An aggressive and elusive ring of young cybercriminals, known as Scattered Spider, has approximately 1,000 members, Bryan Vorndran, assistant director of the FBI’s Cyber Division, said at the Sleuthcon conference.
Vorndran described Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” noting that many members do not know each other directly. The group originates from an online community called “the Com.”
Scattered Spider (aka 0ktapus, UNC3944, and Storm-0875) is a relatively new player on the cybercrime scene, known for its use of a variety of social engineering tactics to gain initial access, including calling employees and impersonating IT staff, using Telegram and SMS messages that redirect to phishing sites, and employing MFA fatigue.
Scattered Spider has been linked to several high-profile breaches, targeting major companies such as the casino giant MGM Resorts and the identity management company Okta. The MGM breach impacted some of the hotel chain’s IT systems, including the main website, online reservations, and in-casino services, like ATMs, slot machines, and credit card machines.
The group primarily consists of native English speakers from the United States and the United Kingdom and is considered one of the top security threats, alongside Russian and Chinese state-backed threat actors.
In January 2024, US authorities arrested and charged 19-year-old Noah Michael Urban (aka “Sosa,” “Elijah,” “King Bob,” and “Anthony Ramirez”), an alleged member of Scattered Spider, with wire fraud, aggravated identity theft, and conspiring with others to use SIM-swapping to steal cryptocurrency.