SCATTERED SPIDER
Scattered Spider is not a hacker group in the traditional sense. It doesn’t develop malware, doesn’t look for code vulnerabilities, doesn’t operate from hidden servers in hostile jurisdictions. It is a collective of English-speaking teenagers and twenty-somethings — Americans, British, Irish, Canadians — who discovered something the cybersecurity industry knew in theory but had never seen applied at this scale: the most vulnerable point of any computer system is not the software. It’s the person who answers the phone.
Between 2022 and 2025 this collective breached approximately fifty major organizations, extorted over $115 million in documented ransoms, paralyzed the operations of two of the largest resorts in Las Vegas, shut down a casino’s slot machines, and blocked the payment systems of a British chain worth billions of pounds. It did so primarily with phone calls. With flawless native English. With the ability to sound exactly like a colleague in distress who lost their phone before an important meeting.
To understand how this came to be, you have to go back twenty years. To a forum of stolen usernames. To a digital culture that turned online prestige into criminal currency. And to a series of investigative errors by authorities who for months looked for Russian hackers where there were teenagers in their bedrooms.

// Visualization of The Com’s network structure — each node is a distinct role, each connection an encrypted Telegram channel
WHERE THEY COME FROM: THE GENEALOGY OF THE COM
The Com is the English-speaking criminal ecosystem from which Scattered Spider emerged. It didn’t appear overnight: it has a twenty-year history, built through successive forums, law enforcement takedowns, and migrations that each time made the community more capable.
The Com — short for “The Community” — is the collective name cybersecurity researchers use to identify the English-language criminal digital ecosystem that forms the breeding ground for Scattered Spider. It has no headquarters, no leadership, no formal hierarchy. It is an archipelago of Discord servers and Telegram channels where hackers, fraudsters, extortionists, and aspiring criminals mingle, united by a subculture based on digital prestige and intimidation as a form of status.
This ecosystem has documented roots going back to 2007, with Dark0de: an invite-only forum, accessible only by referral, where stolen credentials, malware, exploits, and attack tools were sold. Europol described it as the most prolific English-speaking cybercriminal forum of its era. In July 2015, the FBI coordinated Operation Shrouded Horizon — eighteen months of investigation, twelve countries involved — which dismantled Dark0de and arrested dozens of operators. The survivors scattered. And it was that dispersion that generated what would come next.
Invite-only forum for trading exploits, credentials, and malware. First organized large-scale English-speaking criminal hub. Dismantled by the FBI in 2015 with Operation Shrouded Horizon: 70 arrests in 20 countries.
First high-visibility English-speaking group. DDoS attacks against Sony PlayStation Network and Xbox Live. Pioneers of the “DDoS-for-hire” model and the criminal logic based on publicly flexing their own actions. Direct precursors of The Com culture.
New hub for trading stolen databases and credentials. Built a reputation culture based on shared breaches: whoever brings the biggest and freshest data has the most status. Seized by the FBI in April 2022.
Forum born to buy and sell short, rare usernames on Twitter, Instagram, TikTok, Xbox Live. Rapidly evolved toward SIM-swapping to steal others’ accounts — a technique known in the forum’s jargon as “swimping”.
Graham Ivan Clark, 17 years old, Florida, compromises 130 high-profile verified accounts — Barack Obama, Joe Biden, Elon Musk, Jeff Bezos, Apple — by calling Twitter employees and posing as the internal IT helpdesk. Same scheme that three years later would bring MGM Resorts to its knees.
The seizure of RaidForums scatters the community toward Telegram, Discord, and BreachForums. This forced migration fuses OGUsers’ social engineering skills with RaidForums’ technical expertise. Scattered Spider emerges from this mix in May 2022.
Arion Kurtaj, Oxford, 16 at first arrest. Victims: Nvidia, Uber, Ubisoft, Revolut, Okta, Rockstar Games. The GTA VI hack performed with an Amazon Fire Stick connected to the hotel TV after the laptop was confiscated.
Structured coalition between Scattered Spider, Lapsus$, and ShinyHunters. Becomes so recognizable that outside actors begin falsely claiming membership, producing over 16 imitative Telegram channels.
The mechanism running through this entire genealogy is always the same: every time authorities dismantle a hub, its members migrate to other spaces carrying the techniques they learned. Dispersion doesn’t reset criminal capacity — it distributes it and makes it more resilient. This is why the arrests of 2024 and 2025 didn’t close the problem. They removed some nodes from a system that keeps regenerating.
THE COM AS A SUPPLY CHAIN
The Com doesn’t function like a gang with a boss. It functions like a specialized labor market, with distinct roles, verifiable reputation, and on-demand transactions. This structure is what makes it resilient to individual arrests.
Inside The Com there are precise roles, with distinct competencies and a reputation market that rewards verifiable performance. A “caller” specialized in corporate vishing is not the same person who manages Monero laundering. A SIM swapper is not necessarily a phishing kit developer. This division of labor — borrowed directly from the outsourcing logic of the legal economy — is exactly what makes the system resistant: arresting one caller doesn’t stop the cycle, just as arresting a single driver doesn’t stop Uber.
The internal cohesion of this market is not based on authority but on mutual fear. Thalha Jubair and other senior members had operational control of Doxbin: a publicly accessible site where home addresses, identity documents, and information about victims’ family members are published. The threat of being doxxed — followed by swatting, physical assaults, or other acts commissionable via Telegram, what the internal jargon calls Violence-as-a-Service — kept rival members in line and prevented defections.
HOW THEY GET IN: THE ATTACK METHOD
Scattered Spider doesn’t use malware to enter corporate networks. It uses the phone. This section explains in detail every phase of the attack, from months of preparation to the escalation toward cloud systems.
A Scattered Spider attack begins weeks, sometimes months, before the phone call. The group uses LinkedIn to map the target company’s org chart: it looks for system administrators with elevated privileges — Global Admin on Azure, Super Admin on Okta — and studies the helpdesk staff. The former are the final target. The latter are the entry point.
Once the target’s profile is built, the group searches for their personal information in databases leaked from previous breaches — date of birth, employee ID, name of the direct manager — to have credible material for the phone call. Then they call. They impersonate that administrator. They claim to have lost their phone, to be locked out of the system, to have a critical meeting in fifteen minutes. The helpdesk operator hears a colleague in distress who knows exactly who they are, where they work, and how the company operates. And resets the credentials.
The phone call: A Scattered Spider member calls the internal helpdesk impersonating the administrator. Claims to have lost the MFA device. Provides personal information as proof of identity.
The result: The operator resets the MFA credentials and registers a new device — controlled by the attackers.
Total duration of the initial intrusion: 10 minutes.
Cost for MGM in Q3 2023: approximately $100 million.
When MFA was more robust and didn’t yield to a simple reset, the group used the MFA fatigue technique: sending dozens or hundreds of push authentication notifications to the target employee’s smartphone, often at night or on weekends, until the victim — out of exhaustion, confusion, or thinking it was an app bug — pressed “Accept”. In cases where even this didn’t work, Scattered Spider built fake portals visually identical to corporate login systems and used reverse proxy frameworks to intercept session cookies in real time.
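As an added example that is not from the article, here is a small detector for the push-bombing pattern just described, run over constructed log lines: it flags a user who receives a burst of unapproved pushes in a short window, records whether the burst ended in an approval, and notes whether it began off-hours. The column layout and result names are assumptions, not any vendor's schema.

```python
"""Detect MFA push-fatigue bursts in an authentication log.

Added example, not from the article. The log lines are constructed to
mimic a generic push-MFA export (timestamp, user, method, result); the
column layout and result names are an assumption, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is hammered with pushes at 02:1x on a Sunday
# and finally taps Accept; bob and carol show normal behaviour.
SAMPLE_LOG = """\
2023-09-10T02:11:04Z alice push DENIED
2023-09-10T02:11:31Z alice push TIMEOUT
2023-09-10T02:12:02Z alice push DENIED
2023-09-10T02:12:40Z alice push TIMEOUT
2023-09-10T02:13:15Z alice push DENIED
2023-09-10T02:14:01Z alice push TIMEOUT
2023-09-10T02:14:49Z alice push APPROVED
2023-09-11T09:02:10Z bob push APPROVED
2023-09-11T13:40:55Z bob push APPROVED
2023-09-11T15:00:12Z carol push DENIED
2023-09-11T15:00:40Z carol password SUCCESS
"""

def parse_line(line):
    ts, user, method, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, method, result

def find_push_fatigue(log_text, window_minutes=10, threshold=5):
    """Return {user: details} for users who received at least `threshold`
    non-approved pushes inside any `window_minutes` window. `details`
    records the burst size, whether it ended in an approval (the fatigue
    attack succeeded) and whether it started off-hours."""
    pushes = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, method, result = parse_line(line)
        if method == "push":
            pushes[user].append((ts, result))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, events in pushes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [r for t, r in events[i:] if t - start <= window]
            rejected = sum(1 for r in burst if r != "APPROVED")
            if rejected >= threshold:
                alerts[user] = {
                    "rejected_pushes": rejected,
                    "ended_in_approval": "APPROVED" in burst,
                    "off_hours": start.hour >= 22 or start.hour < 6,
                }
                break  # one alert per user is enough for triage
    return alerts

if __name__ == "__main__":
    for user, info in find_push_fatigue(SAMPLE_LOG).items():
        print(user, info)
```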
Only one category of companies demonstrated structural resistance to all these vectors: those using physical hardware keys conforming to the FIDO2/WebAuthn protocol. These devices cryptographically bind the authentication response to the origin that requested it. A fake portal, however visually perfect, sits on a different origin, so the response it collects does not validate against the real service. No human persuasion can bypass a cryptographic verification of origin.
Once inside the network, the group didn’t install malware. They used legitimate commercial tools — remote management software like AnyDesk, FleetDeck, Atera — to maintain access while staying invisible to detection systems. The final target was always the corporate identity management system: Azure AD or Okta. With control of that layer, Scattered Spider self-assigned maximum privileges, added fraudulent identity providers to guarantee permanent access, and then with a single command disabled all security and logging systems across the entire network. At that point they contacted Russian partners for the ransomware.
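The sequence just described (helpdesk MFA reset, self-assigned admin role, a new identity provider, logging switched off) leaves a trail in the identity provider's audit log. As an added example that is not the article's or any vendor's code, here is a correlation over constructed audit events; the event names are placeholders to be mapped onto the real schema.

```python
"""Correlate the identity-layer takeover the article describes: an MFA
reset on an admin account, then a privilege grant, a new identity
provider and a logging change by that account within a short window.

Added example, not from the article. Events and event names are
constructed placeholders; map them onto your IdP's real audit schema.
"""
from datetime import datetime, timedelta

# Constructed audit trail: (timestamp, actor, event, target).
SAMPLE_EVENTS = [
    ("2023-09-08T21:02:11Z", "helpdesk.agent", "mfa.reset", "j.admin"),
    ("2023-09-08T21:09:40Z", "j.admin", "role.assign", "Super Administrator"),
    ("2023-09-08T21:15:03Z", "j.admin", "idp.create", "backup-federation"),
    ("2023-09-08T21:31:27Z", "j.admin", "log_stream.deactivate", "siem-forwarder"),
    ("2023-09-08T10:12:00Z", "m.ops", "idp.create", "partner-saml"),  # change ticket
    ("2023-09-07T09:00:00Z", "m.ops", "role.assign", "Read Only"),
]

# Post-reset actions worth correlating, tagged with the phase they serve.
STAGES = {
    "role.assign": "privilege_grant",
    "idp.create": "persistence",
    "log_stream.deactivate": "defense_evasion",
}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def correlate_takeover(events, window_hours=24, min_stages=2):
    """Return {account: sorted stages} for every account whose MFA was reset
    and which then performed at least `min_stages` distinct STAGES actions
    within `window_hours` of the reset."""
    window = timedelta(hours=window_hours)
    resets = [(parse_ts(t), target) for t, _, ev, target in events if ev == "mfa.reset"]
    findings = {}
    for reset_at, account in resets:
        seen = set()
        for t, actor, ev, _ in events:
            when = parse_ts(t)
            if actor == account and ev in STAGES and reset_at <= when <= reset_at + window:
                seen.add(STAGES[ev])
        if len(seen) >= min_stages:
            findings[account] = sorted(seen)
    return findings

if __name__ == "__main__":
    print(correlate_takeover(SAMPLE_EVENTS))
```

The planned IdP change by m.ops is not flagged because no MFA reset preceded it, which is the point of keying the correlation on the reset event rather than on the admin actions alone.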
THE ALLIANCE WITH THE RUSSIAN CARTELS
The major ransomware syndicates of Eastern Europe had the technical infrastructure but couldn’t operate in the West due to the language barrier. Scattered Spider had the cultural fluency they needed.
The Russian ransomware cartels — ALPHV/BlackCat, LockBit, DragonForce, RansomHub — had built sophisticated technical infrastructures over the years: cryptographic malware written in Rust, dark web negotiation platforms, consolidated laundering networks. They had, however, an operational problem they couldn’t solve: every time a Russian affiliate tried to conduct a social engineering operation against an American or British company, the attempt collapsed almost immediately. The accent, the unnatural cadence, the lack of familiarity with Western corporate jargon triggered alarm bells.
Scattered Spider resolved exactly this gap. Having grown up in the same corporate culture as their victims — the same TV shows, the same memes, the same English with the same regional inflections — made them indistinguishable from a real colleague on the phone. Researchers at Unit 221B describe this skill as “cultural fluency”: knowing not just what to say but how to say it, with what rhythm, what level of urgency, what type of frustration sounds authentic to a helpdesk operator at three in the afternoon.
In the Ransomware-as-a-Service model, the deal was purely transactional: Scattered Spider entered the network using the human factor, Russian partners provided the ransomware payload and the dark web negotiation platform. The English-speaking group retained between 70% and 80% of the ransom. With demands regularly reaching tens of millions per single operation, this transformed troubled teenagers into millionaires within a few months.
THE ATTACKS: LAS VEGAS, LONDON AND BEYOND
This section documents the most significant attacks: the Las Vegas casinos in September 2023, the corruption of telecom carriers, the Snowflake infiltration, and British retail in 2024–2025.
Las Vegas, September 2023: MGM and Caesars
First confirmed access to the Caesars Entertainment network via an outsourced IT vendor. Exfiltration of the entire loyalty program database: driver’s license numbers and social security numbers of millions of customers.
MGM Resorts’ internal systems detect anomalous activity on the Okta tenant. The security team attempts to isolate compromised segments.
Scattered Spider responds to the isolation by disabling the Okta infrastructure from the inside. Complete blackout: electronic keys locked, slot machines offline, POS payment systems out of service, reservations inaccessible. The ALPHV ransomware payload is detonated across the entire network.
Caesars chooses to pay: $15 million in cryptocurrency on an initial demand of $30 million. MGM refuses to pay and makes the breach public.
Scattered Spider claims the theft of over 6 terabytes of data from MGM. Estimated losses for Q3 alone exceed $100 million.

// Las Vegas, September 2023 — the casino lights go out. MGM loses $100 million. Caesars pays $15 million. The same Strip, two different responses.
The corruption of telecom carriers
Alongside vishing operations, Scattered Spider built an alternative access channel by bribing internal employees of major telecom carriers — T-Mobile, Twilio, and other American operators. Paying them in untraceable crypto, the group gained direct access to account management portals, enabling SIM-swapping at industrial scale. The Twilio case is particularly relevant: compromising it meant having indirect access to the authentication systems of all its customers simultaneously.
Snowflake: the cascading vulnerability
Elements linked to Scattered Spider obtained access to the systems of cloud platform Snowflake — used by thousands of large organizations to centralize their corporate data. Instead of targeting a single company, compromising a cloud provider with privileged access to hundreds of customers’ data produces a cascade effect: one intrusion, dozens of companies exposed that were never the direct target.
British retail, 2024–2025
Between late 2024 and the first half of 2025, using the DragonForce infrastructure, Scattered Spider struck Marks & Spencer, Harrods, and the Co-op Group in rapid succession. The three attacks generated combined economic damages estimated between £270 million and £440 million.
THE MONEY: HOW THEY LAUNDERED IT AND WHERE THEY WENT WRONG
Over $115 million in ransoms. This section explains how the group tried to hide them and why a food delivery order helped bring the operation down.
The laundering cycle followed a three-phase logic. Bitcoin ransoms were immediately fragmented through mixers like Tornado Cash to break the link to the originating wallet. Funds were then converted to Monero — a cryptocurrency designed to obscure by default the sender, recipient, and amount of every transaction — through decentralized exchanges. Finally, OTC brokers operating on the dark web purchased the crypto and transferred equivalent funds to offshore bank accounts opened with stolen identities. Technically solid. Operationally, it collapsed the moment the money touched the real lives of the boys who had earned it.
Gift card purchase logs linked the funds to orders on Uber Eats and Deliveroo, delivered to the hacker’s actual London home address, often in his own name.
Online gaming accounts funded with the same money were registered under the owner’s real first and last name.
The internal document known as “The Com Cast” — compiled by internal rivals to publicly blackmail Jubair — contained personal photos, audio files, and a map of the real hierarchy. It had leaked online. Investigators found it and used it as a map.
The gap between the sophistication of the attack infrastructure and the carelessness with which the proceeds were spent is the most relevant psychological variable in this story. Boys capable of building hundred-million-dollar operations ordered pizza with dirty money at home, in their own name. The same flexing culture that drove them to document and share intrusions as trophies made impossible the operational discipline needed to stay invisible in real life.
THE ARRESTS: HOW THEY FOUND THEM
For months the FBI looked for Russian hackers. This section explains how the investigation changed direction, what investigative techniques led to the arrests, and who was stopped.
In the early phases of the investigation, the FBI assumed that attacks of that magnitude could be the work of state military units or Eastern European APT groups. It took months of forensic analysis and cross-agency pressure before the reality emerged: the perpetrators were teenagers in their bedrooms in the UK and USA. This initial investigative bias gave the group months of operational advantage.
The joint task force of the FBI Cyber Division and the British National Crime Agency, supported by CrowdStrike, Mandiant, and Unit 221B researchers, worked on three parallel vectors. The cheap VPNs used by the group experienced occasional micro-disconnections that for fractions of a second exposed real residential IP addresses. Undercover agents had infiltrated The Com’s key channels, collecting months of boasts, rate lists, and evidence. Audio recordings of vishing calls were cross-referenced with voice biometrics software against interviews some members had anonymously given to the press.
Owen Flowers, an eighteen-year-old Briton, had spoken to various industry journalists boasting about the Las Vegas attacks. The biometric match with MGM helpdesk recordings was incontrovertible. The internal document “The Com Cast” had provided investigators with a pre-compiled map of the group leaders’ real identities, complete with photos and audio files.
WHAT CHANGES: THREE CONCRETE IMPLICATIONS
The arrests don’t close the problem. This section identifies three structural consequences for corporate security, law enforcement, and the insurance industry.
Traditional MFA is no longer sufficient
The analysis of Scattered Spider’s attacks produces a verifiable technical conclusion: two-factor authentication based on SMS, automated voice calls, and push notification apps is formally obsolete for any enterprise environment. Not because it was surpassed by new code vulnerabilities, but because the human factor bypasses it with a phone call. The only companies that demonstrated structural resistance are those that had adopted physical hardware keys based on the FIDO2/WebAuthn protocol. These devices cryptographically verify the origin of the authentication request, making impossible any attack based on fake portals or telephone persuasion of the helpdesk.
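To show concretely why origin verification defeats a cloned portal, as stated here and in the attack-method section, here is an added example (not from the article) of the relying-party checks a WebAuthn server performs on an assertion. The relying party 'corp.example', the origins and the assertions are constructed, and the signature check is omitted to keep the focus on origin binding.

```python
"""Why FIDO2/WebAuthn survives a cloned login portal: the relying party
checks the origin the browser wrote into clientDataJSON and the rpIdHash
the authenticator wrote into authenticatorData; a phishing page or
reverse proxy controls neither. Added example, not from the article:
'corp.example' and the assertions are constructed, and the signature
over authenticatorData || SHA-256(clientDataJSON) is deliberately omitted.
"""
import base64
import hashlib
import json

RP_ID = "corp.example"
ALLOWED_ORIGINS = {"https://sso.corp.example"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate what the browser and authenticator hand back. The browser,
    not the page's JavaScript, fills in `origin`, and the authenticator
    hashes the rpId the browser allowed for that origin."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags = b"\x05"  # UP (0x01) | UV (0x04)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + b"\x00\x00\x00\x01"
    return {"clientDataJSON": b64url(client_data),
            "authenticatorData": b64url(auth_data)}

def verify_assertion(assertion: dict, expected_challenge: bytes):
    """Relying-party checks that defeat phishing. Returns (ok, reason)."""
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    origin = client_data.get("origin")
    if origin not in ALLOWED_ORIGINS:
        return False, f"origin {origin} not allowed"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"

if __name__ == "__main__":
    chal = b"\x42" * 32
    print(verify_assertion(make_assertion("https://sso.corp.example", RP_ID, chal), chal))
    # A reverse-proxy clone on another domain: the browser records ITS origin.
    print(verify_assertion(make_assertion("https://sso-corp.example", "sso-corp.example", chal), chal))
```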
Crime as a brand is harder to dismantle than crime as an organization
When a criminal group becomes visible enough to become a recognizable brand — with public communications, a recognizable style, a reputation in the sector — other actors begin falsely claiming membership to exploit the fame. The result is a criminal organization that replicates autonomously even without its original founders. Investigators find themselves chasing a logo, not a network.
The ransom dilemma has no correct answer
Caesars paid $15 million and remained operational. MGM refused and lost $100 million. From the individual shareholders’ perspective, Caesars made the better choice. From the global criminal ecosystem’s perspective, Caesars’ payment directly funded the business model that over the next eighteen months struck Marks & Spencer, Harrods, and dozens of others. Cyber insurance policies covering ransom payments lower the economic cost of capitulation for individual companies, while simultaneously raising the volume of liquidity available to criminal groups choosing their next targets.
Scattered Spider has been dismantled. The ecosystem that produced it — the forums, the techniques, the digital clout culture, the specialized criminal labor market — has already started building the next group.
Scattered Spider: The Documentary