The rise and fall of the ‘Scattered Spider’ hackers


After evading capture for more than two years following a hacking spree that targeted some of the world’s biggest tech companies, U.S. authorities say they have finally caught at least some of the hackers responsible.

In August 2022, security researchers went public with a warning that a group of hackers had targeted over 130 organizations as part of a sophisticated phishing campaign that stole the credentials of almost 10,000 employees. The hackers were specifically targeting companies that used Okta, a single sign-on provider used by thousands of companies worldwide to let their employees log in from home. 

Because of its focus on Okta, the hacking group was dubbed “0ktapus.” To date, the group hacked Caesars Entertainment, Coinbase, DoorDash, Mailchimp, Riot Games, Twilio (twice), and dozens more

The hackers’ most notable sizable cyberattack by way of downtime and impact was the hack against MGM Resorts in September 2023, which reportedly cost the casino and hotel giant at least $100 million. In that case, the hackers worked with the Russian-speaking ransomware gang ALPHV, and demanded a ransom from MGM for the company to get its files back. The hack was so disruptive that the casinos owned by MGM had trouble providing services for days.

For the last two years, as law enforcement has been closing in on the hackers, people in the cybersecurity industry tried to figure out exactly how to categorize the hackers and whether to put them in one group or another. 

The hackers’ techniques, such as social engineering, email and text message phishing, and SIM swapping, are common and widespread. Some of the individual hackers were part of several groups responsible for different data breaches. These circumstances have made it difficult to understand exactly who belongs in what group. Cybersecurity giant CrowdStrike dubbed this umbrella group of hackers “Scattered Spider,” and researchers believe there is some overlap with 0ktapus.

The group was so active — and successful — that U.S. cybersecurity agency CISA and the FBI issued an advisory in late 2023 with details on the group’s activities and techniques, in an attempt to help organizations prepare for and defend against anticipated attacks. 

Scattered Spider is “a cybercriminal group that targets large companies and their contracted IT help desks,” CISA wrote in its advisory. The agency warned that the group “have typically engaged in data theft for extortion,” and noted their known links to ransomware gangs.

One thing that’s relatively certain is that the hackers are mostly English-speaking, and widely believed to be in their teens and early-20s — and sometimes referred to as “advanced persistent teenagers.”

“There is a disproportionate number of minors involved, and that’s because the group deliberately recruits minors because of the lenient legal environment these minors exist in and they know nothing will happen to them if the police catch a kid,” Allison Nixon, chief research officer at Unit 221B, told TechCrunch at the time.

Over the last two years, some of the members of 0ktapus and Scattered Spider have been linked with a similarly nebulous group of cybercriminals known as “the Com.” People in this wider cybercrime community have committed crimes that crossed over into the real world. Some of them have been responsible for violent acts, such as robberies, burglaries, and brickings — hiring thugs to throw bricks at someone’s house or apartment; as well as swatting — where someone tricks authorities into believing there’s a violent crime happening, triggering the armed police unit to intervene. While born as a prank, swatting is known to have fatal consequences

After two years of hacking, authorities are finally starting to identify and charge members of Scattered Spider. 

In July, U.K. police confirmed the arrest of a 17-year-old in connection to the hack at MGM.

In November, the U.S. Department of Justice announced that it had indicted five hackers: Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas; Noah Michael Urban, 20, of Palm Coast, Florida, who had been arrested in January; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, of Jacksonville, North Carolina; and Tyler Robert Buchanan, 22, from the United Kingdom, who was arrested in June in Spain.

Leave a Reply

Your email address will not be published. Required fields are marked *