Scattered Spider / Octo Tempest: Threat Actor Profile
Scattered Spider is the most operationally significant English-speaking cybercrime collective of the cycle, weaponizing help-desk social engineering and SIM swaps to breach 100+ organizations for $100M+. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.
Scattered Spider is the most operationally significant English-speaking cybercrime collective of the current cycle. MITRE ATT&CK describes it as a native English-speaking group active since at least 2022 that relies heavily on social engineering, help-desk impersonation, MFA bypass, cloud identity abuse, and ransomware deployment.
Scattered Spider: at a glance
- Aliases: Octo Tempest, UNC3944, Roasted 0ktapus, Storm-0875, Muddled Libra; associated with 'The Com'
- Country / affiliation: Financially motivated; loosely organized English-speaking actors in the U.S. and U.K.
- Assessed status (as of July 2026): Active
- Primary objectives: Extortion, ransomware deployment, theft of cloud and identity access, and reputational clout
- Financial destruction / gain: >$100 million in ransom payments and extensive collateral losses, per U.S. prosecutors and Reuters
- Type: Social-engineering-driven cybercrime collective
Who is Scattered Spider?
Reuters reported in July 2026 that the DOJ links the group to more than 100 breaches and over $100 million in ransom payments. Its significance is not just payout volume; it is the degree to which it weaponized identity infrastructure rather than exotic malware.
Aliases and attribution
Scattered Spider is a loose, decentralized collective of mostly young, native-English-speaking members tied to the broader 'The Com' community, tracked as Octo Tempest (Microsoft), UNC3944 (Mandiant), and Roasted 0ktapus. Its fluid membership complicates attribution and has allowed it to keep operating despite multiple arrests. It has partnered with ransomware-as-a-service (RaaS) brands such as ALPHV/BlackCat and DragonForce.
Financial impact and damage
U.S. prosecutors and Reuters tie Scattered Spider to $100 million-plus in ransom payments and extensive additional damage across 100+ breaches, including high-profile casino (MGM, Caesars) and retail intrusions. Its impact is amplified by targeting identity providers and cloud platforms, turning one social-engineered help-desk call into enterprise-wide compromise.
Scattered Spider timeline
- 2022: Telecom and identity-focused activity (0ktapus-style phishing)
- 2023: MGM Resorts and Caesars operations disrupt major casinos
- 2025: UK / US retail attack waves
- 2026: DOJ extradition tied to 100+ breaches (Reuters)
Notable attacks and campaigns
The 2023 MGM and Caesars attacks showed how a single social-engineered help-desk reset could cripple a Fortune 500 company. Scattered Spider pioneered high-pressure vishing (voice phishing) and SIM-swap-driven MFA bypass, then abused Okta, Azure AD, and AWS to seize cloud environments before deploying ransomware such as BlackCat and DragonForce.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1566.004 — Voice Phishing / Help-Desk Impersonation: CISA and ATT&CK highlight spearphishing-by-phone and help-desk impersonation. Lock down help-desk identity-reset processes and require step-up verification.
- T1098 — Account Manipulation in Cloud Identity: The group adds cloud roles, credentials, and device registrations for persistence. Alert on new device enrollment, IAM changes, and new federated identities.
- T1486 — Data Encrypted for Impact: Scattered Spider deploys BlackCat and DragonForce, including against ESXi. Detect remote-access-tool installation on vCenter and unusual hypervisor encryption.
Detection and defense against Scattered Spider
Scattered Spider attacks identity, not endpoints, so the strongest defenses are around help desks and cloud IAM:
- Lock down help-desk identity-reset and MFA-reset processes with strict step-up verification.
- Use phishing-resistant MFA (FIDO2) that resists SIM-swap and push-fatigue attacks.
- Alert on new device enrollment, IAM changes, SSO trust changes, and new federated identities.
- Monitor for remote-access-tool installation on vCenter and unusual hypervisor encryption.
- Detect mass downloads and search-indexing across cloud storage and collaboration services (S3, SharePoint, OneDrive).
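The identity-focused detections above (and the T1566.004 / T1098 mappings in the TTP list) come down to one correlation: a help-desk-initiated credential or MFA reset followed shortly by a new factor enrollment, role grant, or federation change on the same account. The following is an added illustration, not code from the original article or any vendor; the event names, field names, and log lines are constructed and only loosely modelled on an identity provider's system log.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider events (not real logs); field names
# and event types are assumptions for this example, not a vendor schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "user": "alice", "actor": "helpdesk-1", "type": "password.reset"},
    {"ts": "2024-05-01T09:04:00", "user": "alice", "actor": "helpdesk-1", "type": "mfa.factor.reset"},
    {"ts": "2024-05-01T09:10:00", "user": "alice", "actor": "alice", "type": "mfa.factor.enroll"},
    {"ts": "2024-05-01T11:00:00", "user": "bob", "actor": "bob", "type": "mfa.factor.enroll"},
    {"ts": "2024-05-01T12:30:00", "user": "alice", "actor": "alice", "type": "idp.federation.add"},
    {"ts": "2024-05-01T12:31:00", "user": "alice", "actor": "alice", "type": "iam.role.assign"},
]

HELPDESK_RESETS = {"password.reset", "mfa.factor.reset"}
TRUST_CHANGES = {"idp.federation.add", "sso.trust.change"}  # always alert
WINDOW = timedelta(hours=1)  # how long a help-desk reset "taints" an account


def _recent_reset(resets, user, ts):
    """True if `user` had a help-desk-initiated reset within WINDOW of `ts`."""
    last = resets.get(user)
    return last is not None and ts - last <= WINDOW


def detect(events):
    """Return a list of (severity, user, reason) tuples, in event order.

    Resets performed by someone other than the account owner are remembered per
    user; later self-service enrollments or role grants on that account within
    WINDOW are escalated, and federation/SSO trust changes alert unconditionally.
    """
    alerts = []
    resets = {}  # user -> timestamp of the latest help-desk-initiated reset
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] in HELPDESK_RESETS and e["actor"] != e["user"]:
            resets[e["user"]] = ts
        elif e["type"] == "mfa.factor.enroll":
            if _recent_reset(resets, e["user"], ts):
                alerts.append(("high", e["user"], "new MFA factor enrolled within 1h of help-desk reset"))
            else:
                alerts.append(("low", e["user"], "new MFA factor enrolled"))
        elif e["type"] in TRUST_CHANGES:
            alerts.append(("critical", e["user"], f"identity trust change: {e['type']}"))
        elif e["type"] == "iam.role.assign":
            sev = "high" if _recent_reset(resets, e["user"], ts) else "medium"
            alerts.append((sev, e["user"], "cloud role assigned"))
    return alerts


if __name__ == "__main__":
    for sev, user, reason in detect(EVENTS):
        print(f"[{sev}] {user}: {reason}")
```

In the constructed sample, alice's enrollment six minutes after a help-desk MFA reset is the high-severity hit, while her later role assignment falls outside the window and is only medium.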
The bottom line
Scattered Spider proved that fluent English and a convincing phone call can defeat defenses no malware could — making identity, not the endpoint, the new front line.
Frequently asked questions
Who is Scattered Spider?
Scattered Spider is a financially motivated, mostly English-speaking cybercrime collective active since 2022, also tracked as Octo Tempest and UNC3944, known for elite social engineering, SIM swapping, and cloud identity abuse.
What is Scattered Spider known for?
It is known for social-engineering help desks, SIM-swap MFA bypass, and cloud takeover, including the 2023 MGM Resorts and Caesars casino attacks, tied to 100+ breaches and $100M+ in ransoms.
Is Scattered Spider still active?
Yes. Despite multiple arrests and a 2026 extradition, the decentralized collective continues to operate because of its fluid membership and ties to the broader 'The Com' community.
How does Scattered Spider bypass MFA?
Primarily through social engineering — impersonating employees to help desks to reset credentials and MFA, SIM swapping to intercept codes, and MFA push-fatigue rather than technical exploits.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: