Path & Payload

The Help Desk Call That Keeps Working, Even After Arrests: Inside Scattered Spider

The call to Marks & Spencer’s third-party help desk in April 2025 probably lasted just a few minutes. The person calling in knew enough to be plausible — a name, a role, the cadence of an internal support request. The caller was locked out, and they needed access restored. Maybe there was a time pressure like a shift starting or a manager waiting. Whatever the exact flow of conversation, the caller was convincing enough that the help desk agent reset the credentials and moved on to the next ticket.

The technically sophisticated part of the M&S attack came later. But the move that opened the door was simply a convincing lie. That call — or one like it — led to one of the most visible cybercrime campaigns of 2025. Scattered Spider’s retail wave hit Marks & Spencer, Co-op, and Harrods. It forced M&S to suspend online clothing orders for 46 days, exposed customer data at Co-op, and left M&S estimating a £300 million hit to operating profit.

Who They Are

Scattered Spider is a loosely affiliated, financially motivated cybercriminal collective, operating since at least May 2022. It is tracked under a sprawling list of names, including UNC3944, Octo Tempest, Roasted 0ktapus, Storm-0875, Starfraud, Scatter Swine, and Muddled Libra.

The group is notable for what it lacks — it has no nation-state backing, no apparent political agenda, and no formal hierarchy. Members coordinate loosely via platforms like Telegram and Discord. Alleged members and suspects are primarily teens and young adults, based in the US and the UK.

Their youth and informality are part of what makes them dangerous. These are tech natives with an intuitive understanding of US and UK corporate culture, IT processes, and the social dynamics of help desk interactions.

Motivation and Targeting Pattern

Scattered Spider’s motivation is straightforward — money. By 2023 the collective had adopted a double extortion model, moving from credential theft, SIM swapping and data extortion into ransomware-enabled extortion.

Their target selection follows a pattern. They use a wave approach, choosing a particular industry and then attacking as many organizations within that sector as possible over a short period. These sector-based wave attacks have included a focused campaign against financial services in late 2023, food service companies in May 2024, and the retail sector in 2025. The FBI has recently observed the group expanding its targeting to the airline industry. The throughline is large enterprises with complex IT environments, lots of employees, and help desks that handle high volumes of credential reset requests.

Signature TTPs (Mapped to MITRE ATT&CK)

Scattered Spider's TTPs reveal a consistent approach: get in through people, stay in through legitimate tools, and make yourself look like normal network traffic for as long as possible.

Initial Access

Attacks typically begin with SMS phishing, phone calls to victim help desks, and SIM swapping. After compromising credentials via social engineering, the threat actors impersonate employees in calls to victim organizations' service desks, attempting to secure MFA codes or password resets.

ATT&CK mappings: T1566.004 (Spearphishing Voice), T1598 (Phishing for Information), T1539 (Steal Web Session Cookie)

Persistence and Privilege Escalation

In 2023, the group added BYOVD techniques using an Intel driver exploit, and began abusing federated identity and SSO trust relationships. By 2024 the focus had shifted to cloud app pivoting, federated IdP abuse, and Azure/Okta backdoors.

ATT&CK mappings: T1556 (Modify Authentication Process), T1078 (Valid Accounts), T1484.002 (Domain Trust Modification)

Defense Evasion

They historically evade detection using living-off-the-land techniques and allowlisted applications to navigate target networks, and frequently modify their TTPs. In at least one instance, they hijacked a victim's EDR tool by using its remote shell or script execution features, creating a backdoor for themselves.

ATT&CK mappings: T1562.001 (Disable or Modify Tools), T1036 (Masquerading)

Lateral Movement and Exfiltration

Following initial access, they use legitimate software such as AnyDesk and ScreenConnect to maintain persistence, then employ tools like Mimikatz and secretsdump to escalate privileges, moving laterally through the network using RDP, SSH, and other services.

Notable Operations Attributed to Scattered Spider

Operation | The Impact
0ktapus / Okta-themed phishing campaign, 2022 | Essentially the origin story for Scattered Spider’s public reputation: SMS phishing against Okta users at scale, affecting more than 130 organizations, with Twilio and Cloudflare among the best-known examples.
Telecom/BPO/SIM-swap operations, 2022–2023 | This is where Scattered Spider’s tradecraft sharpened. The group targeted telecom and business-process outsourcing environments to support SIM swaps, account takeovers and downstream fraud.
MGM Resorts attack, 2023 | The signature Scattered Spider incident. It turned help-desk social engineering into a boardroom-level operational crisis, with hotel/casino systems disrupted and major reported financial impact.
Caesars Entertainment attack, 2023 | Paired with MGM in the “casino campaign.” It showed that the same basic model could produce both data theft/extortion and very different business outcomes depending on response, containment and ransom decisions.
ALPHV/BlackCat ransomware affiliate phase, 2023 | This marks their jump from a social-engineering-heavy intrusion crew to full ransomware/extortion operations, including reported ransomware deployment against VMware ESXi environments.
UK retail wave: Marks & Spencer, Co-op, Harrods, 2025 | This revealed their sector targeting strategy and real-world retail disruption, with M&S suffering particularly visible operational and market impact.
Aviation / airline targeting wave, 2025 | This shows the group’s continued reliance on identity, help-desk and third-party access paths in high-pressure operational environments.

What's Changed Recently

Scattered Spider has taken hits. Alleged or known members including Tyler Robert Buchanan, Noah Michael Urban, and Thalha Jubair have been arrested or charged. Buchanan, a senior member, pled guilty to wire fraud conspiracy and aggravated identity theft last week.

There's a detail in the Buchanan case worth sitting with. Per the DOJ's own timeline, his involvement in the group ran from September 2021 to April 2023. MGM, Caesars, the UK retail wave, the aviation targeting — everything that made Scattered Spider a household name in security circles — happened after he was out. The person that Allison Nixon, chief research officer at Unit 221B, called “the glue that held this gang together" didn't run the attacks everyone associates with the name Scattered Spider.

The collective's fluid affiliations make disruption difficult, and the talent pool keeps refreshing. If anything, Scattered Spider's story is one of continual adaptation — a crew that moved from SMS phishing and SIM swapping into corporate identity compromise, help-desk manipulation, SaaS data theft, and ransomware-enabled extortion.

A July 2025 joint advisory from the FBI, CISA, and international partners confirmed the group's continued evolution: new social engineering techniques, additional malware variants, and an expanding roster of ransomware affiliations including DragonForce and Qilin.

Their ransomware-as-a-service relationships have shifted too. After ALPHV/BlackCat's shutdown, Scattered Spider became an affiliate of RansomHub in 2024, then pivoted again after RansomHub's infrastructure went dark in early 2025. They're not loyal to any particular ransomware brand — they're loyal to whatever gets the job done and makes them money.

Detection and Defense Considerations

The standard advice — implement MFA, train employees on phishing — misses the specific challenge Scattered Spider has most successfully exploited. They are not breaking MFA cryptography or relying on simple phishing tactics. They are defeating the processes around MFA: help desk resets, MFA token transfer, and push fatigue.

Help desk verification procedures need to be resistant to someone who already knows an employee's name, ID, and various personal details. Callback verification to a number on file (not one provided by the caller) is one good control. Hardware security keys remove push-fatigue paths, but only if help desk recovery and MFA reset workflows are equally hardened.

On the detection side, the group frequently modifies its TTPs to remain undetected, so behavioral baselines matter more than signature-based detection. Watch for unusual identity federation changes, new SSO configurations, and anomalous use of legitimate RMM tools — especially where the account that triggers the alert does not normally use those tools.
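As an added example (not from the original post), the following Python sketch shows the baseline-versus-anomaly check described above, run over constructed log events: the event format, event names, account names and binaries are all assumptions.

```python
"""Baseline check for the two signals discussed above: an account running an
RMM tool it has not used during the baseline window, and any identity
federation / SSO configuration change. Log format and event names are
constructed for this example, not taken from any real product."""
from collections import defaultdict

# Constructed sample events: (timestamp, account, event_type, detail)
BASELINE = [
    ("2025-04-01T09:00:00", "it.ops1", "process_start", "ScreenConnect.Client.exe"),
    ("2025-04-02T10:15:00", "it.ops1", "process_start", "AnyDesk.exe"),
    ("2025-04-03T11:30:00", "finance.jdoe", "process_start", "excel.exe"),
]
RECENT = [
    ("2025-04-14T14:02:00", "it.ops1", "process_start", "AnyDesk.exe"),
    ("2025-04-14T14:05:00", "finance.jdoe", "process_start", "AnyDesk.exe"),
    ("2025-04-14T14:20:00", "finance.jdoe", "idp_config_change", "federation_domain_added"),
]

# Remote-management binaries named in the post; lower-cased for comparison.
RMM_TOOLS = {"anydesk.exe", "screenconnect.client.exe"}
# Assumed event types for federation / SSO changes.
IDENTITY_CHANGE_EVENTS = {"idp_config_change", "sso_config_change"}


def build_baseline(events):
    """Map each account to the set of RMM binaries it ran in the baseline window."""
    seen = defaultdict(set)
    for _, account, etype, detail in events:
        if etype == "process_start" and detail.lower() in RMM_TOOLS:
            seen[account].add(detail.lower())
    return seen


def find_anomalies(recent, baseline):
    """Return (account, reason) pairs for events that deviate from the baseline.
    An RMM tool already in the account's baseline (it.ops1 + AnyDesk) is not
    flagged; a first use by another account is, as is any identity change."""
    alerts = []
    for ts, account, etype, detail in recent:
        tool = detail.lower()
        if etype == "process_start" and tool in RMM_TOOLS:
            if tool not in baseline.get(account, set()):
                alerts.append((account, f"first use of RMM tool {detail} at {ts}"))
        elif etype in IDENTITY_CHANGE_EVENTS:
            alerts.append((account, f"identity config change {detail} at {ts}"))
    return alerts


if __name__ == "__main__":
    for account, reason in find_anomalies(RECENT, build_baseline(BASELINE)):
        print(f"ALERT {account}: {reason}")
```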
