Blog
Scattered Spider, The Group That Blends Digital Attacks With Real-World Violence
By iVerify Team
Sep 12, 2024
Who They Are
Known by multiple aliases, such as UNC3944, Roasted 0ktapus, Starfraud, and Muddled Libra, Scattered Spider is a highly proficient cybercrime group that maintains a loose organization. The majority of them are young, English-speaking people suspected to be in the 19–22 age range.
Scattered Spider functions as a decentralized network of people who get together for particular activities rather than as a monolithic organization. This fluid structure makes them highly resistant to identification and arrest by law enforcement.
The group's history is a little unclear, but they have been active since the middle of 2022, at the very least. They first gained notoriety for a string of cyberattacks that compromised large corporations through social engineering techniques.
How They Hack
Scattered Spider uses a wide range of methods, with social engineering at the core. One of their most effective techniques is multifactor authentication (MFA) bombing, where they flood a target with MFA approval requests, hoping that the victim will eventually approve one out of frustration or confusion.
Image: An example of what a victim of MFA bombing would see on their mobile
This technique has proven highly effective, even against organizations with strong security measures in place, because it relies on human error rather than a technical flaw. Once they have obtained initial access, Scattered Spider uses a variety of legitimate tools to move laterally within networks, escalate privileges, and maintain persistence.
Their toolkit includes widely used software such as:
• Mimikatz: A tool used for extracting credentials from Windows systems.
• TeamViewer and Splashtop: Remote desktop applications that allow them to maintain access to compromised systems.
• Ngrok: A reverse proxy that creates tunnels from a public endpoint to services on the local network, enabling remote access.
• Tailscale: A mesh VPN service that facilitates secure communication between compromised devices.
In addition to these tools, Scattered Spider has been known to exploit vulnerabilities in cloud infrastructure and SaaS (software as a service) applications.
They often use synchronization utilities like Airbyte and Fivetran to exfiltrate data from compromised environments to cloud storage under their control. This method allows them to move large quantities of sensitive data with a lower risk of detection.
Image: Logs from Mandiant showcasing data exfiltration activity
The group is also adept at using bring your own vulnerable driver (BYOVD) techniques to bypass security measures such as endpoint detection and response (EDR) systems. This involves installing a known-vulnerable driver on the target system and then exploiting it to escalate privileges or disable security software. The method is particularly dangerous because it leverages legitimate drivers that most security software does not flag.
Victims of the Group
The reality behind this group is that their victim list reads like a list of the world's biggest global corporations. They have attacked large organizations mainly in hospitality, entertainment, telecommunications and technology.
Some of their biggest victims include:
• MGM Resorts: The group's attack on MGM in September 2023, which started with SMS phishing and SIM swapping, was one of their most significant operations, resulting in widespread disruptions and substantial financial losses.
• Caesars Entertainment: Scattered Spider also targeted Caesars simultaneously with the MGM attack, using similar tactics to breach systems and deploy ransomware.
• Twilio: The group orchestrated an SMS phishing (smishing) attack on Twilio, successfully compromising employee accounts and accessing internal systems.
• DoorDash: Scattered Spider targeted DoorDash with a phishing attack, leading to the theft of customer data and other sensitive information.
• MailChimp: The group employed social engineering techniques to breach MailChimp's systems, accessing customer data and other sensitive information.
• Riot Games: Scattered Spider was linked to an attack on Riot Games, utilizing phishing and social engineering to infiltrate internal systems.
Additionally, there has been repeated speculation within NFT and cryptocurrency communities that Scattered Spider may have been involved in one of the recent Trezor hacks.
Image: Chat logs from a semi-private NFT group hinting that Scattered Spider was involved in a Trezor hack
Trezor, a popular hardware wallet for securing cryptocurrency, was reportedly compromised, leading to significant losses for users. However, despite the rumors circulating within these communities, we’re unable to find any direct evidence linking Scattered Spider to any instances of these breaches.
What is evident across many of the confirmed attacks linked to Scattered Spider is a common tactic: the exploitation of mobile devices. In several incidents, such as the Twilio breach, mobile-based attack vectors like smishing were used to gain access to the target company's systems.
Mobile-Driven Lateral Movement
In addition to the cases mentioned above, a Scattered Spider attack uncovered in 2023 began with social engineering to obtain credentials. The attackers gained initial access by resetting an IT administrator's account password through unspecified social engineering tactics.
Once they intercepted MFA requests, they initiated an MFA bombing attack, overwhelming the user with multiple authentication prompts until one was approved, thereby gaining access. The attackers then enrolled their own device in the MFA system, ensuring continued access.
With valid credentials, Scattered Spider quickly pivoted from the cloud to on-premises environments. They accessed SharePoint, where they found sensitive IT documentation, including network architecture and privileged access guides. This enabled them to move laterally within the network, targeting on-premises assets with speed.
Using compromised credentials, they authenticated through Citrix Workspace, hijacked VDI sessions, and conducted Active Directory (AD) discovery with tools like AD Explorer to map the internal network for further exploitation.
For data exfiltration, the group used Ngrok to create tunnels to external servers and the domain transfer.sh to move sensitive data out of the environment. Their access persisted via the mobile-enrolled MFA device, allowing them to keep operating even as the attack unfolded. To maintain long-term access, they also relied on reverse proxy tools like Ngrok, ensuring they could continue their operations undetected.
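The MFA bombing pattern described above (a burst of push prompts, one approval, then a new factor enrolled for persistence) is something an identity-provider log can reveal. The following detection logic is an added example, not code from the original post or from iVerify; the log format, field names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real logs): a burst of push
# prompts to one user, a single approval, then a new MFA device enrolled.
SAMPLE_LOG = """\
2023-05-02T09:00:01Z alice push_sent
2023-05-02T09:00:09Z alice push_sent
2023-05-02T09:00:20Z alice push_sent
2023-05-02T09:00:31Z alice push_sent
2023-05-02T09:00:44Z alice push_sent
2023-05-02T09:00:58Z alice push_approved
2023-05-02T09:03:10Z alice mfa_device_enrolled
2023-05-02T09:05:00Z bob push_sent
2023-05-02T09:05:07Z bob push_approved
"""

PUSH_THRESHOLD = 5                     # prompts in the window that count as a bombing burst
BURST_WINDOW = timedelta(minutes=5)    # look-back from the approval to count prompts
ENROLL_WINDOW = timedelta(minutes=30)  # new factor registered soon after the approval

def parse_events(text):
    """Parse 'timestamp user action' lines into sorted (datetime, user, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, action = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action))
    return sorted(events)

def detect_mfa_fatigue(events):
    """Return {user: [(finding, timestamp), ...]} for users whose push history
    matches the bombing pattern; users with a normal single prompt are ignored."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)
    findings = defaultdict(list)
    for user, evs in per_user.items():
        for i, (ts, _, action) in enumerate(evs):
            if action != "push_approved":
                continue
            # count prompts sent in the window ending at this approval
            sent = [t for t, _, a in evs[:i] if a == "push_sent" and ts - t <= BURST_WINDOW]
            if len(sent) >= PUSH_THRESHOLD:
                findings[user].append(("mfa_bombing_approved", ts))
                # an approval followed by enrolment of a new factor indicates persistence
                enrolled = [t for t, _, a in evs[i + 1:]
                            if a == "mfa_device_enrolled" and t - ts <= ENROLL_WINDOW]
                if enrolled:
                    findings[user].append(("new_mfa_device_after_burst", enrolled[0]))
    return dict(findings)

if __name__ == "__main__":
    for user, hits in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        print(user, hits)
```

Tune the thresholds to the prompt volume of your own identity provider; the second finding is the one worth paging on, since a new factor after a burst is how the attackers in the 2023 case kept their access.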
Internal Conflicts
In June 2024, Spanish authorities working in conjunction with the FBI arrested 22-year-old Tyler Buchanan in Palma de Mallorca, Spain, in an important development in the investigation into Scattered Spider.
Buchanan, allegedly the leader of Scattered Spider, was detained while trying to board a flight to Italy. It was a major legal win for the police, who believe Buchanan was behind some of the group's biggest attacks, including those on Twilio, LastPass and Mailchimp.
Image: Clipped footage of Tyler Buchanan's arrest in Spain
This arrest followed the January 2024 apprehension of another alleged Scattered Spider member, 19-year-old Noah Michael Urban, in Florida. Urban, also known by the aliases "Sosa" and "King Bob," was charged with stealing at least $800,000 through a series of SIM-swapping attacks.
Image: A news article detailing the arrest of Noah Michael Urban (Sosa)
Beyond their online activities, Scattered Spider members have also been involved in, and have sometimes been the victims of, violent real-world attacks. Rival cybercrime gangs frequently resort to "violence-as-a-service," an awful trend where individuals hire others to carry out physical attacks on their behalf. These attacks can range from bricking windows and slashing car tires to more severe actions like home invasions.
iVerify has observed videos circulating in Telegram communities showing individuals allegedly connected to Scattered Spider engaging in real-life extortion, stalking, harassment, and other crimes against family members. In some cases, discussions about kidnapping have also been noted within these communities.
MITRE Information
Scattered Spider's tactics align with several techniques within the MITRE ATT&CK framework. Here are some of the key techniques associated with their activities:
Mitigating the Risks of Mobile Threats
Strong defensive measures are essential for fending off modern mobile threats. iVerify's Advanced Mobile EDR provides a comprehensive solution through combining threat detection, mobile forensics, and automated response and remediation.
This holistic strategy guarantees optimal privacy and security by defending against complex threats like mobile malware, unpatched vulnerabilities, smishing attempts, and credential theft at an enterprise level. Click here to learn more about how we can protect your organization.
About the Authors
iVerify Research Team and Daniel Kelley, Threat Researcher, collaborated to research the latest threats and tactics employed by this cybercrime group.