
When the spider becomes the fly: cybercrime group untangled by authorities

published on 2024-12-03 09:44:10 UTC by philviles

Authorities have recently charged five individuals linked to the Scattered Spider cybercriminal group, marking a significant development in combating financially motivated cybercrime. Interested in ransomware? Read on...



The suspects - four Americans and one Scottish man - are accused of orchestrating phishing schemes that targeted corporations and individuals, resulting in the theft of approximately $11 million in cryptocurrency and compromising the personal data of thousands.


Scattered Spider is a loosely organised threat actor known for its sophisticated social engineering tactics. Active since at least 2022, the group primarily targets large enterprises, exploiting their outsourced IT and telecommunications providers.


The group is believed to consist mostly of Western, English-speaking individuals, with its members drawn from a broader community of threat actors dubbed The Com or Community.


According to research conducted by the Federal Bureau of Investigation (FBI), the Com has approximately 1000 individual members. The Com is a network of cybercriminals comprised of mostly teenagers and adults in their early 20s who share a common interest in cybercrime and black hat hacking. Unlike in traditional hierarchical organisations, the community operates as a decentralised network of individuals and small groups.


The group gained notoriety for its high-profile breach of MGM Resorts in September 2023, which caused widespread disruptions, including at major hotels and casinos such as the Bellagio and Mandalay Bay.



Scattered Spider’s approach often involves methods like SIM swapping, phishing, and multi-factor authentication fatigue attacks, where employees are bombarded with prompts until they unintentionally grant system access.


Additionally, this group has connections with major Russian ransomware-as-a-service (RaaS) providers such as Qilin (infamous for attacks against UK healthcare entities), RansomHub (currently second only to LockBit for the number of victims in 2024), and the now-defunct BlackCat/AlphV.


Scattered Spider's success lies in their meticulous research, using platforms like LinkedIn to personalise phishing attacks. Their schemes often involve sending convincing messages posing as employers or IT representatives to steal credentials, enabling further breaches.


Beyond corporate hacks, the group has targeted individual cryptocurrency wallets, stealing millions in Bitcoin and other digital assets. Scattered Spider has often favoured techniques such as bring your own vulnerable driver (BYOVD), which leverages security vulnerabilities to deploy other tools or malware that allow for lateral movement, discovery and exfiltration.


Authorities view the arrests as a significant step in disrupting their operations, with defendants facing up to 24 years in prison if convicted.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).




https://www.emcrc.co.uk/post/when-the-spider-becomes-the-fly-cybercrime-group-untangled-by-authorities   
Published: 2024 12 03 09:44:10
Received: 2024 12 03 10:03:09
Feed: The Cyber Resilience Centre for the East Midlands
Source: National Cyber Resilience Centre Group
Category: News
Topic: Cyber Security