Scattered Spider is not one gang but a sprawling cybercrime movement

Scattered Spider, the name behind some of the most damaging social engineering attacks of the past three years, is not a single organized gang at all. That is the central finding of new research from Group-IB, which argues the label is better understood as a loose cybercrime movement made up of many independent subclusters that share tactics rather than a chain of command.

The distinction matters for defenders and investigators. Attacks tied to Scattered Spider have hit Twilio and roughly 125 of its downstream customers in 2022, the MGM Resorts and Caesars Entertainment breaches in 2023, and the Marks and Spencer and Co-op intrusions in 2025. Yet Group-IB says there is no evidence the crews behind those campaigns are the same people. Instead, they operate like the Anonymous hacktivist collective: separate cells connected by common playbooks, tools, and occasionally shared forums or chat channels.

One name, many crews

Group-IB places its own long-tracked 0ktapus cluster inside the Scattered Spider umbrella as one subcluster, not as a synonym for the whole. The researchers note the same activity has been catalogued across the industry under a wall of vendor names, including Palo Alto Unit 42's Muddled Libra, Microsoft's Octo Tempest, and Mandiant's UNC3944. Group-IB also suggests much of what is now called Scattered Spider overlaps with the sprawling online criminal community known as "The Com". We track the actor and its documented intrusions on our Scattered Spider profile, and earlier reporting detailed its use of Teleport for cloud persistence and DragonForce ransomware partnerships.

How the subclusters operate

The common thread is aggressive social engineering. Subclusters lean on phishing pages that impersonate Okta, Microsoft, Citrix, Google, and OneLogin sign-in screens, often standing a fake portal up moments before a scripted phone call and taking it down seconds after a victim logs in. Voice phishing (vishing) and SMS phishing (smishing) run in parallel, with attackers impersonating IT or HR staff and, in some cases, pushing a remote access tool such as AnyDesk disguised as a "runtime diagnostics" utility once credentials are submitted.

Their targets cluster around a few goals. Marketing and communications platforms like Twilio, Mailchimp, and SendGrid are compromised not as end goals but as launchpads for further phishing. US and Canadian mobile carriers, including Verizon, AT&T, and T-Mobile and their authorized retailers, are hit for SIM swapping, sometimes by bribing employees up to 3,000 dollars to act as insiders or, in one observed case, by physically stealing unlocked iPads from retail stores. Cryptocurrency holders are the ultimate prize, drained through P1 bots and wallet drainers after a SIM swap or credential theft.

What defenders should take away

Because there is no single group to disrupt, arrests of individual members have not stopped the activity, and new subclusters keep emerging with shifting targets. Group-IB urges organizations to harden help desk identity verification, scrutinize trust relationships with outsourcing and support vendors that these crews exploit as stepping stones, and treat any unsolicited call directing staff to a login page as a red flag. Phishing-resistant multi-factor authentication and tight controls on remote access tools blunt the collective's two favorite entry points.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions