Scattered Spider / UNC3944 Group Profile
Breach Summary
Scattered Spider — also known as UNC3944, Muddled Libra, and Octo Tempest — is a loosely organized threat group of primarily English-speaking young adults who executed some of the most financially damaging social engineering attacks in enterprise history during 2022–2023. The group's targets included MGM Resorts, Caesars Entertainment, Okta, Twilio, Cloudflare, and dozens of others. Their weapon of choice was not malware but the telephone.
What Happened
Scattered Spider's documented attacks span 2022–2023 and include Twilio, Cloudflare, DoorDash, Signal (via Twilio), Okta, MGM Resorts, Caesars Entertainment, and dozens of others identified in law enforcement and vendor investigations. Multiple group members were arrested in 2023–2024 through FBI and UK NCA investigations. The group's techniques — particularly help desk vishing and MFA fatigue — have been widely adopted by successor groups, meaning the threat methodology remains active even as the original Scattered Spider core has been partially disrupted by law enforcement.
Attack Vector Detail
Scattered Spider's core technique is vishing — calling IT help desks and impersonating employees, using personal information assembled from LinkedIn and breach databases to pass identity verification. Once they obtain MFA resets or credential assistance, they pivot through Okta or other SSO platforms to access connected enterprise applications. The group is notable for conducting attacks in English without the language barriers that typically characterize foreign threat actors, enabling highly convincing social engineering against US and UK corporate targets. Many group members are believed to be teenagers and young adults, making Scattered Spider the most consequential youth cybercrime organization in history.
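The two techniques named above, MFA fatigue and a help-desk-assisted factor reset followed by a fresh login, both leave an identity-log trail that defenders can alert on. The following detector is an added example, not code from the original profile or from any vendor; the event-type names and the five-field record layout are modeled on Okta System Log events (`system.push.send_verify_push`, `user.mfa.factor.reset_all`, `user.mfa.factor.deactivate`, `user.mfa.factor.activate`, `user.session.start`) but are assumptions here, the sample events and the per-user IP baseline are constructed, and the thresholds and windows are illustrative starting points rather than tuned values.

```python
"""Detection logic for two Scattered Spider patterns:
  1. MFA push fatigue: many push challenges to one user in a short window.
  2. Help-desk reset chain: an MFA factor reset performed by someone other
     than the user, then a new factor enrollment and a session start from an
     IP address never seen for that user before, all inside one window.

Added example (not from the original profile). Event names and field layout
are modeled on Okta System Log records but are assumptions here; map them to
the real schema before use. Every event below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_type, actor, target_user, client_ip)
SAMPLE_EVENTS = [
    # alice receives six push challenges in about two minutes (fatigue pattern)
    ("2023-09-10T14:00:00Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    ("2023-09-10T14:00:20Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    ("2023-09-10T14:00:45Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    ("2023-09-10T14:01:10Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    ("2023-09-10T14:01:40Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    ("2023-09-10T14:02:15Z", "system.push.send_verify_push", "alice", "alice", "203.0.113.7"),
    # a help-desk account resets bob's factors; bob "re-enrolls" and logs in from a new IP
    ("2023-09-10T15:05:00Z", "user.mfa.factor.reset_all", "helpdesk.agent", "bob", "198.51.100.2"),
    ("2023-09-10T15:09:00Z", "user.mfa.factor.activate", "bob", "bob", "203.0.113.9"),
    ("2023-09-10T15:10:00Z", "user.session.start", "bob", "bob", "203.0.113.9"),
    # carol rotates her own factor from her usual IP: benign, no alert expected
    ("2023-09-10T16:00:00Z", "user.mfa.factor.deactivate", "carol", "carol", "192.0.2.5"),
    ("2023-09-10T16:02:00Z", "user.mfa.factor.activate", "carol", "carol", "192.0.2.5"),
    ("2023-09-10T16:03:00Z", "user.session.start", "carol", "carol", "192.0.2.5"),
]

# Constructed baseline of IPs previously seen per user (in practice, built from history)
KNOWN_IPS = {"bob": {"192.0.2.10"}, "carol": {"192.0.2.5"}}

RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Return [(user, count)] for users who received >= threshold push
    challenges inside any single window. One alert per user."""
    pushes = defaultdict(list)
    for ts, etype, _actor, target, _ip in events:
        if etype == "system.push.send_verify_push":
            pushes[target].append(parse_ts(ts))
    alerts = []
    for user, times in pushes.items():
        times.sort()
        for i, start in enumerate(times):
            # count challenges that fall inside [start, start + window]
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append((user, count))
                break
    return alerts


def detect_helpdesk_reset_chain(events, known_ips, window=timedelta(minutes=30)):
    """Return alert dicts for: factor reset by a different actor -> new factor
    enrollment -> session start from an IP not in the user's baseline, all
    within `window` of the reset. Self-service resets are ignored."""
    ordered = sorted(events, key=lambda e: parse_ts(e[0]))
    alerts = []
    for idx, (ts, etype, actor, target, _ip) in enumerate(ordered):
        if etype not in RESET_EVENTS or actor == target:
            continue  # not a reset, or the user reset their own factor
        reset_at = parse_ts(ts)
        enrolled = False
        for ts2, etype2, _actor2, target2, ip2 in ordered[idx + 1:]:
            if parse_ts(ts2) - reset_at > window:
                break  # outside the correlation window
            if target2 != target:
                continue
            if etype2 == "user.mfa.factor.activate":
                enrolled = True
            elif (etype2 == "user.session.start" and enrolled
                  and ip2 not in known_ips.get(target, set())):
                alerts.append({"user": target, "reset_by": actor,
                               "reset_at": ts, "new_ip": ip2})
                break
    return alerts


if __name__ == "__main__":
    for user, count in detect_push_fatigue(SAMPLE_EVENTS):
        print(f"MFA fatigue: {user} received {count} push challenges")
    for alert in detect_helpdesk_reset_chain(SAMPLE_EVENTS, KNOWN_IPS):
        print(f"Help-desk reset chain: {alert}")
```

Run against the constructed events, the first rule fires for `alice` and the second for `bob` (reset by `helpdesk.agent`, new login from 203.0.113.9), while `carol`'s self-service rotation from her usual address produces nothing. In production the baseline would come from weeks of prior session history, and the reset-chain rule is most useful when the `actor` field is restricted to help-desk or admin accounts so that alerts point straight at the verification gap the group exploits.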
Breach Pattern Timeline
Pre-2022
Scattered Spider (Mandiant: UNC3944; Microsoft: Octo Tempest; CrowdStrike: Scattered Spider) emerges as a loosely organized group of English-speaking threat actors — predominantly U.S., U.K., and Canadian young adults. Distinguished by social engineering sophistication rather than technical exploit capability.
2022
Scattered Spider conducts coordinated smishing campaigns against tech companies — '0ktapus' campaign affects Twilio, MailChimp, Cloudflare (defended successfully), DigitalOcean, Authy, Signal (downstream), and ~135+ organizations.
2023
Scattered Spider matures methodology: shifts to vishing (voice phishing) against IT help desks. Targets include Reddit (Feb 2023), Riot Games, multiple SaaS platforms.
September 7-12, 2023
Scattered Spider executes parallel attacks against MGM Resorts and Caesars Entertainment using vishing against IT help desks. MGM refuses to pay, suffers 10-day operational shutdown + $100M+ EBITDA impact. Caesars pays $15M ransom. Industry-defining incidents.
October-November 2023
Scattered Spider exploits Citrix Bleed (CVE-2023-4966) at scale. Multiple victims including Boeing breach. Group operates as ALPHV/BlackCat affiliate during this period.
June 14, 2024
FBI arrests Tyler Buchanan (Scotland) at U.S. request — alleged Scattered Spider operative. Subsequently extradited to U.S.
November 14, 2024
U.S. federal charges unsealed against five additional alleged Scattered Spider members in California Central District. Charges include wire fraud, computer fraud, and identity theft.
2024-2025
Scattered Spider continues operating despite arrests. Migrates from ALPHV affiliate model to RansomHub affiliate. Operations continue against insurance, retail, and other sectors.
2025-2026
Scattered Spider becomes foundational case study for: (1) social engineering as the dominant 2022-2024 enterprise breach vector, (2) help desk identity verification as critical control gap, (3) the limits of arrests in disrupting decentralized threat groups, (4) phishing-resistant MFA as the structural defense.
Total impact: Estimated 150+ confirmed enterprise victims 2022-2025 across MGM, Caesars, Twilio, MailChimp, Reddit, Boeing, Riot Games, and others; collective impact exceeding $500M in operational and ransom costs; foundational precedent for the help-desk vishing attack pattern and the phishing-resistant MFA mandate.
Executive Lessons
Scattered Spider established that English-speaking, socially skilled attackers can defeat every technical security control through the human authentication layer. MFA is not sufficient protection when help desks reset MFA on request. Three executive responses are required: redesign help desk identity verification; implement Conditional Access policies; and conduct regular vishing simulations against help desk staff.
Private Equity Implications
Scattered Spider's repeatable, systematic attack methodology represents a direct threat to PE portfolio companies of all sizes. The help desk identity verification gap they exploit is not specific to MGM or Caesars — it exists in the majority of mid-market organizations that have not specifically redesigned their verification procedures to exclude knowledge factors available in breach databases. PE operating partners should require help desk security assessments and vishing simulations as standard components of post-close security programs.