Scattered Spider is a loosely organised, financially motivated cybercriminal collective that first attracted major public attention in 2023 and has remained active through 2024 and 2025. The group is notable not for extremely sophisticated zero-day exploits but for a focused, repeatable playbook that combines targeted social engineering, identity compromise, and opportunistic use of legitimate administrative tools to gain and expand access inside large companies. Its campaigns typically begin with detailed reconnaissance of personnel and vendor relationships, followed by voice-based social engineering against IT help desks or targeted employees, abuse of account recovery and multi-factor authentication processes, and then use of valid credentials and living-off-the-land administration to steal data for extortion or to hand off access to ransomware operators. Government agencies and major incident responders have repeatedly warned that Scattered Spider adapts its techniques rapidly and often partners with or supplies access to other criminal groups that perform encryption and extortion.
Two broad tendencies separate Scattered Spider from some other cybercriminal actors. First, the group places heavy emphasis on human manipulation rather than on bulk exploitation of technical vulnerabilities; the string of incidents attributed to them shows repeated success against help desks, customer service providers, and identity systems. Second, Scattered Spider mixes opportunistic identity fraud operations, such as SIM swap crimes that steal cryptocurrency from individuals, with enterprise intrusions that scale to large data thefts and potential ransomware deployment. Public and private sector analyses characterise the group as an “identity-centric” threat that weaponises personally identifiable information, social engineering, and account recovery processes to obtain and persist with legitimate credentials inside target environments.
Attribution is inherently complex for loosely affiliated criminal groups, and reporting has used multiple labels and community identifiers, including SCATTERED SPIDER and UNC3944. Law enforcement investigations have resulted in arrests and at least one federal conviction and sentencing in the United States, but many individuals allegedly connected to specific intrusions remain under investigation and have not been convicted. When discussing named individuals or domestic prosecutions, it is important to distinguish between charged or alleged conduct and convictions that were entered in open court.
How Scattered Spider operates: an operational overview
Scattered Spider’s operations follow a recognisable lifecycle. First, reconnaissance gathers employee names, roles, phone numbers, and personal data from public sources, commercial business-to-business directories, and open social media. This information establishes believable personas and helps the operators craft plausible pretexts for contacting support personnel or targeted employees. Scattered Spider commonly uses voice calls and SMS messages—vishing and smishing—for early contact, including calls that impersonate employees, vendors, or internal IT staff. The group is especially adept at supplying precise pieces of personal information that pass help desk verification questions, such as dates of birth and partial social security information, which they use to request password resets or MFA resets from help desk agents.
Second, they exploit identity systems. After convincing a support representative to reset access or to register a new second factor, the actors log in with valid credentials and register their own MFA methods, or they use SIM swapping to intercept authentication messages. Once they control an account, they use legitimate administrative consoles and remote access tools to move laterally. These include cloud identity services such as Microsoft Entra ID and single-sign-on platforms, plus remote desktop infrastructure and virtual desktop solutions. The objective at this stage is to obtain privileged accounts, expand access to cloud storage and data repositories, and to create persistence mechanisms that look like regular administrative changes. (Sources: CrowdStrike; MITRE ATT&CK)
Third, the group exfiltrates data and monetises access. Historically, Scattered Spider often prioritised data theft and double extortion: stealing sensitive files and threatening release unless a ransom was paid. As of mid-2025, investigators and responders report an uptick in incidents where the group or their partners also deployed encryption ransomware (notably variants observed in partnership with or used by other ransomware operators). Exfiltrated data has been found on third-party file hosting services and made accessible via Tor for extortion negotiations. The group’s operators are pragmatic; they adapt to opportunity and may subcontract encryption activity to specialised ransomware affiliates while retaining access and control of the initial intrusion. (Sources: CISA; Cyble)
From a defender’s perspective, the distinguishing markers of Scattered Spider intrusions are (1) high fidelity social engineering against human processes, especially help desks and vendor support channels, (2) early and extensive use of valid accounts rather than noisy malware deployment, and (3) lateral movement that heavily leverages legitimate administration tooling and cloud consoles. Those behaviors map directly to several MITRE ATT&CK techniques such as Phishing and Spearphishing using voice (T1598.004), Valid Accounts (T1078), MFA compromise and manipulation of authentication mechanisms (T1556.006), and Data Encrypted for Impact (T1486) when ransomware is present. (Source: MITRE ATT&CK)
Detailed case study 1: the MGM Resorts incident (September 2023) — tactics, impact, lessons
In September 2023 multiple sources reported a major incident at a large U.S. hospitality company that caused substantial operational disruption across hotel properties, reservations systems, and gaming operations. Public reporting and subsequent analysis linked the incident to Scattered Spider and to affiliated extortion actors, though attribution in multi-actor incidents can be nuanced. The intrusion reportedly began with targeted social engineering leading to credential misuse and escalated to extensive systems disruption. Operational impacts included the shutdown of key IT systems, loss of automated check-in and key-card functionality, and other widespread outages that took days to recover from. Regulators later opened inquiries into the incident and the company disclosed material financial impacts in its filings. (Source: Reuters)
From a technical perspective the incident demonstrates several elements of the Scattered Spider playbook. Reconnaissance and identity collection enabled convincing pretexts; help desk abuse and MFA fatigue or reset techniques provided initial account takeover; and once inside, the adversary used legitimate administrative and remote access tools to move through the environment and access data stores. Intelligence from responders and commercial analysts noted that the operation focused on identity abuse and living-off-the-land behaviors as opposed to immediate large-scale malware deployment. After initial access, other criminal actors—including ransomware affiliates—were reported to have been involved in encrypting data or exploiting exfiltrated material for extortion. (Sources: CrowdStrike; Cymulate)
A few concrete defensive lessons emerge from the MGM incident. First, hardening identity recovery processes is essential. Organizations should treat help desks and vendor support channels as critical attack surfaces and reduce reliance on static, easily verifiable personal data for resets. Second, adopt phishing-resistant multi-factor authentication methods such as hardware tokens or platform FIDO/WebAuthn where possible. Third, monitor for anomalous enrollment of MFA methods and new authenticator registrations, because these actions are high-value indicators of an active account takeover attempt. Finally, assume that living-off-the-land activity may follow account compromise and instrument detection around legitimate administrative tooling, SSO consoles, cloud provider access, and data egress. These recommendations are consistent with joint advisories from U.S. and allied agencies and with vendor guidance. (Sources: CISA; MITRE ATT&CK)
Detailed case study 2: the 2025 UK retail incidents and related arrests — sequence, attribution, and legal developments
In mid-2025 a series of high-profile retail incidents in the United Kingdom—including significant operational impacts to multiple national retailers—prompted an international law enforcement response. The U.K. National Crime Agency announced arrests of four individuals in July 2025 in connection with suspected attacks on several retailers. National investigators described a pattern of social engineering and targeted identity abuse that matched the tactics widely associated with Scattered Spider. At the same time the U.S. and allied cyber agencies updated advisories noting an increase in Scattered Spider activity against commercial sectors including retail, aviation, and insurance. Because criminal investigations were ongoing, most public statements about the arrested individuals describe their alleged involvement rather than proven convictions. (Sources: National Crime Agency; CISA)
Open-source reporting and technical analysis of the retail incidents show a layered operation. The actors reportedly used purchased or scraped personal data to impersonate employees and to contact vendor support or corporate help desks, successfully requesting password or MFA resets in multiple cases. After obtaining control over cloud or SaaS accounts, the intruders accessed customer and transactional data and either exfiltrated it for extortion or arranged for ransomware affiliates to encrypt systems. Observers reported that Scattered Spider’s operators sometimes mix remote in-person deception, such as arranging real-world pretence or hiring proxies, with online social engineering to strengthen credibility. This hybrid social engineering makes detection by purely technical controls more difficult. (Sources: GuidePoint Security; ic3.gov)
The legal outcomes from these incidents are still in progress. In the United States there has been at least one high-profile prosecution that resulted in conviction and sentencing. A federal case in Florida resulted in the conviction and sentencing of an individual who pleaded guilty to a set of charges relating to identity fraud and SIM-swap crimes that were connected to cryptocurrency theft. The U.S. Department of Justice published a sentencing announcement describing asset forfeiture and restitution orders. Meanwhile, U.K. arrests have produced device seizures and charges or suspicions of computer misuse, blackmail, and money laundering, but public filings vary in the level of detail and many proceedings remain ongoing. When describing these developments, legal status should be stated precisely; arrests and charges are allegations until conviction, and sentencing actions reflect completed convictions. (Sources: Department of Justice; National Crime Agency)
Mapping Scattered Spider to MITRE ATT&CK and a short comparison with other groups
The MITRE ATT&CK knowledge base provides a common language to compare adversary behaviors. Scattered Spider’s most consistent techniques map into a fairly compact set of ATT&CK techniques and sub-techniques. Key mappings include Phishing (T1566), Spearphishing via voice or SMS (T1598.004), and mobile phishing (T1660); together these capture their vishing and smishing operations. The group routinely acquires and uses Valid Accounts (T1078) and manipulates authentication systems (sub-technique T1556.006 for MFA compromise and related account recovery abuse). When ransomware is observed, the Data Encrypted for Impact (T1486) technique is implicated. Scattered Spider’s heavy use of legitimate tools to persist and move laterally maps to detection challenges around Remote Services and Living-off-the-Land techniques that are well represented in the ATT&CK matrix.
It is useful to compare Scattered Spider with two other socially focused groups that have featured prominently in public reporting: LAPSUS$ (tracked in MITRE as DEV-0537) and FIN7 (G0046). LAPSUS$ rose to prominence in 2021 and 2022 by using large-scale social engineering and extortion, frequently targeting support staff and third-party vendors to obtain access. In ATT&CK terms, LAPSUS$ and Scattered Spider share a number of techniques: heavy reliance on Phishing (T1566), social engineering (T1592 family), and abuse of Valid Accounts (T1078). Both groups have employed MFA fatigue or help desk manipulation to overcome authentication (ATT&CK sub-techniques around MFA and account recovery). The primary difference is that LAPSUS$ often emphasised public shaming and high-visibility data leaks and sometimes avoided encryption, while Scattered Spider exhibits a hybrid approach that combines identity theft, targeted enterprise extortion, and sometimes coordination with ransomware affiliates.
FIN7 is an older, more technically resourced criminal group traditionally focused on point-of-sale theft and long campaigns of compromise. FIN7’s operations historically made heavier use of malware and custom tooling, though it too has evolved toward ransomware and big-game hunting. The ATT&CK comparison shows overlap in objectives—credential theft, lateral movement, and financial gain—but FIN7 and Scattered Spider differ in starting vectors and emphasis. FIN7 typically relied on phishing that delivers malware and on custom tooling for persistence, whereas Scattered Spider more frequently uses identity manipulation to obtain legitimate access in the first place. From a defender’s viewpoint, the distinction matters because Scattered Spider’s signals are often embedded in apparently valid administrative events, while FIN7’s operations may produce more conventional malware artefacts that signature and endpoint detection can catch.
Indicators of compromise and detection considerations
Scattered Spider uses behaviours that can be difficult to detect if an organisation only monitors for classic malware signatures. Effective detection focuses on identity and process anomalies. Useful detection signals include unusual registration of MFA devices or new authentication methods, password resets initiated by support channels that coincide with external vishing attempts, anomalous logins from legitimate administrative consoles outside normal patterns, and unusual data egress to cloud storage or third-party file hosts. Because the attackers often use legitimate administrative tooling and cloud consoles, defenders must instrument cloud identity platforms and monitor changes to privileged groups, new role assignments, and uncharacteristic privileged access. Alerting on unusual remote sessions, especially those that originate in the identity system rather than via endpoint malware, will catch many of the behaviors seen in Scattered Spider incidents.
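The detection signals listed above, and the MGM lesson about watching authenticator enrollments, come together as a correlation rule: a help-desk-initiated password reset followed within a short window by a new MFA method, a privileged role assignment, or an external share link is far more telling than any one of those events alone. The following is an added example written for this report, not detection logic from any advisory or vendor. The event schema, field names, the two-hour window, the role names and the sample records are all constructed for the illustration.

```python
"""Correlate identity-plane audit events for help-desk-driven account takeover.

Added illustration; the audit schema, field names and sample records are
constructed and do not represent any vendor's real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, vendor-neutral audit schema.
SAMPLE_EVENTS = [
    # alice: help-desk reset, then a new authenticator, a privileged role and an
    # external share link, all from one address, within two hours of the reset.
    {"ts": "2025-07-01T09:02:00Z", "user": "alice", "action": "password_reset",
     "actor": "helpdesk:bob", "src": "helpdesk-console"},
    {"ts": "2025-07-01T09:05:30Z", "user": "alice", "action": "mfa_method_added",
     "actor": "alice", "src": "203.0.113.7", "detail": "authenticator_app"},
    {"ts": "2025-07-01T09:40:00Z", "user": "alice", "action": "role_assigned",
     "actor": "alice", "src": "203.0.113.7", "detail": "Global Administrator"},
    {"ts": "2025-07-01T10:10:00Z", "user": "alice", "action": "file_share_link",
     "actor": "alice", "src": "203.0.113.7", "detail": "https://filehost.example/x"},
    # carol: self-service reset and an MFA enrolment a day later; benign pattern.
    {"ts": "2025-07-02T14:00:00Z", "user": "carol", "action": "password_reset",
     "actor": "carol", "src": "self-service"},
    {"ts": "2025-07-03T08:00:00Z", "user": "carol", "action": "mfa_method_added",
     "actor": "carol", "src": "198.51.100.9", "detail": "fido2"},
]

WINDOW = timedelta(hours=2)                      # assumed correlation window
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed schema."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW):
    """Return one finding per help-desk-initiated reset that is followed, within
    `window`, by MFA enrolment, privileged role assignment or external sharing.
    Severity rises with the number of follow-on stages observed."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        for reset in evs:
            # Only resets performed by a support agent are the trigger; self-service
            # resets go through the user's own existing factors.
            if reset["action"] != "password_reset" or not reset["actor"].startswith("helpdesk:"):
                continue
            t0 = parse_ts(reset["ts"])
            later = [e for e in evs if t0 < parse_ts(e["ts"]) <= t0 + window]

            stages = []
            if any(e["action"] == "mfa_method_added" for e in later):
                stages.append("mfa_method_added")
            if any(e["action"] == "role_assigned" and e.get("detail") in PRIVILEGED_ROLES
                   for e in later):
                stages.append("privileged_role_assigned")
            if any(e["action"] == "file_share_link" for e in later):
                stages.append("external_share")
            if not stages:
                continue

            severity = {1: "medium", 2: "high"}.get(len(stages), "critical")
            findings.append({"user": user, "reset_by": reset["actor"],
                             "stages": stages, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the rule produces a single critical finding for `alice` (reset by the help desk, new authenticator, Global Administrator role, external share link) and nothing for `carol`, whose self-service reset and later FIDO2 enrolment are the normal shape of those events. In production the same logic would run over the identity provider's sign-in and audit logs and the collaboration platform's sharing audit, with the reset-actor check keyed to the real help-desk service accounts.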
Defensive controls that agencies and vendors emphasize include the use of phishing-resistant multifactor authentication, strict limits and monitoring of help desk privileges, verification processes that go beyond static personal identifiers, enforced least privilege for administrative roles, segmentation and isolation of high-value cloud resources, and offline encrypted backups for recovery. Organizations that contract third-party help desks and BPO providers should impose controls on credential change procedures, require multi-party verification for critical account resets, and monitor for anomalous activity from vendor accounts. These mitigations are echoed in joint advisories from national cybersecurity agencies and private sector incident responders.
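The help-desk controls above (verification beyond static identifiers, multi-party verification for critical resets) can be made mechanical rather than left to an agent's judgement under pressure from a convincing caller. The following is an added example written for this report, not any organisation's or agency's procedure; the request fields, the factor names and the tiering rules are assumptions chosen to show the principle.

```python
"""Policy gate for help-desk password and MFA reset requests.

Added illustration, not a real organisation's procedure. The factor names
and tiering rules are assumptions: static personal data never proves
identity, second-factor resets and privileged accounts need two independent
strong proofs, and privileged resets need a second approver.
"""
from dataclasses import dataclass, field

# Facts an impersonator can buy or scrape; they may route a request but never verify it.
STATIC_PII = {"date_of_birth", "employee_id", "partial_ssn", "home_address", "manager_name"}

# Proofs tied to something the caller must actually control, or that involve a second person.
STRONG_FACTORS = {
    "callback_registered_number",   # agent calls the number on record, not the caller's
    "existing_authenticator_push",  # approval on the factor already enrolled
    "video_id_check",               # live check against the HR photo of record
    "manager_approval",             # independent approval by the user's manager
}


@dataclass
class ResetRequest:
    username: str
    reset_type: str                 # "password" or "mfa"
    privileged: bool = False        # holds an admin role in the identity platform
    verification: list = field(default_factory=list)   # factors the agent recorded


def evaluate(req: ResetRequest) -> dict:
    """Decide whether the help desk may perform the reset. Returns the decision
    plus the reasons for a denial, which should be written to the audit trail."""
    strong = {v for v in req.verification if v in STRONG_FACTORS}
    reasons = []

    if req.verification and not strong:
        reasons.append("only static personal data supplied; it does not prove identity")

    required = 1
    if req.reset_type == "mfa":
        required = 2   # re-enrolling a second factor is itself an account takeover action
    if req.privileged:
        required = 2
        if "manager_approval" not in strong:
            reasons.append("privileged account: independent manager approval required")

    if len(strong) < required:
        reasons.append(f"{required} strong factor(s) required, {len(strong)} supplied")

    return {"user": req.username, "approved": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed requests: a classic pretext with bought PII, and a properly verified one.
    print(evaluate(ResetRequest("alice", "mfa", verification=["date_of_birth", "employee_id"])))
    print(evaluate(ResetRequest("dan", "mfa", privileged=True,
                                verification=["callback_registered_number", "manager_approval"])))
```

The point of encoding the policy is that an agent who has been talked into believing a caller cannot approve the reset on that belief alone: a request backed only by date of birth and employee ID is denied regardless of how plausible the caller sounds, and an MFA reset on an admin account cannot be completed by one person. The decision record is what the correlation logic in the previous section would join against.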
Individuals, legal actions, and international law enforcement
Public reporting indicates law enforcement attention across multiple countries. In the U.S., a prosecution concluded with conviction and sentencing of one defendant who admitted involvement in SIM swap and cryptocurrency thefts; the sentencing order and press materials published by the U.S. Attorney’s Office provide details on counts and restitution. In the United Kingdom, the National Crime Agency executed arrests that it connected to a series of retail incidents; the agency described electronic device seizures and charges under the Computer Misuse Act and related statutes. Many public accounts of arrests and device seizures frame the charges as allegations pending prosecution. Because these matters often involve multiple jurisdictions and ongoing investigations, public statements vary in what they confirm and what remains under inquiry. The result is a mix of definitive legal outcomes in some instances and still-open investigations in others.
From an intelligence or analyst perspective, a useful distinction is between operational attribution and legal attribution. Operationally, pattern-of-life, tooling, and TTP mappings can show that a given intrusion employed Scattered Spider-like tradecraft. Legally, courts require charged conduct and proof beyond reasonable doubt. Analysts and organizations therefore adopt a precautionary posture: treat activity consistent with Scattered Spider TTPs as high risk and respond accordingly, but report legal attributions with care when charges or convictions are not yet public.
Summary and practical recommendations
Scattered Spider represents a persistent, adaptable identity-centric criminal threat. The group’s strength lies in social engineering and in exploiting human and procedural weaknesses—primarily in help desks, vendor support, and account recovery flows. Rather than relying solely on novel technical exploits, Scattered Spider obtains initial access through impersonation, SIM swapping, and MFA manipulation, and then operates within environments using legitimate credentials and administrative tools. This approach reduces early technical signals and increases the need for identity-focused detection and process hardening.
For organisations with even a moderate exposure to enterprise identity services and third-party support contracts, practical steps include making identity recovery procedures more robust, migrating to phishing-resistant MFA where feasible, monitoring for unusual authenticator enrollments and privileged role changes, and instrumenting cloud identity consoles for suspicious activity. Vendor and support contracts should clearly restrict what data and actions support personnel can perform without secondary authorisation, and incident response plans should assume the initial compromise vector is identity abuse rather than endpoint malware. Finally, collaboration with industry information sharing groups and law enforcement remains important because Scattered Spider’s activity has a cross-border footprint and benefits from rapid intelligence exchange.
Closing note on sources and confidence
This report draws primarily on technical advisories and reporting from national cybersecurity agencies, major commercial incident responders, and public legal filings. Notable sources include the joint advisories published by CISA and allied partners, technical reporting and telemetry from CrowdStrike and other commercial responders, the MITRE ATT&CK group profile for Scattered Spider, and recent Department of Justice case materials describing a U.S. prosecution. Those sources were chosen to emphasise primary technical analysis and official statements rather than popular news commentary. Where arrests or charges are discussed, this report follows the convention of describing unproven allegations as alleged unless a conviction and sentencing are publicly recorded. The most consequential factual claims in this report—about the group’s use of help desk social engineering, its mapping to ATT&CK techniques, and the existence of legal actions in the U.S. and U.K.—are documented in the government advisories and public filings cited above.
Sources used to prepare this report include the Cybersecurity and Infrastructure Security Agency advisory and subsequent updates, the U.S. Department of Justice sentencing release, CrowdStrike disclosures and threat hunting reports, the MITRE ATT&CK group profile for Scattered Spider, the U.K. National Crime Agency announcement about arrests, and multiple technical writeups summarising observed intrusions and tradecraft. Readers seeking operational checklists or detection playbooks should consult those advisories and vendor response templates for concrete detection rules and emulation scripts.