Scattered Spider
Native-English-speaking financially-motivated crew, assessed to include members in the United States, United Kingdom, and Canada. Tradecraft centers on SIM-swap and voice-phishing of IT helpdesks to bypass MFA, followed by Okta and Azure AD identity-provider abuse. Most visible 2023 operations: the September 2023 intrusions into MGM Resorts (week-long casino floor disruption) and Caesars Entertainment ($15M ransom). Pivoted into BlackCat and later RansomHub affiliate work. Multiple arrests in 2024.
Aliases: Scattered Spider, Unknown
Motivations: financial gain
Target sectors: telecommunications, hospitality, financial
Target countries: US, GB, +1 more
Lineage & relationships: Diamond Model (Caltagirone / Pendergast / Betz 2013, four-vertex attribution framework)
MITRE ATT&CK techniques

Tools & malware (4 entries)

Timeline (2 events)

Compromise · Critical · 2025-06-30 · Source: FBI Internet Crime Complaint Center (IC3)
Scattered Spider summer-2025 airline-sector wave: WestJet, Hawaiian, Qantas
Two months after the April 2025 UK retail-sector wave, Scattered Spider operators pivoted to the aviation industry during the Northern-Hemisphere peak travel season. Confirmed compromises: **WestJet** (initial access 13 June, 1M+ customer records affected), **Hawaiian Airlines** (June 2025), and **Qantas** (third-party contact-centre platform, 30 June 2025; up to 6M passenger PII records exposed). Operationally identical to the M&S / Co-op wave: voice-phishing of help-desk and contact-centre staff, MFA bypass through device enrolment, supplier / SaaS pivot. The FBI issued a sector-specific advisory on Scattered Spider's airline targeting in late June 2025.
Tags: aviation, social-engineering, saas-pivot, third-party, peak-season-targeting

Compromise · Critical · 2025-04-24 · Source: UK National Crime Agency / National Cyber Security Centre
Scattered Spider compromises Marks & Spencer, Co-op, Harrods
Scattered Spider operators executed coordinated intrusions against three of the UK's largest retailers in April 2025, ultimately deploying DragonForce ransomware against Marks & Spencer on 24 April. M&S subsequently disclosed an estimated £300M revenue impact (~$400M) — the costliest UK retail cyberattack on public record — with the Co-op disclosing £206M (~$277M). Initial access at M&S used compromised credentials from outsourced IT provider Tata Consultancy Services (TCS), a textbook Scattered Spider social-engineering pivot through a managed-services supplier. Active Directory contents were stolen during months of dwell time before encryption. UK NCA arrested four individuals, three of them teenagers, in July 2025.
Tags: supply-chain, managed-services, uk-retail, dragonforce, social-engineering
Indicators of compromise (3 indicators)

| Type | Value | Description | First seen | Source |
|---|---|---|---|---|
| Name | family · AveMaria/WarZone | Commodity remote-access trojan (also tracked as WarZone, MITRE S0670) used by Scattered Spider for hands-on-keyboard access post-compromise, per Table 2 of CISA AA23-320A. | Nov 15, 2023 | CISA |
| Name | family · VIDAR | Information stealer listed in Table 2 of CISA AA23-320A as used by Scattered Spider for credential and cookie theft after initial help-desk social engineering. | Nov 15, 2023 | CISA |
| Name | family · Raccoon Stealer | Information stealer (credentials, browser history, cookies) named in Table 2 of CISA/FBI joint advisory AA23-320A as part of Scattered Spider's post-access toolset. | Nov 15, 2023 | CISA |
Related actors (shared ATT&CK techniques)

- CN · China · APT10 · 2 shared techniques
- CN · China · Salt Typhoon · 2 shared techniques
- RU · Russia · APT29 · 1 shared technique
- CN · China · APT31 · 1 shared technique
- IR · Iran · APT33 · 1 shared technique
- IR · Iran · APT34 · 1 shared technique
References
Threat Intel Tracker. (2026-05-19). Scattered Spider — actor profile. Retrieved from https://threatintel.local/actors/scattered-spider