VYPR
researchPublished Jul 8, 2026· 1 source

Scattered Spider: The Anarchic Collective Defying Easy Cybercrime Categorization

A new report highlights the challenges in understanding and combating the decentralized, adolescent-driven cybercrime collective known as Scattered Spider.

The amorphous hacking group known as Scattered Spider presents a unique challenge to cybersecurity professionals due to its unstructured and undirected nature. Unlike traditional organized cybercrime entities, Scattered Spider operates more as a decentralized collective of shifting actors rather than a group with a clear hierarchy or division of responsibilities. This "anarchic" operational model makes it difficult to categorize, track, and ultimately combat their activities.

A report from cybersecurity firm Group-IB emphasizes that Scattered Spider cannot be analyzed as a single, organized group. Instead, it is a "decentralized cybercrime collective" comprising multiple subclusters. These subclusters share common tactics, techniques, and procedures (TTPs), tools, and sometimes even online forums or chat spaces, but they act independently. Despite this fragmented structure, Scattered Spider has been responsible for significant damages, reportedly in the hundreds of millions, and has seen some members identified and arrested.

Notable "greatest hits" attributed to Scattered Spider include a data exfiltration attack on Riot Games in January 2023, significant hacks against Caesars Palace and MGM Resorts in 2023, and attacks on British retailers like Marks & Spencer in mid-2025. They have also been known to collaborate with ransomware-as-a-service groups such as DragonForce. However, Group-IB notes that not all incidents can be traced back to the same subcluster, even when TTPs appear to overlap, suggesting that shared characteristics stem from learning from common resources or online communities rather than direct affiliation.

The moniker "Scattered Spider" was coined by CrowdStrike in 2022. Other cybersecurity firms track the group under various aliases, including Roasted 0ktapus, Octo Tempest, Storm-0875, and UNC3944. The group is particularly known for its proficiency in smishing and vishing, employing social engineering tactics to impersonate IT personnel. These attacks often direct victims to credential harvesting sites or trick them into running commercial remote monitoring and management tools.

Understanding Scattered Spider is further complicated by its origins within "The Com," a predominantly English-speaking cybercriminal ecosystem known for its voice phishing attacks. Cybersecurity firm Resecurity describes this loosely organized network as a "cybercrime youth movement," primarily composed of teenagers and young adults. The FBI has categorized "The Com" into various subgroups, including "Hacker Com," "In Real Life or IRL Com" (which facilitates real-world violence stemming from online conflicts), and "Extortion or Extort Com" (focused on exploiting minors, often through threats of doxing, swatting, and real-world violence).

When Scattered Spider targets corporations, their "anarchic adolescent energy" often appears to be a dominant factor in attack execution, especially in data theft and extortion schemes. Unlike older, more established Russian ransomware groups that build a "brand name" and consistent behavior for victim trust, these younger actors may operate with less predictable motives. This was exemplified by the "Scattered Lapsus$ Hunters" entity, which claimed participants from Scattered Spider provided initial access to victims for ShinyHunters to pursue data theft and extortion.

Despite the challenges in attribution and categorization, the collective's impact is undeniable. The decentralized nature, coupled with the youth of many actors and their reliance on social engineering, makes them a persistent and evolving threat. Cybersecurity professionals must adapt their strategies to account for this fluid, less structured adversary, focusing on understanding the shared resources and communities that bind these disparate actors together.

Synthesized by Vypr AI