Who Are Scattered Spider? Origins, Tactics & How to Defend Your Workplace

Meet Scattered Spider—an English-speaking cybercrew behind MGM and M&S hits. Learn who they are, how they break in, who’s next, and the concrete steps to defend your org.

by James Mason

Quick Intro

Scattered Spider (also known as Octo Tempest, UNC3944, Muddled Libra, or 0ktapus) is an English-speaking hacking crew that’s been behind some of the most disruptive attacks in recent years — think MGM Resorts, Caesars Entertainment, and even UK retailer Marks & Spencer.

They specialise in tricking people (not just computers), sneaking past identity systems, and then either stealing data or deploying ransomware.


So, Who Exactly Are Scattered Spider?

Think of them as the modern-day cybercriminal gang that prefers phone calls and charm over hoodie-in-a-basement hacking. They’re mostly young adults, English-speaking, based in the US and UK, and part of a larger online criminal network nicknamed “The Com.”

They’re financially motivated — they want money, data, or leverage to extort companies. Microsoft even called them “one of the most dangerous financial criminal groups” in operation today.

How Big Is This Group (And Are They Getting Caught)?

Estimates vary:

  • The FBI has suggested up to 1,000 people are connected to the wider group.
  • Security researchers believe the real “brains” are just a small handful — maybe four core members — with many others working as affiliates.

Some arrests have happened:

  • Five alleged members were charged in the US in late 2024.
  • Four more were arrested in the UK in mid-2025.

But the group is still active and dangerous.

Who Have They Targeted?

Scattered Spider loves big, visible targets where disruption will hurt — and where victims are likely to pay up.

  • Casinos & Hotels: MGM Resorts, Caesars Entertainment
  • Retail: Marks & Spencer (2025 attack disrupted online orders)
  • Tech & Telecoms: Multiple identity and SaaS providers (Okta, cloud accounts)

How They Hack (And Why It Works)

Here’s where it gets scary — they rarely use “Hollywood” hacking. They just call your help desk.

Typical playbook:

  1. Recon: They stalk LinkedIn or public staff directories to find IT and HR contacts.
  2. Vishing (voice phishing): They phone the help desk, pretend to be an employee, and convince them to reset MFA or add a new device.
  3. MFA Bypass: They steal session tokens, swap SIM cards, or spam MFA requests until someone clicks “approve.”
  4. Cloud Pivot: Once in, they explore internal systems, spin up virtual machines, and grab whatever data they can.
  5. Extortion: They might encrypt systems (ransomware) or just threaten to leak the stolen data.

What Weaknesses Let Them In?

  • Weak help-desk processes (no callback, no identity verification)
  • SMS-based MFA (easy to hijack with SIM swaps)
  • Over-permissive cloud setups (Okta/Azure misconfigurations)
  • Third-party vendor access (they’ll target your MSP if it’s easier)

Could They Hit Your Workplace Next?

If your company:

  • Uses Okta, Azure AD, or Google Workspace
  • Has a remote help desk that resets accounts over the phone
  • Relies on vendors or MSPs with high-level access

…then yes, you’re in their target profile.

How To Defend Your Workplace (Without Losing Your Mind)

Here’s the 15-step hardening plan every organisation should consider:

  1. Use phishing-resistant MFA (FIDO2 keys, not SMS codes)
  2. Lock down the help desk – callbacks, PINs, no quick resets
  3. Separate admin accounts (no email on admin logins!)
  4. Turn on conditional access (block logins from weird locations)
  5. Shorten session times & revoke risky tokens
  6. Enable SIM-swap protection for staff with privileged access
  7. Collect SaaS logs (Okta, Google, M365) into a central SIEM
  8. Use just-in-time admin access instead of permanent privileges
  9. Deploy email protections (DMARC, external sender banners)
  10. Lock down vendor accounts with least privilege and IP allowlists
  11. Reduce public exposure of staff roles (LinkedIn cleanup!)
  12. Run endpoint detection (EDR) on every machine
  13. Add CASB/DLP controls to catch mass data downloads
  14. Test backups so ransomware won’t ruin your week
  15. Tabletop a vishing drill — yes, actually prank your help desk
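
Step 7 only pays off if something actually queries those logs. Here is an added example (not from the original article, and not any vendor's code) of detection logic for two moves from the playbook above: a help-desk MFA reset followed by enrolment from an IP the user has never logged in from, and a run of denied MFA pushes that ends in an approval. The event schema, event names and thresholds are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own help-desk and MFA traffic.
RESET_WINDOW = timedelta(minutes=30)
PUSH_WINDOW = timedelta(minutes=10)
PUSH_MIN_DENIED = 3
# Constructed events in a hypothetical normalized schema: (timestamp, user, event, source IP).
EVENTS = [
    ("2025-01-10T08:00:00", "alice", "login", "10.0.0.5"),
    ("2025-01-10T09:00:00", "alice", "helpdesk_mfa_reset", "10.0.9.1"),
    ("2025-01-10T09:05:00", "alice", "mfa_enroll", "10.0.0.5"),
    ("2025-01-10T08:30:00", "carol", "login", "10.0.0.7"),
    ("2025-01-10T10:00:00", "carol", "helpdesk_mfa_reset", "10.0.9.1"),
    ("2025-01-10T10:04:00", "carol", "mfa_enroll", "203.0.113.9"),
    ("2025-01-10T11:00:00", "bob", "push_denied", "198.51.100.4"),
    ("2025-01-10T11:01:00", "bob", "push_denied", "198.51.100.4"),
    ("2025-01-10T11:02:00", "bob", "push_denied", "198.51.100.4"),
    ("2025-01-10T11:03:00", "bob", "push_approved", "198.51.100.4"),
    ("2025-01-10T12:00:00", "dave", "push_denied", "10.0.0.8"),
    ("2025-01-10T12:01:00", "dave", "push_approved", "10.0.0.8"),
]

def _ordered(events):
    return sorted((datetime.fromisoformat(ts), user, kind, ip) for ts, user, kind, ip in events)

def reset_then_new_ip_enroll(events):
    """Help-desk reset, then enrolment within RESET_WINDOW from an IP with no prior login."""
    known_ips, last_reset, hits = {}, {}, []
    for ts, user, kind, ip in _ordered(events):
        if kind == "login":
            known_ips.setdefault(user, set()).add(ip)
        elif kind == "helpdesk_mfa_reset":
            last_reset[user] = ts
        elif kind == "mfa_enroll" and user in last_reset:
            if ts - last_reset.pop(user) <= RESET_WINDOW and ip not in known_ips.get(user, set()):
                hits.append((user, ip))
    return hits

def push_fatigue(events):
    """Approved push preceded by at least PUSH_MIN_DENIED denied pushes inside PUSH_WINDOW."""
    denied, hits = {}, []
    for ts, user, kind, _ip in _ordered(events):
        if kind == "push_denied":
            denied.setdefault(user, []).append(ts)
        elif kind == "push_approved":
            recent = [t for t in denied.pop(user, []) if ts - t <= PUSH_WINDOW]
            if len(recent) >= PUSH_MIN_DENIED:
                hits.append(user)
    return hits
```

On the sample data, `reset_then_new_ip_enroll(EVENTS)` flags carol and `push_fatigue(EVENTS)` flags bob, while alice (re-enrolling from her usual IP) and dave (one mistaken denial) stay quiet.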

What To Do If You Think You’re Under Attack

  • Freeze all MFA resets and device enrollments
  • Kill active sessions and block suspicious IPs
  • Search for new OAuth apps and mailbox rules
  • Alert leadership, legal, and comms teams
  • Call your national cyber response authority

Final Thoughts

Scattered Spider is proof that cybercrime doesn’t always need fancy code — sometimes a phone call is all it takes. If your workplace hasn’t reviewed its help-desk security in the last year, now’s the time.

Editor’s note

Yes, they’re scary—and yes, the fix is less “Hollywood hacker” and more boring identity plumbing. Train your help desk like it’s a vault door, move your admins to hardware keys, and treat SaaS logs as first-class security telemetry. That’s how you de-fang the spider. 🕷️
