Scattered Spider is the kind of adversary that makes traditional threat modeling feel quaint. When I first worked a case tied to the group — tracked variously as UNC3944, Octo Tempest, 0ktapus, Scatter Swine, Muddled Libra, and Roasted 0ktapus — I expected the usual indicators of nation-state or ransomware-affiliate activity: rented infrastructure, staged payloads, familiar tradecraft. What I got instead was a teenager on a phone call convincingly impersonating a senior developer, on hold with the help desk, reading back personally identifiable information that had been scraped from LinkedIn and a leaked data broker dump. Forty minutes later, the attackers had an MFA reset, a VPN token, and source-code access.
This post is about how that keeps happening.
A Different Kind of Crew
Scattered Spider is mostly young, English-speaking, financially motivated, and loosely organized through forums and Telegram channels known collectively as "The Com." Members operate under monikers, sometimes freelancing, sometimes coordinating with Russian-speaking ransomware crews like ALPHV/BlackCat and, more recently, RansomHub and Qilin. The September 2023 intrusions into MGM Resorts and Caesars Entertainment were attributed to Scattered Spider operating as an affiliate of ALPHV. Caesars paid a roughly $15 million ransom; MGM refused and ate an estimated $100 million impact.
What makes the group dangerous is not their malware — they rely heavily on legitimate administrative tools — but their willingness to spend hours on the phone. CISA and the FBI published joint advisory AA23-320A in November 2023 and updated it in July 2024 with additional IOCs, including AnyDesk, TeamViewer, Splashtop, Level, and Ngrok usage patterns consistent with the group.
The Developer-Centric Kill Chain
From roughly 2022 onward, Scattered Spider has increasingly targeted developers and engineers rather than finance or HR staff. The reason is practical. Developers hold the keys to everything: production credentials, source repositories, signing certificates, cloud administrative roles, and documentation with enough context to escalate anywhere. Here is the pattern I have seen across at least a half-dozen cases.
Step 1: OSINT and persona reconstruction. Operators pull names, titles, phone numbers, and manager relationships from LinkedIn, GitHub, Stack Overflow, conference attendee lists, and commercial data brokers. They cross-reference with leaked credential databases to find which targets have reused passwords that might still work.
Step 2: SMS and voice phishing. Targets receive text messages impersonating their own IT or identity provider, often from a lookalike domain like victim-okta.com or victim-sso.net. The Reddit breach of February 9, 2023 and the Twilio breach of August 4, 2022 — the latter being the original "0ktapus" campaign that first put the group on the map — both started this way. The phishing kits were refined enough to proxy live Okta MFA prompts and harvest both the password and the session cookie.
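The lookalike domains mentioned above (a brand token glued to "okta" or "sso", or a near-miss spelling of the real domain) are cheap to spot mechanically before a message reaches an engineer. The following is an added example written for this post, not code from the advisory or any vendor; the organization domains, brand token, keyword list and confusable-character table are assumptions, and the SMS text is constructed.

```python
"""Score hostnames found in SMS or email links against an organization's real domains.

Added example for this post. ORG_DOMAINS, BRAND_TOKENS, IDENTITY_KEYWORDS and
CONFUSABLES are assumed placeholder values; tune them per organization.
"""
import re

ORG_DOMAINS = {"example.com", "example.net"}        # placeholder legitimate domains
BRAND_TOKENS = {"example"}                          # placeholder brand word(s)
# Words phishing kits pair with the brand, e.g. "victim-okta.com", "victim-sso.net"
IDENTITY_KEYWORDS = {"okta", "sso", "mfa", "vpn", "login", "signin", "auth",
                     "helpdesk", "support", "it", "hr", "verify"}
# Character sequences that read alike in small phone fonts (assumed, not exhaustive)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def normalize_confusables(label):
    """Collapse lookalike sequences so 'exarnple' and 'examp1e' compare as 'example'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def levenshtein(a, b):
    """Edit distance with insert/delete/substitute, cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host):
    # Simplification: second-to-last label. Production code should consult the
    # public suffix list so that "example.co.uk" is handled correctly.
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def assess_domain(host):
    """Return (verdict, reason). Verdicts: trusted, lookalike, homoglyph, typosquat, unknown."""
    host = host.lower().rstrip(".")
    if host in ORG_DOMAINS or any(host.endswith("." + d) for d in ORG_DOMAINS):
        return "trusted", "matches an organization domain"
    # Tokenize the whole hostname so "example.com.evil-login.net" is caught too
    tokens = set(re.split(r"[.\-_]", host))
    brand_hits = BRAND_TOKENS & tokens
    keyword_hits = IDENTITY_KEYWORDS & tokens
    if brand_hits and keyword_hits:
        return "lookalike", f"brand {sorted(brand_hits)} paired with keyword {sorted(keyword_hits)}"
    sld = registrable_label(host)
    for brand in BRAND_TOKENS:
        if sld == brand:
            continue
        if normalize_confusables(sld) == brand:
            return "homoglyph", f"'{sld}' normalizes to '{brand}'"
        if levenshtein(sld, brand) <= 2:
            return "typosquat", f"'{sld}' is within edit distance 2 of '{brand}'"
    return "unknown", "no relation to organization domains"


def triage_message(text):
    """Extract link hosts from a message and score each one."""
    return [(h, assess_domain(h)[0]) for h in URL_HOST_RE.findall(text)]


# Constructed sample SMS in the style the post describes (not a real message)
SAMPLE_SMS = ("IT: your VPN certificate expires today. Re-enroll at "
              "https://example-sso.net/enroll within 1h to avoid lockout.")

if __name__ == "__main__":
    for host, verdict in triage_message(SAMPLE_SMS):
        print(host, "->", verdict, "|", assess_domain(host)[1])
```

Short brand tokens will make the edit-distance rule noisy; in practice the "brand plus identity keyword" rule and the homoglyph rule carry most of the value, and the verdict is best fed into a newly-registered-domain check rather than used as a block decision on its own.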
Step 3: Help desk impersonation. When phishing fails, operators pivot to calling the company help desk. They impersonate a legitimate employee, read back personal data to defeat knowledge-based authentication, and request an MFA reset or a new token delivered to an attacker-controlled number. CISA's advisory notes this is the group's highest-success initial access vector, with some help desks taking only three to seven minutes to authorize the reset.
Step 4: SSO takeover and code access. Once inside, operators authenticate to Okta, Microsoft Entra ID, or Ping Identity, and pivot directly to GitHub, GitLab, Bitbucket, Azure DevOps, and CI/CD consoles. They enumerate repositories, pull source code for reconnaissance, and search for cloud credentials, Terraform state files, and .env contents. In the MGM case, they created federated identity trust from a rogue IdP to maintain access even after passwords were reset.
Step 5: Cloud persistence. Operators enroll attacker-controlled devices into MDM, create new federated domains in Azure AD, provision new service principals, and frequently spin up EC2 or Azure VMs inside the victim tenant for egress. This is the point at which most EDR telemetry stops helping — the activity looks like legitimate administration.
Step 6: Monetization. Some intrusions end with ransomware deployment. Others end with pure extortion — data theft, demand, leak site. Recent cases have added cryptocurrency wallet theft, SIM-swap fraud against executives, and, in at least one 2024 case I observed, the use of stolen source code as leverage against a SaaS vendor's downstream customers.
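The tenant-level changes in Steps 4 and 5 (a new federated trust, a new service principal, a device enrollment) are all ordinary administrative events on their own; what makes them suspicious is that they follow a credential reset by minutes. Below is an added example, not a Microsoft or vendor detection, that scans identity-provider audit records and escalates persistence changes whose actor had a password or MFA reset within the preceding day. The activity names are assumed to follow Microsoft Entra ID audit log activityDisplayName values and should be confirmed against a real export; every record is constructed.

```python
"""Correlate credential resets with tenant persistence changes in IdP audit logs.

Added example for this post. PERSISTENCE_ACTIVITIES and CREDENTIAL_RESET_ACTIVITIES
are assumed to match Entra ID audit log activity names; verify before deploying.
"""
from datetime import datetime, timedelta

# Activities that change whom or what the tenant trusts (assumed names)
PERSISTENCE_ACTIVITIES = {
    "Set federation settings on domain": "federation trust changed (rogue IdP risk)",
    "Set domain authentication": "domain switched between managed and federated",
    "Add service principal": "new application identity created",
    "Add service principal credentials": "credential added to an application identity",
    "Register device": "device registered with the tenant (MDM enrollment path)",
    "Add member to role": "directory role granted",
    "Add unverified domain": "new domain added to the tenant",
}

# Activities that indicate the actor's own credentials were just reset (assumed names)
CREDENTIAL_RESET_ACTIVITIES = {
    "Reset user password",            # admin or help desk reset
    "User registered security info",  # new MFA method enrolled
    "Admin deleted security info",    # old MFA method removed
}

RESET_TO_PERSISTENCE_WINDOW = timedelta(hours=24)  # assumed tuning value


def scan_audit_events(events):
    """Return findings for persistence activities, rated high if the actor was recently reset.

    Each event: {"timestamp": ISO-8601, "activity": str, "initiated_by": user, "target": str}.
    For reset activities `target` is the user whose credentials changed.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["timestamp"]))
    last_reset = {}  # user -> datetime of most recent credential reset
    findings = []
    for e in ordered:
        ts = datetime.fromisoformat(e["timestamp"])
        activity = e["activity"]
        if activity in CREDENTIAL_RESET_ACTIVITIES:
            last_reset[e["target"]] = ts
            continue
        if activity not in PERSISTENCE_ACTIVITIES:
            continue
        actor = e["initiated_by"]
        reset_at = last_reset.get(actor)
        since = ts - reset_at if reset_at is not None else None
        recently_reset = since is not None and since <= RESET_TO_PERSISTENCE_WINDOW
        findings.append({
            "timestamp": e["timestamp"],
            "actor": actor,
            "activity": activity,
            "target": e["target"],
            "why": PERSISTENCE_ACTIVITIES[activity],
            "minutes_since_reset": int(since.total_seconds() // 60) if since else None,
            "severity": "high" if recently_reset else "medium",
        })
    return findings


# Constructed sample records: a help desk reset followed by persistence within the hour
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-10T08:00:00", "activity": "Reset user password",
     "initiated_by": "helpdesk-agent", "target": "it-admin"},
    {"timestamp": "2024-03-12T09:02:00", "activity": "Reset user password",
     "initiated_by": "helpdesk-agent", "target": "dev.alice"},
    {"timestamp": "2024-03-12T09:05:00", "activity": "User registered security info",
     "initiated_by": "dev.alice", "target": "dev.alice"},
    {"timestamp": "2024-03-12T09:41:00", "activity": "Add service principal",
     "initiated_by": "dev.alice", "target": "sp-backup-sync"},
    {"timestamp": "2024-03-12T09:47:00", "activity": "Set federation settings on domain",
     "initiated_by": "dev.alice", "target": "corp.example.com"},
    {"timestamp": "2024-03-12T11:00:00", "activity": "Add member to role",
     "initiated_by": "it-admin", "target": "dev.bob"},
    {"timestamp": "2024-03-12T12:00:00", "activity": "Update user",
     "initiated_by": "dev.alice", "target": "dev.carol"},
]

if __name__ == "__main__":
    for f in scan_audit_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["timestamp"], f["actor"], f["activity"], "->", f["why"])
```

The 24-hour window is deliberately generous; the MGM-style federation change is rare enough in most tenants that it deserves a page even at medium severity, and the reset correlation exists to push it to the top of the queue rather than to suppress anything.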
Why Developer Targeting Works
When I debrief teams after these incidents, the same root causes surface.
Help desks still verify identity using public information. Badge numbers, last four of SSN, date of hire, and manager name are trivially available. Meanwhile, most help desk workflows are measured on ticket throughput, which subtly incentivizes saying yes.
Developer MFA is often weaker than it looks. Push notifications get approved reflexively. SMS-based MFA is still present in surprising places. FIDO2 hardware keys, which genuinely stop these attacks, were enforced for only a handful of the engineers at companies I have reviewed.
Source control and CI/CD are over-trusted. Once the attacker has a valid developer session, nothing flags the anomaly of downloading 40 repositories in four minutes or creating a new GitHub Actions workflow that dumps secrets to an external webhook.
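The two anomalies named here, a burst of clones from one identity and a new workflow file that can exfiltrate secrets, are both visible in source-control telemetry if anyone is looking. The following is an added example for this post, not Safeguard's or GitHub's code. The record shape is an assumption: `git.clone`, `repo.download_zip` and `repo.add_member` mirror GitHub audit log action names, while the `added` file list is the kind of data the push webhook's `commits[].added` field carries, since the audit log itself does not record file paths. The thresholds and all sample records are constructed.

```python
"""Detect clone bursts, new workflow files and new collaborators in source-control events.

Added example for this post. Action names are assumed to mirror GitHub's audit
log; the `added` path list is assumed to come from push webhook payloads.
"""
from collections import Counter, deque
from datetime import datetime, timedelta

CLONE_ACTIONS = {"git.clone", "repo.download_zip"}
BURST_WINDOW = timedelta(minutes=5)   # assumed thresholds; baseline per organization
BURST_REPOS = 10                      # distinct repositories within the window


def is_workflow_path(path):
    """True for files GitHub Actions would execute as a workflow definition."""
    return path.startswith(".github/workflows/") and path.endswith((".yml", ".yaml"))


def detect(records):
    """Return findings over records shaped like
    {"ts": ISO-8601, "actor": str, "action": str, "repo": str, "added": [paths], "member": str}.
    """
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["ts"]))
    findings = []
    window = {}          # actor -> deque of (ts, repo) within BURST_WINDOW
    in_window = {}       # actor -> Counter(repo -> clones inside the window)
    burst_findings = {}  # actor -> the finding already raised, updated as the burst grows
    for r in ordered:
        ts = datetime.fromisoformat(r["ts"])
        actor, action = r["actor"], r["action"]
        if action in CLONE_ACTIONS:
            dq = window.setdefault(actor, deque())
            cnt = in_window.setdefault(actor, Counter())
            dq.append((ts, r["repo"]))
            cnt[r["repo"]] += 1
            # Slide the window: drop clones older than BURST_WINDOW
            while dq and ts - dq[0][0] > BURST_WINDOW:
                _, old = dq.popleft()
                cnt[old] -= 1
                if cnt[old] == 0:
                    del cnt[old]
            if len(cnt) >= BURST_REPOS:
                if actor not in burst_findings:
                    burst_findings[actor] = {"kind": "clone_burst", "actor": actor,
                                            "repos": len(cnt), "first_seen": r["ts"]}
                    findings.append(burst_findings[actor])
                burst_findings[actor]["repos"] = max(burst_findings[actor]["repos"], len(cnt))
        elif action == "git.push":
            wf = [p for p in r.get("added", []) if is_workflow_path(p)]
            if wf:
                findings.append({"kind": "workflow_added", "actor": actor,
                                 "repo": r["repo"], "paths": wf, "at": r["ts"]})
        elif action == "repo.add_member":
            findings.append({"kind": "collaborator_added", "actor": actor,
                             "repo": r["repo"], "member": r["member"], "at": r["ts"]})
    return findings


def _ts(minute, second=0):
    return (datetime(2024, 3, 12, 9, 0) + timedelta(minutes=minute, seconds=second)).isoformat()


# Constructed sample: one identity clones 42 repositories in under four minutes,
# then adds a workflow and an outside collaborator; a second identity behaves normally.
SAMPLE_RECORDS = [
    {"ts": _ts(0, 5 * i), "actor": "dev-alice", "action": "git.clone", "repo": f"acme/service-{i:02d}"}
    for i in range(42)
] + [
    {"ts": _ts(12), "actor": "dev-alice", "action": "git.push", "repo": "acme/service-07",
     "added": [".github/workflows/sync-secrets.yml"]},
    {"ts": _ts(15), "actor": "dev-alice", "action": "repo.add_member", "repo": "acme/service-07",
     "member": "outside-collab"},
    {"ts": _ts(30), "actor": "dev-bob", "action": "git.clone", "repo": "acme/service-01"},
    {"ts": _ts(95), "actor": "dev-bob", "action": "git.clone", "repo": "acme/service-02"},
    {"ts": _ts(100), "actor": "dev-bob", "action": "git.push", "repo": "acme/service-02",
     "added": ["src/app.py"]},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f)
```

A workflow file added by an account that just cloned dozens of repositories is the combination worth paging on; a single new workflow from a developer who has committed to that repository for months is routine, which is why the clone-burst finding carries the actor so the two can be joined downstream.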
Identity provider configurations drift. Organizations create federated trusts, SCIM providers, and legacy authentication methods over the years. Scattered Spider exploits that complexity — they know where the dusty corners are.
Recent Campaign Notes
Through the first half of 2024, Scattered Spider-linked operators shifted some activity toward financial services, insurance, and food and beverage verticals. The Transform Insurance breach in March 2024, the Snowflake-related intrusions in April and May 2024 (targeting Ticketmaster, Santander, Advance Auto Parts, and others via stolen Snowflake credentials from infostealer logs), and the April 2024 intrusion into a major cloud-hosted HR platform all showed overlapping TTPs with known Scattered Spider tooling, particularly the use of Ngrok tunnels and AnyDesk installers named to mimic internal tools.
The Snowflake cases are particularly instructive: the root cause was stolen credentials from developer laptops infected with Vidar, Redline, or Raccoon stealers, many of them originating from pirated software downloads. This is the infostealer-to-supply-chain pipeline, and it is running at a volume most defenders have not yet internalized.
How Safeguard Helps
Safeguard closes the developer-targeting gap that Scattered Spider repeatedly exploits by giving security teams visibility into the code and cloud surfaces that typically fall through the cracks. The platform monitors GitHub, GitLab, Bitbucket, and Azure DevOps for anomalous clone patterns, sudden workflow changes, and newly added collaborators — the exact signals that indicate a compromised developer session. Integrated identity and SBOM telemetry flags when production secrets, signing keys, or deployment tokens appear in newly modified code, and surfaces risky OAuth grants tied to source-control tenants. By correlating infostealer IOCs, exposed credentials, and supply chain changes in a single view, Safeguard gives teams a realistic chance of catching a Scattered Spider-style intrusion while it is still an account compromise rather than a full extortion event.