Widely attributed · Active · MITRE G1015

Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. Scattered Spider relies heavily on social engineering, including impersonating IT and help-desk staff, to gain initial access, bypass multi-factor authentication (MFA), and compromise enterprise networks. The group has adapted its tooling to evade endpoint detection and response (EDR) defenses and has used ransomware for financial gain. Scattered Spider has since expanded into hybrid cloud and identity environments, using help-desk impersonation and MFA bypass to obtain administrator access in Okta, AWS, and Office 365.

Attribution signal

Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score. Thresholds: ≥ 10 High, ≥ 3 Moderate, < 3 Low.
Score: 13.6 (High signal strength)
Mentions: 20
Sources: 7
High confidence: 12
Last seen: May 2026
First observed: 2023-07-05
Last active: Active
Origin: Western — English-speaking members primarily from US and UK (medium confidence)
Aliases: 9
Techniques: 64
Campaigns: 0
Targets: Hospitality, Telecommunications, Technology, Financial
Regions: US, EU

Attribution signals

20 mentions · 7 sources
#1 · attributed to · high confidence
Evidence: Victimology, TTP match
socradar
May 2026

"The breach was attributed to Scattered Spider, a group known for its social engineering expertise."

#2 · tracking · high confidence
Evidence: TTP match, Victimology
mandiant
May 2026

"tracking how groups like UNC3944 target IT help desks to bypass multifactor authentication (MFA)"

#3 · pleaded guilty · high confidence
Evidence: HUMINT
wechat-qax-ti
May 2026

"Scottish threat actor Tyler Robert Buchanan was arrested in Spain and formally charged by the United States in November 2024. In 2025, the U.S. Department of Justice formally announced that this member pleaded guilty to charges related to participation in the Scattered Spider cybercriminal organization."

#4 · responsible for · high confidence
Evidence: Unspecified
dark-reading
May 2026

"Scattered Lapsus$ Hunters has been responsible for some of the most significant, costly cyberattacks across the US economy lately."

#5 · confirms · high confidence
Evidence: Unspecified
dark-reading
May 2026

"An analysis this week from Flashpoint of the disturbing cybercriminal group known as The Com confirms that as major Russian groups have splintered and withered away in recent years, the new class of predominantly North American cybercriminal groups that has emerged all trace back in one way or another to the same source."

#6 · separated from the pack by effectively targeting · high confidence
Evidence: TTP match
dark-reading
May 2026

"They've separated from the pack by effectively targeting the cloud and SaaS platforms organizations across the Western world rely on most, like Okta, Salesforce, and Microsoft365."

#7 · were behind · high confidence
Evidence: Unspecified
eset
May 2026

"cybercrime groups like Scattered Spider, which were behind both JLR and Marks & Spencer breaches"

#8 · were behind · high confidence
Evidence: Unspecified
eset
May 2026

"The loose grouping of English-speaking criminals known as Scattered Spider, who were behind the Marks and Spencer (M&S) breach in the UK"

#9 · pleaded guilty · high confidence
Evidence: HUMINT
krebs
May 2026

"A 24-year-old British national and senior member of the cybercrime group "Scattered Spider" has pleaded guilty to wire fraud conspiracy and aggravated identity theft."

#10 · admitted · high confidence
Evidence: HUMINT
krebs
May 2026

"admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors."

#11 · admitted · high confidence
Evidence: HUMINT
krebs
May 2026

"Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp."

#12 · used · high confidence
Evidence: TTP match
wiz-research
May 2026

"0ktapus used spoofed SSO portals to harvest credentials."

Hedge terms observed

admitted, aligns with, attackers, attributed to, blamed for, confirms, is thought to be behind, mirrors, pleaded guilty, responsible for, separated from the pack by effectively targeting, shows, tracking, unspecified, used, were behind