Scattered Spider is a term used in the cybersecurity industry to describe a cluster of activity tied to social engineering, credential theft, SIM swapping, ransomware deployment, and data theft and extortion. The group has been active across Telegram communities including The Com, Star Fraud, LAPSUS$, and more recently, scattered lapsus$ hunters.
Aliases such as SpidermanData, Sp1d3r, and Sp1d3r Hunters have been linked to extortion attempts in the past year. Their tactics overlap with other well-known data leak and extortion groups, including Shiny Hunters. The group has also been tracked under multiple designations, including Octo Tempest, Oktapus, Muddled Libra, UNC3944, and UNC6040.
Connections to ransomware operations are also a defining feature. Members have been associated with major Ransomware-as-a-Service (RaaS) groups such as ALPHV/BlackCat, Qilin, DragonForce, RansomHub, and Hellcat. Recently, they even claimed to have launched their own RaaS group called ShinySpider or ShinySp1d3r, as reported in a recent Threat Profile.
The group is known for a wave-style approach to targeting industries. Instead of spreading attacks thinly across multiple sectors, they launch concentrated campaigns against one industry at a time. Financial services were hit in late 2023, followed by food service companies in May 2024, and then a large-scale campaign against U.S. and U.K. retailers heading into 2025. Beyond those industries, Scattered Spider has also focused on cryptocurrency services and gaming companies. Their preference is for large enterprises, which provide greater leverage in ransom negotiations and the potential for broader disruption.
According to the Threat Profile from Flashpoint, this pattern of behavior highlights the group’s adaptability and reach. By aligning with or overlapping tactics from other extortion collectives and by creating or associating with multiple RaaS ventures, Scattered Spider has positioned itself as one of the most persistent and resourceful threat actors currently tracked.
(AI was used in part to facilitate this article.)
