Get a quote

Scattered Spider and ‘The Com’:
What the 2025 Attacks Reveal about Modern Cyber Crime

10 July 2026

Aniket Pachchhapur

Blog

Cyber Security

Penetration Testing

Phishing

Ransomware

Security Testing

Few cyber criminal groups have attracted as much attention in recent years as Scattered Spider.

Since rising to prominence in 2023 following its attacks on MGM Resorts and Caesars Entertainment, it’s remained a high-profile threat despite the arrest of several alleged members.

In 2025, the group was associated with a series of attacks on organisations including Marks and Spencer, Harrods and the Co-op, costing those companies millions of pounds in losses.

These incidents highlight the reality of modern cyber crime: the RaaS (ransomware as a service) model and the fluid nature of cyber criminal groups such as Scattered Spider mean that law enforcement activity often does little to diminish the threat.

In this article, Aniket Pachchhapur examines the attacks associated with Scattered Spider in 2025, what they reveal about the evolving ransomware-as-a-service ecosystem and what you can do to protect your organisation from similar attacks.

Ransomware as a service: the threat in context

RaaS has fundamentally changed the economics of cyber crime.

Where launching a ransomware attack once required significant technical capability, the RaaS model allows criminal groups to operate like businesses: developers build and maintain the malware, while affiliates – who may have little technical expertise of their own – use it to carry out attacks.

The result is a scalable, franchise-like ecosystem in which the volume and sophistication of attacks bear little relationship to the technical capabilities of the people conducting them.

Scattered Spider: who they are and where they came from

Scattered Spider (also tracked as UNC3944, Octo Tempest and Muddled Libra) emerged from ‘The Com’, a loosely affiliated online community mainly composed of teenagers.

The group began with a relatively simple approach: use social engineering to target corporate help desks while impersonating employees or contractors, and persuade staff to reset passwords or register new MFA devices.

Over time, however, its technical capabilities grew more sophisticated.

According to CrowdStrike, Scattered Spider’s early operations relied on built-in Windows tools, including PowerShell, for AD (Active Directory) reconnaissance. It then exploited VMware vCenter to create unmanaged virtual machines and dump the AD database (ntds.dit), install legitimate protocol-tunnelling and proxy tools, and exfiltrate data to adversary-controlled S3 buckets.

It soon developed custom tooling – including malicious kernel drivers called STONESTOP and POORTRY to disable endpoint protection – and exploited vulnerabilities such as CVE-2015-2291, an Intel Ethernet driver vulnerability, to load malicious drivers at the kernel level and CVE-2021-35464, a Java deserialization vulnerability in versions of ForgeRock AM, to escalate privileges on Cloud instances.

It also adopted LotL (living-off-the-land) techniques, abusing built-in OS tools and remote management software to reduce its detection footprint, alongside AiTM (Attacker-in-the-Middle) phishing kits capable of intercepting session tokens in real time.

Security researchers have identified an overlap between Scattered Spider and two other groups that share roots in The Com: ShinyHunters and LAPSUS$ collectives. Google’s Threat Intelligence team has tracked related SaaS breaches under the UNC6040/6240 (ShinyHunters) and UNC3944 (Scattered Spider) designations, noting probably shared membership and tooling.

In practice, however, the groups tend to divide labour, with Scattered Spider conducting full network breaches and ShinyHunters focusing on large-platform data theft. They both operate within the same ecosystem and draw on the same ‘Com’ community.

Although the group’s early activity was largely US-centric, 2025 marked a significant geographical expansion, with British and European organisations becoming prominent targets.

The 2025 attacks: what happened?

Scattered Spider began 2025 with a focus on SaaS (software-as-a-service) platforms. In February, campaigns targeted Klaviyo and HubSpot, using phishing infrastructure hosted on lookalike domains – including klv1.it – to harvest credentials from corporate users.

In April came the a wave of social engineering attacks that brought the group to mainstream attention in the UK. Marks and Spencer, Harrods, and the Co-operative Group were all targeted using help-desk vishing (voice phishing) tactics.

May and June brought a concentrated series of attacks on retailers and insurers, including Cartier, North Face, Aflac, Erie Insurance and Philadelphia Insurance.

The group then shifted its focus to the aviation industry. In June, Hawaiian Airlines and Canada’s WestJet announced breaches and Qantas reported the breach of a third-party contact centre system. The FBI publicly warned in July 2025 that Scattered Spider was now targeting airlines with social engineering attacks.

Although it targeted a range of industries, its tactics remained consistent: whether focusing on the retail, insurance or aviation industries, Scattered Spider consistently used help-desk social engineering to penetrate its targets.

The cost: what these attacks did to businesses

The financial consequences of the UK retail attacks alone illustrate the scale of exposure that a successful social engineering campaign can create.

M&S reported that its statutory profit before tax for the first half of the year slumped 99% from £391.9 million to £3.4 million compared with the prior year, and it lost an estimated £324 million in online and store sales after its website was taken offline for weeks. The Co-op, meanwhile, estimated its losses at £80 million.

How Scattered Spider was hit by law enforcement takedowns

The law enforcement response to Scattered Spider has been substantial.

In the wake of the MGM and Caesars attacks in 2023, the FBI, UK NCA (National Crime Agency) and Spanish authorities worked together on an extensive intelligence sharing operation.

Progress came when investigators spotted the group’s own mistakes, such as using hardware linked to SIM-swapping and Telegram handles that were insufficiently anonymised.

In June 2024, Spanish police arrested Tyler Buchanan at Palma de Mallorca airport; he was later extradited to the US, where the DOJ (Department of Justice) unsealed indictments in November 2024 against five members aged 20 to 25, covering campaigns conducted from September 2021 to April 2023.

There was further action in 2025. In July, the UK NCA arrested four suspects linked to the April retail attacks. In August, Noah Urban became the first member to be convicted, receiving a 10-year sentence in the US for fraud and identity theft, with $13 million in restitution ordered.

In September, US authorities charged the UK national Thalha Jubair in connection with more than 120 attacks and $115 million in ransom demands, including intrusions into US critical infrastructure and federal courts. He faces up to 95 years.

UK police separately arrested Jubair and Owen Flowers in September, charging them with conspiring to commit unauthorised acts against Transport for London under the Computer Misuse Act. Both pleaded not guilty to computer hacking charges during a hearing at Southwark Crown Court in November 2025.

Alongside these individual prosecutions, authorities targeted the group’s infrastructure. In August 2025, the DOJ unsealed warrants authorising the forfeiture of over $2.8 million in cryptocurrency, $70,000 in cash and other assets connected to ransomware activity. In October, the FBI and the DOJ, in coordination with French cybercrime units, executed a major takedown of BreachForums, seizing both clearnet and dark web domains, and disrupting backend servers, escrow payment systems and database archives dating back to 2023 – effectively neutralising one of the most persistent leak sites on the internet.

These actions highlight a strategic shift by law enforcement towards targeting both the operational and financial lifelines of cyber criminal ecosystems. However, Scattered Spider is not a conventional criminal organisation with a fixed hierarchy that can be dismantled by removing its leadership – it’s a fluid, loosely affiliated network whose members communicate through shared online communities, collaborate opportunistically and can reconstitute around new individuals when others are arrested.

What to expect in 2026

The core techniques that have defined Scattered Spider’s campaigns are likely to persist and, in some areas, intensify. Mass smishing campaigns directing employees to fraudulent login portals will continue, with a continued focus on imitating corporate SSO (single sign-on) by bypassing MFA (multifactor authentication controls.

SIM-swapping will remain a preferred method for account compromise, especially against cryptocurrency and financial platforms, with attackers leveraging credentials sourced through phishing or dark web marketplaces, often in collaboration with initial access brokers.

Partnerships between groups such as Scattered Spider and RaaS operators such as  ALPHV/BlackCat signal continuing hybrid attacks combining phishing, privilege escalation and ransomware deployment. Multi-extortion tactics, in which data theft and encryption are combined with harassment of executives or customers to maximise pressure for payment, show no sign of diminishing

Three emerging vectors warrant particular attention.

First, AI-driven vishing – using synthetic voices to make impersonation calls more convincing – is an increasingly accessible capability that could significantly improve the success rate of help-desk attacks.

Second, insider recruitment – in which attackers offer financial incentives for credentials or MFA tokens – is a growing concern.

Third is the abuse of self-service password reset and account recovery processes. Where identity checks are weak or rely on easily obtained information, it becomes relatively straightforward to regain access without drawing attention. These gaps are easy to miss in day-to-day operations, but in practice they give attackers a reliable way to get back in, even after initial access has been removed.

What your organisation should do

The consistency of Scattered Spider’s approach means that effective preparation is possible. These attacks do not rely on zero-day exploits or novel malware – they rely on finding organisations that haven’t tested whether their controls actually work under realistic conditions.

Help-desk identity verification is the most immediate control to review. Organisations should establish and enforce robust identity-proofing protocols for any request involving a password reset or MFA device change – ideally using a second, out-of-band channel to confirm the requester’s identity rather than relying on information an attacker could easily obtain. Where IT service desk functions are outsourced, those protocols must extend to the third party beyond the means of their own validation and internal training

MFA configuration also warrants close attention. Push notification-based MFA is vulnerable to both push-bombing and AiTM interception. Account recovery and self-service password reset processes should be reviewed for identity-proofing weaknesses – these are frequently overlooked as attack vectors but have proven reliable entry points.

Active Directory and Cloud IAM (identity and access management) environments should be validated against adversarial tactics. Scattered Spider has repeatedly exploited weak identity configurations to move laterally across environments. Weak IAM policies within SaaS environments  are a particular risk.

Detection coverage for native OS tooling is also worth examining: living-off-the-land techniques are effective partly because built-in tools tend to attract less monitoring than third-party applications.

Finally, and most importantly: test the human layer. Social engineering simulations and red team exercises that replicate real-world techniques will surface vulnerabilities that technical controls can’t detect. A help-desk operator who has experienced a realistic vishing simulation is materially better prepared than one who has only read a policy document.

 

How GRC Solutions can help
GRC Solutions provides comprehensive, multi-layered testing services designed to validate your security controls in the Cloud, active directory environments and human workflows.

Contact us today to see how we can evaluate the resilience of your entire ecosystem, identifying critical visibility gaps in your infrastructure and behavioural vulnerabilities in your workforce before adversaries can exploit them.