Scattered Spider: The Group Behind the Aviation Industry Attacks
Updated July 8, 2025.
Australia’s flagship airline, Qantas, has reportedly become the latest victim of attacks on the aviation industry conducted by Scattered Spider. This persistent and highly skilled cybercriminal group has been linked to dozens of attacks across the globe. The Qantas breach, though still unfolding, follows a consistent pattern of social engineering and credential abuse that has defined Scattered Spider’s operations since 2022.
This blog offers a comprehensive overview of Scattered Spider’s evolution, tactics, victims, and current threat level, drawing from a Scattered Spider Threat Actor Profile*, which compiles research and reporting about the actor. It serves as both a high-level summary and a deep dive for security professionals and threat intelligence teams seeking the latest insights on this active threat group.
Who Is Scattered Spider?
Scattered Spider is a financially motivated threat group that emerged in early 2022. Composed largely of native English-speaking young adults, the group is affiliated with a decentralized cybercrime community known as “The Com”—an underground network notorious for data theft, SIM swapping, extortion, and public harassment.
It has been reported that the group initially targeted the telecommunications and technology sectors in the US. Over time, their targets expanded to include business process outsourcing, hospitality, retail, media, entertainment, financial services, and more. Scattered Spider has primarily targeted English-speaking countries such as the United States, Canada, the United Kingdom, and Australia, but has also extended its attacks to nations including Singapore, India, Thailand, South Korea, Sweden, and the Cayman Islands.
The group is known to employ social engineering tactics, including phishing, as well as SIM swapping. By mid-2023, they allegedly began deploying BlackCat/Alphv ransomware and, in June-July 2024, started operating as a RansomHub and Qilin affiliate. In 2025, Scattered Spider added the DragonForce ransomware to their arsenal.
Scattered Spider has been tracked under several aliases, including Roasted 0ktapus, Octo Tempest, Storm-0875, Starfraud, UNC3944, Scatter Swine, and Muddled Libra.
Notable Attacks and Victims (2022–2025)
Here’s a brief look at a timeline of notable attacks and victims:
2022
Security researchers discovered that a campaign conducted by the group compromised 9,931 user accounts across over 130 organizations, primarily targeting those using Okta’s Identity and Access Management services. The campaign, active since at least March 2022, involved phishing sites mimicking Okta login pages to steal credentials and 2FA codes. The following organizations are allegedly victims of the campaign: Twilio, Cloudflare, Klaviyo, Mailchimp, DoorDash, LastPass, and T-Mobile.
2023
In 2023, Scattered Spider escalated its operations, targeting high-profile organizations across technology, finance, gaming, and hospitality. The group was linked to the breach of Riot Games, where attackers disrupted operations and demanded a $10 million ransom. Coinbase and Reddit were also compromised through sophisticated social engineering campaigns that exposed internal systems and corporate directories. Perhaps most notably, Scattered Spider played a key role in the MGM Resorts breach, initially gaining access via social engineering and later partnering with BlackCat/ALPHV ransomware operators.
2024
In 2024, Scattered Spider continued to expand its reach and sophistication, focusing heavily on phishing campaigns using lookalike domains to impersonate corporate login portals. One of the most prominent victims was Charter Communications, which was targeted through fake Okta domains as part of a broader campaign. The group’s phishing infrastructure showed a disturbing level of coordination, with vulgar and offensive elements embedded in the phishing kits to taunt victims. That same year, Scattered Spider broadened its geographic footprint, targeting organizations in Thailand (True Corporation), South Korea (Samsung), Sweden (Sinch), and the Cayman Islands (Binance). These attacks often followed a consistent pattern: credential harvesting via phishing, followed by social engineering and potential data exfiltration—demonstrating the group’s adaptability and continued threat to global enterprises.
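Both the 2022 Okta-themed phishing sites and the 2024 lookalike login portals depend on domains that visually resemble a real identity provider or company name, so one defender-side check worth having is a lookalike filter over outbound proxy or DNS logs. The Python below is an added example, not code from this post or from KELA; the protected brands ("acme" stands in for the organization's own name), the allowlist, the log format and the sample lines are all constructed assumptions.

```python
import re

# Brands to protect ("acme" is an assumed placeholder for the organization's own name).
PROTECTED_BRANDS = ("okta", "acme")
LEGIT_DOMAINS = {"okta.com", "acme.com"}  # domains allowed to carry those brands
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})  # digit swaps
HOST_RE = re.compile(r"\bdst=([a-z0-9.-]+)", re.IGNORECASE)

def edit_distance(a, b):
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(host):
    """Explain why `host` resembles a protected brand; None if it looks benign."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return None  # the real tenant, e.g. acme.okta.com or login.acme.com
    # Undo visual substitutions, then inspect each label between dots and hyphens.
    for label in re.split(r"[.-]", host.translate(HOMOGLYPHS)):
        label = label.replace("rn", "m")  # "acrne" renders much like "acme"
        for brand in PROTECTED_BRANDS:
            if brand in label:
                return f"label '{label}' embeds brand '{brand}'"
            if len(label) >= 4 and edit_distance(label, brand) <= 1:
                return f"label '{label}' is one edit from brand '{brand}'"
    return None

def flag_lookalikes(log_lines):
    """Return (host, reason) for each log line whose destination looks like a lookalike."""
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if m and (reason := lookalike_reason(m.group(1))):
            hits.append((m.group(1).lower(), reason))
    return hits

# Constructed sample proxy log lines (not from the original post).
SAMPLE_LOGS = [
    "2025-07-01T09:12:03Z user=alice dst=acme.okta.com action=allow",
    "2025-07-01T09:15:09Z user=bob dst=0kta-acme.net action=allow",
    "2025-07-01T09:16:22Z user=carol dst=acrne-login.com action=allow",
    "2025-07-01T09:17:58Z user=dave dst=okla.com action=allow",
    "2025-07-01T09:18:30Z user=erin dst=mail.google.com action=allow",
]
```

Run `flag_lookalikes(SAMPLE_LOGS)` to see the three suspicious destinations with their reasons; the allowlisted tenant and the unrelated domain are left alone.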
2025
In 2025, Scattered Spider intensified its global operations, launching a coordinated campaign against major U.K. retailers including Co-op, Marks & Spencer, and Harrods, often deploying DragonForce ransomware and using social engineering tactics to gain internal access. The attack on Co-op, for example, resulted in the theft of sensitive customer data, including password hashes, while Marks & Spencer experienced full ransomware deployment. The group also shifted focus toward U.S. retailers, with Google warning of similar tactics being used across the Atlantic.
And most recently, Qantas and other airlines were reportedly targeted in a cyberattack attributed to Scattered Spider. While details are still emerging, the incident is consistent with the group’s expanding victim profile and reinforces its status as a persistent and highly capable threat actor with a global reach.
Recommendations: How to Defend Against Scattered Spider
Despite the arrest of a few key members, Scattered Spider continues to pose a threat to organizations. To defend against Scattered Spider's tactics, organizations should:
Strengthen Help Desk Verification: Implement mandatory in-person or live video verification for new accounts and critical access changes.
Enhance Password/MFA Reset Validation: Require temporary manual workflows with at least two separate authentication factors and out-of-band communication for all resets.
Implement Robust Out-of-Band Verification: Apply out-of-band verification to all sensitive transactions.
Adopt Phishing-Resistant MFA and FIDO2 Keys: Implement cryptographic solutions like FIDO2 keys for privileged access.
Transition to Passwordless Authentication: Develop a roadmap for a complete transition to passwordless authentication to enhance security and user experience.
Educate Non-IT Staff: Provide mandatory, recurring training to all non-IT staff on data privacy, verification best practices, and the risks of using easily accessible personal data for identity verification.
Request the Full Threat Profile: KELA tracks threat actors like Scattered Spider across dark web communities, leak sites, and threat actor forums. While this blog summarizes third-party reporting, KELA offers tailored threat intelligence to help your organization stay ahead.
*KELA’s full report is available to customers; it also covers the Tactics, Techniques & Procedures (TTPs), arrests and key members, and more details from Scattered Spider’s playbook. For non-customers, contact KELA to access the complete Scattered Spider profile and get proactive with your cyber defense strategy.