Menu
Browse

Cyber Threat Actor: Scattered Spider

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Criminal
8 incidents
Profile

Scattered Spider, operating under aliases UNC3944 and 0ktapus, is a cybercriminal group linked to financially motivated attacks across multiple sectors, including hospitality, retail, insurance, and telecommunications. Public reporting indicates the group comprises hackers based in the United States and United Kingdom, with demonstrated collaboration with ransomware operators such as ALPHV during the 2023 MGM Resorts intrusion. Their operations consistently target organizations with broad attack surfaces and sensitive customer data, leveraging compromised credentials and social engineering to achieve initial access. The group has inflicted substantial financial losses through ransomware deployment and data theft, exemplified by the £300 million damages reported by UK retailers and the unauthorized acquisition of health records and Social Security numbers from Aflac. Regulatory filings and incident analyses confirm their focus on extortion and monetization of stolen data, with ransom payments confirmed in cases like Caesars Entertainment.

The group employs voice and SMS phishing (vishing/SMShing) to harvest employee credentials, as demonstrated in attacks against a cloud communications provider and Aflac’s help desks. Third-party credential compromise facilitates prolonged network reconnaissance, enabling subsequent ransomware deployment—notably DragonForce in coordinated 2025 attacks against UK retailers including Marks & Spencer, Co-op, and Harrods. Their operations blend opportunistic credential theft with targeted ransomware execution, as seen in the paralysation of MGM’s systems and the deliberate reconnaissance preceding insurance sector breaches. Post-incident responses across victim organizations highlight Scattered Spider’s consistent exploitation of legacy infrastructure gaps, countered by defensive measures such as cloud migration at Co-op and hardware security key deployment by the cloud communications provider. The FBI’s investigation into their casino intrusions and sector-wide retail security reforms underscore the group’s persistent threat to critical industries.

Incidents
Attributed incidents available to members
8 incidents
Sources
Sources available to members
1 source