Cybercrime Group

Scattered Spider

United States/United Kingdom • Active since 2022

Scattered Spider is a group of young American and British hackers who are masters at tricking people. They call help desks pretending to be employees, convince them to reset passwords, and take over accounts. They're behind the MGM casino hack that shut down slot machines for days. Some members are teenagers.

Overview

Scattered Spider is a loosely organized group of young, English-speaking hackers known for sophisticated social engineering attacks. They specialize in help desk manipulation and SIM swapping to bypass MFA. The group has partnered with ALPHV/BlackCat for ransomware operations, notably attacking MGM Resorts and Caesars Entertainment.

Also Known As

UNC3944, Muddled Libra, Scatter Swine, 0ktapus, Star Fraud

Target Industries

Hospitality, Gaming, Technology, Telecommunications, Financial Services, BPO (Business Process Outsourcing)

Target Regions

United States, Global

Tactics, Techniques & Procedures

  • Help desk social engineering
  • SIM swapping for MFA bypass
  • SMS phishing (smishing)
  • MFA fatigue attacks
  • Exploitation of identity providers

Known Tools & Malware

Social engineering (phone-based), SIM swapping, Phishing kits (0ktapus), AnyDesk/Splashtop for remote access, ALPHV/BlackCat ransomware

Notable Campaigns

MGM Resorts Attack (2023)

Disrupted MGM casino operations for 10 days, causing $100 million in damages.

Caesars Entertainment Breach (2023)

Breached Caesars, which reportedly paid a $15 million ransom.

0ktapus Campaign (2022)

Phished 130+ organizations including Twilio, Cloudflare, and DoorDash.

MITRE ATT&CK Techniques

T1566.002 (Phishing: Spearphishing Link), T1598 (Phishing for Information), T1078 (Valid Accounts), T1219 (Remote Access Software), T1621 (Multi-Factor Authentication Request Generation)

Defense Recommendations

  1. Implement strict help desk identity verification procedures
  2. Use phishing-resistant MFA (hardware keys, not SMS)
  3. Add SIM swap protection with your mobile carrier
  4. Monitor for unauthorized remote access tool installations
  5. Implement out-of-band verification for sensitive requests
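The fourth recommendation, monitoring for unauthorized remote access tools, is the one most easily turned into a concrete detection. The script below is an added example, not code from this profile or from any vendor: it scans endpoint process-creation events for the AnyDesk and Splashtop executables named in the Known Tools section and raises an alert unless the tool is on a per-host allowlist. The JSON event shape, the host names and the allowlist are constructed assumptions; the executable-name patterns cover the common binary names of those two products and should be tuned to what an organisation actually deploys.

```python
"""Flag process-creation events for remote access tools (AnyDesk, Splashtop)
on hosts where they are not approved.

Added example, not from the threat actor profile. The event format below is a
constructed stand-in for an EDR/Sysmon-style feed; the allowlist is assumed.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Executable basenames associated with the tools named in the profile.
# Matching is case-insensitive on the file name only, so path tricks
# (user profile, temp dir, renamed parent folder) do not hide the binary.
RAT_PATTERNS = {
    "AnyDesk": re.compile(r"^anydesk(?:[-_ ].*)?\.exe$", re.I),
    "Splashtop": re.compile(r"^(?:splashtop|sr(?:server|manager|service))\w*\.exe$", re.I),
}

# Assumed allowlist: hosts where a given tool is a sanctioned deployment.
APPROVED = {"helpdesk-01": {"Splashtop"}}


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    tool: str
    image: str


def classify(image_path: str) -> Optional[str]:
    """Return the tool name if the executable looks like a known RAT, else None."""
    base = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    for tool, pattern in RAT_PATTERNS.items():
        if pattern.match(base):
            return tool
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Scan JSON-lines process events; skip malformed lines and non-process events."""
    alerts: List[Alert] = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable line: skip rather than crash the pipeline
        if ev.get("event") != "process_create":
            continue
        tool = classify(ev.get("image", ""))
        if tool is None:
            continue
        if tool in APPROVED.get(ev.get("host", ""), set()):
            continue  # sanctioned deployment on this host
        alerts.append(Alert(ev.get("host", "?"), ev.get("user", "?"), tool, ev["image"]))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    '{"event":"process_create","host":"ws-112","user":"jdoe",'
    '"image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\AnyDesk.exe"}',
    '{"event":"process_create","host":"helpdesk-01","user":"svc_remote",'
    '"image":"C:\\\\Program Files (x86)\\\\Splashtop\\\\Splashtop Remote\\\\Server\\\\SRServer.exe"}',
    '{"event":"process_create","host":"fin-07","user":"asmith",'
    '"image":"C:\\\\Users\\\\asmith\\\\AppData\\\\Local\\\\Temp\\\\SRManager.exe"}',
    '{"event":"process_create","host":"ws-112","user":"jdoe",'
    '"image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}',
    '{"event":"logon","host":"ws-112","user":"jdoe"}',
    "this line is not json",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"ALERT host={a.host} user={a.user} tool={a.tool} image={a.image}")
```

On the constructed sample this raises two alerts (AnyDesk launched from a user's Downloads folder on ws-112, and a Splashtop binary run from a Temp directory on fin-07) and stays silent for the approved Splashtop install on helpdesk-01. In practice the same check belongs in the SIEM as a scheduled rule, with the allowlist driven from the software inventory rather than hard-coded.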

Related Threat Actors

Lapsus$, FIN7, ALPHV/BlackCat

Is your business exposed?

Check if your company data is circulating on the dark web

Free scan • No credit card required