
Scattered Spider (UNC3944): The Social Engineering Threat That Bypasses Technical Defenses

Scattered Spider is the English-speaking threat actor responsible for breaches at MGM Resorts, Caesars Entertainment, Twilio, Okta, and dozens of other high-profile targets. Their attacks exploit human psychology rather than technical vulnerabilities, making them uniquely resistant to conventional security controls.

By Ransomware Tracker
Tags: Scattered Spider, UNC3944, 0ktapus, Starfraud, social-engineering, SIM-swap, MFA-fatigue, ransomware, ALPHV, MGM, Caesars, identity, vishing
Threat Level: 8/10
Sectors Targeted: hospitality, financial-services, retail, technology, telecommunications
Ransomware Family: Scattered Spider

Scattered Spider is the informal name applied to a loose network of primarily English-speaking threat actors tracked by CrowdStrike as SCATTERED SPIDER, Mandiant as UNC3944, and Microsoft as Octo Tempest. They are also referred to as 0ktapus (from their early phishing campaigns targeting Okta), Starfraud, and in some research as “the Com” — a reference to loosely organised English-speaking cybercriminal communities.

What distinguishes Scattered Spider from most threat actor groups profiled in this tracker is the near-total absence of novel technical capabilities. They do not develop their own malware, do not exploit zero-day vulnerabilities, and do not rely on sophisticated post-exploitation toolkits. Their intrusions succeed through social engineering that bypasses every technical control in a target environment while leaving those controls functionally intact.

Threat Actor Profile

Origin: English-speaking, primarily US and UK based, including members as young as 17 at time of arrest. This is unusual among persistent threat actors — nation-state groups are professional intelligence operations; most RaaS affiliates are experienced criminal actors. Scattered Spider’s membership skews young and community-organised.

Motivation: Financial — the group has shifted between data theft for resale, extortion without ransomware, and full ransomware deployment. Their 2023 high-profile campaign saw ransomware deployed via ALPHV/BlackCat affiliate access.

First observed: 2022, with the 0ktapus SMS phishing campaign targeting Okta customers.

Notable victims: MGM Resorts International, Caesars Entertainment, Twilio, LastPass, DoorDash, Riot Games, Coinbase, Cloudflare (repelled), Reddit, multiple telcos.

Attack Methodology

Stage 1: Initial Access via Social Engineering

Scattered Spider’s initial access does not involve exploitation. It involves phone calls.

The most documented pattern: the attacker calls an organisation’s IT helpdesk or service desk impersonating an employee. The attacker has pre-gathered information about the target employee — name, employee ID, manager’s name, office location — from LinkedIn, corporate directories, data broker sites, and prior breaches. They use this information to pass the helpdesk’s identity verification questions.

Once authenticated to the helpdesk’s satisfaction, the attacker requests one of several high-value actions:

  • MFA reset or re-enrollment to a new device
  • Password reset without MFA
  • Adding a new authenticator to an existing account

These are standard helpdesk functions. In most organisations, the helpdesk is authorised to perform them, and the verification process is the only control. When that process relies on questions answerable from publicly available information, the technical security stack behind it — conditional access policies, EDR, SIEM, threat intelligence feeds — is irrelevant.

Stage 2: Account Takeover and Privilege Escalation

With access to an initial employee account, Scattered Spider moves systematically through identity infrastructure:

Okta and Azure AD enumeration: They query the identity provider’s admin portal for other accounts, group memberships, and admin roles. They look for service accounts, shared accounts, and accounts that haven’t been used recently — these have a higher probability of weak MFA enrollment.

MFA fatigue: For accounts where they have credentials but can’t bypass MFA through helpdesk social engineering, they use push notification flooding — repeatedly triggering authentication requests until the user approves one, or until a follow-up phone call convinces them to approve.

SIM swapping: For accounts secured with SMS-based MFA, Scattered Spider contacts the victim’s mobile carrier, impersonating the victim, to port the phone number to an attacker-controlled SIM. This gives them control over SMS-based MFA directly.

Telecom insider relationships: Multiple members of the group have been documented as having relationships with insiders at telecom companies who perform SIM swaps in exchange for payment — removing the need to social-engineer the carrier.

Stage 3: Lateral Movement and Data Access

Once Scattered Spider has a foothold in the identity provider, they move through the environment using legitimate credentials — the victim organisation’s own SSO infrastructure carries them to every connected application. Common targets:

  • SharePoint and Confluence — for internal documentation, network diagrams, system architecture, and — critically — credentials stored in notes and wikis
  • vCenter and VMware — virtualisation management, used in later MGM-style attacks for ESXi ransomware deployment
  • Backup systems — to assess recovery capability and destroy backups pre-encryption if ransomware is the goal
  • Code repositories — GitHub, GitLab — for source code, API keys, and internal tooling secrets

Stage 4: Ransom or Data Extortion

Scattered Spider’s end-game has varied:

  • Pure data extortion (pre-2023): Stealing sensitive data and threatening publication. No encryption, no ransomware.
  • ALPHV/BlackCat affiliate (2023): In the MGM and Caesars attacks, they deployed ALPHV ransomware. Caesars reportedly paid approximately $15 million. MGM declined to pay and sustained approximately $100 million in operational disruption and recovery costs.
  • Current (2025–2026): Operating as a data extortion operation without consistent ransomware affiliation following the ALPHV/BlackCat disruption. Some members have been arrested; the group continues operating with what appears to be a rotating membership.

Notable Incident: MGM Resorts (September 2023)

The MGM Resorts incident is the canonical Scattered Spider case study. Entry was gained through a ten-minute LinkedIn research session followed by a phone call to MGM’s IT helpdesk impersonating a named employee. The attacker obtained an MFA reset and gained access to MGM’s Okta admin console.

From that initial access point, Scattered Spider spent days moving through MGM’s environment before deploying ALPHV ransomware against ESXi infrastructure across MGM properties in Las Vegas and internationally. Hotel key card systems, casino floors, digital signage, reservations, and mobile apps were disrupted for approximately nine days. Estimated total disruption and recovery cost: $100 million or more.

The attack succeeded entirely through social engineering and legitimate credential use. MGM’s technical security controls — detection tooling, EDR, network segmentation — were not defeated; they were bypassed because the attack never looked like an attack until the ransomware detonated.

Arrests and Law Enforcement Action

Several individuals associated with Scattered Spider have been arrested in the US and UK:

  • Tyler Buchanan (UK citizen, arrested in Spain, June 2024) — extradited to the US, charged with wire fraud and aggravated identity theft.
  • Noah Michael Urban (Florida, arrested January 2024) — charged with wire fraud, identity fraud, and conspiracy.
  • Four additional individuals (charged in 2024) connected to the MGM and Caesars attacks.

Arrests have not ended the group’s activity. The loosely organised, community-based structure means the removal of individual members does not degrade capability in the way it would for a hierarchical criminal organisation.

Detection and Defence

Scattered Spider’s approach is largely detection-resistant at the technical layer. The intrusion looks like legitimate activity because it uses legitimate credentials obtained through non-technical means. Effective defences target the attack chain’s social engineering dependencies:

Harden your helpdesk: Implement callback verification — when a user requests an MFA reset, call them back on a number registered in your HR system, not one provided on the call. Require manager co-authorisation for MFA resets on privileged accounts. Implement phishing-resistant MFA (FIDO2/passkeys) to make account recovery more complex and auditable.

Eliminate SMS-based MFA: SIM swapping is only possible when SMS is an authentication factor. Replace SMS MFA with authenticator app or hardware key for all privileged accounts.

Monitor for push notification flooding: High-volume failed MFA events from a single user account in a short window are a detection signal for either push bombing or a compromised account under active attack.

Limit helpdesk authority: Scope what the helpdesk can do without escalation. MFA resets on accounts with privileged roles (IT admin, finance, executives) should require a formal change process with documented verification, not a real-time phone call decision.
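The helpdesk controls described above (callback to the number of record in HR, no SMS or voice factors, manager co-authorisation plus a change ticket before any privileged-account reset) written out as a single decision function. This is an added illustration, not code from the tracker or from any identity vendor; the role labels, the request fields and the approve/escalate/deny split are assumptions chosen for the example.

```python
"""Helpdesk MFA-reset authorisation policy as a decision function.

Added example, not the tracker's code. Encodes the rule that nothing the caller
says on the phone counts as verification: only a callback to the HR-registered
number does, privileged accounts are never reset in real time, and factors that
can be SIM-swapped are never enrolled. Role labels and fields are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PRIVILEGED_ROLES = frozenset({"it-admin", "finance", "executive"})  # assumed role labels
BANNED_FACTORS = frozenset({"sms", "voice"})                         # SIM-swappable factors


@dataclass
class ResetRequest:
    username: str
    requested_factor: str                 # e.g. "fido2", "totp", "sms"
    hr_registered_number: str             # number of record from the HR system
    callback_number: Optional[str] = None  # number the agent actually called back
    roles: frozenset = frozenset()
    manager_approved: bool = False
    change_ticket: Optional[str] = None


def evaluate(req: ResetRequest) -> Tuple[str, List[str]]:
    """Return ("approve" | "escalate" | "deny", reasons).

    deny     - the request can never be fulfilled as asked
    escalate - a privileged account is involved; route to the change process
    approve  - a standard account, verified out-of-band, non-SMS factor
    """
    reasons: List[str] = []

    # 1. Never enrol a factor that SIM swapping defeats.
    if req.requested_factor.lower() in BANNED_FACTORS:
        reasons.append(f"factor '{req.requested_factor}' is SIM-swappable; not permitted")
        return "deny", reasons

    # 2. Identity is proven only by calling back the number HR holds,
    #    never a number supplied on the inbound call.
    if req.callback_number is None:
        reasons.append("no callback performed; caller-supplied identity is unverified")
        return "deny", reasons
    if req.callback_number != req.hr_registered_number:
        reasons.append("callback went to a number not registered in HR")
        return "deny", reasons

    # 3. Privileged accounts leave the real-time path entirely.
    if req.roles & PRIVILEGED_ROLES:
        if not req.manager_approved:
            reasons.append("privileged account: manager co-authorisation required")
        if not req.change_ticket:
            reasons.append("privileged account: change ticket required, no real-time reset")
        if reasons:
            return "escalate", reasons

    return "approve", reasons


if __name__ == "__main__":
    # Constructed request: a finance user asking for a TOTP re-enrolment, callback done.
    sample = ResetRequest(username="f.user", requested_factor="totp",
                          hr_registered_number="+1-555-0100", callback_number="+1-555-0100",
                          roles=frozenset({"finance"}))
    print(evaluate(sample))
```

The point of returning `escalate` rather than `deny` for privileged accounts is that the agent still has a legitimate path; it just cannot be completed on the call, which is exactly the window the helpdesk-impersonation pattern depends on.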

UEBA on identity provider logs: Unusual Okta or Entra ID admin activity — new MFA device enrollments, password resets on multiple accounts, access to the admin console from an unfamiliar device — should generate alerts, not just be logged. The dwell time between initial access and ransomware deployment in the MGM case was measured in days. Detection and alert response in that window prevents the worst-case outcome.
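The three signals called out in this section (push-notification flooding against one user, one actor resetting passwords or enrolling MFA factors across several accounts, and admin-console access from a device never seen for that admin) as a small triage pass over identity-provider events. This is an added example, not the tracker's code and not an Okta product feature: the event type names follow Okta System Log naming, but every log line below is constructed, and the thresholds, windows, IP-based device baseline and JSON field layout are assumptions.

```python
"""Triage of identity-provider log events for the signals described above.

Added example, not the tracker's code. Event type names follow Okta System Log
conventions; the log lines, thresholds, windows and the IP baseline used to
stand in for "unfamiliar device" are all constructed for the example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

PUSH_EVENTS = {"system.push.send_verify_push"}                               # push challenge sent
ADMIN_CHANGE_EVENTS = {"user.account.reset_password", "user.mfa.factor.activate"}
ADMIN_CONSOLE_EVENT = "user.session.access_admin_app"


def parse(lines):
    """Flatten JSON log lines into sorted dicts with the fields the detectors need."""
    events = []
    for line in lines:
        e = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "actor": e["actor"]["alternateId"],
            "target": (e.get("target") or [{}])[0].get("alternateId"),
            "ip": e["client"]["ipAddress"],
        })
    return sorted(events, key=lambda ev: ev["ts"])


def burst(timestamps, window, threshold):
    """True if at least `threshold` timestamps fall inside any sliding `window`."""
    ts = sorted(timestamps)
    lo = 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect_push_flooding(events, window=timedelta(minutes=10), threshold=5):
    """Users who received `threshold` or more push challenges inside `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["type"] in PUSH_EVENTS:
            per_user[ev["actor"]].append(ev["ts"])
    return sorted(u for u, ts in per_user.items() if burst(ts, window, threshold))


def detect_mass_credential_changes(events, window=timedelta(hours=1), min_targets=3):
    """Actors who reset passwords / enrolled factors on >= min_targets distinct accounts in `window`."""
    per_actor = defaultdict(list)  # actor -> [(ts, target)]
    for ev in events:
        if ev["type"] in ADMIN_CHANGE_EVENTS and ev["target"]:
            per_actor[ev["actor"]].append((ev["ts"], ev["target"]))
    hits = []
    for actor, items in per_actor.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if len({t for _, t in items[lo:hi + 1]}) >= min_targets:
                hits.append(actor)
                break
    return sorted(hits)


def detect_unfamiliar_admin_access(events, baseline):
    """(actor, ip) pairs opening the admin console from an IP absent from the actor's baseline."""
    return sorted({(ev["actor"], ev["ip"]) for ev in events
                   if ev["type"] == ADMIN_CONSOLE_EVENT
                   and ev["ip"] not in baseline.get(ev["actor"], set())})


def _ev(ts, etype, actor, ip, target=None):
    """Build one constructed log line in the shape parse() expects."""
    rec = {"published": ts, "eventType": etype, "actor": {"alternateId": actor},
           "client": {"ipAddress": ip},
           "target": [{"alternateId": target}] if target else []}
    return json.dumps(rec)


# Constructed sample log: all addresses are documentation ranges, all accounts fictional.
SAMPLE_LOG = [
    # six push challenges to one user within eight minutes: push bombing
    *[_ev(f"2025-01-15T02:{m:02d}:00Z", "system.push.send_verify_push",
          "j.doe@example.com", "203.0.113.7") for m in (1, 2, 4, 5, 7, 8)],
    # a single challenge to another user: normal sign-in
    _ev("2025-01-15T02:03:00Z", "system.push.send_verify_push", "a.lee@example.com", "198.51.100.2"),
    # one helpdesk account touching four different users' credentials in twenty minutes
    _ev("2025-01-15T03:00:00Z", "user.account.reset_password", "helpdesk@example.com", "192.0.2.10", "u1@example.com"),
    _ev("2025-01-15T03:05:00Z", "user.mfa.factor.activate", "helpdesk@example.com", "192.0.2.10", "u2@example.com"),
    _ev("2025-01-15T03:12:00Z", "user.mfa.factor.activate", "helpdesk@example.com", "192.0.2.10", "u3@example.com"),
    _ev("2025-01-15T03:20:00Z", "user.account.reset_password", "helpdesk@example.com", "192.0.2.10", "u4@example.com"),
    # admin console opened once from a known IP and once from one never seen for this admin
    _ev("2025-01-15T03:30:00Z", "user.session.access_admin_app", "okta-admin@example.com", "203.0.113.7"),
    _ev("2025-01-15T03:31:00Z", "user.session.access_admin_app", "okta-admin@example.com", "192.0.2.10"),
]
KNOWN_ADMIN_IPS = {"okta-admin@example.com": {"192.0.2.10"}}  # constructed baseline


def triage(lines=SAMPLE_LOG, baseline=KNOWN_ADMIN_IPS):
    events = parse(lines)
    return {
        "push_flooding": detect_push_flooding(events),
        "mass_credential_changes": detect_mass_credential_changes(events),
        "unfamiliar_admin_access": detect_unfamiliar_admin_access(events, baseline),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2, default=list))
```

Each detector returns the principal to alert on rather than a raw count, so the output can feed a ticket or a SOAR step directly; the mass-change rule deliberately keys on the acting account (the helpdesk identity) rather than the targets, because that is the account an attacker has just social-engineered a reset for.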
