Arrests of Scattered Spider Hackers Lead to Temporary Decline in Attacks, but Copycat Threats Persist

Recent arrests of individuals associated with the notorious hacking group Scattered Spider have led to a noticeable decrease in their activities. However, cybersecurity experts caution that this lull may be temporary, as other threat actors continue to employ similar tactics, maintaining pressure on organizational security defenses.

Google Cloud’s Mandiant Consulting has observed a significant drop in intrusions directly linked to Scattered Spider, which it tracks as UNC3944, following the apprehension of several alleged members in the United Kingdom. Charles Carmakal, Chief Technology Officer at Mandiant Consulting, emphasized the importance of using this period to strengthen security measures: "This presents a critical window of opportunity that organizations must capitalize on to thoroughly study the tactics UNC3944 wielded so effectively, assess their systems, and reinforce their security posture accordingly."

Despite the current decline in Scattered Spider’s activities, Carmakal warned against complacency, noting that other cybercriminal groups, such as the one Mandiant tracks as UNC6040, are adopting the same social engineering techniques to infiltrate target networks. "While one group may be temporarily dormant, others won’t relent," Carmakal added.

Background on Scattered Spider

Scattered Spider (UNC3944) is a hacking group composed primarily of teenagers and young adults believed to be based in the United States and the United Kingdom. It has gained notoriety for high-profile intrusions and data-extortion schemes against major corporations.

The group’s modus operandi is built on social engineering: phishing, MFA push bombing (flooding a user with authentication prompts until one is approved out of fatigue), and SIM swapping to intercept SMS one-time codes, all used to obtain credentials, bypass multi-factor authentication (MFA), and then install remote access tools on the compromised environment. Members also impersonate employees when contacting IT and help desk staff, talking them into disclosing sensitive information or resetting passwords, which yields legitimate-looking access to corporate networks.
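
The two identity-layer signals a defender can hunt for from the tactics above are an approval that follows a burst of rejected or ignored push prompts, and a help-desk-initiated password reset followed shortly by a new MFA factor. The following is an added example, not code from the article, Mandiant or any identity vendor: the event schema (the field names `ts`, `user`, `event`, `actor` and the event-type strings) is a constructed, generic IdP-style audit log, and the sample events are invented.

```python
"""
Detection logic for two Scattered Spider-style identity attacks:
MFA push bombing and help-desk password resets followed by new MFA enrollment.
Added example, not from the article, Mandiant or any vendor. The event schema
(fields "ts", "user", "event", "actor" and the event-type strings) is a
constructed, generic IdP-style audit log, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit events (not real data), UTC timestamps.
SAMPLE_EVENTS = [
    # j.doe: four pushes rejected/ignored, then one approved -> push bombing
    {"ts": "2025-07-01T09:00:05Z", "user": "j.doe", "event": "mfa.push.denied", "actor": "j.doe"},
    {"ts": "2025-07-01T09:00:40Z", "user": "j.doe", "event": "mfa.push.expired", "actor": "j.doe"},
    {"ts": "2025-07-01T09:01:20Z", "user": "j.doe", "event": "mfa.push.denied", "actor": "j.doe"},
    {"ts": "2025-07-01T09:02:00Z", "user": "j.doe", "event": "mfa.push.denied", "actor": "j.doe"},
    {"ts": "2025-07-01T09:02:30Z", "user": "j.doe", "event": "mfa.push.approved", "actor": "j.doe"},
    # a.smith: a single mis-tap then approval is normal, not an alert
    {"ts": "2025-07-01T09:30:00Z", "user": "a.smith", "event": "mfa.push.denied", "actor": "a.smith"},
    {"ts": "2025-07-01T09:30:20Z", "user": "a.smith", "event": "mfa.push.approved", "actor": "a.smith"},
    # k.lee: help desk resets password, a new MFA factor appears 12 minutes later
    {"ts": "2025-07-01T10:00:00Z", "user": "k.lee", "event": "user.password.reset", "actor": "helpdesk.ops"},
    {"ts": "2025-07-01T10:12:00Z", "user": "k.lee", "event": "mfa.factor.enrolled", "actor": "k.lee"},
    # m.ng: self-service reset followed by enrollment is not the help-desk pattern
    {"ts": "2025-07-01T11:00:00Z", "user": "m.ng", "event": "user.password.reset", "actor": "m.ng"},
    {"ts": "2025-07-01T11:05:00Z", "user": "m.ng", "event": "mfa.factor.enrolled", "actor": "m.ng"},
    # r.tan: help-desk reset, but enrollment two hours later falls outside the window
    {"ts": "2025-07-01T12:00:00Z", "user": "r.tan", "event": "user.password.reset", "actor": "helpdesk.ops"},
    {"ts": "2025-07-01T14:00:00Z", "user": "r.tan", "event": "mfa.factor.enrolled", "actor": "r.tan"},
]

FAILED_PUSH = {"mfa.push.denied", "mfa.push.expired"}


def _parse(events):
    """Return events with parsed UTC datetimes, in chronological order."""
    parsed = []
    for e in events:
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        parsed.append({**e, "ts": ts})
    return sorted(parsed, key=lambda e: e["ts"])


def detect_push_bombing(events, window=timedelta(minutes=10), min_failed=3):
    """Alert when a user approves a push after >= min_failed failed pushes inside `window`.
    A single denial before approval is a normal mis-tap and stays under the threshold."""
    by_user = defaultdict(list)
    for e in _parse(events):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        failed = []  # timestamps of recent denied/expired pushes for this user
        for e in evs:
            if e["event"] in FAILED_PUSH:
                failed.append(e["ts"])
            elif e["event"] == "mfa.push.approved":
                recent = [t for t in failed if e["ts"] - t <= window]
                if len(recent) >= min_failed:
                    alerts.append({"rule": "mfa_push_bombing", "user": user,
                                   "failed_before_approve": len(recent),
                                   "ts": e["ts"].isoformat()})
                failed = []  # an approval ends the sequence either way
    return alerts


def detect_helpdesk_reset_then_enroll(events, window=timedelta(hours=1)):
    """Alert when a password reset performed by someone other than the account owner
    (e.g. a help-desk operator) is followed by a new MFA factor within `window`."""
    last_third_party_reset = {}
    alerts = []
    for e in _parse(events):
        if e["event"] == "user.password.reset" and e["actor"] != e["user"]:
            last_third_party_reset[e["user"]] = e
        elif e["event"] == "mfa.factor.enrolled":
            reset = last_third_party_reset.get(e["user"])
            if reset is not None and e["ts"] - reset["ts"] <= window:
                alerts.append({"rule": "helpdesk_reset_then_mfa_enroll", "user": e["user"],
                               "reset_by": reset["actor"],
                               "minutes_between": (e["ts"] - reset["ts"]).total_seconds() / 60,
                               "ts": e["ts"].isoformat()})
    return alerts


def run(events=SAMPLE_EVENTS):
    """Run both detections and return the combined alert list."""
    return detect_push_bombing(events) + detect_helpdesk_reset_then_enroll(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data only `j.doe` (four failed pushes before the approval) and `k.lee` (help-desk reset, enrollment 12 minutes later) produce alerts; the thresholds and windows are starting points to tune against a real IdP's volume, and the help-desk rule is only as good as the audit log's distinction between self-service and operator-initiated resets.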

Notable Incidents Involving Scattered Spider

In July 2025, the UK’s National Crime Agency (NCA) arrested four individuals (two men aged 19, a 17-year-old male, and a 20-year-old woman) in connection with the April 2025 cyberattacks on the British retailers Marks and Spencer (M&S), Co-op, and Harrods. Those attacks caused significant disruption and potential financial losses running to hundreds of millions of pounds. The suspects are believed to be linked to Scattered Spider, whose playbook targets corporate IT help desks and extorts victims with stolen data. M&S Chairman Archie Norman described the impact as "traumatic" and revealed that the company had sought assistance from the U.S. Federal Bureau of Investigation (FBI) to address the breach.

In a pair of incidents disclosed in September 2023, Scattered Spider was implicated in the hacking and extortion of Caesars Entertainment and MGM Resorts International, two of the largest casino and gambling companies in the United States. The group gained access to the companies’ internal systems through social engineering, obtaining login credentials and one-time passwords from staff and thereby defeating MFA without touching the underlying technology. Caesars Entertainment reportedly paid a ransom of about $15 million to prevent the release of sensitive customer data.

Scattered Spider has also been linked to the 2024 Snowflake customer data breaches, a campaign that Mandiant tracks separately as UNC5537. The attackers needed no exploit: they logged in to Snowflake customer instances directly with usernames and passwords harvested by infostealer malware, some of them years old, because the affected accounts had no MFA enforced and no network allow-list restricting where logins could originate. Mandiant estimated that roughly 165 customer environments were potentially exposed.
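
The check that follows from this incident is to find which accounts on a SaaS platform are still reachable with nothing but a password, and from where those logins are arriving. The block below is an added example, not code from the article, Mandiant or Snowflake: the CSV columns (`ts`, `user`, `success`, `second_factor`, `client_ip`, `client`) are an assumed layout modeled loosely on a per-login history export, not any vendor’s real schema, and the sample rows are constructed.

```python
"""
Audit a SaaS login-history export for successful logins that presented only a
password, the access path used in the Snowflake campaign. Added example, not
code from the article, Mandiant or Snowflake; the CSV columns are an assumed
layout (not any vendor's real schema) and the rows are constructed sample data.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export (not real data). IPs come from RFC 5737 test ranges.
SAMPLE_LOGIN_HISTORY = """\
ts,user,success,second_factor,client_ip,client
2025-05-01T08:00:00Z,analyst1,true,DUO_PUSH,203.0.113.10,WEB_UI
2025-05-01T08:05:00Z,etl_svc,true,,198.51.100.7,PYTHON_DRIVER
2025-05-02T02:11:00Z,analyst2,true,,192.0.2.55,PYTHON_DRIVER
2025-05-02T02:12:00Z,analyst2,true,,192.0.2.55,PYTHON_DRIVER
2025-05-02T02:40:00Z,analyst2,false,,192.0.2.56,PYTHON_DRIVER
2025-05-03T09:00:00Z,analyst1,true,DUO_PUSH,203.0.113.10,WEB_UI
"""


def single_factor_logins(csv_text, corp_ranges=(), allowlist=frozenset()):
    """Return {user: summary} for every user with at least one successful login that
    carried no second factor.

    Failed logins are ignored (they say nothing about MFA enforcement). Users in
    `allowlist` (e.g. service accounts slated for key-pair auth) are skipped. When
    `corp_ranges` is given, password-only logins from outside those CIDRs are listed
    separately: stolen credentials are usually replayed from attacker infrastructure,
    not from corporate or VPN address space.
    """
    nets = [ipaddress.ip_network(r) for r in corp_ranges]
    report = defaultdict(lambda: {"count": 0, "ips": set(), "clients": set(),
                                  "outside_corp_ips": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["success"].lower() != "true":
            continue  # failed attempt, not evidence of a password-only session
        if row["second_factor"] or row["user"] in allowlist:
            continue  # MFA was presented, or the account is deliberately excluded
        entry = report[row["user"]]
        entry["count"] += 1
        entry["ips"].add(row["client_ip"])
        entry["clients"].add(row["client"])
        addr = ipaddress.ip_address(row["client_ip"])
        if nets and not any(addr in n for n in nets):
            entry["outside_corp_ips"].add(row["client_ip"])
    # Sets become sorted lists so the result is deterministic and easy to diff.
    return {
        user: {"count": v["count"], "ips": sorted(v["ips"]),
               "clients": sorted(v["clients"]),
               "outside_corp_ips": sorted(v["outside_corp_ips"])}
        for user, v in report.items()
    }


if __name__ == "__main__":
    findings = single_factor_logins(
        SAMPLE_LOGIN_HISTORY,
        corp_ranges=["203.0.113.0/24", "198.51.100.0/24"],
        allowlist={"etl_svc"},
    )
    for user, info in findings.items():
        print(user, info)
```

On the sample rows the report names `analyst2`: two successful password-only logins through a driver client from an address outside the corporate ranges, which is exactly the profile of an infostealer credential being replayed. `etl_svc` is suppressed only because it was allow-listed; a service account that still authenticates with a password belongs on the remediation list too, not permanently on the allow-list.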

Ongoing Threats and Recommendations

Despite the recent arrests and the temporary decline in Scattered Spider’s activity, the threat landscape remains dynamic: other cybercriminal groups continue to run the same playbook. In July 2025 the U.S. government, together with Canada, Australia and the United Kingdom, released an updated joint advisory on Scattered Spider’s tradecraft, emphasizing the need for continued vigilance.

The advisory documents the group’s deployment of several ransomware families, most recently DragonForce, alongside its reliance on social engineering for initial access. It also lists the commodity malware the group has used to maintain remote access and harvest credentials and data: Ave Maria (also known as Warzone RAT), Raccoon Stealer, Vidar Stealer, and Ratty RAT.

Organizations are urged to use the current lull to study the tactics employed by groups like Scattered Spider, assess their systems for weaknesses, and reinforce their security posture accordingly. In practice that means phishing-resistant MFA (FIDO2 security keys or passkeys) rather than push or SMS factors that can be bombed or SIM-swapped, strict identity verification before help desk staff reset a password or MFA device, training employees to recognize social engineering, and keeping security controls current.