Scattered Spider's Web
Almost a year ago, when I started this blog, I began with some tools to help me organize and understand the threats that are out there. ‘Trending’ malware, a news feed that collated the numerous reports from numerous sources in one place, the most active threat actors. I learned their names and behaviors from the perspective of pattern analysis more than detection, familiarizing myself with the volume of data in order to present my findings in a way that could educate people that are affected by these variables but may not be fully versed in them. ‘Taking the technical jargon and translating it for the layperson’ is my usual description of my job.
Scattered Spider was one of the first groups I became aware of. They’ve been described in such terms as ‘financially motivated hacker group’, ‘cybercriminal gang’, and other informal titles that link them together as a cohesive unit. And yet, with every intended takedown and disruption, they never stopped committing attacks, and they never seemed to get actually caught. Little was known about the individuals within the group, who they are, how they’re connected, what their overall goal is. All we’ve had is a list of attacks that can be attributed to them over the course of the last four years, some of which are high profile. And even those have been subject to some disagreement. Are they part of Lapsus? ShinyHunters? Do they work together only sometimes, or are they coincidental and entirely unrelated? I can remember at least one incident where those other threat actor groups denied involvement with something attributed to Scattered Spider, while there have been others where they all claim responsibility.
Based on evidence tracked and collected by Group-IB, Scattered Spider isn’t a group so much as a movement, according to their article detailing the work they’ve been doing. They liken the hackers to being more like Anonymous than a definitive group or gang. Loosely affiliated, operating out of subclusters and given different names from different security experts. What binds all the subclusters together is shared tactics, techniques, and procedures (TTPs), tools, and occasional common forums or chats. But otherwise, they work independently of each other.
The focus of the actors within Scattered Spider is mostly in communications. Early activity involved SIM swapping of stolen mobile phones back in 2022, which escalated into using those ‘burners’ to carry out phishing campaigns, often aimed at telecommunications companies with the purpose of data scraping. These weren’t endpoints, but rather intermediary stages for exploiting distribution tools for greater targets among those companies’ users. Another shared commonality is crypto fraud, a typical vector used in ransomware attacks. There is no evidence suggesting the group is going after traditional banking institutions for outright theft, which would require far more sophisticated intrusion techniques, but rather is profiling victims from among a bank’s clients with the intention of further social engineering attacks. They’ve also dipped their toes into extortion of insurance companies, the gaming industry, casinos, and even movie production and high end retailers. Phishing kits include impersonation of recognizable entities like Google, Microsoft, and Okta.
In short, it’s a little bit of everything. Which the name implies. Scattered.
Tracking them down has been challenging, but some common factors have emerged. They are native English users, determined by SingleFile artifacts found on their phishing sites, timezones, and rare instances of members disclosing their location. They use many of the same TTPs in terms of social engineering scripts and platforms from which they execute said phishing schemes. The overlap of Telegram chats suggests subclusters tend to be small, sometimes no more than five people. And given the nature of heavy reliance on cryptocurrency, a medium that generally attracts a certain demographic, I’d hazard a guess that members are young, early to mid 20’s at best.
The upshot here is that this loosely affiliated ‘group’ isn’t an organized conglomerate. Their threats are fairly low level in comparison to some of the higher profile data breaches I’ve covered, although that is always subject to change depending on their target. They don’t act in concert so much as spread chaos all over a variety of sectors. It appears that some subclusters don’t even know what others are doing and don’t communicate among themselves all that often.
What’s more relevant is understanding this shift into modular cells as a practice means that disruption and even arrests of members will not stop the whole system. Coordinated defensive campaigns like Operation Endgame won’t be effective here. You never find just one cobweb, after all. Take one down, another will pop up somewhere else. It’s frustrating to feel like a defender’s work is never done, but that’s cybersecurity in a nutshell, isn’t it? Research such as Group-IB’s helps, however, by giving us the knowledge and awareness of how threat actors work and interact. And that’s worth something.
Posted, 7/8/26
















