Scattered Spider (also tracked as UNC3944, Octo Tempest, Muddled Libra, Roasted 0ktapus, Storm-0875, Star Fraud, DEV-0537, and MITRE ATT&CK G1015) is a financially-motivated organized cyber-criminal cluster active since at least 2022, composed predominantly of native English-speaking operators from Western jurisdictions including the United Kingdom, United States, Canada, and adjacent English-speaking countries. The native English-speaking composition is operationally distinctive among publicly-tracked cyber-criminal clusters (which are predominantly Russian-speaking, e.g. FIN7, Conti, REvil, and BlackCat operators, or otherwise Eastern European or Asian) and enables the cluster's signature voice-phishing (vishing) social-engineering tradecraft against English-language IT helpdesks, a capability not readily available to non-native-English-speaking competitors. Members of the cluster are sometimes described in vendor reporting as associated with the broader online subculture referred to as "The Com", a native English-speaking online community originally focused on gaming, SIM-swapping, and social-engineering activity that has produced multiple financially-motivated cyber-criminal clusters.

The cluster has the strongest formal-attribution profile of any contemporary publicly-tracked cyber-criminal cluster:

- November 2024 US DOJ Northern District of California indictment charging five individuals (Ahmed Hossam Eldin Elbadawy, Noah Michael Urban / "King Bob", Evans Onyeaka Osiebo, Joel Martin Evans, and Tyler Robert Buchanan) with multiple counts of conspiracy and wire fraud for Scattered Spider membership.
- July 2024 UK National Crime Agency arrest of a seventeen-year-old in Walsall, England.
- June 2024 arrest of Tyler Buchanan in Spain, followed by November 2024 extradition to the US.
- AA23-320A FBI+CISA cybersecurity advisory (November 16, 2023), representing the highest-tier US-government formal public attribution.

The cluster's most operationally consequential and publicly-visible operations were the September 2023 near-concurrent attacks on MGM Resorts International and Caesars Entertainment. The MGM Resorts attack disrupted operations across MGM properties for approximately ten days (slot machines, hotel check-in systems, digital room keys, restaurant POS systems, customer-facing IT services), with MGM disclosing approximately one hundred million US dollars in operational impact. The Caesars Entertainment attack was reportedly resolved via an approximately fifteen million US dollar ransom payment, per SEC filings. Both attacks involved BlackCat / ALPHV ransomware deployment, with Scattered Spider as the affiliate operating the chain from initial access through deployment. The September 2023 operations were operationally consequential not only for the affected companies but for broader corporate-security understanding of social-engineering tradecraft sophistication: the MGM attack reportedly began with a ten-minute vishing call to an MGM IT helpdesk to reset credentials for an employee Scattered Spider had identified via LinkedIn. The simplicity of the initial access contrasted dramatically with the operational impact.

The cluster's defining initial-access tradecraft is the smishing-to-vishing combination documented in Mandiant's January 2023 UNC3944 disclosure: SMS phishing (smishing) of target-organization employees with credential-and-MFA-harvesting phishing pages, followed by voice-phishing (vishing) calls to IT helpdesks impersonating those employees to request password resets, MFA resets, or remote-access tool installation.
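The helpdesk-reset chain described above, and the MFA-fatigue variant discussed in the following paragraph, both leave a recognisable sequence in identity-provider audit logs. The following is an added example, not code from the original profile or from any vendor: two detections over a constructed, generic audit-event schema (fields `ts`, `user`, `event`, `actor`, `ip`, `result` and the event names used here are assumptions, not a real product's format). The first flags a helpdesk-performed password or MFA reset followed within an hour by a new MFA factor enrolled from an IP the user had never used before the reset; the second flags a burst of push challenges that the user approves only after earlier denials or timeouts. The sample events include a benign helpdesk reset (re-enrolment from a known IP) and a user with a few ordinary approvals, so the output shows what is and is not flagged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed generic IdP schema, not a vendor format).
# Tuple order: ts, user, event, actor, ip, result.
SAMPLE_EVENTS = [
    ("2023-09-10T08:00:00", "carol", "user.session.start", "carol", "192.0.2.9", "SUCCESS"),
    ("2023-09-10T08:30:00", "bob", "user.session.start", "bob", "192.0.2.8", "SUCCESS"),
    # alice: burst of push challenges, approved only on the fifth prompt
    ("2023-09-10T09:00:00", "alice", "mfa.push.challenge", "alice", "203.0.113.5", "DENIED"),
    ("2023-09-10T09:01:00", "alice", "mfa.push.challenge", "alice", "203.0.113.5", "DENIED"),
    ("2023-09-10T09:02:00", "alice", "mfa.push.challenge", "alice", "203.0.113.5", "TIMEOUT"),
    ("2023-09-10T09:03:00", "alice", "mfa.push.challenge", "alice", "203.0.113.5", "DENIED"),
    ("2023-09-10T09:04:00", "alice", "mfa.push.challenge", "alice", "203.0.113.5", "APPROVED"),
    # dave: three ordinary approved pushes spread over the morning (benign)
    ("2023-09-10T09:10:00", "dave", "mfa.push.challenge", "dave", "192.0.2.20", "APPROVED"),
    ("2023-09-10T09:40:00", "dave", "mfa.push.challenge", "dave", "192.0.2.20", "APPROVED"),
    ("2023-09-10T10:20:00", "dave", "mfa.push.challenge", "dave", "192.0.2.20", "APPROVED"),
    # bob: helpdesk resets password and MFA, then a factor is enrolled from an IP bob never used
    ("2023-09-10T10:00:00", "bob", "user.password.reset", "helpdesk.jsmith", "198.51.100.10", "SUCCESS"),
    ("2023-09-10T10:05:00", "bob", "user.mfa.factor.reset", "helpdesk.jsmith", "198.51.100.10", "SUCCESS"),
    ("2023-09-10T10:12:00", "bob", "user.mfa.factor.enroll", "bob", "203.0.113.77", "SUCCESS"),
    # carol: helpdesk reset followed by enrolment from the IP she logged in from earlier (benign)
    ("2023-09-10T11:00:00", "carol", "user.password.reset", "helpdesk.jsmith", "198.51.100.10", "SUCCESS"),
    ("2023-09-10T11:20:00", "carol", "user.mfa.factor.enroll", "carol", "192.0.2.9", "SUCCESS"),
]

FIELDS = ("ts", "user", "event", "actor", "ip", "result")
HELPDESK_RESET_EVENTS = {"user.password.reset", "user.mfa.factor.reset"}


def load_events(rows=SAMPLE_EVENTS):
    """Turn raw tuples into dicts with parsed timestamps, sorted chronologically."""
    events = []
    for row in rows:
        ev = dict(zip(FIELDS, row))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_challenges=5):
    """Flag users who receive >= min_challenges push prompts inside `window`
    and approve one only after at least one denial/timeout in that window."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "mfa.push.challenge":
            by_user[ev["user"]].append(ev)
    findings = []
    for user, pushes in by_user.items():
        for i, approval in enumerate(pushes):
            if approval["result"] != "APPROVED":
                continue
            # Look back over the window that ends at this approval.
            recent = [p for p in pushes[: i + 1] if approval["ts"] - p["ts"] <= window]
            rejected = [p for p in recent if p["result"] != "APPROVED"]
            if len(recent) >= min_challenges and rejected:
                findings.append({"user": user, "rule": "mfa_fatigue",
                                 "challenges": len(recent), "approved_at": approval["ts"]})
                break  # one finding per user is enough for triage
    return findings


def detect_helpdesk_reset_chain(events, window=timedelta(minutes=60)):
    """Flag an MFA factor enrolment that follows, within `window`, a password or
    MFA reset performed by someone other than the user (i.e. a helpdesk actor),
    when the enrolment comes from an IP the user never used before that reset."""
    findings = []
    for i, enroll in enumerate(events):
        if enroll["event"] != "user.mfa.factor.enroll":
            continue
        user = enroll["user"]
        prior = [e for e in events[:i] if e["user"] == user]
        resets = [e for e in prior if e["event"] in HELPDESK_RESET_EVENTS
                  and e["actor"] != user and enroll["ts"] - e["ts"] <= window]
        if not resets:
            continue
        first_reset = resets[0]
        # IPs the user themselves used before the helpdesk touched the account.
        known_ips = {e["ip"] for e in prior
                     if e["actor"] == user and e["ts"] < first_reset["ts"]}
        if enroll["ip"] not in known_ips:
            findings.append({"user": user, "rule": "helpdesk_reset_then_new_factor",
                             "reset_by": first_reset["actor"], "enroll_ip": enroll["ip"]})
    return findings


if __name__ == "__main__":
    evs = load_events()
    for finding in detect_mfa_fatigue(evs) + detect_helpdesk_reset_chain(evs):
        print(finding)
```

Run as-is it reports alice (five prompts in four minutes, approved after four rejections) and bob (helpdesk reset, then a factor enrolled twelve minutes later from an unseen address); carol and dave produce nothing. The "known IP" check is what keeps the helpdesk rule from firing on every legitimate reset; in a real deployment the thresholds and the reset-actor test would be tuned to the organisation's own helpdesk accounts and push volume.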
The smishing-to-vishing pattern combines automated phishing with manual social-engineering execution and represents an operationally sophisticated tradecraft that distinguishes the cluster from predominantly-automated, phishing-kit-only competitors. Additional initial-access tradecraft includes MFA-bombing (the MFA-fatigue attack: repeatedly issuing MFA push notifications until the victim approves out of frustration or confusion), SIM-swapping (the signature secondary monetization tradecraft for cryptocurrency and high-value-account theft via compromised mobile-network-operator employee accounts), and 0ktapus-style SSO-impersonating phishing kits.

Post-initial-access tradecraft relies predominantly on legitimate remote-access tools (AnyDesk, ScreenConnect, TeamViewer, Splashtop, RustDesk) for hands-on-keyboard operations rather than on custom implants. This "living-off-the-land" tradecraft, using legitimate remote-access tools and legitimate cloud services (ngrok tunneling, Cloudflare tunneling, residential-proxy services for source-address obfuscation), reduces the detection surface exposed to traditional endpoint implant-detection controls and is consistent with broader contemporary cyber-criminal tradecraft trends. The cluster makes substantial use of legitimate Microsoft Azure / AWS / Okta / Salesforce / Slack administrative access following initial-access compromise of cloud-administrative credentials.

Ransomware-partnership relationships have evolved across 2023-2025:

- BlackCat / ALPHV affiliate during the September 2023 MGM and Caesars operations.
- Transition to RansomHub affiliate in 2024 (following BlackCat's March 2024 exit scam, in which BlackCat operators kept the Change Healthcare ransom payment without sharing the affiliate cut).
- Qilin partnership in late 2024; additional Akira and DragonForce partnerships across 2024-2025.

A handful of operational notes:

First, the cluster represents a meaningful operational-pattern shift in the publicly-tracked cyber-criminal cluster ecosystem. Most predecessor cyber-criminal clusters (FIN7, Conti, REvil, LockBit operators) are Eastern European with limited native-English-speaking social-engineering capability. Scattered Spider's native English-speaking composition enables fundamentally different tradecraft (sophisticated vishing against English-language helpdesks) that traditional cyber-criminal-cluster defender threat modeling underweighted prior to 2022-2023.

Second, the cluster's analytical profile differs from FIN7 (already covered as fin7.yaml) in several ways despite both being financially-motivated organized cyber-criminal clusters: operator composition (native English-speaking vs native Russian-speaking), operational tradecraft (smishing-to-vishing and social engineering vs spear-phishing and malware-implant deployment), monetization (ransomware affiliate and SIM-swapping vs POS-data theft and ransomware affiliate), and operational personnel structure (fluid, "The Com" subculture-based with rolling membership vs corporate-style hierarchical management via front companies). These differences should inform analytical framing.

Third, the cluster has demonstrated operational continuity through membership turnover. Younger native English-speaking operators continue to be recruited into "The Com" online subculture from which Scattered Spider draws personnel, with operations continuing under an apparent rolling membership rather than a fixed core operator group. This pattern complicates straightforward law-enforcement disruption: arresting individual operators removes specific personnel but does not necessarily disrupt the broader subculture from which replacement personnel are recruited.
Fourth, the cluster represents one of the most operationally consequential financially-motivated clusters of the 2022-2025 period and a critical reference for understanding modern cyber-criminal operations against English-speaking-organization victims. The MGM Resorts and Caesars Entertainment operations collectively contributed to substantially elevated corporate security attention to social-engineering tradecraft and represent a foundational data point in contemporary cyber-criminal-cluster threat modeling.