Skip to main content
Threat IntelligenceEmerging Threats

Scattered Spider Morphs into Decentralized Cybercrime Network

Dimly lit, cluttered hackerspace with multiple workstations, notes, and tech gadgets.

On June 7, Group-IB published an analysis that reframes Scattered Spider not as a single, centrally run hacking gang but as a decentralized cybercrime collective made up of independent clusters that share methods and communities.

Group-IB’s reclassification: a collective tied by tactics

Group-IB’s report challenges the traditional view of Scattered Spider as a unified operation and instead describes a model in which multiple, smaller clusters operate separately while sharing tactics, tools and online communities. The firm likened the arrangement to the structure of the Anonymous hacktivist collective — separate actors using a shared identity without necessarily coordinating directly. Group-IB also noted that some activity previously attributed to Scattered Spider may have been carried out by unrelated actors.

Names, aliases, and a split of responsibility

The activity tracked under Scattered Spider has appeared in threat reporting under a range of labels, including 0ktapus, Muddled Libra, Octo Tempest and UNC3944. Group-IB specifically distinguished its 0ktapus tracking from the cluster linked to the Marks & Spencer and Co-op attacks, stating there is no evidence those incidents were operated by the same individuals. That differentiation underscores the firm’s central point: shared signatures and shared names do not necessarily mean a single command-and-control structure.

Recurring targeting patterns across clusters

Despite the decentralized organization, Group-IB identified several recurring targeting behaviors observed across the clusters it studied. These patterns form the connective tissue that allows intelligence and defensive guidance to travel between otherwise separate operators:

  • Employees at technology and communications companies used as access points into larger targets.
  • Mobile carrier staff targeted for SIM swapping operations that enable account takeover.
  • Cryptocurrency users targeted through fraud campaigns tied to credential theft and SIM swaps.
  • Enterprises compromised for extortion and ransomware activity, often as part of broader intelligence-gathering.

Social engineering and identity-provider phishing as a central technique

Group-IB’s analysis found that social engineering remains the consistent thread across clusters. Attackers frequently impersonate IT, security or human resources teams to persuade employees to hand over credentials or access. The report highlights the use of phishing pages that impersonate well-known identity providers, listing Okta, Microsoft, Citrix and Google as common targets for credential-harvesting pages.

The firm also observed combinations of enterprise compromise and cryptocurrency theft: attackers using stolen credentials, SIM swaps and phishing campaigns to both siphon digital assets and compromise organizations to learn more about potential victims. Some clusters have supplemented these techniques with commercial remote-access tools such as AnyDesk and by recruiting insiders at telecommunications companies to facilitate unauthorized access.

Clusters, arrests, and the limits of disruption

Group-IB argued that the decentralized nature of the collective helps explain why activity tied to Scattered Spider has continued despite arrests and disruption efforts directed at some alleged members. The firm concluded that targeting individual actors through law enforcement actions is unlikely to eliminate the broader threat because similarly skilled operators can reconstitute activity within separate clusters that share methods and markets.

How technologists, enterprises, and cryptocurrency users should respond

  • Technologists and security teams: focus defensive efforts on identity-based attacks and social engineering, particularly phishing pages impersonating Okta, Microsoft, Citrix and Google, and controls that mitigate SIM swap and credential-theft vectors.
  • Enterprises and procurement leaders: account for the likelihood that remote-access tools such as AnyDesk and insider-assisted telecommunications access are part of attackers’ playbooks when evaluating vendor controls, logging and privileged-access workflows.
  • Cryptocurrency users: be aware that fraud campaigns and SIM swapping are recurring tactics tied to clusters that also compromise enterprises for intelligence on victims; protections against account takeover and out-of-band authentication weaknesses are central to risk reduction.

Group-IB’s reclassification reframes the problem: defenders must act on a set of shared tactics rather than assuming dismantling a single gang will end the threat. The analysis makes a clear, operational claim — that common techniques link otherwise independent operators — and leaves a practical follow-on: strengthen identity defenses and social-engineering resilience where attacks repeatedly land.

Original story: Scattered Spider’s Structure More Like a Cybercrime Collective Than a Unified Gang — Infosecurity Magazine