Jun 24, 2025

Scattered Spider – A Retrospective (2023–Present)


Ross Lazerowitz

Co-Founder and CEO

Overview: Evolving Social Engineering Threats

When MGM Resorts and Caesars Entertainment went dark in late 2023, the culprits weren’t nation-state hackers with sophisticated malware but a loose band of teenagers calling themselves Scattered Spider. Better known to incident-response teams as UNC3944, Octo Tempest, or “0ktapus”, this group thrives not on technical exploits but on manipulating human behavior. Despite high-profile arrests, their tactics continue to evolve, forcing defenders to rethink how social engineering is weaponized at scale.


This retrospective covers key incidents involving Scattered Spider from their rise in 2023 through their recent June 2025 attacks, highlighting their methods, impacts, and law enforcement responses.


Major Attacks and the Impact of Social Engineering


Scattered Spider's hallmark is social engineering, which directly targets the human factor. Here's a detailed look at some of their most impactful campaigns:


Casinos Breached: MGM and Caesars (Sept 2023)


The group's high-profile attacks on two major Las Vegas casinos set the stage. MGM Resorts experienced a crippling, week-long outage after attackers vished an internal help desk employee, gained initial access, then spread ransomware (ALPHV/BlackCat) across their networks. The resulting chaos cost MGM an estimated $100 million in lost revenue and recovery expenses.


At Caesars Entertainment, the hackers infiltrated through a compromised IT support vendor, stealing sensitive loyalty program data. Caesars paid a $15 million ransom to avoid a broader leak. These incidents showcased Scattered Spider's capacity for substantial operational disruption through nothing more complex than a convincing phone call.


Cloud Data Theft: Snowflake Customers (Mid-2024)


By mid-2024, Scattered Spider expanded into the cloud. Exploiting phishing campaigns combined with MFA bypass techniques like Evilginx proxies, the group compromised around 165 Snowflake cloud customers, including prominent names like AT&T, Ticketmaster, and LendingTree. Stolen data was leveraged in extortion demands, demonstrating the group’s capability for massive-scale compromise.


Retail Disruption: UK and US (2025)


In early 2025, a coordinated ransomware campaign hit British retail giants Marks & Spencer, Co-op, and Harrods. The attackers spent months quietly harvesting credentials before unleashing a ransomware strain dubbed "DragonForce," causing massive operational disruptions. Marks & Spencer alone estimated losses of over £300 million (~$400 million).


The attacks quickly spread across the Atlantic in May 2025, impacting U.S. retailers such as Victoria's Secret and Adidas. These breaches again relied heavily on socially engineering third-party vendors and customer support teams, highlighting Scattered Spider’s persistence and flexibility.


Recent Shift: Targeting the Insurance Sector (June 2025)


Most recently, Scattered Spider pivoted to the U.S. insurance industry. Within days, Aflac, Philadelphia Insurance Companies (PHLY), and Erie Insurance all reported breaches. Aflac disclosed that attackers accessed sensitive customer data, including Social Security numbers and claims information. While ransomware was not used in these cases, the operational disruptions were substantial, forcing temporary shutdowns of key IT systems and sparking significant concerns around customer data protection.


Google’s Threat Intelligence Group explicitly warned the insurance sector mid-June about Scattered Spider’s likely involvement, signaling their increased awareness and monitoring of the group’s activities.


Other Alleged Targets (Unconfirmed)


While not confirmed, other alleged targets include: Visa, Marks & Spencer, PNC Financial Services Group Inc., Transamerica, New York Life Insurance Co., Synchrony Financial, Truist Bank, and Twilio.


Timeline



Inside the Spider's Web: Their Playbook


Scattered Spider's attacks are methodically simple yet devastatingly effective. Their standard operating procedure involves several consistent steps:


  1. Detailed Reconnaissance: Gathering employee details from LinkedIn, leaked HR documents, and publicly available breach data to build convincing personas.

  2. Help Desk Exploitation (Vishing): Calling help desk teams pretending to be legitimate employees in distress, coaxing support staff into resetting passwords or overriding MFA protections.

  3. Bypassing MFA Controls: Utilizing techniques like "MFA fatigue," repeatedly prompting users until they accept an MFA notification out of confusion or exhaustion, or simply tricking them into providing MFA tokens directly.

  4. Living-Off-the-Land Tactics: Once inside, they leverage legitimate administrative tools, such as PowerShell, RDP, and Cobalt Strike, minimizing detection by avoiding the deployment of custom malware.

  5. Double Extortion Strategy: If initial data theft isn't lucrative enough, they escalate to ransomware deployments, encrypting systems and extorting victims twice—once for stolen data and again for system recovery keys.


Law Enforcement Response: Arrests and Setbacks for Scattered Spider


Despite the group's boldness, law enforcement has not been idle. Notable arrests and indictments have significantly disrupted their operations:


  • January 2024: Noah Michael Urban, also known as "Sosa," was arrested for cryptocurrency theft via SIM-swapping schemes, highlighting Scattered Spider’s diverse range of criminal activities.

  • June 2024: Tyler Buchanan ("TylerB"), a suspected group leader, was apprehended in Spain with over $27 million worth of stolen Bitcoin, marking a critical law enforcement victory.


  • July 2024: A 17-year-old suspect connected to the MGM attacks was arrested in the UK, underscoring the youthful profile of many involved and pointing to the broader hacker community from which Scattered Spider draws its talent.

  • November 2024: The U.S. Department of Justice indicted Buchanan, Urban, and three others for phishing attacks impacting dozens of companies and causing millions in losses. This indictment revealed Scattered Spider’s extensive U.S. network and operational structure.


Yet despite these disruptions, new actors regularly emerge, reinforcing that Scattered Spider operates more like a decentralized collective rather than a traditional cybercrime syndicate.


Key Lessons for Enterprises: Defending Against Social Engineering


The persistent threat posed by Scattered Spider underscores the critical need for organizations to strengthen their defenses against social engineering. Here are essential steps organizations can adopt immediately:

  • Enhance Verification Procedures: Implement mandatory call-backs or managerial approval for sensitive actions, such as MFA resets or password changes.

  • Upgrade to Phishing-Resistant MFA: Adopt hardware-based MFA solutions, such as FIDO2 security keys, to significantly reduce the risk of token theft.

  • Monitor MFA Fatigue Attacks: Set up alerts for repeated MFA push notifications, an effective early warning indicator of active social engineering attacks.

  • Secure Third-Party Access: Evaluate and tightly restrict access provided to external vendors and partners, applying the principle of least privilege rigorously.

  • Incident Response Drills: Conduct regular exercises simulating scenarios where attackers have already gained privileged access, preparing response teams for worst-case scenarios.

  • Realistic Vishing Simulations: Assess how IT help desks respond to these types of attacks by emulating the same social engineering methods used by Scattered Spider. Go beyond traditional email phishing simulations to include realistic voice-based attack scenarios, increasing employee preparedness and vigilance.
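The "Monitor MFA Fatigue Attacks" step above can be turned into a concrete detection. The following is an added example, not code from the original post or from Mirage: it runs a sliding-window check over constructed push-MFA log lines (a simplified `timestamp user result` format is assumed; real IdP exports need their own field mapping) and raises one alert when a user accumulates repeated denied or unanswered pushes, and a second, higher-severity alert when an approval follows such a burst, which is the outcome a fatigue attack is engineered to produce.

```python
# Added example (not from the original post): detect MFA push-fatigue patterns
# in constructed authentication log lines. The "ts user result" format is an
# assumption; map real IdP fields (Okta, Entra ID, Duo) to it before use.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, username, push outcome.
SAMPLE_LOGS = """\
2025-06-10T09:00:05 alice.smith push_denied
2025-06-10T09:00:41 alice.smith push_timeout
2025-06-10T09:01:12 alice.smith push_denied
2025-06-10T09:01:50 alice.smith push_denied
2025-06-10T09:02:30 alice.smith push_approved
2025-06-10T09:05:00 bob.jones push_approved
2025-06-10T11:00:00 carol.w push_denied
2025-06-10T11:20:00 carol.w push_denied
"""

def parse_line(line):
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user, result

def detect_mfa_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (user, alert_kind, timestamp) tuples.

    'mfa_push_fatigue' fires when a user reaches `threshold` denied or timed-out
    pushes inside `window`; 'approval_after_fatigue' fires when an approval
    follows such a burst and should trigger an immediate session review."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, result = parse_line(line)
            events[user].append((ts, result))
    alerts = []
    for user, evs in events.items():
        evs.sort()
        failures = []  # timestamps of denied/timeout pushes still inside the window
        for ts, result in evs:
            if result in ("push_denied", "push_timeout"):
                failures.append(ts)
                failures = [t for t in failures if ts - t <= window]
                if len(failures) == threshold:  # alert once per burst, not per push
                    alerts.append((user, "mfa_push_fatigue", ts))
            elif result == "push_approved" and len(failures) >= threshold:
                alerts.append((user, "approval_after_fatigue", ts))
                failures = []  # burst resolved; start a fresh window
    return alerts

if __name__ == "__main__":
    for user, kind, ts in detect_mfa_fatigue(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {user}: {kind}")
```

On the sample data only alice.smith is flagged: carol.w's two denials are twenty minutes apart and fall outside the five-minute window, which is the kind of benign noise the window is meant to suppress.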

The Human Factor is the Front Line


Scattered Spider’s extensive campaign over the last two years vividly illustrates how exploiting human trust remains one of the most potent cybersecurity threats facing enterprises. Although arrests have hindered their momentum, the techniques pioneered by Scattered Spider have set a new standard in social engineering threats, ensuring they will remain relevant and dangerous.


Companies must now focus intensively on reinforcing the human element, providing comprehensive, realistic training, securing identity and access management, and preparing for rapid response. Social engineering is unlikely to disappear anytime soon; rather, it's likely to grow even more sophisticated. The best-prepared organizations will be those that embed security vigilance into their culture, keeping Scattered Spider and groups like them firmly at bay.

Try Mirage

Learn how to protect your organization from AI-driven social engineering.

Ready to see Mirage in action?

Concerned about social engineering? Get a free AI simulation and speak directly with our founders.

© Copyright 2024, All Rights Reserved by ROSNIK Inc.
