spider is a financially motivated cybercriminal collective, also tracked as UNC3944, Muddled Libra, Octo Tempest, and 0ktapus. Composed primarily of young, English-speaking individuals based in the US and UK, the group is known for sophisticated social engineering attacks targeting identity infrastructure at major enterprises.
Unlike traditional ransomware groups that exploit technical vulnerabilities for initial access, Scattered Spider’s primary weapon is social engineering. Attackers call help desks, impersonate employees, and manipulate IT staff into resetting credentials or disabling MFA. While they have deployed ransomware (notably BlackCat/ALPHV), their initial access methodology is entirely human-centric — making them uniquely difficult to defend against with purely technical controls.
Key techniques include T1566.002 and T1566.004 (smishing and vishing for initial access), T1621 (MFA fatigue), T1078 (valid accounts via compromised identity-provider credentials), T1219 (RMM tools for persistence), T1199 (SSO abuse for lateral movement), and T1486 (ransomware deployment). Detection should focus on anomalous identity-provider events and unauthorized RMM tool installations.
First, immediately isolate the compromised identity-provider tenant — revoke all active sessions, disable recently created privileged accounts, and roll back any MFA configuration changes made in the past 72 hours. Second, initiate out-of-band credential rotation for all accounts that authenticated through the compromised identity provider; do not use the compromised IdP to distribute new credentials. Third, engage your threat intelligence provider to check for leaked credentials, associated phishing domains, and dark web chatter referencing your organization.
The consequences have been severe: MGM Resorts disclosed an estimated $100M+ impact from its September 2023 breach, encompassing operational disruption (casino floors offline for approximately 10 days), incident response costs, and reputational damage. Caesars Entertainment reportedly paid approximately $15M in ransom. Beyond direct costs, organizations face regulatory penalties, litigation, customer churn, and insurance premium increases. Identity-based attacks like those executed by Scattered Spider carry high ROI for attackers because a single compromised identity-provider account can cascade across an organization’s entire cloud application portfolio.
Group-IB analysts assess that identity-provider-focused social engineering will diversify into AI-assisted vishing using deepfake voice and video, expanded targeting of cloud-native infrastructure beyond Okta or Citrix, and data extortion campaigns without ransomware deployment. Law enforcement pressure may fragment some clusters but will not eliminate the underlying playbook, which is already being adopted by other actors observed across the criminal ecosystem.