Scattered Spider / UNC3944: The English-Speaking Crew Still Running The Casino Playbook
Scattered Spider is the most-discussed threat actor of the last three years. English-speaking, young, affiliate-aligned with ALPHV then RansomHub then DragonForce. The specific help-desk-to-Okta-to-cloud playbook that burned MGM and Caesars. Why social engineering beats technical controls. And the defensive baseline that actually breaks the chain.
Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.
# Scattered Spider / UNC3944: the English-speaking social engineering crew still running the casino playbook
Scattered Spider is the most-discussed threat actor of the last three years, and 2026 is not slowing them down. They're not Russian, not North Korean, not Chinese. They're English-speaking, mostly American and British, mostly young, and they made more than $100 million doing to Las Vegas casinos what traditional APTs spend years trying to do to Fortune 500s. Then they did it again, and again, and again.
This post walks through what Scattered Spider actually does, the specific playbook that works against mid-market to large enterprise targets, the 2024-2026 incidents that stuck, and the defensive controls that break the chain.
## Who Scattered Spider is
Names used interchangeably in threat intelligence reporting:
- Scattered Spider (CrowdStrike)
- UNC3944 (Mandiant / Google Cloud)
- Muddled Libra (Palo Alto Unit 42)
- 0ktapus (Group-IB, for the 2022 campaign specifically)
- Scatter Swine (Okta)
The group is loosely affiliated rather than a single corporate entity. Core members are English-speaking, predominantly based in the US and UK, typically 17-25 years old, historically connected to "The Com" online community (SIM-swap, gaming cheat, and extortion-focused forums).
Arrests in 2024 (UK) and 2024-2025 (US DoJ indictments) identified several members by name, but the group continued operations after each wave. The replacement rate exceeds the arrest rate.
## The playbook that built the brand
Scattered Spider operations from 2022 onward follow a consistent pattern, with incremental evolution each year.
### 1. Target identification
Large enterprises with:
- Outsourced or large internal IT help desks (easy social engineering surface).
- Okta or similar IdP as the primary identity layer.
- Cloud infrastructure (AWS, Azure, GCP) where lateral movement post-auth is fast.
- Publicly identifiable executive and IT staff (LinkedIn, corporate directories).
2023 wave: hospitality and gaming (MGM Resorts, Caesars Entertainment).
2024 wave: financial services, SaaS, and BPOs.
2025-2026 wave: cloud-native enterprises, crypto firms, logistics.
### 2. Reconnaissance
- LinkedIn scraping for employees and org structure.
- Public-directory and corporate website enumeration of IT staff.
- Job postings that reveal tech stack (Okta, CrowdStrike, particular VPN products).
- Social media profiling of specific targets for personal detail (name, birthday, family, pets) to answer help-desk verification questions.
### 3. Initial access: social engineering the help desk
The signature Scattered Spider move. The attacker calls the IT help desk impersonating an employee. Common scripts:
- "I'm traveling, my phone broke, I need my MFA reset."
- "I lost my Yubikey, I need a temporary code."
- "I'm locked out of my account, I need a password reset and MFA enrollment on a new device."
The help desk verifies identity by asking for info the attacker already has (name, employee ID, manager's name, last four of SSN). All available from breach data, LinkedIn, or pretexting calls earlier in the day.
The help desk resets the password or MFA, or enrolls a new MFA factor on an attacker-controlled device, and the attacker logs in.
Variants:
- SIM swap as an alternative path. If the help desk won't help, the attacker SIM-swaps the target's phone number and uses SMS-based auth.
- Push-bombing. Spam the target's legitimate MFA app until they approve one out of frustration or misclick.
- Adversary-in-the-middle (AiTM) phishing via a reverse-proxy phishing kit (EvilProxy, Tycoon). Target clicks a legitimate-looking link, enters credentials + MFA into a proxy site that forwards to the real IdP and captures the session cookie.
### 4. Post-auth: lateral movement via Okta
Once logged in as a legitimate user, the attacker:
- Pivots into Okta admin console (if the compromised user has admin roles, or escalates via help-desk re-engineering).
- Reviews SSO connections to SaaS applications.
- Identifies the most valuable targets in the customer's SaaS estate: AWS, Azure, GitHub, source control, financial systems, customer data stores.
- Extracts session tokens, OAuth tokens, or uses SSO to authenticate to downstream apps.
Scattered Spider is particularly effective at recognizing which downstream apps hold the most valuable data. They spend time inside the environment reading Slack, SharePoint, Confluence, and wiki content to map the business.
### 5. Cloud infrastructure abuse
Once in cloud consoles:
- Create IAM users / roles with broad permissions for persistence.
- Exfiltrate customer data from S3, blob storage, or databases.
- Extract secrets from Secrets Manager or Key Vault.
- Where applicable, deploy ransomware via cloud automation.
In the MGM incident (2023), the attackers used cloud access to deploy ALPHV/BlackCat ransomware across the enterprise, encrypting systems and demanding payment.
### 6. Extortion
Scattered Spider is ransomware-affiliated (historically ALPHV/BlackCat, then RansomHub, then DragonForce after affiliate shuffling). Post-breach they either:
- Deploy ransomware for encryption + extortion. Standard ransomware playbook.
- Pure data extortion. No encryption, just steal and threaten to publish. Lower effort, lower forensic footprint, sometimes higher payout.
- Triple extortion. Encrypt, exfiltrate, and threaten to contact customers of the victim. Used against high-touch B2B targets.
## Defining incidents 2023-2026
### MGM Resorts (September 2023)
MGM's IT help desk was socially engineered into resetting an employee's password and MFA. The attacker pivoted into Okta admin, then AWS, then deployed ALPHV/BlackCat ransomware. MGM shut down slot machines, hotel room keys, and digital payments. Recovery cost was estimated at $100 million. MGM refused to pay the ransom.
### Caesars Entertainment (August 2023)
Similar attack pattern against Caesars. Caesars paid approximately $15 million ransom. Disclosed via SEC 8-K filing.
### Transport for London (September 2024)
The TfL breach was attributed to a Scattered Spider-adjacent actor. Services including the Oyster card system and TfL Pay as You Go were disrupted. UK police arrested a 17-year-old in connection with the breach.
### Multiple BPO breaches (2024-2025)
A wave of business process outsourcing firm compromises. Targets selected because BPO employees have legitimate access to end-customer systems. Once inside a BPO, lateral movement into customer environments was frequently possible without triggering customer-side controls.
### Cloud provider-adjacent breaches (2025-2026)
Several SaaS providers disclosed Scattered Spider intrusions attributed to help-desk social engineering or SIM swap. Customer data taken from those SaaS providers was then used for downstream targeting.
## What makes Scattered Spider successful
- Social engineering beats technical controls. No MFA bypass is needed if you can convince the help desk to enroll your MFA factor.
- English-language fluency. Removes the non-native-speaker signal that help desk staff are trained to flag on calls.
- Persistent targeting. They come back for the same targets across months, building knowledge.
- Affiliate model. Multiple ransomware families to choose from. Not tied to any single infrastructure that can be taken down.
- Speed. Time from initial help-desk call to ransomware deployment can be under 24 hours.
## The defensive controls that actually work
### 1. Help desk identity verification that survives an English-speaking attacker
Traditional verification (name, employee ID, manager) fails. Real verification:
- Video callback to the corporate Zoom/Teams account known to belong to the employee.
- Manager co-sign via a separate channel (Teams DM to manager's known account, not a call that could be spoofed).
- Out-of-band confirmation via a pre-registered personal email or phone known to HR.
- Physical credential reset required for MFA changes (in-person at office, or mail-delivered to HR-verified address).
Help desks that still reset MFA on the strength of a phone call will get breached. The training and tooling to prevent this have to be deployed.
### 2. Phishing-resistant MFA
FIDO2 / WebAuthn hardware keys or platform authenticators tied to a verified device.
- Remove SMS and app-push as MFA options for privileged accounts.
- Yubikeys or equivalent for all IT and admin roles.
- Conditional Access policies that deny login without phishing-resistant MFA.
Scattered Spider's AiTM phishing kits cannot complete a FIDO2 authentication: the browser writes the origin it actually loaded the page from into the signed client data, and the credential is scoped to the legitimate domain, so a response captured on a proxy domain is rejected by the real IdP.
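To make that origin-binding claim concrete, here is an added example (not code from this post, nor from any IdP or key vendor) that models the checks a WebAuthn relying party performs on an assertion, with a stand-in authenticator so it runs offline on the standard library. The hostnames and challenge are constructed, and an HMAC stands in for the real signature over the same bytes a hardware key signs. It walks a legitimate login and then the three ways a reverse-proxy page fails: the browser refuses the real rpId, the key has no credential for the proxy's rpId, and a relayed assertion carries the wrong origin.

```python
"""Origin binding: why an AiTM reverse proxy cannot relay a FIDO2/WebAuthn login.

Simplified model of the relying-party checks from the WebAuthn spec.  The
authenticator signature is stood in for by an HMAC over the same bytes a real
key signs (authenticatorData || SHA-256(clientDataJSON)).  Hostnames and the
challenge are constructed; this is not code from the post or any vendor.
"""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"             # constructed: the IdP's relying party id
RP_ORIGIN = "https://login.example.com"


class ToyAuthenticator:
    """Stands in for a hardware key; each credential is scoped to one rpId."""

    def __init__(self):
        self.keys = {}                  # rpId -> secret (stand-in for a private key)

    def register(self, rp_id):
        self.keys[rp_id] = os.urandom(32)

    def sign(self, rp_id, client_data):
        if rp_id not in self.keys:      # no credential for this rpId: the key stays silent
            return None
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\x00\x00\x00\x01"
        signed = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self.keys[rp_id], signed, hashlib.sha256).digest()


def browser_get(authenticator, page_origin, requested_rp_id, challenge):
    """navigator.credentials.get() as the browser enforces it: the page cannot
    choose its origin, and the rpId must be the page host or a registrable
    suffix of it."""
    host = urlparse(page_origin).hostname
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"rpId {requested_rp_id!r} not allowed for origin {page_origin}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    result = authenticator.sign(requested_rp_id, client_data)
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig


def rp_verify(secret, expected_challenge, client_data, auth_data, sig):
    """What the real IdP checks on an assertion, in spec order."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), sig):
        return "bad signature"
    return "ok"


def demo():
    key = ToyAuthenticator()
    key.register(RP_ID)                 # enrolment with the real IdP
    challenge = "constructed-challenge-1"
    proxy_origin = "https://login-example-com.proxy.test"   # constructed phishing host
    results = {}

    # 1. Legitimate login from a page the IdP served.
    cd, ad, sig = browser_get(key, RP_ORIGIN, RP_ID, challenge)
    results["legit"] = rp_verify(key.keys[RP_ID], challenge, cd, ad, sig)

    # 2. Proxy page asks for the IdP's rpId: the browser refuses outright.
    try:
        browser_get(key, proxy_origin, RP_ID, challenge)
        results["proxy_real_rpid"] = "assertion produced"
    except ValueError:
        results["proxy_real_rpid"] = "browser refused"

    # 3. Proxy asks for its own rpId: the key holds no credential scoped to it.
    results["proxy_own_rpid"] = browser_get(key, proxy_origin, "proxy.test", challenge)

    # 4. Even an assertion minted for the proxy origin fails at the real IdP,
    #    because the browser-supplied origin does not match.
    key.register("proxy.test")
    cd, ad, sig = browser_get(key, proxy_origin, "proxy.test", challenge)
    results["relayed_to_idp"] = rp_verify(key.keys["proxy.test"], challenge, cd, ad, sig)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast with SMS or push MFA is that neither of those carries anything the browser ties to the page origin, which is exactly what a reverse proxy exploits; the WebAuthn origin and rpId checks close that gap without any help from the user.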
### 3. Okta-specific hardening
Given that Okta is the most common identity layer in Scattered Spider targets:
- Restrict Okta Admin role to named individuals with hardware MFA.
- Enable Okta ThreatInsight (blocks known malicious IPs).
- Require device trust + managed-device signal for admin actions.
- Use Okta's new phishing-resistant MFA enforcement policies.
- Monitor for MFA factor additions, admin role changes, and policy modifications.
### 4. Privileged access management
Jump servers with session recording for administrative access. Ephemeral credentials for cloud console access. No standing administrative access.
### 5. Detection that fires on the Scattered Spider pattern
- Alert on MFA factor additions outside business hours or from unusual devices.
- Alert on Okta admin sign-ins from residential IPs or VPNs.
- Alert on mass-read of Slack, SharePoint, Confluence by a single account.
- Alert on cloud console logins followed by IAM user/role creation within a short window.
- Alert on data exfiltration patterns (large S3 gets, database dumps, Git clones of full repos).
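The monitoring items in the Okta hardening list (factor additions, admin activity) and the detection list above, as added example code that is not from this post or any vendor. Each rule is a small function over normalised events; the event type names follow the Okta System Log (`user.mfa.factor.activate`, `user.session.access_admin_app`) and CloudTrail (`ConsoleLogin`, `CreateUser`), but every record, user, IP and network below is constructed. The sample compresses the chain into one night and includes a benign control user so the rules can be seen not firing.

```python
"""Detections for the Scattered Spider chain, run over constructed log events.

Added example, not the post's or any vendor's code.  Events are normalised
dicts mimicking Okta System Log, a collaboration tool's audit log and AWS
CloudTrail; users, IPs and networks are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

CORP_NETS = [ip_network("203.0.113.0/24")]          # constructed corporate egress
BUSINESS_HOURS = range(7, 19)                      # 07:00-18:59
IAM_PERSISTENCE = {"CreateUser", "CreateRole", "CreateAccessKey", "AttachUserPolicy"}


def ts(ev):
    return datetime.fromisoformat(ev["ts"])


def mfa_enrollment_anomalies(events, known_devices):
    """Factor enrolment off-hours or from a device never seen for that user."""
    hits = []
    for ev in events:
        if ev["type"] != "user.mfa.factor.activate":
            continue
        reasons = []
        if ts(ev).hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if ev["device"] not in known_devices.get(ev["user"], set()):
            reasons.append("new device")
        if reasons:
            hits.append(("mfa_enrollment", ev["user"], ", ".join(reasons)))
    return hits


def admin_signins_off_network(events):
    """Admin console access from outside corporate egress."""
    return [
        ("admin_signin_offnet", ev["user"], ev["ip"])
        for ev in events
        if ev["type"] == "user.session.access_admin_app"
        and not any(ip_address(ev["ip"]) in net for net in CORP_NETS)
    ]


def console_login_then_iam(events, window=timedelta(minutes=30)):
    """CloudTrail: ConsoleLogin followed by IAM persistence calls within the window."""
    hits, logins = [], {}
    for ev in sorted(events, key=ts):
        if ev["src"] != "cloudtrail":
            continue
        if ev["type"] == "ConsoleLogin":
            logins[ev["user"]] = ts(ev)
        elif ev["type"] in IAM_PERSISTENCE and ev["user"] in logins:
            if ts(ev) - logins[ev["user"]] <= window:
                hits.append(("console_then_iam", ev["user"], ev["type"]))
    return hits


def mass_reads(events, threshold=5, window=timedelta(minutes=10)):
    """One account reading many collaboration documents in a short window."""
    hits, seen = [], defaultdict(list)
    for ev in sorted(events, key=ts):
        if ev["type"] != "document.read":
            continue
        q = seen[ev["user"]]
        q.append(ts(ev))
        while q and ts(ev) - q[0] > window:          # slide the window forward
            q.pop(0)
        if len(q) > threshold:
            hits.append(("mass_read", ev["user"], f"{len(q)} reads in {window}"))
            q.clear()                                  # one alert per burst
    return hits


def run_all(events, known_devices):
    return (mfa_enrollment_anomalies(events, known_devices)
            + admin_signins_off_network(events)
            + console_login_then_iam(events)
            + mass_reads(events))


# Constructed sample: the chain as the post describes it, compressed into one night,
# plus a benign control (in-hours enrolment from a known device, office admin sign-in).
KNOWN_DEVICES = {"jdoe": {"laptop-4412"}, "asmith": {"laptop-9001"}}
SAMPLE = [
    {"ts": "2026-03-14T02:13:00+00:00", "src": "okta", "type": "user.mfa.factor.activate",
     "user": "jdoe", "ip": "198.51.100.7", "device": "iphone-unknown"},
    {"ts": "2026-03-14T02:20:00+00:00", "src": "okta", "type": "user.session.access_admin_app",
     "user": "jdoe", "ip": "198.51.100.7", "device": "iphone-unknown"},
] + [
    {"ts": f"2026-03-14T02:{25 + i:02d}:00+00:00", "src": "collab", "type": "document.read",
     "user": "jdoe", "ip": "198.51.100.7", "device": "iphone-unknown"} for i in range(6)
] + [
    {"ts": "2026-03-14T02:40:00+00:00", "src": "cloudtrail", "type": "ConsoleLogin",
     "user": "jdoe", "ip": "198.51.100.7", "device": ""},
    {"ts": "2026-03-14T02:52:00+00:00", "src": "cloudtrail", "type": "CreateUser",
     "user": "jdoe", "ip": "198.51.100.7", "device": ""},
    {"ts": "2026-03-13T10:05:00+00:00", "src": "okta", "type": "user.mfa.factor.activate",
     "user": "asmith", "ip": "203.0.113.40", "device": "laptop-9001"},
    {"ts": "2026-03-13T10:06:00+00:00", "src": "okta", "type": "user.session.access_admin_app",
     "user": "asmith", "ip": "203.0.113.40", "device": "laptop-9001"},
]

if __name__ == "__main__":
    for hit in run_all(SAMPLE, KNOWN_DEVICES):
        print(hit)
```

The point of the console-then-IAM rule is sequencing: a console login and an IAM create are each routine on their own, and only the pairing within a short window is the persistence step described in section 5. The thresholds and windows are starting values to tune against a baseline, and the "residential IP" item in the list would in practice replace the corporate CIDR check with an ASN or ISP lookup.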
### 6. Incident response plan that assumes help-desk compromise
Most IR playbooks assume the attacker is external. Scattered Spider-adjacent incidents require a playbook where the attacker has legitimate user credentials and has been inside for 24-72 hours before detection.
Specific plays:
- Mass password + MFA reset procedure.
- Session revocation across all SSO-integrated apps.
- Admin role revocation and re-certification.
- Cloud IAM rollback procedures.
- Communication plan assuming customer data exposure.
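The first three plays (mass password and MFA reset, session revocation, admin role revocation) as an added containment script. This is not the post's code or Okta's; it calls the Okta Users API endpoints as Okta documents them (clear sessions, reset all factors, reset password, unassign role), with the org URL, token and user ids left as placeholders and a dry-run default that only returns the planned calls. Okta-side revocation does not terminate sessions already minted in downstream SSO applications, which the second play covers per application.

```python
"""Identity containment runbook for a suspected help-desk compromise.

Added example, not the post's or Okta's code.  Drives the documented Okta
Users API for a list of user ids, collecting failures instead of stopping.
ORG_URL, API_TOKEN and the user ids are placeholders.
"""
import json
import urllib.request

ORG_URL = "https://example.okta.com"      # placeholder
API_TOKEN = "REPLACE_WITH_SSWS_TOKEN"     # placeholder: read from a vault in real use


def containment_plan(user_id, admin_role_ids=()):
    """Ordered (method, path) calls for one user.

    Roles go first to shrink blast radius, then factors and password are
    reset so the attacker cannot re-enrol, then Okta sessions are cleared.
    reset_password?sendEmail=false invalidates the current password and
    returns a one-time reset URL to hand over through the verified
    help-desk channel from section 1, not by email the attacker may read.
    """
    plan = [("DELETE", f"/api/v1/users/{user_id}/roles/{rid}") for rid in admin_role_ids]
    plan += [
        ("POST", f"/api/v1/users/{user_id}/lifecycle/reset_factors"),
        ("POST", f"/api/v1/users/{user_id}/lifecycle/reset_password?sendEmail=false"),
        ("DELETE", f"/api/v1/users/{user_id}/sessions"),
    ]
    return plan


def okta_call(method, path, dry_run=True):
    """One API call; in dry-run mode just echo what would be sent."""
    if dry_run:
        return {"dry_run": True, "method": method, "path": path}
    req = urllib.request.Request(
        ORG_URL + path, method=method,
        headers={"Authorization": f"SSWS {API_TOKEN}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read()
        return json.loads(body) if body else {"status": resp.status}


def list_admin_role_ids(user_id, dry_run=True):
    """Role ids currently assigned to the user (none can be looked up offline)."""
    if dry_run:
        return []
    roles = okta_call("GET", f"/api/v1/users/{user_id}/roles", dry_run=False)
    return [r["id"] for r in roles]


def contain_users(user_ids, dry_run=True):
    """Run the plan for every user; return a per-user report of outcomes."""
    report = {}
    for uid in user_ids:
        results = []
        for method, path in containment_plan(uid, list_admin_role_ids(uid, dry_run)):
            try:
                okta_call(method, path, dry_run)
                results.append((method, path, "ok"))
            except Exception as exc:      # an IR script keeps going and reports
                results.append((method, path, f"failed: {exc}"))
        report[uid] = results
    return report


if __name__ == "__main__":
    # Placeholder user ids; run with dry_run=False only from an approved IR runbook.
    for uid, rows in contain_users(["00uPLACEHOLDER1", "00uPLACEHOLDER2"]).items():
        print(uid)
        for method, path, outcome in rows:
            print(f"  {method:6} {path}  {outcome}")
```

Run it first in dry-run mode against the suspected user list and review the plan; the order matters because a reset that leaves a valid password or session behind gives a fast-moving operator, who the post notes can reach ransomware deployment inside 24 hours, a window to re-enrol a factor before the next step lands.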
## What this means for enterprise threat modeling
Scattered Spider is the operational example of why social engineering still works against Fortune 500s with hundreds of millions in security spend. Every mature threat model now includes a help-desk compromise scenario. Most organizations still test their controls against technical phishing (email link clicks, malicious attachments) and skip the phone-call-to-IT scenario entirely.
Valtik runs red-team exercises that specifically emulate the Scattered Spider playbook, including pretexted help-desk calls, Okta pivots, and cloud infrastructure abuse. If your organization hasn't tested against this class of attack and you rely on a single IdP for all SSO, the MGM incident is a template for what happens next.
