Scattered Spider / UNC3944 Group Profile
Breach Summary
Scattered Spider — also known as UNC3944, Muddled Libra, and Octo Tempest — is a loosely organized threat group of primarily English-speaking young adults who executed some of the most financially damaging social engineering attacks in enterprise history during 2022–2023. The group's targets included MGM Resorts, Caesars Entertainment, Okta, Twilio, Cloudflare, and dozens of others. Their weapon of choice was not malware but the telephone.
What Happened
Scattered Spider's documented attacks span 2022–2023 and include Twilio, Cloudflare, DoorDash, Signal (via Twilio), Okta, MGM Resorts, Caesars Entertainment, and dozens of others identified in law enforcement and vendor investigations. Multiple group members were arrested in 2023–2024 through FBI and UK NCA investigations. The group's techniques — particularly help desk vishing and MFA fatigue — have been widely adopted by successor groups, meaning the threat methodology remains active even as the original Scattered Spider core has been partially disrupted by law enforcement.
Attack Vector Detail
Scattered Spider's core technique is vishing — calling IT help desks and impersonating employees, using personal information assembled from LinkedIn and breach databases to pass identity verification. Once they obtain MFA resets or credential assistance, they pivot through Okta or other SSO platforms to access connected enterprise applications. The group is notable for conducting attacks in English without the language barriers that typically characterize foreign threat actors, enabling highly convincing social engineering against US and UK corporate targets. Many group members are believed to be teenagers and young adults, making Scattered Spider the most consequential youth cybercrime organization in history.
Breach Pattern Timeline
Pre-2022
Scattered Spider (Mandiant: UNC3944; Microsoft: Octo Tempest; CrowdStrike: Scattered Spider) emerges as a loosely organized group of English-speaking threat actors — predominantly U.S., U.K., and Canadian young adults. Distinguished by social engineering sophistication rather than technical exploit capability.
2022
Scattered Spider conducts coordinated smishing campaigns against tech companies — '0ktapus' campaign affects Twilio, MailChimp, Cloudflare (defended successfully), DigitalOcean, Authy, Signal (downstream), and ~135+ organizations.
2023
Scattered Spider matures methodology: shifts to vishing (voice phishing) against IT help desks. Targets include Reddit (Feb 2023), Riot Games, multiple SaaS platforms.
September 7-12, 2023
Scattered Spider executes parallel attacks against MGM Resorts and Caesars Entertainment using vishing against IT help desks. MGM refuses to pay and suffers a 10-day operational shutdown with a $100M+ EBITDA impact; Caesars pays a $15M ransom. Industry-defining incidents.
October-November 2023
Scattered Spider exploits Citrix Bleed (CVE-2023-4966) at scale, with multiple victims including the Boeing breach. The group operates as an ALPHV/BlackCat affiliate during this period.
June 14, 2024
FBI arrests Tyler Buchanan (Scotland) at U.S. request — alleged Scattered Spider operative. Subsequently extradited to U.S.
November 14, 2024
U.S. federal charges unsealed against five additional alleged Scattered Spider members in the Central District of California. Charges include wire fraud, computer fraud, and identity theft.
2024-2025
Scattered Spider continues operating despite arrests. Migrates from ALPHV affiliate model to RansomHub affiliate. Operations continue against insurance, retail, and other sectors.
2025-2026
Scattered Spider becomes foundational case study for: (1) social engineering as the dominant 2022-2024 enterprise breach vector, (2) help desk identity verification as critical control gap, (3) the limits of arrests in disrupting decentralized threat groups, (4) phishing-resistant MFA as the structural defense.
Total impact: Estimated 150+ confirmed enterprise victims 2022-2025 across MGM, Caesars, Twilio, MailChimp, Reddit, Boeing, Riot Games, and others; collective impact exceeding $500M in operational and ransom costs; foundational precedent for the help-desk vishing attack pattern and the phishing-resistant MFA mandate.
Executive Lessons
Scattered Spider established that English-speaking, socially skilled attackers can defeat every technical security control through the human authentication layer. MFA is not sufficient protection when help desks reset MFA on request. Three executive responses are required: redesign help desk identity verification; implement Conditional Access policies; and conduct regular vishing simulations against help desk staff.
Private Equity Implications
Scattered Spider's repeatable, systematic attack methodology represents a direct threat to PE portfolio companies of all sizes. The help desk identity verification gap they exploit is not specific to MGM or Caesars — it exists in the majority of mid-market organizations that have not specifically redesigned their verification procedures to exclude knowledge factors available in breach databases. PE operating partners should require help desk security assessments and vishing simulations as standard components of post-close security programs.
Frequently Asked Questions
Who is Scattered Spider?
Scattered Spider (also tracked as UNC3944, Octo Tempest, 0ktapus, Scatter Swine, and Star Fraud) is an English-speaking cybercriminal group specializing in social engineering attacks against enterprise help desks and identity providers. Members are predominantly young (teens to early twenties) and based in the U.S. and U.K. The group has compromised over 130 major organizations since 2022 and operates as both a standalone extortion group and an initial access broker for ransomware operations.
How does Scattered Spider attack organizations?
Scattered Spider's methodology centers on social engineering rather than technical exploitation. The group identifies an employee via LinkedIn, calls the target organization's IT help desk impersonating that employee, and convinces help desk staff to reset MFA enrollment or provide other access. From the initial authenticated access, the group moves laterally through Okta, Active Directory, or other identity systems to reach high-value resources. The technique requires no malware, no zero-days, and no significant technical sophistication.
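The sequence described in the Attack Vector Detail section and in this answer (a help-desk-initiated MFA reset, then a sign-in from a device the user has never used, plus the MFA fatigue variant mentioned earlier) leaves a recognisable trace in identity provider logs. The following added example, which is not part of this profile or any vendor's product, runs two detection rules over a handful of constructed log lines. The event type names, field names, sample users and IP addresses are assumptions for illustration, loosely modeled on system-log conventions; a real deployment must map them to its own provider's schema.

```python
"""Detect the post-vishing access pattern: help desk resets a user's MFA,
and within an hour a successful sign-in arrives from an IP/device pair that
user has never used. Also flags MFA push fatigue (a burst of unaccepted
push challenges). Added example with constructed data; not vendor code."""
from __future__ import annotations

import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RESET_TO_LOGIN_WINDOW = timedelta(hours=1)
PUSH_FATIGUE_WINDOW = timedelta(minutes=10)
PUSH_FATIGUE_THRESHOLD = 5

# Event type names are assumptions for this example, not a vendor schema.
MFA_RESET_TYPES = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}
LOGIN_TYPE = "user.session.start"
PUSH_TYPE = "user.mfa.push.challenge"

# Constructed sample log (JSON lines). a.lee: reset then unknown device.
# b.kim: reset then known device (benign). c.ng: push bombing.
SAMPLE_LOG = """
{"ts":"2023-09-08T08:05:00Z","type":"user.session.start","user":"a.lee","actor":"a.lee","outcome":"SUCCESS","ip":"203.0.113.10","device":"LAPTOP-AL"}
{"ts":"2023-09-08T13:40:00Z","type":"user.mfa.factor.reset_all","user":"a.lee","actor":"helpdesk.j.doe","outcome":"SUCCESS","ip":"10.0.0.5","device":"HD-CONSOLE"}
{"ts":"2023-09-08T13:52:00Z","type":"user.session.start","user":"a.lee","actor":"a.lee","outcome":"SUCCESS","ip":"198.51.100.77","device":"UNKNOWN-ANDROID"}
{"ts":"2023-09-08T09:00:00Z","type":"user.session.start","user":"b.kim","actor":"b.kim","outcome":"SUCCESS","ip":"203.0.113.20","device":"LAPTOP-BK"}
{"ts":"2023-09-08T14:00:00Z","type":"user.mfa.factor.reset_all","user":"b.kim","actor":"helpdesk.j.doe","outcome":"SUCCESS","ip":"10.0.0.5","device":"HD-CONSOLE"}
{"ts":"2023-09-08T14:20:00Z","type":"user.session.start","user":"b.kim","actor":"b.kim","outcome":"SUCCESS","ip":"203.0.113.20","device":"LAPTOP-BK"}
{"ts":"2023-09-08T15:00:00Z","type":"user.mfa.push.challenge","user":"c.ng","actor":"c.ng","outcome":"REJECTED","ip":"198.51.100.9","device":"UNKNOWN"}
{"ts":"2023-09-08T15:00:40Z","type":"user.mfa.push.challenge","user":"c.ng","actor":"c.ng","outcome":"TIMEOUT","ip":"198.51.100.9","device":"UNKNOWN"}
{"ts":"2023-09-08T15:01:20Z","type":"user.mfa.push.challenge","user":"c.ng","actor":"c.ng","outcome":"REJECTED","ip":"198.51.100.9","device":"UNKNOWN"}
{"ts":"2023-09-08T15:02:00Z","type":"user.mfa.push.challenge","user":"c.ng","actor":"c.ng","outcome":"TIMEOUT","ip":"198.51.100.9","device":"UNKNOWN"}
{"ts":"2023-09-08T15:03:10Z","type":"user.mfa.push.challenge","user":"c.ng","actor":"c.ng","outcome":"REJECTED","ip":"198.51.100.9","device":"UNKNOWN"}
"""


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, convert timestamps, and return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[Alert]:
    """Single time-ordered pass; per-user state is built from the log itself."""
    alerts: list[Alert] = []
    seen: dict[str, set[tuple[str, str]]] = defaultdict(set)  # known (ip, device) per user
    last_reset: dict[str, dict] = {}
    pushes: dict[str, deque] = defaultdict(deque)
    fatigue_flagged: set[str] = set()

    for ev in events:
        user, t = ev["user"], ev["ts"]
        if ev["type"] in MFA_RESET_TYPES and ev["outcome"] == "SUCCESS":
            last_reset[user] = ev
        elif ev["type"] == LOGIN_TYPE and ev["outcome"] == "SUCCESS":
            origin = (ev["ip"], ev["device"])
            reset = last_reset.get(user)
            # Check against the baseline BEFORE adding this login to it.
            if reset and t - reset["ts"] <= RESET_TO_LOGIN_WINDOW and origin not in seen[user]:
                alerts.append(Alert(
                    "mfa_reset_then_new_device", user,
                    f"reset by {reset['actor']} at {reset['ts']:%H:%M}, "
                    f"sign-in from {ev['ip']} / {ev['device']} at {t:%H:%M}"))
            seen[user].add(origin)
        elif ev["type"] == PUSH_TYPE and ev["outcome"] != "ACCEPTED":
            q = pushes[user]
            q.append(t)
            while q and t - q[0] > PUSH_FATIGUE_WINDOW:  # sliding window
                q.popleft()
            if len(q) >= PUSH_FATIGUE_THRESHOLD and user not in fatigue_flagged:
                fatigue_flagged.add(user)
                alerts.append(Alert("mfa_push_fatigue", user,
                                    f"{len(q)} unaccepted push challenges in {PUSH_FATIGUE_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

The first rule deliberately keys on the help desk actor performing the reset rather than the user, so a self-service re-enrolment from a known device does not fire; the device baseline is learned from the same log, which means a fresh tenant needs a warm-up period before the rule is reliable.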
What organizations has Scattered Spider compromised?
Confirmed victims include MGM Resorts ($100M+ losses), Caesars Entertainment ($15M ransom), Twilio (cascading to Signal, Authy, Cloudflare, and dozens of downstream organizations), Okta (October 2023 support system breach), Microsoft, Riot Games, DoorDash, and many others. The group has been particularly active against hospitality, retail, financial services, and technology sector targets.
Have Scattered Spider members been arrested?
Yes, multiple. In June 2024, the FBI arrested Tyler Buchanan in Spain at U.S. request. In November 2024, the U.S. Department of Justice charged five additional Scattered Spider members in U.S. federal court. The investigation continues and additional arrests are expected, but the group remains operationally active because new affiliates have replaced arrested members.
How can organizations defend against Scattered Spider?
Defense centers on help desk identity verification. Effective controls include phishing-resistant MFA (FIDO2 hardware keys, platform authenticators), video verification before sensitive account changes, manager callback requirements, time-delayed MFA resets for high-privilege accounts, and exclusion of knowledge factors from verification procedures (since dates of birth, SSNs, and employee IDs are widely available in breach databases). Vendor IT support providers must also implement these controls — Scattered Spider has used IT vendor compromise as an attack vector.
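The controls in this answer are easiest to enforce when the help desk tool itself applies them rather than relying on an agent's judgement under pressure from a convincing caller. The following added example, which is not part of this profile, encodes them as a small policy check for MFA reset requests: knowledge factors are discarded, at least one possession, manager or video verification is mandatory, privileged accounts additionally require a manager callback and a 24-hour delay, and a vendor support channel gets no exemption. The factor names, the delay, the tier model and the sample requests are assumptions for illustration.

```python
"""Help desk MFA reset policy: constructed example of the verification
controls described above. Factor names and thresholds are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Knowledge factors are treated as public: they are ignored, never counted.
KNOWLEDGE_FACTORS = {"date_of_birth", "ssn_last4", "employee_id", "manager_name"}
# Factors an impersonator cannot satisfy with breach data alone.
STRONG_FACTORS = {"callback_number_on_file", "video_verification", "manager_callback"}
PRIVILEGED_DELAY = timedelta(hours=24)  # gives the real owner time to contest
NOW = datetime(2023, 9, 8, 13, 40, tzinfo=timezone.utc)  # constructed clock


@dataclass
class ResetRequest:
    account: str
    privileged: bool
    factors_presented: set[str]
    channel: str           # e.g. "employee_phone" or "vendor_support"
    requested_at: datetime


@dataclass
class Decision:
    approved: bool
    effective_at: datetime | None
    reasons: list[str] = field(default_factory=list)


def evaluate(req: ResetRequest) -> Decision:
    reasons: list[str] = []
    ignored = req.factors_presented & KNOWLEDGE_FACTORS
    if ignored:
        reasons.append(f"ignored knowledge factors {sorted(ignored)}: available in breach databases")
    if req.channel == "vendor_support":
        reasons.append("vendor support channel: same controls apply, no exemption")

    strong = req.factors_presented & STRONG_FACTORS
    if not strong:
        reasons.append("denied: no callback, video or manager verification presented")
        return Decision(False, None, reasons)

    if req.privileged:
        if "manager_callback" not in strong:
            reasons.append("denied: privileged account requires manager callback")
            return Decision(False, None, reasons)
        effective = req.requested_at + PRIVILEGED_DELAY
        reasons.append(f"approved with delay: effective {effective.isoformat()}")
        return Decision(True, effective, reasons)

    reasons.append(f"approved: verified via {sorted(strong)}")
    return Decision(True, req.requested_at, reasons)


def demo() -> dict[str, Decision]:
    """Constructed requests covering the cases the policy distinguishes."""
    cases = {
        # Caller recites DOB and employee ID only: exactly what breach data provides.
        "knowledge_only": ResetRequest("a.lee", False, {"date_of_birth", "employee_id"}, "employee_phone", NOW),
        "callback_ok": ResetRequest("b.kim", False, {"callback_number_on_file", "ssn_last4"}, "employee_phone", NOW),
        "privileged_no_manager": ResetRequest("admin.ops", True, {"callback_number_on_file"}, "employee_phone", NOW),
        "privileged_ok": ResetRequest("admin.ops", True, {"callback_number_on_file", "manager_callback"}, "employee_phone", NOW),
        "vendor_knowledge_only": ResetRequest("c.ng", False, {"employee_id"}, "vendor_support", NOW),
    }
    return {name: evaluate(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name}: approved={d.approved} effective={d.effective_at}")
        for r in d.reasons:
            print(f"  - {r}")
```

The point of returning reasons rather than a bare boolean is auditability: every denied reset that cites "knowledge factors ignored" is a data point for the vishing simulations recommended under Executive Lessons, and every delayed privileged reset is a window in which the real account owner can be notified out of band.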