category Threat Actor
published February 12, 2026
read_time 14 min
author NoHacky

Scattered Spider: Anatomy of the 2025 Attack Chain That Hit Three Industries in 90 Days

Scattered Spider, also tracked as UNC3944 and Octo Tempest, conducted a coordinated series of attacks across retail, insurance, and aviation sectors in 2025 using help-desk social engineering, identity abuse, and DragonForce ransomware.

Between April and July 2025, a loosely organized group of predominantly teenage hackers brought billion-dollar retailers to their knees, forced insurance companies offline, and disrupted airport check-in systems across three continents. The weapon of choice was not a sophisticated zero-day exploit. It was a phone call. This is the attack chain of Scattered Spider's most consequential campaign to date — and what defenders need to learn from it.

In the post-incident analysis of the Marks & Spencer breach, UK investigators classified the coordinated retail attacks as a “Category 2 systemic event” with an estimated financial impact between £270 million and £440 million. That figure covers just two companies. When you add in the insurance firms, airlines, and the cascading effects on their supply chains, the true cost of Scattered Spider’s 2025 campaign is incalculable.

What makes this campaign remarkable is not the technical sophistication of the tools involved. It is the systematic exploitation of human trust, third-party access, and the predictable weaknesses in how organizations verify identity over the phone.

Who Is Scattered Spider?

Scattered Spider — also tracked as UNC3944, Octo Tempest, 0ktapus, and Storm-0875 — is a financially motivated cybercrime collective whose members are primarily English-speaking teens and young adults based in the United States and United Kingdom. The group is affiliated with “The Com,” a broader online cybercriminal community that recruits heavily from gaming platforms like Roblox and Minecraft.

The group first gained notoriety in 2022 with a wave of SMS-based phishing attacks against technology companies including Twilio, Okta, Mailchimp, and Cloudflare. They escalated dramatically in September 2023, when a single ten-minute social engineering phone call gave them access to MGM Resorts’ internal systems, ultimately costing MGM over $100 million and earning Caesars Entertainment a $15 million ransom payment.

“There is a clear pattern that some of the most depraved threat actors first joined cybercrime gangs at an exceptionally young age.” — Allison Nixon, Chief Research Officer, Unit 221B

By 2025, the group had merged operations with the ShinyHunters collective and adopted Ransomware-as-a-Service platforms — first BlackCat/ALPHV, then DragonForce — lowering the technical barrier while amplifying the destructive potential of each compromise. Their playbook matured from simple SIM swapping into a repeatable, sector-by-sector campaign model: pick an industry, map the third-party vendor ecosystem, exploit the weakest human link, and move fast.

Aliases & Tracking Names

Security vendors and government agencies track this group under multiple names: Scattered Spider (CrowdStrike), UNC3944 (Mandiant/Google), Octo Tempest (Microsoft), Storm-0875 (Microsoft), Scatter Swine (Okta), Muddled Libra (Palo Alto Unit 42), and 0ktapus (Group-IB). In late 2025, the collective also operated under the banner Scattered LAPSUS$ Hunters after merging with elements of LAPSUS$ and ShinyHunters.


The 2025 Scattered Spider Attack Chain Timeline

Despite attacking across three different industries, Scattered Spider relied on a remarkably consistent attack chain throughout 2025. Understanding this chain is critical because it reveals that the same defensive gaps were exploited over and over — and that each phase of the attack had a window where defenders could have intervened.

Scattered Spider 2025 Attack Chain (Generalized)

Recon (LinkedIn / OSINT / infostealers) → Initial Access (help desk vishing) → MFA Bypass (password reset / fatigue) → Persistence (RMM tools / RATs) → Lateral Move (cloud & SaaS pivot) → Exfiltration (Mega / Snowflake) → Impact (DragonForce RaaS)

Step 1: Reconnaissance

The attack begins well before anyone picks up a phone. Scattered Spider members scrape LinkedIn for employee names, job titles, and reporting structures. They cross-reference this data with credentials obtained from infostealer malware logs and previous breaches. By the time they make their call, they already know the target’s name, department, manager, and often their employee ID.

Step 2: Initial Access via Help Desk Social Engineering

This is the group’s signature move. A native English speaker — often a teenager — calls the target organization’s IT help desk posing as a locked-out employee or contractor. Using insider jargon, a convincing story, and the employee details they’ve already gathered, they persuade help desk staff to reset a password or bypass MFA. In many cases, the call takes fewer than ten minutes.

When help desk calls don’t work, the group falls back to phishing campaigns using typosquatted domains that impersonate Okta, SSO portals, VPN gateways, and HR platforms. Analysis by ReliaQuest found that 81% of the 600+ domains registered by Scattered Spider between 2022 and 2025 impersonated technology vendors. These domains use keywords like okta, sso, vpn, helpdesk, and corp and are often active for just a few hours before being taken down by registrars.
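As an added example (not code from the briefing or from ReliaQuest's analysis), the following Python triage routine scores newly observed domains for the brand-plus-portal-keyword lookalike pattern described above, using the same keyword list. The brand token, the owned-domain allow list, and the sample feed are constructed for illustration; a real deployment would feed it from certificate-transparency or new-registration data.

```python
from dataclasses import dataclass, field

# Portal keywords the briefing reports in the group's lookalike domains.
LURE_KEYWORDS = ("okta", "sso", "vpn", "helpdesk", "corp")
# Constructed organisation profile (hypothetical): brand tokens and owned domains.
BRAND_TOKENS = ("acme",)
LEGIT_DOMAINS = {"acme.com", "okta.com"}
# Constructed sample of newly observed domains, e.g. from a certificate-transparency feed.
SAMPLE_FEED = ["acme.com", "acme.okta.com", "acme-sso.com", "okta-acme-vpn.net",
               "helpdesk-portal.example", "weather-today.org"]

@dataclass
class DomainVerdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

def triage_domain(domain, brand_tokens=BRAND_TOKENS, legit_domains=LEGIT_DOMAINS):
    """Score one domain for the brand + SSO/help-desk keyword impersonation pattern."""
    d = domain.lower().strip().rstrip(".")
    labels = d.split(".")
    registrable = ".".join(labels[-2:])   # naive: ignores ccSLDs such as co.uk
    v = DomainVerdict(d)
    if registrable in legit_domains:
        return v                          # our own or a trusted vendor's domain: never flag
    flat = d.replace("-", "").replace(".", "")
    kws = [k for k in LURE_KEYWORDS if k in flat]
    brands = [b for b in brand_tokens if b in flat]
    if kws:
        v.score += 2 * len(kws)
        v.reasons.append("portal keywords: " + ", ".join(kws))
    if brands:
        v.score += 3
        v.reasons.append("brand token: " + ", ".join(brands))
    if kws and brands:
        v.score += 3                      # the combination is the campaign's signature
        v.reasons.append("brand combined with portal keyword")
    if any("-" in label for label in labels[:-1]):
        v.score += 1                      # 'brand-sso' style joins are common in lures
        v.reasons.append("hyphenated label")
    return v

def triage_feed(domains, threshold=5, **kw):
    """Return verdicts at or above threshold, highest score first."""
    verdicts = (triage_domain(d, **kw) for d in domains)
    return sorted((v for v in verdicts if v.score >= threshold), key=lambda v: -v.score)
```

Running `triage_feed(SAMPLE_FEED)` flags only the two domains that pair the brand token with a portal keyword; the keyword-only and hyphen-only domains stay below the threshold for a human to review separately.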

Step 3: MFA Bypass

If help desk manipulation alone doesn’t clear the MFA hurdle, Scattered Spider deploys additional techniques: MFA fatigue attacks (also called push bombing), where the victim is flooded with authentication prompts until they approve one out of frustration; SIM swapping, where the attacker takes over the victim’s phone number to intercept SMS-based codes; and phishing frameworks like Evilginx, which operate as adversary-in-the-middle proxies to capture both credentials and session tokens in real time.

Step 4: Persistence and Lateral Movement

Once inside, the group moves fast — often completing their objectives within hours. They install legitimate remote monitoring and management (RMM) tools alongside custom malware like Spectre RAT and Warzone RAT. Living-off-the-land techniques using PowerShell, RDP, and native administrative tools help them blend in with normal IT operations. They pivot rapidly through cloud environments, targeting Azure, AWS, and SaaS applications like Salesforce and Snowflake.

Step 5: Data Exfiltration and Ransomware Deployment

Before deploying ransomware, Scattered Spider exfiltrates as much data as possible — often terabytes at a time — using cloud storage services like Mega. In cases involving Snowflake environments, investigators observed attackers running thousands of queries in rapid succession. Only after the data is safely exfiltrated do they deploy DragonForce ransomware to encrypt VMware ESXi servers and other critical infrastructure, ensuring maximum pressure for extortion.

Phase 1 — UK Retail: M&S, Co-op, and Harrods

The 2025 campaign kicked off over Easter weekend in late April, when Scattered Spider compromised accounts belonging to Tata Consultancy Services (TCS), a global IT contractor working with multiple UK retailers. TCS has since stated that its own systems were not breached, but the investigation into whether contractor accounts were used as a stepping stone remains ongoing.

Marks & Spencer was hit first and hardest. The attackers used social engineering against help desk personnel to gain access, then moved laterally through M&S’s systems before deploying DragonForce ransomware. The impact was severe and immediate: online orders were suspended, contactless payments failed across stores, click-and-collect services went down, and shelves sat empty as supply chain systems went offline. The company’s stock price dropped nearly 7%.

“We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible.” — Stuart Machin, CEO, Marks & Spencer (May 2025)

The UK’s Cyber Monitoring Centre classified the M&S and Co-op attacks as a single combined cyber event, estimating the total financial impact at £270–440 million ($363–$592 million). The Co-op confirmed that customer data had been accessed, and Harrods disclosed a separate intrusion attempt around the same timeframe.

The UK’s National Cyber Security Centre (NCSC) issued a public advisory specifically warning organizations about help desk social engineering, and the National Crime Agency launched a formal investigation. Within weeks, similar attack patterns were observed hitting US retailers including Victoria’s Secret and Adidas.

Third-Party Risk in Focus

The M&S breach was not a direct attack on M&S infrastructure. The attackers entered through a trusted vendor relationship. Organizations that do not treat their third-party vendors as extensions of their own attack surface are operating with a dangerous blind spot.

Phase 2 — US Insurance: Aflac, PHLY, and Erie

By early June 2025, Scattered Spider had pivoted to the US insurance industry. Threat intelligence analysts at Google’s Mandiant division spotted the shift almost immediately: the same help desk social engineering playbook, the same focus on customer service platforms, the same operational tempo.

“Given this actor’s history of focusing on a sector at a time, the insurance industry should be on high alert, especially for social engineering schemes which target their help desks and call centers.” — John Hultquist, Chief Analyst, Google Threat Intelligence Group (June 2025)

Within days of that warning, Philadelphia Insurance Companies (PHLY) disclosed unauthorized network access that took its systems offline. Aflac followed with a disclosure confirming that attackers had accessed sensitive customer data, including Social Security numbers and claims information. Erie Insurance also reported suspicious activity consistent with the same TTPs.

The insurance sector attacks underscored a consistent Scattered Spider pattern: each new industry was chosen not because it was technically easier to compromise, but because it was rich in sensitive personal data that could be leveraged for extortion. Customer claims data, policy details, and financial records create enormous pressure to pay when threatened with exposure.

Phase 3 — Global Aviation: Airlines and Airports

By late June, the FBI issued a formal warning that Scattered Spider was expanding into the airline sector. Almost simultaneously, Hawaiian Airlines and WestJet in North America reported cyber incidents, followed by Qantas in Australia. The Qantas breach was traced to a compromised external call center platform — once again, a third-party entry point.

While none of these incidents affected flight operations, they resulted in the compromise of millions of customer records. The pattern was unmistakable: target the third-party customer service and help desk ecosystems that airlines, like retailers and insurers, rely on.

In September 2025, a separate but related attack struck Collins Aerospace’s vMUSE airport operations platform, causing ransomware disruptions at Heathrow, Brussels, and Berlin airports. The incident demonstrated how deeply interconnected aviation infrastructure has become, and how a single vendor compromise can cascade across international borders within hours.

The Law Enforcement Response

The international law enforcement response to Scattered Spider intensified throughout 2025, resulting in a series of arrests that have slowed — but not stopped — the group’s operations.

The most consequential arrests include Noah Michael Urban, 20, of Florida, who pleaded guilty and was sentenced to ten years in federal prison in August 2025; Tyler Buchanan, 22, of the UK, who was arrested in Spain with $27 million in stolen Bitcoin and extradited to the US; and Thalha Jubair, 19, and Owen Flowers, 18, who were arrested in the UK in July 2025 in connection with the retail attacks. Prosecutors allege Jubair was found in possession of over $50 million in cryptocurrency and linked to at least 120 network intrusions and $115 million in ransom payments.

In September 2025, the collective posted a public withdrawal announcement on Telegram, with members issuing apologies and claiming they would “work toward using our skills for the good of this world.” By November, however, security firm ReliaQuest observed the group resuming operations and claiming responsibility for new breaches via Gainsight integrations within Salesforce.

“Since the recent arrests tied to the alleged Scattered Spider (UNC3944) members in the U.K., Mandiant Consulting hasn’t observed any new intrusions directly attributable to this specific threat actor. This presents a critical window of opportunity that organizations must capitalize on.” — Charles Carmakal, CTO, Mandiant Consulting at Google Cloud (July 2025)

The group’s decentralized structure — more a pattern of activity than a fixed membership — means that arrests disrupt but don’t eliminate the threat. New actors adopt the same playbook, and the social engineering techniques Scattered Spider refined have already been replicated by copycat groups tracked as UNC6040 and others.

Defensive Takeaways

The 2025 Scattered Spider campaign is, at its core, a case study in the exploitation of human trust and third-party dependencies. Every phase of the attack chain had a window where defenders could have intervened. The following recommendations are drawn from advisories issued by the FBI, CISA, the NCSC, and the incident response findings published by Mandiant, ReliaQuest, and Darktrace.

  1. Harden help desk verification. The single most impactful defensive measure is implementing rigorous, non-bypassable identity verification for all help desk interactions — especially password resets and MFA modifications. This means moving beyond security questions to callbacks to verified numbers, manager approval workflows, or in-person verification for sensitive changes. If an attacker can get a password reset with a convincing phone call, no amount of technical security matters.
  2. Deploy phishing-resistant MFA. SMS-based and push-notification MFA are directly targeted by Scattered Spider via SIM swapping and fatigue attacks. FIDO2/WebAuthn hardware security keys or passkeys eliminate these vectors entirely. Organizations that still rely on SMS or app-based push for privileged accounts are carrying known, exploitable risk.
  3. Treat third-party vendors as your own attack surface. The M&S breach entered through a vendor. The Qantas breach entered through a call center platform. Your security posture is only as strong as the weakest link in your vendor ecosystem. Require contractual security standards, conduct regular assessments, and implement network segmentation that limits what a compromised vendor account can reach.
  4. Monitor for living-off-the-land techniques. Scattered Spider avoids custom malware in favor of legitimate tools like PowerShell, RDP, and commercially available RMM software. Defenders need behavioral detection that flags anomalous use of administrative tools — not just signature-based detection looking for known malware.
  5. Implement speed-matched detection and response. Once initial access is achieved, Scattered Spider can move from credential compromise to ransomware deployment in hours. Manual investigation workflows that take days are too slow. Organizations need automated alerting on suspicious identity events (mass MFA resets, unusual login locations, lateral movement across cloud tenants) with pre-planned response playbooks that can execute at machine speed.
  6. Assume breach and plan for containment. Given Scattered Spider’s success rate and the persistence of the threat, every organization should have a tested incident response plan that assumes an attacker has already gained initial access. Table-top exercises that simulate a help desk social engineering scenario — followed by lateral movement into cloud infrastructure — are directly relevant to this threat.
# Quick check: Are you exposed to Scattered Spider TTPs?
# Run these questions against your current security posture:

[1] Can a help desk agent reset MFA with only a phone call?
[2] Do you use SMS-based MFA for any privileged accounts?
[3] Do third-party vendors have standing access to production systems?
[4] Can you detect anomalous RMM tool installation within 15 minutes?
[5] Have you tested your IR playbook against a social engineering scenario?

# If you answered "yes" to [1], [2], or [3] — you are directly
# in the crosshairs of this threat actor's playbook.

Scattered Spider’s 2025 campaign was not a story about technical genius. It was a story about the systematic failure of organizations to verify identity, manage third-party risk, and respond at the speed of the threat. The tools exist to defend against every stage of this attack chain. The question is whether organizations will implement them before the next sector rotation begins.

The arrests have created a temporary window. Mandiant confirmed a drop in activity directly attributable to Scattered Spider following the UK arrests, but copycat groups are already filling the void. The clock is ticking. Organizations that use this window to harden their help desks, deploy phishing-resistant MFA, and audit their vendor access will be the ones that don’t end up in next year’s headlines.

— end of briefing