Starting in May 2025, the criminal group known as “Scattered Spider” re-emerged through a series of high-profile operations.

The flurry of disruptive activity targeting multiple sectors in quick succession brought the entity believed responsible, Scattered Spider, into the spotlight of a quickly evolving crime ecosystem. Yet Scattered Spider is hardly new to this arena: it is an accomplished, if somewhat amorphous, threat actor with several high-profile intrusions to its name.

Organizations that use real-time threat detection to study Scattered Spider’s tactics and operational patterns, and to keep up with them as they change, can begin to build a proactive defense strategy.

Who is Scattered Spider?

Scattered Spider is a cybercriminal entity active since at least 2022. Notable both for its origins (individuals residing in the U.S. and UK) and for its expertise in various forms of social engineering, the group has been associated with multiple high-profile, high-impact events since its inception. Initially thought to be a loose collective drawn from a larger criminal community known as “the Com,” more recent evaluation identifies a core group of individuals likely guiding Scattered Spider activity.

Scattered Spider operations originally targeted end users: operators impersonated help desk or similar support personnel to extract credentials, or talked employees into running remote access tools that gave the group a foothold. These early tactics have since evolved into targeting the help desks themselves, and managed service providers, as a route into victim organizations. A constant across Scattered Spider operations is the registration of domains that spoof authentication portals and similar infrastructure. These domains are then used in social engineering campaigns to capture credentials and multifactor authentication tokens.

Scattered Spider is focused on financial gain, but has pursued it through multiple mechanisms. Starting out as a data theft and extortion operation, the group shifted to ransomware deployment over time and has been associated with several ransomware-as-a-service (RaaS) entities, including BlackCat, DragonForce, and Qilin.

New Targets, Same Tactics

Scattered Spider is known for multiple high-profile incidents, including operations affecting Las Vegas casinos, prominent UK retailers, and aviation companies. The group may also have been involved in the large-scale attacks on customer instances of the Snowflake cloud data platform.

While the group appears to shift the industries and verticals it targets over time, there is no evidence of an overriding strategy guiding those choices; targeting instead appears to be partly arbitrary and partly opportunistic. Individuals associated with Scattered Spider have also been arrested several times following high-profile incidents, yet the group’s distributed and shifting nature has meant that operations continue despite these periodic disruptions.

Scattered Spider operations have re-emerged as one of the leading threats to enterprises following the UK retailer intrusions and the subsequent targeting of insurance and aviation entities. As throughout the group’s history, methodology has shifted while core objectives remain largely unchanged. Social engineering remains the hallmark of Scattered Spider operations, with the goal of subverting trust relationships within or between organizations to gain access to victim networks. Identifying these shifts as they emerge is necessary, because Scattered Spider has shown significant flexibility in adapting to public disclosure and to other mechanisms designed to defeat its efforts.

Moving Beyond Reactive Defense

Core security best practices, such as the implementation of robust multi-factor authentication (MFA), remain paramount for defeating a wide range of potential adversaries. The same applies to Scattered Spider, which relies on stolen credentials and authentication material both for initial access and for lateral movement inside victim environments. Unfortunately, the group has developed effective mechanisms to subvert MFA through social engineering, for example by persuading a help desk to reset a factor or by capturing one-time codes on spoofed portals. Additional care and user awareness are thus required to defeat the tactics deployed by Scattered Spider and similarly operating entities such as Atlas Lion.

In addition to hardening services and extending best practices to users, awareness and monitoring enter the equation. For example, continuous monitoring for domain spoofing, covering both lookalike root domains and brand names placed in subdomains of unrelated hosts, such as that provided by Dataminr Pulse for Cyber Risk, remains a key awareness item for identifying emerging infrastructure used to facilitate credential and token theft.

As other researchers have documented, Scattered Spider and similar entities spoof logon and authentication portals for credential capture, often with characteristics that recur across campaigns. Visibility into this activity lets organizations either block suspicious infrastructure preemptively or recognize active targeting of the organization and mount a defensive response.
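The monitoring described in the two paragraphs above (lookalike root domains, brand names tucked into subdomains, and portal-style keywords that recur across campaigns) can be prototyped as a small triage script. The Python below is an added example, not Dataminr code and not a description of how Pulse for Cyber Risk works. The brand `examplecorp`, its allowlist, the keyword list, the scoring weights and the feed records are all constructed assumptions for illustration; a real deployment would feed it newly registered or newly observed domains and use the Public Suffix List rather than the two-label root approximation used here.

```python
"""Triage newly observed domains for lookalikes of a brand's authentication
or help-desk portals. Added example, not Dataminr code; the brand, allowlist,
keyword list, weights and feed lines below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical defended brand and its legitimate registered domain(s).
BRAND = "examplecorp"
LEGIT_ROOTS = frozenset({"examplecorp.com"})

# Tokens that tend to sit next to a brand name in spoofed logon / help-desk
# portal domains. Assumed list for this example; tune it to your environment.
AUTH_KEYWORDS = ("sso", "okta", "login", "signin", "auth", "mfa", "vpn",
                 "helpdesk", "servicedesk", "support", "portal", "password")


@dataclass
class Finding:
    domain: str
    reason: str
    score: int


def split_domain(domain: str) -> tuple[str, list[str], list[str]]:
    """Return (registrable root, root labels, subdomain labels).

    The root is approximated as the last two labels; a production tool
    should consult the Public Suffix List so that e.g. 'co.uk' is handled."""
    labels = domain.lower().strip(".").split(".")
    root_labels = labels[-2:]
    return ".".join(root_labels), root_labels, labels[:-2]


def brand_variants(brand: str) -> set[str]:
    """One-edit typosquats of the brand: single deletions and adjacent swaps."""
    variants = set()
    for i in range(len(brand)):
        variants.add(brand[:i] + brand[i + 1:])
    for i in range(len(brand) - 1):
        variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    variants.discard(brand)
    return variants


def score_domain(domain: str, brand: str = BRAND,
                 legit_roots: frozenset[str] = LEGIT_ROOTS) -> Finding | None:
    """Score one domain; return a Finding if it looks like a spoofed portal."""
    root, root_labels, sub_labels = split_domain(domain)
    if root in legit_roots:
        return None  # the brand's own infrastructure, including its subdomains
    score, reasons = 0, []
    if any(brand in lbl for lbl in root_labels):
        score += 3
        reasons.append("brand in registered domain")
    elif any(brand in lbl for lbl in sub_labels):
        # e.g. examplecorp-login.<hosting-provider>: brand spoofed in a subdomain
        score += 3
        reasons.append("brand in subdomain of unrelated root")
    elif any(v in lbl for v in brand_variants(brand)
             for lbl in root_labels + sub_labels):
        score += 2
        reasons.append("typosquat of brand")
    # Keyword substring match is weak evidence on its own (+2), so a
    # keyword-only hit such as login-portal.net stays below the threshold.
    if any(k in lbl for k in AUTH_KEYWORDS for lbl in root_labels + sub_labels):
        score += 2
        reasons.append("auth/help-desk keyword")
    if score >= 3:
        return Finding(domain, "; ".join(reasons), score)
    return None


# Constructed sample of a newly-registered / newly-observed domain feed,
# one `timestamp,domain` record per line. Not real registrations.
SAMPLE_FEED = """\
2025-07-01T09:12:00Z,examplecorp-sso.com
2025-07-01T09:15:00Z,examplecorp.com
2025-07-01T09:20:00Z,sso.examplecorp.com
2025-07-01T10:02:00Z,okta-examplecorp.net
2025-07-01T10:30:00Z,examplcorp-helpdesk.com
2025-07-01T11:00:00Z,examplecorp-login.cheaphost.net
2025-07-01T11:05:00Z,unrelated-bakery.com
2025-07-01T11:10:00Z,login-portal.net
"""


def scan_feed(feed: str, brand: str = BRAND) -> list[Finding]:
    """Run score_domain over every record in the feed and return the hits."""
    findings = []
    for line in feed.splitlines():
        if not line.strip() or "," not in line:
            continue
        _ts, domain = line.split(",", 1)
        finding = score_domain(domain.strip(), brand)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_feed(SAMPLE_FEED):
        print(f"[{f.score}] {f.domain}: {f.reason}")
```

Run against the constructed feed, the script flags the four portal-style lookalikes (`examplecorp-sso.com`, `okta-examplecorp.net`, the typosquat `examplcorp-helpdesk.com`, and `examplecorp-login.cheaphost.net`, where the brand lives only in a subdomain of a third-party host) while leaving the brand’s own `sso.examplecorp.com` and the keyword-only `login-portal.net` alone. The weights are deliberately simple; the point is that brand presence and a portal keyword together are a much stronger signal than either on its own, and that subdomains of unrelated roots need checking as well as newly registered roots.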

Aligned with Scattered Spider’s infrastructure tendencies (and their variations) is the group’s shift in social engineering targets: from end users, to help desks, to service providers across successive campaigns. Identifying who is being targeted allows for targeted guidance and support to warn potential victims of activity of concern as it emerges. Real-time analysis and alerting is needed to keep pace with dynamic, evolving threat actors, as multiple Scattered Spider campaigns have shown.

Finally, while Scattered Spider targeting does not appear especially focused or purposeful, the group does operate in “themes” of industries and geographies rather than targeting completely at random. Identifying and alerting on these shifts allows organizations in the targeted sectors to direct resources quickly toward finding ongoing or imminent intrusions before the adversary reaches its actions on objectives in the victim environment.

Turning Awareness Into Action

Scattered Spider operations remain concerning due to the group’s amorphous nature and its demonstrated skill at breaching organizations. Its tradecraft is built to subvert key trust and working relationships in order to gain unauthorized access that leads to data loss or operational disruption. Although the group aims at some of the weakest areas of security controls, organizations are not without options in dealing with it and with entities like it.

Maintaining situational awareness of threat actor operations, understanding how those actors work, and translating that understanding into preventative controls and policies can allow organizations to get ahead of such threats. Effective, near real-time threat intelligence and support enable defenders and decision makers to take the steps necessary now to mitigate emerging threats that put the organization at risk. Only through this kind of domain and entity awareness, translated into action, can organizations hope to deter or defeat adversaries, whether Scattered Spider or others.

Author
Joe Slowik, Director, Cybersecurity Alerting Strategy
July 25, 2025
  • Real-time information
  • Cybersecurity
  • Cyber Risk
  • Blog
