Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportContact
Search
Portal LoginSupportContact
Search
Get a Demo
Start for Free
HomeThreat LibraryThreat Actors
Scattered Spider
Threat Actor Profile

Scattered Spider

Scattered Spider, also tracked as UNC3944, Starfraud, and Muddled Libra, is a prominent cybercriminal group active since at least 2022 (CISA). The collective is notorious for social engineering schemes, advanced phishing campaigns, and the use of Ransomware-as-a-Service (RaaS). Targeting industries like telecommunications, retail, healthcare, and critical infrastructure, their operations frequently revolve around data theft, extortion, and ransomware deployment.

Threat Actor Profile

Scattered Spider

Country of Origin

Scattered Spider’s origins are murky, but evidence suggests the group primarily operates from the US, UK, and Europe. Members are often young, tech-savvy English speakers who coordinate loosely via platforms like Telegram and Discord.

Members

Scattered Spider operates as a loosely affiliated network rather than a hierarchical organization. Arrests revealed members as young as 17, underscoring their reliance on digital natives adept at social engineering. The group continually recruits skilled individuals, complicating efforts to estimate group size or accurately profile members.

Leadership

The decentralized nature of Scattered Spider makes identifying formal leadership challenging. Publicly documented arrests in 2024 revealed key figures such as Tyler Buchanan (aka "TylerB") and Noah Urban (aka "King Bob"). However, the collective's fluid affiliations make broader disruption difficult.

Scattered Spider TTPs

Scattered Spider has evolved its tactics significantly since its emergence, blending technical skill with psychological manipulation.

Tactics

  • Focused on financial extortion, data exfiltration, and ransomware attacks.

  • Targets often include IT departments and helpdesk teams to exploit trusted relationships.

Techniques

  • Social Engineering:

    • MFA Fatigue (flooding users with authentication requests).

    • SIM Swapping to capture identity tokens.

    • Helpdesk impersonation to request credentials or authentication codes.

  • Phishing:

    • Advanced campaigns leveraging fake domains, smishing, and spear-phishing techniques.

  • Exploitation of Cloud Platforms:

    • Abuse of Active Directory and virtual environments to perform credential theft.

  • Living Off the Land (LOTL):

Misusing legitimate remote management tools like TeamViewer and ScreenConnect.

Procedures

  • Hosting short-lived phishing domains for data exfiltration.

  • Deploying malware, including Spectre RAT, Raccoon Stealer, and BlackCat ransomware.

  • Embedding within compromised organizations by monitoring internal communications.

Want to Shut Down Threats Before They Start?

Schedule a Demo Today

Notable Cyberattacks

MGM Resorts Breach (2023)

Threat actors used a simple social engineering call to deploy ransomware, impacting over 100 servers.

Caesars Entertainment Data Breach (2023)

Over 65 million loyalty accounts were compromised.

Twilio & MailChimp Campaigns (2022)

Phishing attacks led to large-scale credential and identity theft.

Riot Games (2023)

Stolen source code and a $10M ransom demand disrupted global operations.

Law Enforcement & Arrests

Despite several arrests in 2024, Scattered Spider's decentralized structure has allowed its operations to continue:

  • 2024 Arrests:

    • Multiple members apprehended in the US, UK, and Europe.

    • Key figures like Tyler Buchanan were indicted, yet broader deterrence remains elusive.

  • Cooperation Efforts:

    • Agencies like FBI and Europol are collaborating to dismantle the group’s infrastructure.

Glitch effectGlitch effect

How to Defend Against Scattered Spider

1

Employee Training:

Educate teams on recognizing social engineering attempts.

2

Enhance Authentication: Implement phishing-resistant MFA solutions like hardware-based tokens.

3

Restrict Access: Enforce least-privilege access policies in directories and systems.

4

Monitor and Respond: Deploy tools for endpoint detection and real-time threat monitoring.

5

Secure Backups: Maintain immutable and offline backups of critical data.

Huntress offers comprehensive endpoint detection and response solutions to pinpoint Scattered Spider activities. From phishing detection to remote access controls, our tools safeguard organizations against evolving threats.

References

Detect, Respond, Protect

See how the global Huntress SOC can augment your team
with 24/7 coverage and unmatched human expertise.
Start your free trial today.

Try Huntress for Free