On June 31, Qantas Airways disclosed in a press release that one of its call centers had been the target of a cyberattack. The breach is believed to have resulted in a massive leak of customer data, the full scope of which remains unknown. The attack has been widely attributed to the group known as Scattered Spider—also tracked under aliases such as UNC3944, Storm-0875, LUCR-3, and Oktapus.

Through its composition, loose organization, and reliance on social engineering, Scattered Spider stands apart in today’s cyber threat landscape. Reportedly made up of teenagers and young adults, mostly native English speakers based in the U.S. and the U.K., the group operates without clear hierarchy. Despite several arrests in 2024, Scattered Spider remains active.

With its rapid rise, global reach, and ability to exploit the human factor, Scattered Spider embodies a new kind of cyber threat: opportunistic, highly adaptable, and decentralized.

A Band of Teenagers Giving the FBI Headaches

“I don’t know if I can say it’s even possible to dismantle them,” admitted Brett Leatherman, deputy assistant director of the FBI’s cyber division, in an interview with The Record in May 2024. The collective is believed to have formed in May 2022. Initially focused on telecom companies, its targets have since expanded to a wide array of industries—retail, gambling, aviation—and geographies, from the U.S., Canada, and the U.K. to Switzerland, Southeast Asia, and Brazil. Scattered Spider shot to notoriety following two high-profile attacks in 2023 against Caesars Entertainment and MGM Resorts International, two U.S. gambling giants. Both companies had customer data stolen; Caesars eventually paid a $15 million ransom (down from the $30 million demanded). Since then, the group has targeted household names such as Marks & Spencer, Harrods, Co-op Group, New York Life Insurance, Visa, Financial Services Group Inc., and Twilio.

A Loose, Atypical Structure

Unlike traditional cybercriminal groups, Scattered Spider has no clear chain of command. Instead, individuals or small subgroups team up opportunistically. This amorphous structure makes attribution particularly difficult while affording the group significant agility. Most members are young, native English speakers adept at corporate lingo and social dynamics—skills that make their social engineering attacks especially effective. Financial gain remains the primary motive. Their operations typically involve extortion through ransomware or stolen data, which can be sold on dark web markets or used for blackmail. Targeting large companies maximizes their returns. At the same time, members’ youth and psychology add secondary drivers: the thrill of the challenge and the desire for recognition. Scattered Spider has worked both independently and in collaboration with other cybercriminal organizations. Notably, it partnered with ALPHV/BlackCat on data-encryption attacks. The group is believed to be part of a wider underground ecosystem known as “The Community” or “The Comm”, active on Discord and Telegram, where hackers exchange tips amid a toxic culture of racism and misogyny. Internally, the group appears to split into two profiles: some members handle basic operations such as phishing emails or SMS campaigns, while others possess advanced technical skills capable of manipulating or compromising IT systems.

Attacks Built on Social Engineering

Scattered Spider’s operations rely less on technical sophistication than on exploiting human vulnerabilities. The group excels at deceiving employees into granting access to internal systems, often without needing advanced hacking techniques. They study the internal processes of their targets and imitate them convincingly. To gain entry, they deploy tactics such as vishing (phone calls impersonating IT support staff to extract credentials), MFA fatigue attacks (bombarding users with authentication requests until one is accepted out of exhaustion), and highly personalized phishing crafted using details scraped from social media. Once inside, they move discreetly, using built-in remote administration tools and creating persistent administrator accounts to maintain access and exfiltrate data. Two scenarios are then observed: either collaborating with Ransomware-as-a-Service affiliates to encrypt data and conduct double extortion, or—more often—relying on blackmail by threatening to publish stolen information.
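For defenders, the MFA fatigue pattern described above leaves a recognizable trace in authentication logs: a run of denied or timed-out prompts for one user, then an approval. The following detection sketch is an added example, not part of the original article; the log layout, field names and thresholds are assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the "timestamp user=... result=..." layout is an
# assumption, not the export format of any particular identity provider.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=alice result=denied
2024-05-01T09:00:40Z user=alice result=timeout
2024-05-01T09:01:10Z user=alice result=denied
2024-05-01T09:01:55Z user=alice result=timeout
2024-05-01T09:02:30Z user=alice result=approved
2024-05-01T09:05:00Z user=bob result=approved
2024-05-01T10:00:00Z user=carol result=denied
2024-05-01T13:00:00Z user=carol result=approved
"""

def parse_line(line):
    """Split one constructed log line into (datetime, user, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["result"]

def detect_mfa_fatigue(log_text, window=timedelta(minutes=10), min_rejected=3):
    """Flag approvals preceded by >= min_rejected denied or timed-out prompts
    for the same user inside the sliding window (thresholds are assumptions)."""
    rejected = defaultdict(deque)   # user -> timestamps of recent rejected prompts
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ts, user, result = parse_line(line)
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()        # drop prompts that fell out of the window
        if result in ("denied", "timeout"):
            recent.append(ts)
        elif result == "approved":
            if len(recent) >= min_rejected:
                alerts.append({"user": user, "approved_at": ts.isoformat(),
                               "rejected_before": len(recent)})
            recent.clear()          # an approval ends the current streak
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert of this kind is a reason to contact the user out of band and review the session that the approval created, since a single isolated denial followed hours later by a normal login (the carol case) is not flagged.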

A New Face of Cybercrime

Scattered Spider breaks the mold of conventional cybercriminal groups—both in its membership profile and its lack of hierarchy. Its notoriety stems from headline-grabbing attacks on Western corporations and its mastery of social engineering techniques. The lesson for organizations is stark: the weakest link is often human, not technical. The Scattered Spider case highlights the urgent need for companies to train employees in cyber hygiene, reinforcing the idea that cybersecurity depends as much on human resilience as on technical defenses.
