The FBI and the Cybersecurity and Infrastructure Security Agency issued a joint advisory on July 30, 2025, warning that the cybercrime group known as Scattered Spider has deployed new techniques to launch attacks against multiple industries. The advisory highlights the group’s expanding scope and the urgent need for organizations to strengthen their defenses against sophisticated social engineering campaigns that have already cost victims hundreds of millions of dollars.
The Exploit Mechanics
Scattered Spider, also tracked as Muddled Libra, Octo Tempest, and UNC3944, specializes in social engineering tactics designed to trick companies into handing over employee credentials and bypassing multifactor authentication. The group operates through multiple subsets, each with its own targets and preferred techniques, rather than as a centralized unit. Their methods include phishing texts that harvest employee credentials, SIM swapping to intercept authentication codes, and impersonation of IT staff to manipulate help desks into resetting passwords. Once inside a target network, the group establishes persistence, exfiltrates sensitive data, and deploys ransomware to extort victims.
Affected Systems
The group’s reach extends across hospitality, telecommunications, retail, insurance, and aviation. Major victims include MGM Resorts, where a 2023 ransomware attack cost the company more than $100 million by disrupting hotel operations, locking guests out of rooms, and disabling slot machines. Clorox suffered months of product shortages after a breach that led to a $380 million lawsuit against its IT vendor. In April 2025, Scattered Spider launched attacks against Marks and Spencer, Harrods, and Co-op in the United Kingdom, costing an estimated 440 million British pounds. More recently, the group has targeted Aflac, Allianz Life, Philadelphia Indemnity Insurance, Hawaiian Airlines, and Qantas. Whole Foods distributor United Natural Foods warned that its breach could result in up to $400 million in lost sales. With Bitcoin trading around $117,800 and the total crypto market cap exceeding $2.3 trillion, the intersection of traditional finance and digital assets presents an increasingly attractive target for groups like Scattered Spider.
The Mitigation Strategy
Organizations must adopt a layered defense approach to counter Scattered Spider’s tactics. Implementing phishing-resistant MFA methods such as FIDO2 hardware keys can significantly reduce the effectiveness of credential theft and SIM swapping. Regular social engineering training for employees, particularly help desk staff, is critical since the group frequently impersonates IT personnel. Network segmentation limits lateral movement once an attacker gains entry, and zero-trust architecture ensures that every access request is verified regardless of origin. Security teams should also monitor for indicators of compromise associated with the group and establish rapid incident response protocols.
Lessons Learned
Scattered Spider’s success demonstrates that technical controls alone are insufficient when attackers exploit human psychology. The group consists largely of English-speaking young men, including many teenagers, from the United States and United Kingdom, yet their impact has been devastating. In November 2024, the Department of Justice charged five individuals connected to the group, and British authorities arrested four more in July 2025, but the decentralized nature of the collective means that arrests of individual members do not neutralize the threat. Organizations must treat social engineering as a primary attack vector and invest accordingly in both technology and training.
User Action Required
Individual users and organizations should immediately review their authentication methods and replace SMS-based MFA with hardware security keys wherever possible. Enable alerts for unusual login activity and verify any credential reset requests through multiple independent channels. Cryptocurrency holders should use hardware wallets for significant holdings and ensure that exchange accounts use the strongest available authentication methods. Security teams should review the FBI-CISA advisory and assess their exposure to the specific techniques documented in the report.
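The mitigation and user-action sections above both recommend alerting on unusual login activity around credential resets. As an added example (not code from the FBI-CISA advisory or this article), here is a detection rule a security team could run over identity-provider audit logs to surface the sequence a help-desk impersonation or SIM swap produces: a help-desk password reset or MFA factor removal followed shortly by a login from a never-seen IP or enrollment of a new factor. The event schema, field names, event-type strings and sample events are constructed assumptions, not any vendor's real log format.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events (sample data, not from any real
# tenant). Field names and event-type strings are assumptions for this example.
EVENTS = [
    {"ts": "2025-07-30T08:00:00", "user": "carol", "type": "login_success", "ip": "10.0.0.41"},
    {"ts": "2025-07-30T09:00:00", "user": "alice", "type": "login_success", "ip": "10.0.0.5"},
    {"ts": "2025-07-30T09:10:00", "user": "alice", "type": "helpdesk_password_reset", "ip": "10.0.0.9"},
    {"ts": "2025-07-30T09:12:00", "user": "alice", "type": "mfa_factor_removed", "ip": "10.0.0.9"},
    {"ts": "2025-07-30T09:20:00", "user": "alice", "type": "mfa_factor_enrolled", "ip": "203.0.113.7", "factor": "sms"},
    {"ts": "2025-07-30T09:21:00", "user": "alice", "type": "login_success", "ip": "203.0.113.7"},
    {"ts": "2025-07-30T11:00:00", "user": "carol", "type": "helpdesk_password_reset", "ip": "10.0.0.9"},
    {"ts": "2025-07-30T11:30:00", "user": "carol", "type": "login_success", "ip": "10.0.0.41"},
]

WINDOW = timedelta(hours=1)                      # how long a reset counts as "recent"
RESET_TYPES = {"helpdesk_password_reset", "mfa_factor_removed"}

def parse(ts):
    return datetime.fromisoformat(ts)

def find_suspicious_resets(events, window=WINDOW):
    """Flag help-desk credential or MFA resets that are followed, within
    `window`, by a login from an IP the user has never logged in from or by
    enrollment of a new MFA factor: the sequence a help-desk impersonation
    or SIM swap produces. Returns (user, timestamp, reason) tuples."""
    alerts = []
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse(e["ts"]))
        seen_ips = set()        # baseline of IPs this user has logged in from
        recent_resets = []      # reset events still inside the window
        for e in evs:
            t = parse(e["ts"])
            recent_resets = [r for r in recent_resets if t - parse(r["ts"]) <= window]
            if e["type"] in RESET_TYPES:
                recent_resets.append(e)
            elif e["type"] == "login_success":
                if recent_resets and e["ip"] not in seen_ips:
                    alerts.append((user, e["ts"],
                                   f"login from new IP {e['ip']} after {recent_resets[0]['type']}"))
                seen_ips.add(e["ip"])
            elif e["type"] == "mfa_factor_enrolled" and recent_resets:
                alerts.append((user, e["ts"],
                               f"{e.get('factor')} factor enrolled after {recent_resets[0]['type']}"))
    return alerts
```

In the sample data only alice is flagged (carol's post-reset login comes from an IP already in her baseline); in practice the baseline should be built from a longer history than the alert window.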
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always consult with qualified professionals for specific security recommendations.
Education is still the biggest barrier to mainstream adoption
The gap between crypto and TradFi is narrowing fast
The narrowing gap between crypto and TradFi security is a double-edged sword. Better tooling, but also a bigger attack surface for groups like this.
This is exactly the kind of development the space needs
The MGM and Clorox incidents cost over $480M combined, and they started with a simple phishing text. Social engineering remains undefeated.
Impersonating IT staff to reset passwords is embarrassingly low-tech, but it works because help desks are trained to be helpful, not suspicious.
phish_reel_ Help desks are the soft underbelly of every company. One convincing IT impersonation call and your MFA is bypassed.
Got SIM swapped in 2024 and lost access to everything for 6 hours. The fact that groups of 1000+ people are coordinating this at scale is terrifying.
Six hours without access must have been terrifying. Did you get everything back, or did they drain accounts?
The MGM attack started from one phishing text and cost $480M. The ROI on social engineering is why these groups exist.