Scattered Spider — also tracked as UNC3944, Octo Tempest, 0ktapus, and Starfraud — entered 2025 as arguably the most effective social engineering threat group in the world. After their high-profile attacks on MGM Resorts and Caesars Entertainment in 2023, law enforcement arrested several members in 2024. But the group's decentralized structure meant the arrests barely slowed operations. By early 2025, the collective had adapted its tactics, expanded its target sectors, and strengthened its affiliations with ransomware-as-a-service providers.
Understanding Scattered Spider matters because they represent a fundamental shift in how cyber attacks succeed. This isn't about sophisticated malware or zero-day exploits. It's about understanding human systems better than the defenders do.
The Group's Structure
Scattered Spider isn't a traditional organized cybercrime group with a hierarchy and centralized leadership. It's a loosely affiliated collective of individuals, primarily English-speaking and predominantly young (several arrested members were teenagers or in their early twenties). They coordinate through Telegram channels, Discord servers, and encrypted messaging platforms.
This structure provides resilience. When individual members are arrested — as happened with several US and UK-based members in 2024 — the broader collective continues operating. New members join. Techniques are shared. And the operational tempo barely changes.
The group overlaps significantly with the broader "Com" or "Community" — an online subculture involved in SIM swapping, cryptocurrency theft, and social engineering. This ecosystem provides a continuous pipeline of technically capable individuals motivated by financial gain and peer recognition.
2025 Tactical Evolution
Refined helpdesk social engineering
Scattered Spider's signature technique is calling IT helpdesks while impersonating employees. In 2025, they refined this approach:
- Deeper reconnaissance: Using LinkedIn, corporate directories, and previously breached data to build detailed employee profiles before calling
- Voice cloning: Reports emerged of AI-generated voice deepfakes being used to match the target employee's voice patterns, making impersonation more convincing
- Multi-stage calls: Rather than requesting immediate access, some attacks involved multiple calls building rapport with helpdesk staff before making the critical request
- Targeting specific helpdesk staff: Identifying and repeatedly calling newer or less experienced helpdesk agents who are more likely to deviate from verification procedures
Expanded sector targeting
After the casino attacks brought intense law enforcement attention, Scattered Spider affiliates diversified their targets in 2025:
- UK retail: The Marks & Spencer DragonForce ransomware attack was attributed to Scattered Spider affiliates
- Healthcare: Several US healthcare organizations were reportedly targeted
- Manufacturing: European manufacturing companies faced attacks using Scattered Spider techniques
- Financial services: Banks and fintech companies reported social engineering attempts matching the group's playbook
Ransomware-as-a-Service partnerships
Scattered Spider affiliates increasingly operate as access brokers or affiliates for established ransomware operations. In 2025, observed partnerships included:
- DragonForce: Used in the M&S attack
- ALPHV/BlackCat: Previous partnership before ALPHV's apparent shutdown
- RansomHub: Some affiliates reportedly shifted to this newer RaaS platform
This model plays to Scattered Spider's strengths. They specialize in initial access through social engineering, then hand off to ransomware deployment specialists for the final stages of the attack.
MFA bypass techniques
Multi-factor authentication (MFA) is supposed to prevent unauthorized access even when credentials are compromised. Scattered Spider has consistently found ways around it:
- MFA fatigue/push bombing: Sending repeated MFA push notifications until the user approves one out of frustration
- SIM swapping: Taking over the victim's phone number to receive SMS-based MFA codes
- Social engineering MFA enrollment: Convincing helpdesks to enroll new MFA devices for "employees" who are actually attackers
- Adversary-in-the-middle (AiTM): Using phishing toolkits like Evilginx to intercept session tokens, bypassing MFA entirely
- Targeting MFA reset processes: Exploiting password and MFA reset procedures that have weaker verification than initial enrollment
Why Traditional Defenses Fail
Scattered Spider succeeds because they attack the human layer — the part of security that technology alone cannot fully address.
Security awareness training has limits. Training teaches employees to recognize phishing emails and suspicious links. Scattered Spider doesn't target end users with phishing. They target helpdesk staff with phone calls that sound completely legitimate.
Identity verification is the weak link. Most organizations' identity verification for helpdesk interactions is based on information that attackers can easily obtain: employee IDs, manager names, recent projects, the last four digits of an SSN. These "security questions" provide a false sense of security.
Technology controls assume honest users. Access management systems grant access based on successful authentication. Once Scattered Spider bypasses authentication through social engineering, they have legitimate-appearing access that security tools won't flag.
Defensive Strategies That Work
Process-based verification
Replace information-based verification ("What's your employee ID?") with process-based verification:
- Callback verification: Hang up and call back on the number listed in the corporate directory
- Manager confirmation: Require manager approval through a separate channel for sensitive access requests
- In-person verification: For high-risk actions (MFA reset, password reset for privileged accounts), require in-person verification or live video with an identity document
- Automated self-service: Reduce helpdesk involvement in password/MFA resets through secure self-service portals with hardware token requirements
Phishing-resistant MFA
Move away from push notifications and SMS codes to phishing-resistant MFA methods:
- FIDO2/WebAuthn hardware keys: Cannot be phished, SIM swapped, or push-bombed
- Certificate-based authentication: Bound to specific devices
- Passkeys: The consumer-friendly version of FIDO2
Behavioral monitoring
Even when an attacker has bypassed authentication through social engineering, their behavior differs from that of the legitimate user:
- Impossible travel: Logins from geographically impossible locations
- Device fingerprinting: Logins from unrecognized devices or operating systems
- Access pattern analysis: Accessing systems or data outside the user's normal pattern
- Session analysis: Unusual session durations, data access volumes, or lateral movement
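As an added illustration (not code from the original post or from Safeguard.sh), the Python below runs three of these checks over constructed sign-in events: impossible travel between consecutive logins, a login from a device outside the user's baseline, and the MFA-enrollment-after-helpdesk-reset sequence described in the MFA bypass section. The event field names, the 900 km/h speed threshold and the two-hour enrollment window are assumptions, not a real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass
class Event:
    user: str
    ts: datetime        # UTC timestamp of the event
    kind: str           # "login", "helpdesk_reset" or "mfa_enroll"
    lat: float = 0.0    # sign-in geolocation (logins only)
    lon: float = 0.0
    device: str = ""    # device fingerprint id (logins only)

def haversine_km(a: Event, b: Event) -> float:
    """Great-circle distance in km between the locations of two login events."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events, known_devices, max_kmh=900.0, enroll_window=timedelta(hours=2)):
    """Return (user, rule, detail) alerts: impossible travel between consecutive logins,
    a login from a device outside the user's baseline, MFA enrollment soon after a reset."""
    alerts, last_login, last_reset = [], {}, {}
    for e in sorted(events, key=lambda x: x.ts):
        if e.kind == "login":
            prev = last_login.get(e.user)
            if prev:
                km, hours = haversine_km(prev, e), (e.ts - prev.ts).total_seconds() / 3600
                if km > 1 and (hours == 0 or km / hours > max_kmh):
                    alerts.append((e.user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
            if e.device not in known_devices.get(e.user, set()):
                alerts.append((e.user, "unknown_device", e.device))
            last_login[e.user] = e
        elif e.kind == "helpdesk_reset":
            last_reset[e.user] = e.ts
        elif e.kind == "mfa_enroll" and e.user in last_reset:
            gap = e.ts - last_reset[e.user]
            if gap <= enroll_window:
                alerts.append((e.user, "mfa_enroll_after_reset", f"{gap} after reset"))
    return alerts

# Constructed sample: known-device login (London), helpdesk reset, MFA enrollment 15 min later,
# then a login from New York on an unseen device one hour after the first login.
T0 = datetime(2025, 3, 10, 9, 0)
KNOWN_DEVICES = {"alice": {"laptop-7f3a"}}
SAMPLE_EVENTS = [
    Event("alice", T0, "login", 51.5, -0.12, "laptop-7f3a"),
    Event("alice", T0 + timedelta(minutes=40), "helpdesk_reset"),
    Event("alice", T0 + timedelta(minutes=55), "mfa_enroll"),
    Event("alice", T0 + timedelta(hours=1), "login", 40.7, -74.0, "win-unknown-1"),
]
```

Running `detect(SAMPLE_EVENTS, KNOWN_DEVICES)` yields one alert per rule; in practice the baseline of known devices and the thresholds would come from the identity provider's sign-in history rather than being hard-coded.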
Helpdesk hardening
- Specialized training for helpdesk staff on social engineering resistance
- Strict escalation procedures for any unusual requests
- Call recording and monitoring for quality assurance and incident investigation
- Reduced helpdesk access: Limit what helpdesk staff can do without additional approval
The Law Enforcement Challenge
Despite arrests in 2024, Scattered Spider continues operating in 2025. The challenge for law enforcement:
- Decentralized structure means no single point of takedown
- International membership complicates jurisdiction
- Young defendants (sometimes minors) create prosecution complexities
- Rapid membership turnover as new individuals join the ecosystem
- Cryptocurrency laundering makes financial tracking difficult
Law enforcement has had success with targeted arrests and disruptive actions, but eliminating the group entirely is likely impossible given its structure. The online community that feeds Scattered Spider will continue producing new threat actors.
How Safeguard.sh Helps
Safeguard.sh helps organizations defend against Scattered Spider's evolving tactics by providing comprehensive visibility into the software and identity infrastructure that these attackers target. The platform's continuous monitoring detects unauthorized changes to identity configurations, MFA settings, and access policies — the exact modifications that Scattered Spider makes after gaining initial access.
By maintaining a detailed inventory of all software components and their configurations, Safeguard.sh enables rapid incident response when social engineering is suspected. Security teams can quickly identify what systems were accessed, what changes were made, and what data may have been exposed. This visibility is critical for containing Scattered Spider intrusions, which typically move from initial access to data exfiltration within hours.
The platform's policy engine can enforce configuration baselines for identity systems, alerting when MFA policies are weakened, when new devices are enrolled, or when administrative access patterns change — providing the early detection that makes the difference between a contained incident and a full breach.