
I am sharing an analysis of two groups making headlines in the cybersecurity landscape, along with the Sp1d3rHunters malware.
All information comes from open sources, so you can verify every detail presented in this article.
I wish you an excellent read.
1. General overview and history:
ShinyHunters is a financially motivated hacking group that emerged in 2020, believed to be an offshoot or successor of the 2019 breach seller GnosticPlayers. Some researchers noted operational similarities and even overlapping membership (one GnosticPlayers member “Prosox” allegedly went on to form ShinyHunters), although ShinyHunters has denied any direct connection, saying they were only inspired by GnosticPlayers’ tactics. The group primarily targets large troves of user data for theft and resale. In its early days (May 2020), ShinyHunters burst onto the scene by offering over 200 million stolen user records from multiple companies on dark web marketplaces.
This included 91 million accounts from Indonesia’s Tokopedia and 22 million from India’s Unacademy, among others. Around the same time, ShinyHunters claimed to have breached Microsoft’s private GitHub repositories, obtaining ~500 GB of source code (and leaked 1 GB as proof). Through mid-2020, the group continued a spree of data breaches (often referred to as “Stage 1” and “Stage 2” leaks) affecting services like Zoosk, HomeChef, Mindful, Chatbooks, Minted, etc., with hundreds of millions of user records stolen.
In late 2020, they leaked or sold databases from BigBasket (~20M users), Animal Jam (46M), Pluto TV (3.2M). Going into 2021, ShinyHunters kept breaching companies: e.g., Pixlr (1.9M users) and Nitro PDF (77M) were leaked in Jan 2021, as well as others like Bonobos and MeetMindful. In total, a U.S. indictment in mid-2021 linked ShinyHunters to selling data from over 60 companies, causing tens of millions of dollars in damages. One suspected core member, a 21-year-old Frenchman, was arrested in Morocco in May 2022 and is facing extradition to the US on charges related to ShinyHunters’ breaches. After a quieter period in 2022 (likely due to law enforcement pressure), ShinyHunters re-emerged in 2023-2024 with new tactics, targeting corporate cloud data stores (such as Snowflake data warehouses and Salesforce CRM systems) and engaging in more overt extortion. Notably, in 2023 ShinyHunters’ persona took on an administrative role on BreachForums, partnering with the admin “Baphomet” to relaunch the forum (after RaidForums was taken down).
By 2024-2025, ShinyHunters had formed an alliance with Scattered Spider to carry out high-profile data theft-extortion campaigns (the combined group referring to themselves as “Sp1d3rHunters”). Key incidents include the Ticketmaster/Snowflake breach in 2024 and a wave of Salesforce data thefts in 2025 impacting multiple large organizations.
2. Tactics, techniques and procedures (TTPs): ShinyHunters’ methods have evolved from straightforward credential theft to complex social engineering. Initially, the group relied heavily on phishing (email) to gain access – for example, FBI investigations revealed they sent developers emails linking to fake GitHub login pages, thus stealing credentials and breaching private code repositories (MITRE technique T1566.001 – Spearphishing Link). Once inside a network or service, ShinyHunters performs credential dumping (T1003) and lateral movement to consolidate access (for instance, dumping database credentials or Active Directory accounts to expand their reach). They have also engaged in brute-force or credential stuffing attacks (T1110) using previously leaked credential databases, leveraging reused passwords. A hallmark of ShinyHunters is the focus on data exfiltration over web services (T1567.002) – they exploit legitimate cloud or web APIs to extract large datasets.
For example, in the 2024-2025 Salesforce breaches, they abused the Salesforce Data Loader API or similar web interfaces to export entire CRM objects in bulk. During the Snowflake incident, they likely ran large queries or downloads via normal database access channels. By using approved channels, they avoid triggering malware alarms. In recent operations, ShinyHunters has adopted advanced social engineering akin to Scattered Spider: conducting vishing calls to employees or IT support to trick them into granting access or OAuth tokens, and setting up highly targeted phishing websites (e.g., fake Okta or Microsoft login pages) to capture credentials and MFA tokens.
This includes the “MFA fatigue” technique (T1621) – bombarding a user with push notifications until they approve, which ShinyHunters has leveraged via their collaboration with Scattered Spider. Notably, ShinyHunters typically does not deploy custom malware or ransomware in their breaches; instead, they live off the land using stolen credentials and legitimate tools. This makes detection challenging, as their activities blend in with normal user behavior.
3. Known victims and targeted sectors: ShinyHunters has compromised a wide range of organizations across multiple sectors and geographies. In 2020, their victims were largely online services and platforms: e.g., Tokopedia (91 million user accounts) and Wishbone (40M) in May 2020, Zoosk (30M), HomeChef (8M), Minted (5M) in subsequent weeks. They also leaked user databases from Wattpad (270M users), Havenly (interior design, 1.3M), Dave (fintech, 7M) in mid-2020, and in Nov 2020, BigBasket (20M) and Pluto TV (3.2M). In early 2021, ShinyHunters released data from Pixlr (1.9M) and Nitro PDF (77M) for free, plus others like MeetMindful (2.3M) and several Indian startups (BuyUCoin, Juspay, WedMeGood, etc.). One high-profile target in 2021 was AT&T – ShinyHunters began selling data on ~70 million AT&T wireless customers (including phone numbers, DoBs, Social Security Numbers). AT&T initially denied a breach, but in 2024 acknowledged an incident, suggesting ShinyHunters had indeed obtained their data.
Moving to 2023-2025, the group’s focus shifted to large enterprises and their cloud-stored data, often in partnership with Scattered Spider. Notable victims include Ticketmaster (via a compromised Snowflake account, leaking millions of ticket barcodes and user records), Allianz Life (USA) – in 2025 hackers stole ~2.8 million records of customers and partners from a Salesforce CRM – and several global companies in a Salesforce data theft wave: e.g., an Australian airline (Qantas), a luxury conglomerate (LVMH/Chanel), and other brands such as Pandora (jewelry) and Chanel (which confirmed breaches amid that campaign). In mid-2025, Google disclosed that one of its corporate Salesforce databases was breached by ShinyHunters (tracked by Google as UNC6040). In that incident, ShinyHunters accessed ~2.5 million records of prospective Google Ads customers, and attempted to extort 20 BTC from Google. The group later claimed the Google extortion was a “prank” (likely to brag rather than truly expecting payment). Sectors: Initially, ShinyHunters targeted mostly consumer-facing online services (e-commerce, social, tech platforms). Over time, their scope widened to telecommunications (AT&T), media/entertainment (Ticketmaster events), financial services and insurance (Allianz, possibly others), luxury retail (Chanel, LVMH), and aviation (Qantas). Essentially, any organization with a large trove of customer data is a potential target. Geographically, many victims are in the United States, but also Asia (Indonesia, India) and Europe (France – e.g., breaches involving French services or French user data). This underscores ShinyHunters’ global reach. The group’s impact is measured in the hundreds of millions of records stolen and traded on forums, making them one of the most prolific data breach actors of the last few years.
4. Modus operandi and tools used: ShinyHunters operates somewhat like a “breach brokerage” outfit. They are deeply embedded in the dark web leak forums ecosystem: they monetized data via forums like RaidForums and later BreachForums, where the ShinyHunters persona was both a major seller and even served as an administrator. This gave them a platform to both sell data dumps and, when needed, leak them for free (to show credibility or punish non-paying victims). In terms of technical tools, ShinyHunters is notable for not using custom malware or implants. Instead, they abuse legitimate tools and services of their victims: for example, using the Snowflake web interface/queries to extract data, or leveraging the Salesforce Data Loader (an official admin utility) to export CRM data.
In fact, by mid-2025 they reportedly switched to a custom Python script to expedite Salesforce data exfiltration, after victims started monitoring Data Loader usage. This shows their adaptability in crafting or modifying tools as needed. For initial compromise, ShinyHunters often capitalized on credentials obtained through phishing or purchased from other threat actors. Notably, a 2024 analysis by threat intel firm Hudson Rock indicated that infostealer malware logs (from malware like RedLine) contained many corporate credentials (e.g., Snowflake credentials) that ShinyHunters then used to breach those companies’ data. Thus, they leverage the cybercrime underground effectively: if employees’ machines are infected by generic malware, ShinyHunters can later exploit those stolen login details to access cloud systems (if MFA isn’t enforced). On the extortion side, ShinyHunters is known for negotiating ransoms and public shaming. They communicate through forum posts and emails to victims, often making sensational claims to pressure companies.
For example, their Ticketmaster ransom note threatened to leak 680 million user records plus millions of ticket barcodes if not paid. They backed this by releasing samples and even a “tutorial” on how to use the stolen barcodes. They interact with media outlets or leak sites (e.g., sending data to journalists or leak blogs) to amplify their extortion. Regarding C2 infrastructure, none is typically needed in the classic sense since they do not deploy persistent malware – once they have credentials, they operate via normal web traffic (e.g., logging in via VPN or cloud API). This lack of traditional C2 is one reason they are hard to detect via network signatures.
For communications among themselves or with the community, ShinyHunters (in mid-2025) attempted to use Telegram – launching a channel called “Scattered Lapsus$ Hunters” in August 2025 along with Scattered Spider. That channel was used for a brief time to taunt security firms and announce potential new tools (like a ransomware), but it was taken down by Telegram after a few days.
In summary, ShinyHunters’ MO is characterized by stealth and legitimate abuse: obtaining authentic credentials, logging in as a valid user, using built-in export functions or APIs, and quietly exfiltrating data, followed by high-profile extortion demands on public forums.
5. Known IOCs (Indicators of Compromise): Since ShinyHunters does not use custom malware, IOCs are mostly related to their infrastructure and behaviors:
- Online personas and aliases: The handles “ShinyHunters”, “Shiny”, “Sp1d3r”, and “Sp1d3rHunters” are strongly associated with the group across various forums. Monitoring appearances of these names (or slight variations) on dark web forums and leak sites can yield early warning of new activity (for instance, ShinyHunters famously used those names on RaidForums/BreachForums as a seller and even admin).
- Phishing domains: ShinyHunters (especially when teamed with Scattered Spider) has been observed setting up phishing pages tailored to targets. These often mimic SSO login pages (Okta, Microsoft, etc.), frequently on lookalike domains. For example, domains incorporating company names with words like “login”, “auth”, “account” but under odd TLDs (.app, .info, etc.) were used in 2024-2025 campaigns. While specific domains are taken down quickly, patterns include use of generic SSL certificates (Let’s Encrypt) and hosting on bulletproof VPS infrastructure. Any detection of such domains targeting your organization should be treated as an IOC of attempted attack.
- Exfiltration patterns: One IOC is the occurrence of unusually large data transfers via web APIs. For example, logs showing a single user or service account extracting an entire database via API calls (e.g., a sequence of Salesforce API queries pulling thousands of records each), or a Snowflake user issuing select queries returning millions of rows at off hours. These are behavioral IOCs indicating the presence of an intruder engaged in bulk data theft.
- Unusual OAuth applications: In the Salesforce attacks, the threat actors tricked employees into approving a malicious OAuth app which gave API access to the data. The presence of unknown or suspicious OAuth integrations in your cloud accounts (especially those requesting broad data permissions) is a strong indicator of compromise.
- Previous leaked data appearances: If your organization’s user data suddenly appears for sale on a dark web forum where ShinyHunters is known to operate, that is obviously an IOC that you’ve been breached. ShinyHunters often dumped data in stages – for example, they leaked databases of 25 companies for free in mid-2020. Organizations should monitor leak sites (or use threat intel services) to quickly identify if their data is in a breach dump.
- IP addresses and hosts: ShinyHunters leverages legitimate access, so their source IPs may often be cloud servers or residential proxies. However, some anomalies can stand out: for instance, logins to corporate services from IP ranges not normally associated with your users (e.g., an AWS or Azure address when users normally come from ISP networks). In the Google breach, Google noted seeing Python scripts making data requests instead of standard tools. This might correspond to user-agent or script usage patterns that could be flagged (though details were not public).
- File hashes: There isn’t a known malware hash for ShinyHunters (no custom RAT or virus), but there are file hashes for leaked databases they’ve published (e.g., Nitro PDF 77M users dump had a known MD5). If those appear on internal systems, it implies someone downloaded the breach data. Also, any file artifacts of their exfil scripts (if captured) would be valuable, but thus far none have been shared publicly.
Status of IOCs: Many infrastructure IOCs (domains, specific IPs) tied to ShinyHunters are transient; they often expire or are taken down quickly. BreachForums itself was seized, and any accounts there are moot now. Therefore, defense should focus on telltale behaviors as IOCs (e.g., abnormal data export). That said, tracking ShinyHunters’ forum announcements via threat intel channels remains important – they often pre-announce or advertise breaches, which can be a critical IOC for impending data leaks.
6. Links or correlations with the other entities: ShinyHunters is tightly linked to Scattered Spider in recent operations. Starting in 2024, evidence shows they collaborated: ShinyHunters themselves admitted that they work with Scattered Spider, stating “ShinyHunters and Scattered Spider are one and the same” when it comes to these attacks. Essentially, Scattered Spider provides initial access, and ShinyHunters handles the data dumping and extortion, a partnership they dub “Sp1d3rHunters”.
This was clearly observed in the Snowflake/Ticketmaster incident and the Salesforce breaches where both groups’ TTPs were present. There’s also overlap with the LAPSUS$ group: in August 2025, a Telegram channel named “scattered LAPSUS$ hunters” emerged combining references to all three (ShinyHunters, Scattered Spider, Lapsus$). The channel suggested a pooling of members or at least a close alliance, and even mentioned developing a joint ransomware “ShinySp1d3r”.
Although that channel was quickly shut down, it indicates that certain threat actors operate across these groups or at least coordinate. Moreover, both Scattered Spider and Lapsus$ have been associated with the same hacker community called “The Com”, an English-speaking network of SIM swappers and cybercriminals.
It’s believed that The Com is a loose collective from which Scattered Spider originated and that also had Lapsus$ members, hence the natural alignment. In summary, ShinyHunters should not be viewed in isolation in the 2023-2025 timeframe – they are part of an e-crime cluster. The Sp1d3rHunters collaboration effectively merges ShinyHunters’ data theft specialty with Scattered Spider’s social engineering prowess, making a potent combined threat. Therefore, any analysis of ShinyHunters’ threat should consider Scattered Spider’s involvement (and vice versa), and even the influence of Lapsus$-style tactics.
7. Threat level assessment:
- For CERT (Incident Response Teams): ShinyHunters presents a high-priority threat to incident responders. The nature of their attacks (stealthy data breaches often discovered only when data is leaked or a ransom demand is received) means a CERT might be reacting to an incident that has been ongoing undetected for weeks or months. The potential scope (millions of records) and multi-jurisdictional impact (users across countries) add complexity. A corporate CERT facing ShinyHunters needs strong capabilities in forensics, especially cloud forensics (examining SaaS logs for unusual access) and coordination with legal and PR teams due to the likely data breach disclosure obligations. At a national CERT level, ShinyHunters is significant because they have hit numerous organizations in critical industries (tech, telecom, finance), implying many others could be targeted. The threat level is severe – an attack can result in loss of valuable data (IP or PII) and require notifying regulators and customers, not to mention potential follow-on fraud if personal data is leaked. The likelihood of large enterprises being targeted by ShinyHunters (or their affiliates) is non-trivial, as evidenced by the broad victim list, and the impact is high given the volume of data and public exposure. CERTs should treat any suspected ShinyHunters incident as a major incident, likely requiring a full incident command structure and possibly law enforcement engagement. Speed is critical: ShinyHunters can exfiltrate data rapidly, so containment must happen as soon as even a hint of their presence is detected.
- For SOC (Security Operations Center): From a SOC perspective, ShinyHunters is a stealthy, data-focused adversary. The threat level is critical, since traditional SOC detection may not catch them – they don’t drop malware or trigger IDS signatures easily. SOC analysts must rely on behavioral analytics and anomalies (as described earlier). The presence of ShinyHunters in your network might only manifest as irregular user behavior (e.g., an employee account performing large data exports at odd times). A SOC must therefore have use-cases for detecting such anomalies (e.g., alerts for mass data downloads, suspicious creation of OAuth apps, unusual login patterns). This expands the SOC’s monitoring scope into cloud services and employee actions, which can strain resources if not already in place. Additionally, because ShinyHunters often reveal themselves through external leaks (e.g., a forum post with your data), a SOC might need to integrate threat intelligence monitoring into its workflow – effectively watching external sources for signs of compromise. The SOC’s challenge is twofold: detection and response. In response, they must be prepared to handle potentially enormous data theft incidents – containing access, preserving evidence, and supporting the CERT in analysis. Given the alliance with Scattered Spider, SOCs should also be prepared that an initial alert (like a suspicious MFA push or helpdesk call) could be the start of a ShinyHunters data theft chain. So, the SOC requires a heightened state of awareness. The overall threat is high – an unprepared SOC could entirely miss the exfiltration until the damage is done. Thus, improving logging and monitoring of cloud environments is a key mitigation for SOCs to handle this threat.
- For CISO (Chief Information Security Officer): ShinyHunters poses a strategic risk to organizations. The threat level is very high in terms of potential damage – primarily reputational and regulatory, in addition to direct financial loss (extortion demands or breach fines). A successful ShinyHunters attack means a company’s customer or proprietary data is in criminal hands and possibly public, eroding customer trust. The CISO should assume that if attackers like ShinyHunters gain access, they will manage to steal large datasets given their track record, so prevention and early detection are paramount. The likelihood of being targeted depends on the nature of the business – companies with millions of user records (tech firms, e-commerce, etc.) or valuable data (credentials, personal data) are at higher risk. As ShinyHunters has shown willingness to collaborate (e.g., with Scattered Spider), even organizations with strong perimeter defenses can be breached via social engineering or third-party compromise. The CISO must thus focus on resilience and readiness: ensuring the company has robust data access controls, cloud security posture management, and an incident response plan that covers large-scale data breaches and extortion. This includes practicing how to handle a leak of internal data, communications with stakeholders, and possibly deciding on ransom responses (in alignment with legal counsel, as paying is generally discouraged and in some jurisdictions illegal). Another aspect is intelligence sharing – the CISO should ensure the organization is plugged into ISACs or other industry groups to get early warnings of tactics like those used by ShinyHunters. Strategically, the rise of ShinyHunters-type threats means CISOs need to advocate for stronger identity security (e.g., phishing-resistant MFA at scale, zero trust principles) and cloud security controls, which historically have lagged on monitoring. 
On a positive note, ShinyHunters’ brazenness (public leaks) means if a breach occurs, it will likely come to light rather than remain hidden – but that’s double-edged, as it forces a very public incident. Overall, the CISO should rate this threat as high severity/high probability (for relevant industries), necessitating board-level attention and possibly increased budget allocation for preventative measures.
8. Detection and mitigation recommendations:
- Enforce strong authentication and account hygiene: Implement phishing-resistant MFA (such as FIDO2 security keys or app-based push with number matching) for all critical accounts. Basic MFA (SMS, push without context) is no longer sufficient given MFA fatigue attacks. Ensure that high-privilege accounts (admins, developers with code access) use hardware-based authentication where possible. Regularly audit accounts for unused or excessive privileges, and remove access that isn’t needed (ShinyHunters often exploits accounts that have broad access, like a forgotten admin or an over-privileged service account). Use unique, strong passwords and consider password rotation policies for accounts integrating with third-party platforms (as those credentials, if leaked, can be weaponized, as happened with infostealer logs). Monitor for credential leakage – subscribe to breach notification services or dark web monitoring that can alert if employee corporate credentials appear in dumps.
- Monitor cloud and data access activities: Deploy robust monitoring on your key data stores (cloud or on-prem). For SaaS like Salesforce, Snowflake, AWS, use their logging capabilities to track query and export activities. Set up threshold alerts: e.g., if a single user account reads or exports an unusually large number of records, triggers should fire. Leverage Data Loss Prevention (DLP) tools to detect large data downloads or uploads to external sites. In practice, companies targeted by ShinyHunters noticed large queries or data transfers only after the fact – proactive detection might have caught these. Also monitor for the creation of new third-party apps or API tokens in your environment.
The moment an unrecognized OAuth app is authorized, especially with read access to sensitive data, treat it as suspicious. These measures can help detect the kind of stealthy data exfiltration ShinyHunters performs.
- Strengthen helpdesk and social engineering defenses: Since ShinyHunters may collaborate with groups like Scattered Spider, train your IT support staff to recognize and handle vishing attempts. Implement strict verification procedures for any password resets or MFA resets requested via phone/email. For instance, require support staff to call the requester back on a known number, or verify a secondary piece of information that attackers wouldn’t easily have. You can introduce secret verification codes for internal support interactions, or use identity verification tools. Regularly conduct social engineering drills targeting your helpdesk and employees (including spear-phishing simulations) to keep awareness high. The emphasis should be on resisting urgency and verifying identities – many ShinyHunters/Scattered Spider successes come from creating a false sense of urgency or authority.
- Limit data access and employ need-to-know: Review who can access critical data sets (customer data, databases, etc.). Employ network segmentation and zero trust principles for data access. For example, employees shouldn’t be able to directly query production databases with millions of records from their workstation. Use just-in-time access provisioning for sensitive systems: require an extra approval step for mass export operations. Had the victims implemented tighter data segmentation or export controls, ShinyHunters might not have been able to grab everything in one go. Consider implementing anomaly-based safeguards: e.g., if a query attempts to pull an entire dataset, require manager approval or multi-party confirmation.
- Improve detection of credential abuse and anomalies: Set up UEBA (User and Entity Behavior Analytics) in your SIEM or XDR solution to identify when a legitimate user account behaves abnormally – e.g., logging in from an unusual location or at odd hours, then accessing large amounts of data. Cross-correlate logs from different sources: an alert by a cloud service (like unusual API usage) combined with a suspicious VPN login could indicate an ongoing breach. Also, deploy PowerShell logging and command-line monitoring on key systems: although ShinyHunters doesn’t use malware, any attempt to run mass export scripts or tamper with security settings (like disabling Defender via PowerShell, as seen in Scattered Spider’s toolkit) should be flagged and investigated immediately.
- Prepare a data breach response plan: Given ShinyHunters’ modus operandi, have a solid data breach incident response plan ready. This should include steps for internal containment (revoking compromised credentials, plugging the breach), forensic preservation (especially of cloud logs which can be volatile), external communications (draft templates for notifying customers/regulators within required timeframes), and engaging law enforcement. Decide in advance the stance on ransom payments with input from legal – law enforcement advises against paying, as ShinyHunters may not honor deletion promises or might return later. Practice this plan via tabletop exercises. When Google faced the Salesforce breach, they were able to quickly analyze and respond, partly thanks to prior awareness and planning. Similarly, planning can significantly limit damage and speed up response if the worst happens.
- Collaborate and share threat intel: ShinyHunters operates across many industries – sharing information can be a strong defense. Participate in industry ISACs or local CERT information-sharing programs to get timely intelligence on active campaigns. For example, alerts from other companies or official sources (like the CISA alert on Scattered Spider tactics) might tip you off to relevant TTPs or IOCs. If your organization is attacked, consider submitting key IOCs (anonymously if needed) to intel-sharing platforms so others can benefit. ShinyHunters often reused certain tactics or infrastructure across multiple targets, so one organization’s detection could prevent another’s breach. Also, maintain contact with law enforcement cyber units – in some cases, they can provide decryption tools or confirm if stolen data has been recovered, etc., given ShinyHunters members have been arrested and infrastructure seized. In short, no organization should battle this threat alone; a community defense approach is recommended.
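As an added example (not code from the article or from any vendor), the following Python script applies the behavioral IOCs listed in section 5 (bulk API reads by one account, off-hours queries returning millions of rows, broad OAuth grants, scripted clients) and the monitoring thresholds recommended in this section to constructed sample events. The event schema, threshold values and client strings are assumptions, not the real Salesforce or Snowflake log formats.

```python
"""Behavioral detections for bulk SaaS data theft (added example, not code from
the article or from any vendor). Events use a simplified, CONSTRUCTED schema,
not the real Salesforce or Snowflake log formats; thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed starting points; tune to your own baseline).
ROWS_PER_WINDOW = 100_000       # rows one account may read per WINDOW before alerting
WINDOW = timedelta(hours=1)
BIG_QUERY_ROWS = 1_000_000      # a single query this large is notable at any hour
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time
BROAD_SCOPES = {"full", "api", "refresh_token"}                  # OAuth scopes treated as broad
SCRIPT_CLIENT_PREFIXES = ("python-requests/", "python-urllib/")  # assumed client strings

# Constructed sample telemetry: a service account, a normal analyst, an account
# scripting bulk reads at night after a broad OAuth grant, and one huge query.
EVENTS = [
    {"ts": "2025-07-01T02:10:00", "user": "svc-crm-sync", "type": "query", "rows": 2_000, "client": "DataLoader/58"},
    {"ts": "2025-07-01T02:40:00", "user": "svc-crm-sync", "type": "query", "rows": 2_000, "client": "DataLoader/58"},
    {"ts": "2025-07-01T10:05:00", "user": "m.lee", "type": "query", "rows": 25_000, "client": "DataLoader/58"},
    {"ts": "2025-07-01T10:30:00", "user": "m.lee", "type": "query", "rows": 25_000, "client": "DataLoader/58"},
    {"ts": "2025-07-01T14:00:00", "user": "m.lee", "type": "oauth_grant", "app": "Calendar Sync", "scopes": ["calendar.read"]},
    {"ts": "2025-07-01T21:50:00", "user": "j.doe", "type": "oauth_grant", "app": "Quick Export Helper", "scopes": ["api", "refresh_token"]},
    {"ts": "2025-07-01T23:15:00", "user": "a.smith", "type": "query", "rows": 3_500_000, "client": "SnowflakeSQL/1.0"},
] + [
    {"ts": f"2025-07-01T22:{5 * i:02d}:00", "user": "j.doe", "type": "query", "rows": 10_000, "client": "python-requests/2.31"}
    for i in range(12)  # 12 reads of 10k rows in 55 minutes = 120k rows total
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def detect_bulk_reads(events):
    """Sliding-window sum of rows read per account; alerts once the sum exceeds
    ROWS_PER_WINDOW inside any WINDOW (the 'entire database via API' pattern)."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "query":
            by_user[e["user"]].append((parse_ts(e["ts"]), e["rows"]))
    for user, reads in by_user.items():
        reads.sort()
        total, start = 0, 0
        for end in range(len(reads)):
            total += reads[end][1]
            while reads[end][0] - reads[start][0] > WINDOW:  # slide the window forward
                total -= reads[start][1]
                start += 1
            if total > ROWS_PER_WINDOW:
                alerts.append({"rule": "bulk_read", "user": user, "rows": total,
                               "window_start": reads[start][0].isoformat(),
                               "window_end": reads[end][0].isoformat()})
                break  # one alert per account is enough for triage
    return alerts


def detect_off_hours_big_queries(events):
    """A single query returning millions of rows outside business hours."""
    return [{"rule": "off_hours_big_query", "user": e["user"], "rows": e["rows"], "ts": e["ts"]}
            for e in events
            if e["type"] == "query" and e["rows"] >= BIG_QUERY_ROWS
            and parse_ts(e["ts"]).hour not in BUSINESS_HOURS]


def detect_broad_oauth_grants(events):
    """Newly authorized OAuth app requesting broad data permissions."""
    alerts = []
    for e in events:
        if e["type"] == "oauth_grant":
            broad = BROAD_SCOPES & set(e["scopes"])
            if broad:
                alerts.append({"rule": "broad_oauth_grant", "user": e["user"],
                               "app": e["app"], "scopes": sorted(broad)})
    return alerts


def detect_script_clients(events):
    """Data requests made by a scripting client rather than a sanctioned tool."""
    alerts, seen = [], set()
    for e in events:
        client = e.get("client", "").lower()
        if e["type"] == "query" and client.startswith(SCRIPT_CLIENT_PREFIXES) and e["user"] not in seen:
            seen.add(e["user"])
            alerts.append({"rule": "script_client", "user": e["user"], "client": e["client"]})
    return alerts


def run_detections(events):
    """Run every rule and return the combined alert list."""
    return (detect_bulk_reads(events) + detect_off_hours_big_queries(events)
            + detect_broad_oauth_grants(events) + detect_script_clients(events))


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

In the sample data only the scripted night-time account, the broad OAuth grant and the one multi-million-row query fire; the service account and the daytime analyst stay below threshold, which is the baseline you would tune against real telemetry.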
9. Timeline of major events:
- May 2020: ShinyHunters emergence. The group appears on dark web markets, selling breaches like Tokopedia (91M accounts) and Unacademy (22M). Within weeks, they also claim a breach of Microsoft’s GitHub (500GB of source code) and leak some of it, proving their capabilities. This month also sees them leak the entire user database of Wishbone (~40M records). Security researchers and media start paying attention to this new prolific actor.
- Mid-2020 (June–July): “Stage 1 & 2” mass leaks. ShinyHunters dumps databases from over a dozen companies on hacker forums. In early July, they release data from 18 companies (~386 million records) for free – including Wattpad (270M users) and others – in what appears to be a move to build reputation (mirroring GnosticPlayers’ style). By now, they’ve leaked or sold over 500M records in total, establishing themselves among the top breach brokers.
- Late 2020: Continued breaches. In November, ShinyHunters sells BigBasket’s 20M customer database and leaks Animal Jam (46M) and Pluto TV (3.2M) records. The group also begins leaking smaller or regional services (like Indonesian, Indian platforms), suggesting a broad targeting scope. Cybersecurity firms start linking their dumps to earlier mega-breaches by GnosticPlayers, fueling speculation they might be connected.
- Jan 2021: New leaks and India focus. ShinyHunters leaks Pixlr (1.9M users) and Nitro PDF (77M) user records on forums, free of charge. They also leak several Indian companies’ databases (Juspay, WedMeGood, etc.), indicating a spree in that region. Around this time, they put up AT&T’s alleged database (70M) for sale, which AT&T initially denies. The overall number of companies victimized exceeds 50 by early 2021.
- Mid-2021: Law enforcement action. On June 23, 2021, a U.S. grand jury indicts members of ShinyHunters for hacking and selling data from over 60 companies. The indictment (and a second superseding one in 2022) lists victims like Pixlr, Bonobos, Nitro, Tokopedia, BigBasket, etc., and identifies a French suspect, Sébastien Raoult, as part of the conspiracy. In parallel, cybersecurity firms estimate ShinyHunters’ earnings in the “tens of millions” of USD from these sales. This legal pressure likely forces the group to lie low for a period. Raoult is arrested in Morocco in May 2022 on a U.S. warrant.
- 2022: Regrouping and BreachForums involvement. While one member awaits extradition, ShinyHunters activity slows in terms of new public breaches. However, behind the scenes, they maintain presence on forums. In 2022, the original RaidForums is taken down by authorities; in April, a new forum BreachForums arises. June 2022-June 2023: The ShinyHunters persona partners with “Baphomet” (admin of BreachForums) to help moderate and grow the forum. This involvement indicates ShinyHunters diversifying – not just selling data, but facilitating a marketplace for all breach data. In late 2022, some incidents (like a reported AT&T data leak of 23M records in Nov 2022) are attributed to ShinyHunters, but confirmation is unclear. The group likely continues to accumulate breaches or buy access but doesn’t do big public dumps during this period.
- Early 2023: Prelude to collaboration. In early 2023, a series of breaches occur (e.g., AT&T 9 million customer CDR leak reported in March, possibly ShinyHunters; Weee! grocery app breach of 1.1M in Feb claimed by ShinyHunters). Meanwhile, Scattered Spider (UNC3944) is active with social engineering attacks (e.g., MGM/Caesar’s in Sept 2023). By mid-2023, ShinyHunters and Scattered Spider likely establish ties as they plan to target cloud data sources. In June 2023, BreachForums (run by Baphomet with ShinyHunters’ help) suffers a setback – its v2 domain is seized after the FBI arrest of Baphomet. However, ShinyHunters apparently launches BreachForums v3 later in 2023, using alt accounts (until it disappears inexplicably in April 2025). This shows ShinyHunters’ attempts to keep a foothold in the leak market despite law enforcement pressure.
- May 2024: Snowflake mega-breach (Ticketmaster). ShinyHunters (with Scattered Spider) compromises a Snowflake data warehouse that hosts data for numerous companies (estimated 160 organizations impacted). Among them is Ticketmaster. On BreachForums, a new user “Sp1d3rHunters” (implicitly Scattered Spider’s persona “Sp1d3r” rebranded) posts an extortion message on July 4, 2024. They claim to have stolen Ticketmaster’s customer database and 170k Taylor Swift concert ticket barcodes, offering them for sale or leak. They demand $2 million, threatening to leak 680M user records plus 30M event tickets for various concerts and sports if not paid. This marks the first public appearance of the Sp1d3rHunters moniker, explicitly tying ShinyHunters (the data thieves) and Scattered Spider (initial access via “Sp1d3r”) together. Ticketmaster responds stating stolen barcodes can’t be used due to dynamic refresh (SafeTix) and refuses to negotiate, effectively calling the bluff.
- July 2024: Leak and escalation. In response to Ticketmaster’s stance, Sp1d3rHunters leaks the 170,000 stolen ticket barcodes on BreachForums. They also list on the forum how to use those barcodes to gain entry to events, demonstrating the potential harm. This public leak garners media attention – it’s an unusual breach impacting a pop culture event (Taylor Swift’s tour). Ticketmaster downplays risk, but the incident highlights the threat of third-party data store compromise (the root cause was Ticketmaster’s Snowflake credentials being compromised). Meanwhile, ShinyHunters (through the Sp1d3rHunters alias) denies Ticketmaster’s claims that the barcodes are unusable, stating they also obtained “print-at-home” tickets with static barcodes. This exchange shows the attackers actively countering the victim’s public statements.
- Late 2024: Widespread cloud breaches. Through latter 2024, multiple companies quietly suffer data breaches via cloud services. Reports surface of leaks at AT&T (again) – in October, Kaspersky notes an actor (Sp1d3rHunters) leaking data purportedly from AT&T’s Snowflake (including cell phone barcode records). Similarly, Neiman Marcus, Bausch & Lomb, Advance Auto Parts are mentioned as breached via infostealer-obtained credentials to Snowflake. Many of these incidents are not fully publicized, but threat intel indicates Sp1d3rHunters was behind a spree of Snowflake intrusions affecting various sectors (retail, eyewear, automotive). This demonstrates the group’s scalable technique: using stolen logins to raid data warehouses across industries.
- June–July 2025: Salesforce data theft campaign. Google’s Threat Intelligence Group (GTIG) publishes a blog in June 2025 warning of ongoing attacks targeting Salesforce CRM systems. The threat actor UNC6040 (identified as ShinyHunters) is said to be behind these, using voice-phishing to get OAuth access. Around the same time, companies like Allianz Life (insurance) and Qantas (airline) confirm breaches of third-party CRM data (Allianz on July 16, 2025). Allianz’s entire Salesforce “Contacts” and “Accounts” tables (2.8M records) were stolen and leaked by the attackers, who claimed credit on a Telegram channel. On August 9, 2025, Google publicly confirms its own Salesforce breach: it says ShinyHunters (UNC6040) accessed a database of 2.55M prospective Google Ads customers. Google notes the attackers were in their system for a brief window and data taken was mainly business contact info. ShinyHunters tells media they worked with Scattered Spider on these breaches (the initial access provided by Scattered Spider), and emphasize “ShinyHunters and Scattered Spider are one and the same” in this campaign. They dub the collaboration “Sp1d3rHunters” openly. ShinyHunters also admits they demanded ~20 BTC from Google, but claim it was just to “have a laugh” and they didn’t actually expect payment. By now, ShinyHunters are using a custom Python exfiltration tool (instead of Salesforce Data Loader) to speed up theft, and Google acknowledges seeing such scripts used.
- August 2025: Alliances and takedowns. On Aug 8, a Telegram channel titled “scattered LAPSUS$ hunters – The Com HQ” appears. It associates ShinyHunters, Scattered Spider, and Lapsus$, and claims to be the HQ of “The Com”. On this channel, they boast about breaches (including the Allianz Life leak), taunt security companies, and announce they are developing a RaaS (ransomware-as-a-service) platform called “ShinySp1d3r” to compete with LockBit. The channel gains thousands of subscribers but is shut down by Telegram after 3 days, likely for violating terms. Around the same time (Aug 8), four individuals in France are arrested by French police (BL2C) for allegedly running BreachForums, and one of those is believed to be the ShinyHunters persona. On Aug 10, ShinyHunters (or someone posing as them) posts a message via DataBreaches.net claiming that BreachForums is now controlled by law enforcement (a honeypot). They reveal that their alt admin accounts “Anastasia” and “Hollow” were both them (one person) and have been compromised by police. This effectively signals the end of ShinyHunters’ overt presence on forums. These events – Telegram ban and key arrests – deal a significant blow to Sp1d3rHunters’ operations. International law enforcement collaboration (FBI, DOJ with French police) has clearly escalated against them.
- Late 2025: Aftermath and current status. With BreachForums under control and Telegram presence wiped, ShinyHunters/Sp1d3rHunters have largely gone quiet publicly. The remaining members likely reverted to operating in private channels or different aliases. The high-profile nature of their crimes means any small activity could be under watch. However, threats remain: leaked data from previous attacks continue to circulate, and there are concerns the group may rebrand or its members join other crews. The alliance with Scattered Spider, for example, might persist informally even if “Sp1d3rHunters” isn’t used as a name anymore. Strategically, August’s crackdown marked the peak and partial fall of Sp1d3rHunters. Yet, similar attack patterns (cloud data theft + extortion) are expected to continue by other actors following the blueprint they set.
10. Strategic evaluation (future trends & likelihood of attacks): ShinyHunters exemplifies the evolution of cybercrime towards data-centric extortion. Future trends: We anticipate that more threat actors will adopt ShinyHunters’ approach of targeting cloud infrastructure and third-party services as these often yield massive data with a single credential. The collaboration between ShinyHunters and Scattered Spider indicates a trend of specialization and alliance: initial access brokers teaming up with data thieves for mutual benefit. This model (seen in Sp1d3rHunters) could inspire similar partnerships, blurring group lines. Another trend is the convergence of data extortion and ransomware. While ShinyHunters historically did not encrypt data, their discussions about launching “ShinySp1d3r” ransomware suggest that even groups focused on leaks are considering adding encryption to double their leverage.
Conversely, ransomware groups might increasingly steal data for extortion, as that tactic has proven effective for ShinyHunters. Therefore, future attacks may be hybrid, involving both data theft and system encryption, maximizing damage. Strategically, ShinyHunters’ aggressive public leaks and taunting brought swift law enforcement attention. This may deter groups from being as overt; we might see a shift back to quieter monetization (selling data on marketplaces rather than public leaking) to avoid drawing heat. However, the “clout” factor in younger hacker circles means some will still seek notoriety – the Lapsus$ and Sp1d3rHunters style isn’t going away entirely. Instead, we might see cycles of rebranding: e.g., after ShinyHunters, another alias might arise using similar tactics once the dust settles. Likelihood of attacks: For organizations holding valuable data, the likelihood of being targeted by a ShinyHunters-like attack in the next 12-24 months remains high. Even if ShinyHunters group is disrupted, other groups (or splinters of it) are adopting their playbook. The Salesforce campaign in 2025 impacted multiple companies; it’s probable more such campaigns will occur given the success rate. Particularly, companies not rigorously enforcing MFA or monitoring their cloud environments are prime targets – exactly the scenario ShinyHunters exploited.
On the flip side, increased awareness (via advisories, media coverage) might push potential victims to harden defenses, possibly reducing some opportunities. Still, the sheer number of possible targets means attack opportunities remain abundant. ShinyHunters, or their successors, will likely continue refining techniques (maybe going after other SaaS like data lakes, code repositories, etc.). In summary, the strategic threat posed by ShinyHunters and their collaborative model is significant: it has influenced the broader cybercrime landscape. Organizations must assume that even if one group is taken down, the methodology persists and will be used by others. The future will likely see more syndicated cybercrime operations (multiple groups pooling skills for big scores) and continued emphasis on extortion without encryption, which has proven extremely disruptive. The probability of facing such an attack is elevated for any large enterprise, making it imperative to learn from ShinyHunters’ cases and bolster defenses proactively.
Now on to the Scattered Spider group (alias UNC3944, “0ktapus”)
1. General overview and history: Scattered Spider (tracked by Mandiant as UNC3944) is a financially motivated threat group that surfaced around 2022. It is known for its expertise in social engineering, especially targeting telecommunications and tech companies’ employees and contractors. The group’s composition is unusual – reports indicate it consists largely of teenagers and young adults in the US and UK. Despite their youth, they are highly skilled at deception and remarkably audacious. Scattered Spider is believed to have roots in the criminal SIM-swapping community called “The Com,” a network of SIM swappers and hackers fluent in English and known for identity theft and crypto theft.
The group first gained broad attention in mid-2022 through a campaign dubbed “0ktapus” (by Group-IB) – a massive SMS phishing campaign targeting over 130 organizations (mostly IT, software, and telecom companies) to steal Okta identity credentials. The moniker “0ktapus” (a portmanteau of “Okta” and “octopus”) refers to how the attackers had many tentacles (targeting many companies) yet were part of one campaign. Elsewhere, Scattered Spider is also called Octo Tempest (by CrowdStrike) and Scatter Swine, reflecting different vendors’ naming. The group’s early operations primarily involved stealing credentials and performing SIM swaps for cryptocurrency theft – they would port a victim’s phone number to intercept SMS 2FA and drain crypto accounts (this was likely circa early 2022).
However, by 2023, Scattered Spider pivoted to bigger game: they became one of the most active initial access brokers/affiliates for major ransomware groups, notably ALPHV/BlackCat. Their playbook expanded to include breaching corporate networks via helpdesk manipulation and VPN compromise, then selling or partnering that access with ransomware gangs. CrowdStrike labeled them part of the “Big Game Hunting” ecosystem due to their role in high-profile attacks like those on MGM Resorts. Despite their capabilities, Scattered Spider is not nation-state; it’s classified as eCrime. Their motivation is primarily monetary (extortion payments, selling stolen data/access), but they also exhibit a penchant for notoriety – often bragging or engaging in antics (similar to Lapsus$). The group faced a setback in late 2023 when several suspected members were arrested (including an alleged member extradited from Spain to the US and another arrested in the UK or US). These arrests corresponded with a drop in observed activity, yet by mid-2024, Scattered Spider reemerged, possibly with remaining or new members, and joined forces with ShinyHunters (forming Sp1d3rHunters). Scattered Spider is distinct for targeting not just companies but also their outsourced IT support providers and using fluent English social engineering, making them extremely dangerous to enterprises reliant on external helpdesks.
2. Tactics, techniques and procedures (TTPs): Scattered Spider’s hallmark is multi-pronged social engineering to bypass security controls. Key initial access techniques include:
- Smishing (SMS phishing) – They send text messages pretending to be corporate IT or security, often containing a link to a phishing site (Technique T1566.002). The 0ktapus campaign involved fake Okta login pages where employees entered credentials and 2FA codes, handing control to the attackers.
- Voice Phishing (Vishing) – They frequently follow up via phone calls, for example impersonating an IT helpdesk agent, calling a target and asking them to approve a push notification or reveal a one-time code. They expertly leverage information gleaned from LinkedIn or compromised internal systems to sound convincing.
- MFA Fatigue attacks – Leveraging the tactic MITRE calls “Multiple MFA Push Requests” (T1621), they bombard a user with repeated push notifications or login prompts. The goal is to wear down the user or trick them (by calling and pretending to be IT) into accepting one. This has been used to great effect, enabling them to take over accounts even with MFA.
- SIM Swapping – Scattered Spider members are adept at SIM swapping (contacting mobile providers to swap a victim’s phone number to an attacker’s SIM). This lets them intercept SMS 2FA codes (circumventing SMS-based MFA). They used this in earlier crypto heists and potentially in corporate attacks if an account reset relies on phone OTPs.
Once initial access is gained (e.g., obtaining VPN or Okta credentials of an employee), Scattered Spider moves laterally:
- Valid Accounts abuse (T1078) – They use the stolen credentials to log into VPNs, remote desktops, Okta portals, etc., as legitimate users. If the account lacks needed privileges, they will perform privilege escalation or seek out accounts that have higher access (by targeting other employees).
- Lateral Movement & Living-off-the-Land: They extensively use built-in admin tools (RDP – T1021, PowerShell, Windows Admin tools) to move through the network. For example, after getting into a corporate VPN, they might RDP into an internal server using the credentials or extract session cookies from a compromised machine to pivot. In cloud environments, they may create new VM instances or use existing ones for persistence. Notably, in one case, they created a hidden VM inside a victim’s VMware ESXi environment to maintain access even if initial accounts were locked – this VM was used to run crypto mining and could have been used as a beachhead. Creating clandestine VMs or cloud instances is an advanced persistence trick reflecting their creativity.
- Disabling Security Tools (T1562): Scattered Spider employs scripts and tools to evade detection. One known script is a “privacy” PowerShell script used to disable Windows Defender and other security controls on compromised machines. They also have been observed resetting EDR agents, uninstalling security software, or using group policy to turn off security logging. Another tactic is using legitimate credentials to log into security consoles (like EDR management) and silently disable them, essentially turning off the company’s defenses from the inside.
- Credential Theft & Dumping: Once in, they try to harvest credentials to expand access. They use tools like Mimikatz or built-in OS features to dump LSASS memory, extract password hashes, or crack them offline. They also target password vaults – for instance, using tools (or knowledge) to exploit privileged access management systems (like running CyberArk’s own PowerShell modules to pull credentials). A specific example: they used a tool called PSPAS (PowerShell module for CyberArk) to extract secrets from a vault. This shows they research and exploit the exact tools their targets use.
- Remote Service exploitation: They often hijack remote services like VPNs and RDP (T1021) to maintain persistent access. If they gain domain admin, they might create new remote users or schedule tasks to allow re-entry. In cloud, they generate API tokens or backdoor accounts.
- Data collection & exfiltration: Scattered Spider’s end goal is usually extortion or hand-off to a ransomware partner, so they collect sensitive data (customer databases, intellectual property, etc.). They have been known to use the Rclone tool (an open-source file sync tool) to exfiltrate data to cloud storage under their control (T1041 – Exfiltration over C2 channels). Rclone can transfer large files directly to services like Mega or Google Drive, blending with normal traffic. Additionally, they sometimes deploy ransomware themselves. By 2023, they were closely tied to ALPHV/BlackCat RaaS – in multiple intrusions (like MGM), Scattered Spider handled the break-in and then allowed ALPHV to deploy their ransomware. More recently (late 2024/2025), reports indicate they themselves have used a ransomware variant called DragonForce in some cases, alongside their usual data theft, signaling they can do encryption too if needed.
Other notable TTPs: they have been observed doing screen captures (T1113) or video recordings once they get admin access, likely to capture data that isn’t stored but viewable on dashboards (this tactic was rumored in some support desk breaches). They also are not afraid to use brute force on passwords (especially if they have a list of hashed passwords from one system, they’ll crack them offline to reuse elsewhere).
3. Known victims and targeted sectors: Scattered Spider has compromised many high-profile companies across different sectors since 2022. Confirmed or reported victims include:
- Telecom and Tech: The 0ktapus 2022 campaign targeted Twilio, a cloud communications firm, and by extension Twilio’s clients. Twilio’s breach led to secondary unauthorized access in companies like Cloudflare (attempt thwarted) and DoorDash (some customer data exposed via Twilio). They also reportedly hit telecom carriers via SIM swaps (there were multiple hacks of T-Mobile in 2022/2023, though attribution is not always clear). In mid-2023, Microsoft disclosed that a hacking group (possibly Scattered Spider/Lapsus$ affiliate) stole a signing key by accessing an engineer’s account – Microsoft traced it to a token theft; some analysts suspect overlap with this group due to similar tactics (social engineering).
- Financial Services & Crypto: Scattered Spider’s origins in SIM swapping mean that early on they targeted individuals for cryptocurrency theft (May 2022, they stole from crypto wallets by SIM swapping and phishing). In 2023, Coinbase was attacked: the group phished a Coinbase employee in Feb 2023, getting as far as internal dashboard access, but Coinbase’s SOC detected the anomaly and prevented customer fund theft. Also, in late 2022, they breached Revolut (fintech) via an employee SMS phish, exposing 50k customer records (Lapsus$ took credit, but the methods align with Scattered Spider). They also accessed trade data at Robinhood through a support desk compromise (again Lapsus$ linked). These cases show financial firms were certainly in their crosshairs.
- Gaming/Entertainment: In Sept 2022, an attacker leaked gameplay footage of Rockstar’s GTA6 and hacked Uber – the UK teen behind that was associated with Lapsus$. There’s speculation that the same circles (including Scattered Spider) were involved or shared techniques. In Jan 2023, Riot Games was breached (source code theft) by social engineering, with a $10M ransom demand (Riot refused) – although not explicitly confirmed to be Scattered Spider, the methods and overlapping community suggest it was likely them or their associates.
- Hospitality & Travel: The most notorious cases are MGM Resorts and Caesars Entertainment in Sept 2023. Scattered Spider called MGM’s IT helpdesk claiming to be an employee; within minutes they got a password reset for an account with domain access, enabling them to infiltrate MGM’s network. They then partnered with ALPHV/BlackCat to encrypt systems, causing multi-day outages at MGM (hotels, casinos offline). Similarly, they accessed Caesars via a third-party IT vendor, stole data on ~40M customers, and Caesars reportedly paid ~$15M to avoid data leak. Also, a low-profile incident: Southwest Airlines had a brief data incident in 2023 suspected to be from a targeted social engineering, possibly related (though not confirmed publicly). The aviation sector at large was warned by CISA after Qantas and others were hit in 2025 (the Salesforce breaches by Sp1d3rHunters), showing they did focus on airlines/travel data via ShinyHunters collab.
- Retail and Outsourcing: Scattered Spider attacked several UK retail companies’ IT infrastructure in late 2023 (per media and SOCs). They often target outsourced IT support providers – e.g., in one case, a major IT service desk company was breached, leading to multiple client compromises. Their ties to “The Com” and SIM swapping means they also attacked mobile carriers (for SIM swap – e.g., they have history with AT&T, as indicated by prior infractions).
- Healthcare/Public: In early 2024, US health sector was alerted (HC3) about social engineering attacks targeting hospitals. While not named, the TTPs aligned with Scattered Spider (fake IT support calls, MFA fatigue). The group itself or copycats potentially tried to breach healthcare orgs. One known case: an affiliate called “Octo Tempest” (Scattered Spider alias) attempted a ransomware attack on a Canadian hospital network in late 2023, but it’s unclear if it succeeded.
Across these, the pattern is they target large enterprises with lots of employees and high access stakes, often in the US/Canada/UK. Industries specifically targeted: telecom and mobile, tech/SaaS, finance/crypto, gaming, hospitality (hotels/casinos), aviation, and potentially healthcare. The group has reportedly infiltrated over 100 organizations since 2022, which underscores that many sectors have been hit. The timeline shows at least a dozen big names (detailed above) plus numerous others not publicly named. A unifying theme is that the group tends to choose targets where a single compromised account can have outsized impact (helpdesk accounts, admin accounts in widely used platforms), and where downtime or data theft can be leveraged for extortion.
4. Modus operandi and tools used: Scattered Spider’s operations are characterized by meticulous planning and use of legitimate tools to avoid detection. Key elements include:
- Pre-attack reconnaissance: They invest heavily in OSINT and profiling targets. They gather employee lists, titles, and phone numbers (from LinkedIn, data breaches, social media). They may also phish or buy access to smaller vendors to obtain org charts or ticketing system info. This reconnaissance enables extremely convincing phishing/vishing (knowing specific user details, internal project names, etc.). They often know the target company’s tech stack in advance – e.g., using language like “Okta verification” in phishing messages because the company uses Okta.
- Phishing infrastructure: They set up quality phishing websites. For 0ktapus, they registered dozens of domains resembling legitimate login portals (e.g., vpn-[company].com or [company]-okta.com). These sites often had valid HTTPS and mirrored the real login page designs. The scale of domains (over 169 domains used in 0ktapus) shows they had an infrastructure to spin up tailored phishing pages quickly for each target. They likely used phishing kits that send captured credentials in real time to their server or to Telegram. They also leveraged pre-made smishing tools – possibly renting an SMS gateway or using SIM farms to blast messages.
- Initial access and exploitation tools: After getting credentials, they might use specialized tools to bypass MFA. For example, one technique is using modiFS or custom scripts to replay session cookies (if they manage to steal a session token from a phishing site). They have been seen abusing Auth0 or Okta APIs – e.g., using stolen API tokens to list users or disable security policies. In one case, they used Muraena and NecroBrowser (reverse proxy tools) to capture MFA tokens in a real-time phishing attack, a method known as adversary-in-the-middle. There’s evidence they have a repository of infostealer logs too, which they can search for credentials. UnderTheBreach reported they used logs of infostealers to find employees’ saved passwords (like VPN or corporate logins) to hack companies.
- Post-compromise tools (off-the-shelf and custom):
  - They often deploy Cobalt Strike Beacon (or other pentest frameworks) once inside, for easier control. However, they sometimes forego that to avoid detection (especially if no malware is needed). They have used legitimate remote admin software like AnyDesk, TeamViewer, ScreenConnect – by installing these on a compromised machine, they maintain interactive access that blends with normal IT tools.
  - They use RMM (Remote Monitoring & Management) tools if available – in some cases, they leveraged an organization’s existing RMM to push commands widely (e.g., pushing a script to multiple machines via a tool like Kaseya or Datto RMM if the victim uses it).
- Credential dumping: Tools like Mimikatz and LaZagne for grabbing credentials and cookies. They might also use Pwdump, ProcDump to dump LSASS memory and then exfiltrate it to parse offline. On domain controllers, they use ntdsutil or Volume Shadow Copy to get the NTDS.dit (AD database) for cracking. They often manage to get domain admin quickly, due to targeting helpdesks or MSPs that have high privileges by default.
- Bypassing detection: Scattered Spider leverages LOLbins (Living-off-the-land binaries). For instance, using rundll32 to execute a malicious script, or wmic and schtasks for lateral movement. They might use Windows Safe Mode to run their steps with antivirus off (some ransomware affiliates have done this). They also utilize PowerShell extensively – including signing their scripts or using environment variables to hide execution. They run “Disable-Amsi” and remove security products with common scripts (like removing registry keys or stopping services). In one case, they reportedly used PCUnlocker (a bootable tool to reset Windows passwords) to regain admin access on a locked system without triggering alarms.
- Cloud persistence: On cloud platforms (Azure/AWS), they create backdoor accounts or API keys – e.g., adding a new global admin in Azure AD, or creating an AWS IAM user with programmatic access. They also create Azure AD applications with wide OAuth consents to maintain access. We saw this tactic in the Salesforce breaches, where they tricked users into installing a malicious app. Such access can persist because a malicious app may not be noticed immediately.
- VM abuse: As mentioned, they innovated by creating hidden ESXi VMs – after gaining vCenter admin, they spawn a new virtual machine (often with innocuous names) on hosts, which they then use as an internal attack box. This VM can have its own networking that might bypass some logging. One victim found a cryptominer running on such a VM, indicating the attacker stayed a while undetected. Monitoring hypervisor logs is thus crucial.
- Collaboration and communication: Internally, the group seems loosely organized. They reportedly coordinate on private channels (possibly Telegram or Discord) and share access and tools. The tie to “The Com” suggests they have a pool of contacts to recruit from or buy initial SIM swap info. Their merge with Lapsus$ elements in “Scattered Lapsus$” Telegram implies they are willing to coordinate with others for greater impact. In terms of dealing with victims, they typically hand over to ransomware gangs for negotiation or, if solo, might attempt extortion themselves by stealing data (like how Lapsus$ posted data to pressure victims). In some cases, Scattered Spider members themselves taunted victims in chats (e.g., contacting MGM IT directly to brag). This behavior shows a blend of financial motive and ego-driven clout seeking.
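To turn the phishing-domain patterns described under “Phishing infrastructure” above (vpn-[company], [company]-okta, identity vocabulary, cheap TLDs) into a triage check, here is an added example that is not from the original article or any vendor’s tooling; the protected names, weights, threshold and the sample domain feed are assumptions, and in practice the feed would come from certificate-transparency or newly-registered-domain monitoring.

```python
"""Triage newly observed domains for the lookalike patterns described above
(vpn-<company>, <company>-okta, identity words, cheap TLDs, one-letter typos).
Added example; the protected names, weights, threshold and sample feed are assumptions."""
import re

# Hypothetical names a defender wants to protect (own brand plus the IdP in use).
PROTECTED_NAMES = ["examplecorp", "okta"]
# Identity / remote-access vocabulary that 0ktapus-style pages borrowed.
IDENTITY_WORDS = {"okta", "sso", "vpn", "mfa", "login", "helpdesk", "support", "auth"}
# TLDs the article lists as cheap and commonly abused; a weak signal on its own.
CHEAP_TLDS = {"xyz", "support", "live", "top", "click"}
# Constructed feed of newly registered domains, as a CT-log or NRD feed might deliver.
SAMPLE_DOMAINS = ["examplecorp-okta.com", "vpn-examplecorp.com", "examplecorp.com",
                  "exemplecorp.xyz", "news.example.org", "helpdesk-examplecorp.support",
                  "okta.com"]


def levenshtein(a, b):
    """Plain edit distance, enough to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain, protected=PROTECTED_NAMES):
    """Return (score, reasons). Scores of 3 or more deserve an analyst's look."""
    d = domain.lower().strip(".")
    labels = d.split(".")
    tld, registrable = labels[-1], ".".join(labels[-2:])
    tokens = [t for t in re.split(r"[.-]", d) if t]   # split labels on '-' as well
    score, reasons, brand_hit = 0, [], False
    for name in protected:
        if name in tokens:
            if registrable == f"{name}.com":
                continue                       # the legitimate apex domain itself
            score, brand_hit = score + 2, True
            reasons.append(f"contains protected name '{name}'")
            continue
        for t in tokens:                       # near-miss spellings, e.g. exemplecorp
            if len(t) >= 5 and levenshtein(t, name) == 1:
                score, brand_hit = score + 2, True
                reasons.append(f"'{t}' is one edit away from '{name}'")
    hits = IDENTITY_WORDS.intersection(tokens)
    if hits:                                   # brand + identity word is the 0ktapus shape
        score += 2 if brand_hit else 1
        reasons.append(f"identity keyword(s) {sorted(hits)}")
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append(f"cheap TLD .{tld}")
    return score, reasons


def triage(domains, threshold=3):
    """Score a feed and return [(domain, score)] at or above threshold, highest first."""
    scored = [(d, score_domain(d)[0]) for d in domains]
    flagged = [(d, s) for d, s in scored if s >= threshold]
    return sorted(flagged, key=lambda x: (-x[1], x[0]))
```

The legitimate apex (examplecorp.com) and the IdP’s own domain score 0 and 1 respectively, so the threshold keeps them out of the queue while the brand-plus-identity-word combinations rise to the top.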
5. Known IOCs: Scattered Spider’s lack of malware use means traditional IOCs are sparse, but some have been documented:
- Phone numbers and caller IDs: During vishing attacks, they often spoof legitimate numbers. For example, they may spoof a company’s helpdesk number when calling an employee. In one FBI alert, numbers from VoIP services or repeated short-code SMS senders were noted. If an organization sees multiple employees receiving IT-related SMS from the same unusual number, that’s an IOC of ongoing smishing.
- Phishing domains: Scattered Spider registered a large volume of domains for 0ktapus and later phishing. Many had “okta” or company names in them, e.g., cloudflare-okta.com (example) or similar. They often used inexpensive TLDs (.xyz, .support, .live) with Let’s Encrypt certificates. Domains impersonating Okta login pages or VPN portals of known companies are a clear IOC cluster tied to this group’s campaigns (especially in 2022-2023). By 2025, analysis of domains matching their phishing patterns showed an uptick in domains targeting financial institutions. Organizations should share any such suspicious domain sightings (e.g., via services like URL monitoring or through ISACs).
- Malware/Tools signatures: Though Scattered Spider rarely uses custom malware, the use of certain hacking tools can be indicative. For instance, detection of Cobalt Strike beacons in environments that coincide with social engineering incidents could point to them (e.g., they got in via social engineering then dropped a beacon for easier pivot). Specific tools like “Stonestop” and “FiveHands” (EDR killer and ransomware, respectively) were used by BlackCat affiliates, possibly including Scattered Spider. If such tools are found along with evidence of social engineering entry, that’s a strong sign of this group’s involvement. Also, any discovered script that disables EDR or MFA might be identifiable by patterns. A 2024 HC3 alert provided some YARA rules for common strings used in their phishing kits and scripts (though not public here).
- Behavioral anomalies: The most reliable IOCs for Scattered Spider are behavioral. For example, a helpdesk account performing actions outside its normal scope (like accessing user accounts it never did before), or an employee’s account suddenly enrolling a new MFA device (especially late at night) – these could signal an attacker in progress. Another indicator: multiple users reporting MFA push spam around the same time. If several employees report receiving unsolicited MFA prompts, it might mean Scattered Spider is trying different accounts in succession (as happened in some campaigns).
- Infrastructure clues: The group often uses VPNs and anonymity services to connect. One known alias “Scatter Swine” was tied to use of NordVPN and proxies. If logs show administrative access coming from consumer VPN exit nodes (like a DigitalOcean IP or a known NordVPN IP), and that’s not normal for your org, it’s suspicious. Also, Tor usage – they sometimes use Tor for initial logins; any direct Tor connection to internal systems (VPN, etc.) could be flagged if it is normally not allowed.
- Post-exploitation IOCs: presence of Rclone.exe on systems where it’s not typically used is a red flag (Scattered Spider used Rclone for exfil, e.g., in one UK retail breach). Also, creation of new local admin accounts named innocuously (they sometimes create accounts like “helpdesk_admin” or similar on machines). Check for Event IDs of account creation or group membership changes on critical systems at odd times. The use of legitimate admin tools unexpectedly is itself an IOC – e.g., if you see AnyDesk installed spontaneously on a server or a tool like PCUnlocker (which should never appear in normal operations) being executed, that’s a glaring sign of compromise.
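To make the behavioral, infrastructure and push-spam indicators in the list above concrete, here is an added detection example (it is not code from the original article or from any vendor): it runs over a small constructed set of identity-provider events and flags MFA push spam per account, bursts of denied pushes spread across several accounts, after-hours MFA enrollments, and admin logins arriving from consumer VPN or hosting ranges. The event schema, the IP ranges (documentation address space standing in for a maintained VPN/hosting feed), the business-hours window and all thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample of identity-provider events (not real logs). Fields mirror what
# most IdPs export: timestamp, user, event type, outcome, source IP.
SAMPLE_EVENTS = [
    {"ts": "2024-05-14T02:03:10Z", "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:03:40Z", "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:04:05Z", "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:04:30Z", "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:05:02Z", "user": "alice", "event": "mfa.push", "result": "ALLOW", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:06:30Z", "user": "alice", "event": "mfa.enroll", "result": "SUCCESS", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:07:00Z", "user": "alice", "event": "admin.login", "result": "SUCCESS", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:04:20Z", "user": "bob", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T02:04:50Z", "user": "carol", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": "2024-05-14T09:15:00Z", "user": "dave", "event": "mfa.push", "result": "ALLOW", "ip": "198.51.100.20"},
    {"ts": "2024-05-14T09:20:00Z", "user": "dave", "event": "admin.login", "result": "SUCCESS", "ip": "198.51.100.20"},
]

# Placeholder ranges (assumption): documentation space stands in for a real feed of
# consumer VPN / hosting provider prefixes and for the organisation's own egress.
VPN_HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
CORPORATE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

PUSH_SPAM_THRESHOLD = 3            # denied pushes per account inside the window
PUSH_SPAM_WINDOW = timedelta(minutes=5)
CROSS_USER_WINDOW = timedelta(minutes=2)
CROSS_USER_MIN_ACCOUNTS = 3        # distinct accounts prompted in one short burst
BUSINESS_HOURS = range(7, 20)      # assumption: 07:00-19:59 UTC is normal working time

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def push_spam_accounts(events):
    """Accounts that received >= PUSH_SPAM_THRESHOLD denied pushes within PUSH_SPAM_WINDOW."""
    denied = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.push" and e["result"] == "DENY":
            denied[e["user"]].append(parse_ts(e["ts"]))
    flagged = set()
    for user, times in denied.items():
        times.sort()
        for i in range(len(times)):
            j = i                           # sliding window starting at times[i]
            while j < len(times) and times[j] - times[i] <= PUSH_SPAM_WINDOW:
                j += 1
            if j - i >= PUSH_SPAM_THRESHOLD:
                flagged.add(user)
                break
    return flagged

def cross_user_push_burst(events):
    """Largest set of distinct accounts hit by denied pushes inside one CROSS_USER_WINDOW."""
    denials = sorted((parse_ts(e["ts"]), e["user"]) for e in events
                     if e["event"] == "mfa.push" and e["result"] == "DENY")
    best = set()
    for i, (t0, _) in enumerate(denials):
        users = {u for t, u in denials[i:] if t - t0 <= CROSS_USER_WINDOW}
        if len(users) >= CROSS_USER_MIN_ACCOUNTS and len(users) > len(best):
            best = users
    return best

def after_hours_enrollments(events):
    """Users who enrolled a new MFA factor outside BUSINESS_HOURS."""
    return [e["user"] for e in events
            if e["event"] == "mfa.enroll" and e["result"] == "SUCCESS"
            and parse_ts(e["ts"]).hour not in BUSINESS_HOURS]

def in_ranges(ip, ranges):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def admin_logins_from_vpn(events):
    """Successful admin logins from VPN/hosting space that is not a corporate range."""
    return [(e["user"], e["ip"]) for e in events
            if e["event"] == "admin.login" and e["result"] == "SUCCESS"
            and in_ranges(e["ip"], VPN_HOSTING_RANGES)
            and not in_ranges(e["ip"], CORPORATE_RANGES)]

def run(events=SAMPLE_EVENTS):
    return {
        "push_spam": push_spam_accounts(events),
        "push_burst_users": cross_user_push_burst(events),
        "after_hours_enroll": after_hours_enrollments(events),
        "admin_from_vpn": admin_logins_from_vpn(events),
    }

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

On the sample data the four checks converge on the same account: alice is push-bombed, the burst also touches bob and carol within two minutes, alice then enrolls a new factor at 02:06 and logs in as admin from the VPN range. Individually each signal is noisy; correlating them per account within a short window is what turns them into a credible alert.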
Current IOC status: Many of the actual domains and phone numbers used by Scattered Spider in 2022-2023 are now inactive (domain sinkholed or number disconnected). However, they constantly rotate infrastructure, so defenders should focus on patterns (like new similar domains cropping up) and share intel in real-time. The CISA alert (AA23-320A) from Nov 2023 (updated July 2025) contains extensive ATT&CK mapping and some IOCs for Scattered Spider’s recent operations. Organizations are strongly advised to consult that advisory for a fuller list of IOCs and mitigations.
6. Links or correlations with the other entities: Scattered Spider’s recent activities are deeply intertwined with ShinyHunters. Their coalition, referred to as “Sp1d3rHunters,” saw Scattered Spider’s social engineering prowess directly enabling ShinyHunters’ data theft. Practically, this meant that since 2024, many breaches (Snowflake, Salesforce) were not solely Scattered Spider or ShinyHunters but a blend. The shared Telegram channel “Scattered Lapsus$ Hunters” in Aug 2025 explicitly linked Scattered Spider with ShinyHunters and LAPSUS$. This indicates that members of Scattered Spider likely communicate or collaborate with members of Lapsus$ (which makes sense, as both have overlapping membership from The Com network and similar age profiles). In fact, Scattered Spider’s modus operandi in 2022-2023 was so similar to Lapsus$ (who breached Microsoft, Nvidia, etc. via social engineering) that some victims and researchers at first lumped them together. It’s now understood they are distinct groups but with operational overlap. For example, the Okta support breach in 2022 was claimed by Lapsus$, yet the techniques mirrored those of Scattered Spider – it’s conceivable that either they collaborated or one inspired the other. Furthermore, The Com connection means Scattered Spider is part of a larger community of threat actors (including Lapsus$ members, SIM swappers, etc.). This collective nature is why they could mobilize quickly and why copycat incidents happened. Another link: after some Scattered Spider members were arrested in late 2023, the remaining ones gravitated even closer to ShinyHunters for resources and reach (leading to the combined attacks in 2024-25). In terms of threat ecosystem, Scattered Spider serves as the initial access/social engineering arm, ShinyHunters as the data exfiltration arm, and groups like ALPHV as the ransomware arm.
All these interconnections suggest a convergence of e-crime groups, where they share tools, personnel, and targets to a degree. So, while one can analyze Scattered Spider on its own (as done here), in practice any incident involving them might also involve elements of ShinyHunters (e.g., stolen data handed off to ShinyHunters for monetization) or vice versa. For defenders, this means if you detect Scattered Spider’s presence, you should also be on high alert for data exfiltration (ShinyHunters style) or impending ransomware deployment (BlackCat or others). They are part of the same threat cluster. The Lapsus$ tie also indicates that chaotic, publicity-seeking behavior could occur (such as dropping into a victim’s Slack to announce the breach – a Lapsus$ move – which Scattered Spider might replicate). In summary, Scattered Spider is not acting in isolation: it’s a key node in a network of criminal actors, and operations tend to blur lines between them (especially from 2024 onward).
7. Threat level assessment:
- For CERT: Scattered Spider poses a major incident risk due to its focus on high-impact targets and ability to bypass traditional controls. A CERT (Computer Emergency Response Team) or CSIRT dealing with a Scattered Spider incident will likely face a multifaceted crisis: unauthorized access, potential ransomware deployment, and data breach all at once. The threat level is critical. The probability of large organizations being targeted by similar social engineering attacks is high (the FBI/CISA issued multiple warnings specifically about this group). If an incident occurs, the CERT must be ready for complex investigation – it’s not a simple malware cleanup; it involves log analysis across identity providers, VPN, endpoints, possibly telecom providers (if SIM swap is involved). Coordination is crucial: law enforcement might need to be involved early (due to criminal nature), and in some cases, immediate response like contacting telecoms to undo SIM swaps or cloud providers to revoke tokens will be necessary. The impact is potentially severe – as seen, operations were disrupted (MGM), and sensitive data was stolen (Caesars, others). For a national CERT, Scattered Spider’s broad targeting of critical infrastructure sectors (commercial facilities, communications, etc.) means it’s a top threat to monitor. Many organizations might seek CERT guidance during such an incident, thus national CERTs rank this group as a high priority (e.g., the joint advisory by US, UK, CA, AU agencies underlines how serious they consider it). In summary, for CERTs, the threat is very high and requires a state of readiness akin to ransomware crises – playbooks should incorporate scenarios of breaches via social engineering without malware.
- For SOC: Scattered Spider is an extremely challenging threat for Security Operations Centers. The threat level is very high because the group evades many traditional detection mechanisms. An average SOC well-tuned for malware or network intrusions might still miss a Scattered Spider attack if they’re not monitoring identity and user behavior closely. The SOC must deal with significant ambiguity: distinguishing a real support call or user action from a malicious one can be non-trivial. There’s also a high chance of alert overload – e.g., push spam might generate user complaints rather than automated alerts. SOCs should incorporate behavioral analytics to catch things like impossible travel logins, unusual after-hours admin activities, simultaneous logins from different geographies, etc. (Scattered Spider often triggers those kinds of anomalies). Another challenge is speed: once Scattered Spider is in, they often escalate and move quickly (the MGM intrusion progressed to domain admin in a day or two). The SOC’s window to detect and contain is narrow. The required monitoring extends to telephony (if possible, alerting when an employee’s SIM is swapped – few SOCs have that capability, but some mobile carriers provide notifications) and to cloud admin actions. The potential impact if missed is severe – a full domain compromise and likely ransomware or data theft. Thus, a SOC should treat any hint of Scattered Spider activity (like repeated MFA prompts or an employee report of weird IT calls) with the highest urgency. The SOC’s effectiveness heavily relies on well-drilled incident response – they must be prepared to cut off compromised accounts swiftly and perhaps even disconnect parts of the network to prevent spread (like if a helpdesk is compromised, maybe temporarily disable VPN access until re-verified). Overall, the threat level for SOC is critical, necessitating enhanced detection content and cross-team collaboration (with IT, HR, etc., for user verification).
- For CISO: Scattered Spider represents a top-tier risk to any large enterprise’s security. The group’s strategy targets weaknesses not just in technology, but in processes and people. This means even companies with strong technical defenses can fall victim if their processes (like support verification, MFA enrollment) are flawed. The CISO should consider the likelihood of an attempt by such an actor as high, especially if the organization is high-profile or holds valuable data. The potential business impact is very high: beyond data theft, there’s operational downtime (ransomware or sabotage), and even if no ransomware, the exposure of internal systems can harm reputation (imagine an attacker mocking the company publicly, as Lapsus$ did, which could happen here too). The CISO needs to champion initiatives to strengthen “human-centric” security controls: enforce least privilege (so that a compromised helpdesk account can’t pivot to domain admin easily), improve employee training (empower employees to say no to suspicious requests, and ensure they know this group’s tactics), and invest in identity governance and monitoring. From a strategic view, Scattered Spider accelerates the need for Zero Trust adoption – assume any user account could be compromised and design access accordingly (e.g., continuous authentication checks, minimal access by default). Another aspect is supply chain: since they often target outsourced support, the CISO must extend security requirements and assessments to key vendors (ensuring vendors also have MFA, training, etc.). On an executive level, the CISO should raise awareness that social engineering attacks can bypass millions of dollars worth of technology – thus, budget and attention must also be given to process improvements and resilience planning (like having manual fallback procedures if IT systems get locked down). 
Given the broad target range (retail, finance, travel, etc.), every CISO in those sectors should treat this threat as imminent. Also, regulators and boards have become aware of these incidents (e.g., casino regulators in NV asked questions after MGM/Caesars); a CISO should be prepared to explain what measures are in place to prevent a Scattered Spider scenario. In summary, the threat level is very high, the likelihood is moderate-to-high for targeted industries, and consequences can be catastrophic (combining data breach + operational outage). It requires the CISO’s focus to align technical, procedural, and training controls to mitigate this risk.
8. Detection and mitigation recommendations:
- Enhance MFA and identity verification: Deploy phishing-resistant MFA (hardware security keys or FIDO2 tokens) for all employees, especially for remote access VPNs, email, and critical SaaS apps. Traditional OTP or push MFA is vulnerable to fatigue attacks; solutions like number-matching push (requiring users to type a number from the screen) significantly reduce accidental approvals. Implement velocity checks: if an account triggers multiple MFA prompts (denied) in short succession, lock it or require re-verification, to thwart MFA bombing. Educate users that any unsolicited MFA prompt could be an attack. For high-risk personnel (IT admins, execs), consider requiring two different MFA methods (e.g., a push plus a hardware token). At the helpdesk level, enforce stringent identity verification for password resets or account changes: support staff should use shared secrets or callback procedures rather than relying on caller ID. Also, to combat SIM swaps, employees (especially executives) should set PINs or passphrases with their mobile carriers to prevent unauthenticated SIM changes.
- Monitor and limit privileged access: Apply the principle of least privilege aggressively. Review which accounts can perform helpdesk functions and ensure those accounts cannot make global changes without oversight. Implement just-in-time admin access (using tools like Microsoft PIM or third-party PAM solutions) so that permanent domain admins are minimized. Monitor admin accounts for any anomalous behavior: e.g., an admin logging in at unusual hours or from new locations should generate alerts (or be blocked pending verification). Use behavioral analytics on privileged accounts – Scattered Spider often creates new accounts or adds themselves to privileged groups; any such changes (especially via helpdesk action) should fire an alert. Limit remote access avenues: ensure RDP is behind VPN or zero-trust gateways and consider disabling RDP for users who don’t need it. If possible, implement conditional access policies (e.g., geo-restrictions, device posture checks) – many of Scattered Spider’s intrusions would have failed if, say, Okta logins were restricted to managed devices or certain countries by default.
- Improve helpdesk security protocols: Establish robust helpdesk authentication procedures. For example, before processing an IT request, require callers to provide a pre-registered verification code or answer MFA on their phone (paradoxically, using MFA to secure the MFA reset process). Implement a policy that no single helpdesk agent can reset MFA for a high-privilege account without additional approval. Provide helpdesk staff with a “cheat sheet” of suspicious scenarios (e.g., urgent caller claiming to be VIP demanding bypass of policies) – and empower them to escalate rather than comply in such cases. Regularly test your helpdesk with social engineering tests to see if protocols are followed. Additionally, consider out-of-band confirmation for sensitive changes: e.g., if a password is reset, send a notification to the user via alternate channel (SMS/email) so they can quickly flag if it wasn’t them.
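One way to encode the helpdesk verification policy described above as a decision function, added here as an example and not something the article or any helpdesk product ships: a reset request passes only if a pre-registered verification code or an MFA challenge to the user’s registered device succeeds, caller ID is recorded but never consulted, a privileged MFA reset needs an approver distinct from the agent handling the call, and an out-of-band notice is emitted whichever way the decision goes. The directory, the codes and the field names are constructed.

```python
import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory (invented users and codes). A real deployment keeps the
# verification secret hashed in a vault; it is plain here only for illustration.
DIRECTORY = {
    "alice": {"privileged": True,  "verification_code": "k7Q-92x"},
    "bob":   {"privileged": False, "verification_code": "p3N-51m"},
}

@dataclass
class ResetRequest:
    user: str
    action: str                  # "password_reset" or "mfa_reset"
    provided_code: str           # code the caller read out ("" if none)
    mfa_challenge_passed: bool   # push/OTP sent to the registered device succeeded
    agent: str                   # helpdesk agent handling the call
    second_approver: Optional[str] = None
    caller_id_matches: bool = False  # recorded for the ticket, never used for the decision

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)

def evaluate(req: ResetRequest, directory=DIRECTORY) -> Decision:
    d = Decision(allowed=False)
    entry = directory.get(req.user)
    if entry is None:
        d.reasons.append("unknown user")
        return d
    # 1. Identity: pre-registered code (constant-time compare) OR an MFA challenge
    #    answered on the registered device. Caller ID is deliberately ignored.
    code_ok = hmac.compare_digest(req.provided_code.encode(), entry["verification_code"].encode())
    if not (code_ok or req.mfa_challenge_passed):
        d.reasons.append("no verification factor succeeded")
    # 2. No single agent may reset MFA on a privileged account: an independent
    #    approver (someone other than the handling agent) is required.
    if entry["privileged"] and req.action == "mfa_reset":
        if not req.second_approver or req.second_approver == req.agent:
            d.reasons.append("privileged MFA reset requires an independent approver")
    d.allowed = not d.reasons
    # 3. Out-of-band confirmation goes to the user either way, so they can flag a
    #    request they did not make; security is told about privileged accounts.
    status = "completed" if d.allowed else "denied"
    d.notifications.append(f"notify {req.user} via alternate channel: {req.action} {status}")
    if entry["privileged"]:
        d.notifications.append(f"notify security team: {req.action} for {req.user} {status}")
    return d

if __name__ == "__main__":
    r = evaluate(ResetRequest("alice", "mfa_reset", "k7Q-92x", False, agent="hd1"))
    print(r.allowed, r.reasons, r.notifications)
```

The point of separating the decision from the conversation is that the "urgent VIP" pressure described in the item above has nothing to push against: the agent cannot approve a privileged MFA reset alone no matter how convincing the caller is, and the denied attempt still generates a notification the real user will see.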
- User training and simulation: Conduct targeted security awareness training highlighting Scattered Spider tactics. Train users to spot SMS phishing (e.g., messages urging them to update VPN/MFA). Emphasize that IT will never call incessantly to push an MFA approval, etc. Encourage a culture where employees can question unusual requests – e.g., verify a caller’s identity via known company directory contacts rather than caller ID. Simulate the attacks: run realistic phishing exercises via SMS and phone (with consent/legal considerations) to identify who might be vulnerable and reinforce training. Specifically train high-risk groups like support staff, IT admins, and customer service reps, as they are prime targets. Some companies have instituted “security pause” policies, where if any employee feels a request is suspicious, they can invoke a pause to verify legitimacy without penalty – promote such practices.
- Endpoint and network monitoring improvements: Deploy EDR on all endpoints with robust PowerShell logging and credential access monitoring. Scattered Spider often disables security – set up alerts if security services stop or if Windows Defender is turned off unexpectedly on a host (could indicate their script ran). Monitor for tools like Rclone or Mimikatz executing – these should ideally be blocked or at least generate high alerts in an enterprise environment. Use network anomaly detection: e.g., an employee VPN connecting from a country they’ve never been in, followed by large data transfers, should ring alarm bells. Also, watch for multiple concurrent logins to one account from different locations (impossible travel) – the presence of that indicates a session token may have been stolen and used in parallel. If you have telephony logs, consider monitoring for calls to telecom providers or port-out requests for corporate phone numbers (some companies work with carriers to get alerts on SIM swap attempts for their staff).
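The endpoint and network checks in this item, as an added example that is not part of the original article: impossible-travel detection over consecutive VPN logins (haversine distance divided by elapsed time) plus three Windows-event checks (Defender service stopped, rclone/Mimikatz/PCUnlocker process creation, off-hours local account creation). The login and event records are constructed, and the speed threshold, the off-hours window and the simplified event field names are assumptions.

```python
import math
from datetime import datetime

# Constructed VPN login records (invented): user, UTC time, country and the
# approximate coordinates a geolocation lookup would return for the source IP.
VPN_LOGINS = [
    {"user": "erin",  "ts": "2024-05-14T08:00:00Z", "country": "US", "lat": 40.71, "lon": -74.01},
    {"user": "erin",  "ts": "2024-05-14T09:30:00Z", "country": "DE", "lat": 52.52, "lon": 13.41},
    {"user": "frank", "ts": "2024-05-14T08:00:00Z", "country": "US", "lat": 34.05, "lon": -118.24},
    {"user": "frank", "ts": "2024-05-14T15:00:00Z", "country": "US", "lat": 37.77, "lon": -122.42},
]

# Constructed Windows event samples with simplified fields: 7036 = service state
# change, 4688 = process creation, 4720 = user account created.
WIN_EVENTS = [
    {"id": 7036, "host": "srv01", "ts": "2024-05-14T03:10:00Z",
     "service": "Windows Defender Antivirus Service", "state": "stopped"},
    {"id": 4688, "host": "srv01", "ts": "2024-05-14T03:12:00Z",
     "image": r"C:\Users\Public\rclone.exe", "cmdline": "rclone.exe copy D:\\share remote:bucket"},
    {"id": 4688, "host": "ws07", "ts": "2024-05-14T11:00:00Z",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z a backup.7z docs"},
    {"id": 4720, "host": "srv01", "ts": "2024-05-14T03:15:00Z", "new_account": "helpdesk_admin"},
    {"id": 4720, "host": "ws07", "ts": "2024-05-14T14:00:00Z", "new_account": "svc_backup"},
]

MAX_PLAUSIBLE_KMH = 900.0          # assumption: faster than an airliner is "impossible"
EXFIL_TOOLS = {"rclone.exe", "mimikatz.exe", "pcunlocker.exe"}
OFF_HOURS = set(range(0, 6))       # assumption: 00:00-05:59 UTC is off-hours

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(logins):
    """Consecutive logins per user whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    by_user = {}
    for rec in sorted(logins, key=lambda x: (x["user"], x["ts"])):
        by_user.setdefault(rec["user"], []).append(rec)
    hits = []
    for user, recs in by_user.items():
        for a, b in zip(recs, recs[1:]):
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600.0
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
                hits.append((user, a["country"], b["country"], round(km)))
    return hits

def security_service_stopped(events):
    """Hosts where a Defender service entered the stopped state."""
    return [(e["host"], e["service"]) for e in events
            if e["id"] == 7036 and e["state"] == "stopped"
            and "defender" in e["service"].lower()]

def exfil_tool_executions(events):
    """Process creations whose image name is on the EXFIL_TOOLS list."""
    hits = []
    for e in events:
        if e["id"] == 4688:
            image = e["image"].rsplit("\\", 1)[-1].lower()
            if image in EXFIL_TOOLS:
                hits.append((e["host"], image))
    return hits

def off_hours_account_creation(events):
    """Local accounts created during OFF_HOURS (4720)."""
    return [(e["host"], e["new_account"]) for e in events
            if e["id"] == 4720 and parse_ts(e["ts"]).hour in OFF_HOURS]

def run():
    return {
        "impossible_travel": impossible_travel(VPN_LOGINS),
        "defender_stopped": security_service_stopped(WIN_EVENTS),
        "exfil_tools": exfil_tool_executions(WIN_EVENTS),
        "off_hours_accounts": off_hours_account_creation(WIN_EVENTS),
    }

if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name}: {hits}")
```

Note the ordering on srv01 in the sample: Defender stops, rclone runs two minutes later, and a new "helpdesk_admin" account appears three minutes after that. A single 7036 event is routine on a patch night; the same host producing all three inside a few minutes at 03:00 is the pattern worth paging on.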
- Hardening of systems against LoLbin abuse: Implement policies to restrict the use of certain binaries and scripts. For instance, use AppLocker or Windows Defender Application Control to prevent execution of unknown utilities like PCUnlocker, or to block rclone.exe unless specifically allowed. Disable or constrain PowerShell for regular users – enable Constrained Language Mode and logging to catch suspicious usage. Ensure LSASS protections are enabled (e.g., Windows Credential Guard or, at least, disabling easy memory dumps) so that if they get in, dumping creds is harder. Enforce strong cloud security measures: enable tamper protections on admin settings (some services allow locking critical settings behind additional auth). In SaaS like Okta or O365, enable MFA for admins at every login and consider IP restrictions.
- Incident preparedness and drills: Given the fast-moving nature of these attacks, have a detailed incident response plan specifically for a social engineering-driven breach. This plan should include steps to quickly: expire all user sessions (in case of token theft), force MFA re-enrollment if needed (in case an attacker registered their device), and freeze critical infrastructure if suspicious (e.g., temporarily disable cloud admin access until verified). Practice these in tabletop exercises: simulate an attack where an intruder is escalating privileges via the helpdesk – walk through how your team would identify it, cut it off, and what communications are needed. Also plan for the worst: if ransomware is deployed by their partners, are backups available and isolated? (Scattered Spider’s involvement often precedes ransomware, so ransomware readiness remains key.) Establish a relationship with law enforcement so you can quickly involve them – in some cases, investigators might provide indicators or context if they’re tracking the group. Also consider notification plans (customers, regulators) because data theft is likely. Essentially, treat Scattered Spider incidents on par with high-tier ransomware incidents in planning.
- Third-party/vendor security management: Since Scattered Spider often targets third-party IT providers, extend your security due diligence to them. Ensure your MSPs, call centers, and contractors have strong security controls (MFA, employee screening, etc.). Incorporate clauses in contracts requiring them to adhere to your security policies and report any social engineering attempts. You might limit the access these vendors have: for example, not giving full domain admin to an outsourced IT support – instead, use privilege delegation tools that require approvals. Regularly review and monitor vendor access logs. Some companies have started doing joint exercises with key vendors to practice responses to a scenario like a compromised vendor network that could impact them. Strengthening this supply chain link can close an avenue Scattered Spider exploits.
9. Timeline of major events:
- May 2022: Early operations – SIM swap and crypto theft. Scattered Spider (though not yet widely named) targets individuals for cryptocurrency accounts. They utilize SIM swapping and phishing to take over victims’ phone numbers and exchange accounts, swiftly draining wallets. These are small-scale but give the group experience and funds. Around this time, chatter about a crew called “The Community (Com)” arises, known for SIM swap rings – this is effectively Scattered Spider’s cradle.
- July–August 2022: “0ktapus” mega-phishing campaign. The group launches a broad smishing campaign impersonating Okta authentication. Twilio is breached in late July: employees fall for fake Okta login texts, allowing attackers to access Twilio’s internal systems. Using Twilio’s access, they steal OTP codes of Twilio’s customers (including Signal, DoorDash, etc.). Over 130 companies are reportedly targeted via similar SMS (some sources say 169 domains were used for these attacks). Cloudflare is targeted but thwarts it (employees used hardware keys). DoorDash later confirms some data was accessed via a vendor (Twilio). This campaign, disclosed by Group-IB in Aug 2022, is dubbed “0ktapus” and is later linked to Scattered Spider’s actors. It demonstrates their ability to orchestrate large-scale social engineering.
- Sept 2022: Lapsus$ overlap – Rockstar and Uber hacks. A hacker (possibly an affiliate of Scattered Spider or within The Com) breaches Uber and Rockstar Games. Uber attributes it to Lapsus$; method: compromised a contractor’s VPN via social engineering, then moved laterally and announced themselves on Uber’s internal Slack. Rockstar’s GTA6 development footage is leaked after a hacker gains access, also via social engineering of an employee. This shows the same style: tech companies infiltrated through social means. The arrested hacker for these (a UK teen) had ties to Lapsus$. It’s believed some Scattered Spider members were acquaintances or part of the same circles, indicating overlap of operations/personnel.
- Feb 2023: Targeting tech and financial firms. Reddit suffers a phishing attack on Feb 5 – an employee’s credentials and 2FA are phished via a targeted email, leading to internal data access. Reddit acknowledges it and notes no customer data breach. This attack, although not explicitly pinned on Scattered Spider, fits their profile and time frame. On Feb 6, Coinbase thwarts an attack: an employee falls for an SMS link, attackers get some access, but could not steal funds thanks to additional controls; Coinbase points to the same actor as Twilio’s breach. These incidents show Scattered Spider (or copycats) expanding to social-engineer various tech/crypto firms.
- March 2023: Okta support breach. Okta reveals that in late Jan 2023, its Customer Support unit was compromised – hackers accessed support engineers’ laptops, allowing viewing of some client data (essentially, using RDP to control support machines). This echoes Lapsus$’ March 2022 Okta breach but is a separate event. It indicates the group continues to target identity providers and their support supply chain. FBI and others increasingly see UNC3944’s hand in these types of incidents.
- April 2023: Western Digital and other intrusions. Western Digital discloses on April 3 a network breach causing service outages (MyCloud) and data theft. While WD doesn’t name culprits, media report the hackers claimed to be “ALPHV affiliates” possibly from The Com (there’s speculation a Scattered Spider member was involved). 10 TB of data was stolen, and a ransom was demanded. This event might involve Scattered Spider obtaining initial access and then handing it to a ransomware group – the style matches their later confirmed operations. Also in April, the UK’s ICS (Industrial Control System) sector was targeted via SIM-swapping at a telecom (this detail, from a UK report, suggests some critical infrastructure was probed, though details are scarce).
- September 2023: MGM and Caesars – joint operations with ALPHV. Around Sept 10, MGM Resorts International experiences a major cyberattack. Scattered Spider, posing as an MGM employee, tricked an outsourced IT helpdesk over the phone to obtain credentials. Within 24 hours, they had admin control over MGM’s network. The attack crippled MGM’s casino and hotel operations (systems down for ~10 days, reservation and digital keys offline). The group allegedly partnered with ALPHV (BlackCat) ransomware which was deployed after initial access. Meanwhile, Caesars Entertainment reveals in an SEC filing that on Sept 7 it paid roughly $15 million to hackers after they breached an external IT support vendor and stole a copy of Caesars’ loyalty program database (personal info of tens of millions). The attack is attributed to the same Scattered Spider group working with ALPHV. These incidents highlight Scattered Spider’s capabilities and willingness to collude with ransomware gangs. They become one of the most notorious threats, prompting FBI investigations and urgent industry alerts.
- Nov 2023: Advisories and arrests. On Nov 16, 2023, CISA, FBI, NCSC (UK), and others issue a joint CSA (AA23-320A) detailing Scattered Spider’s tactics and urging organizations to strengthen MFA, helpdesk verification, etc., in light of recent incidents. This is a rare multi-nation advisory, underscoring the threat’s gravity. Also in mid-Nov, law enforcement scores successes: a 23-year-old UK citizen suspected as a core Scattered Spider member is extradited from Spain to the US to face charges (this likely relates to the MGM/Caesars case). Additionally, a 19-year-old in Las Vegas, US is reportedly arrested in connection (media identified some teen involvement). After these, Google’s Mandiant notes a drop in UNC3944 activity, suggesting the arrests hit their leadership.
- Early–Mid 2024: Regroup and integration with ShinyHunters. With key members in jail, Scattered Spider’s independent activity declines. However, remaining elements appear to join forces with ShinyHunters (which had ongoing Salesforce campaigns). In May-June 2024, “Sp1d3rHunters” operations (Snowflake leaks, etc.) involve Scattered Spider providing phishing and initial access support to ShinyHunters’ data theft. Scattered Spider’s own brand goes quieter; in incident analyses, CrowdStrike renames them to “Octo Tempest” by mid-2024, tracking their collaboration with ShinyHunters as part of that. Essentially, Scattered Spider becomes more clandestine, possibly focusing on initial access role or smaller intrusions to sell to others, given direct extortion became riskier.
- August 2025: Scattered Lapsus$ Hunters channel. As detailed earlier, on Aug 8, a new Telegram channel brings together personas from Scattered Spider, ShinyHunters, and leftover Lapsus$ affiliates. They brand themselves collectively, bragging about breaches (including possibly ones not public yet) and even advertise a forthcoming RaaS “ShinySp1d3r”. This bold move is short-lived (channel banned Aug 11), but indicates an attempt by Scattered Spider’s remnants to resurface alongside ShinyHunters and recapture some “Lapsus$” style clout. It also confirms that, at least by personnel, Scattered Spider and Lapsus$ threads have converged. The channel’s quick removal, plus law enforcement infiltration announcements by ShinyHunters thereafter, mark a significant moment – essentially the adversaries acknowledging law enforcement pressure and warning their peers of traps. Some in the community, like threat intel professionals, see this as a sign that Scattered Spider (and co.) are feeling the heat and perhaps on the run.
- Late 2025: Current status. Post-August 2025, Scattered Spider’s distinct presence is minimal. Reports from Mandiant in late 2025 indicate a decline in the group’s activity after some arrests and doxxing of members. However, the threat is not eliminated – other groups are adopting similar techniques (e.g., a newer group “Storm-0875” which Microsoft noted in 2023 is likely the same cluster, might retool and return under a different name). Essentially, Scattered Spider has largely “fallen” as a brand due to law enforcement, but the individuals and their TTPs persist, blending into Sp1d3rHunters or other crews. The threat they posed – aggressive social engineering coupled with ransomware/extortion – remains a template for others. The latter half of 2025 sees fewer headline incidents attributed to them specifically, likely due to caution after the crackdown. It’s possible they (or successors) are focusing on lower-profile intrusions or selling access quietly to avoid the spotlight.
10. Strategic evaluation: Scattered Spider’s rise and partial fall offer strategic insights into the evolving cyber threat landscape.
Future trends: Social engineering attacks of this caliber are likely to continue and proliferate. Scattered Spider demonstrated that targeting the human element and outsourced services can be more effective than finding zero-days – this strategy is now well-known, and other criminal groups (“OctoTempest”, “Storm” groups, etc.) are adopting it. We expect more blended attacks where social engineering is the initial vector followed by either data theft (like ShinyHunters) or ransomware (like ALPHV).
Another trend is criminal collaboration: Scattered Spider working with ransomware gangs (and with ShinyHunters) is a blueprint for specialization – we foresee more partnerships between initial access brokers and payload operators, making attacks more efficient. On the defensive side, organizations are (belatedly) strengthening MFA and processes, which might push attackers to find new angles – possibly exploiting MFA fatigue with AI-assisted phishing calls (scaling voice phish) or targeting new technologies like MFA prompt intercepts.
They might also turn attention to smaller suppliers if big companies harden (since a small vendor can be a weak link). If Scattered Spider reconstitutes (or their members join others), they could also diversify tactics – e.g., using more malware to maintain persistence, given the push for zero trust might hamper their current methods. Law enforcement pressure: The high-profile nature of their attacks has drawn a strong response (international advisories, arrests). Strategically, this may deter some activity in the short term or drive it deeper underground. However, the gap might be filled by others who learned from their playbook. The concept of The Com – a community of young hackers – suggests even if one group is busted, new offshoots can emerge, as knowledge flows in those circles.
These actors also show a pattern of rebranding: e.g., Lapsus$ to Scattered Spider to whatever comes next (Storm-0875 in Microsoft’s lexicon). Therefore, organizations must defend against the techniques, not just the group name, as the adversary “label” will change. Likelihood of future attacks: It remains high. Any company with valuable data or a large user base is at risk of similar social engineering attacks. In fact, as more companies lock down their tech (patching, EDR, etc.), attackers may increasingly favor the social route, which no patch can fix.
The success of Scattered Spider’s methods (even after some arrests, they inflicted serious harm) will inspire copycats. So while UNC3944 might lie low now, other threat actors (even possibly state-sponsored ones) could adopt similar social techniques for initial compromise – e.g., we’ve seen North Korean APTs do phone-based phishing too. Hence, the probability of facing an attack akin to Scattered Spider’s modus operandi is elevated and persistent.
Strategically, organizations and security leaders need to invest accordingly: not just in technical controls, but in resilience of people and processes (zero trust, user education, incident response readiness). As a “lesson learned” figure, Scattered Spider has already forced many companies to harden their helpdesk procedures and MFA; those who haven’t done so are effectively the low-hanging fruit left – making them prime targets. In conclusion, Scattered Spider’s saga underscores that human-focused attacks are here to stay, and in a future where perimeters are increasingly secure, the front door (people) will be the preferred entry – making the legacy of Scattered Spider highly relevant for years to come.
And now, to finish, the sp1d3rhunters malware.
1. General overview and history: “sp1d3rhunters” is not a standalone malware family, but rather the collective alias adopted by the threat actors ShinyHunters and Scattered Spider when operating jointly. The name first appeared on underground forums around May 2024, when the handle “Sp1d3rHunters” was used on BreachForums to claim responsibility for a significant breach (the Ticketmaster/Snowflake incident). Essentially, it’s a portmanteau of “Sp1d3r” (the alias of a Scattered Spider member) and “Hunters” (from ShinyHunters), signaling the fusion of the two groups.
There is limited public information about any specific “sp1d3rhunters” malware, because it’s not a distinct malware per se, but an operation or campaign name. However, in practice the Sp1d3rHunters collaboration involved custom tools and techniques that merit analysis. The joint operation was active through 2024 and 2025, executing high-profile data breaches (e.g., Ticketmaster, Google CRM) under that banner. They also briefly attempted to broaden their coalition by incorporating Lapsus$ members in August 2025 via a Telegram channel called “Scattered Lapsus$ Hunters”.
After some members’ arrests and forum compromises in late 2025, the Sp1d3rHunters persona has gone quiet. In summary, “sp1d3rhunters” represents a strategic alliance of two threat actors rather than a specific malware strain – their focus was on credential access, stealthy data exfiltration, and extortion.
2. Tactics, techniques and procedures (TTPs): The TTPs of sp1d3rhunters are essentially a combination of ShinyHunters’ and Scattered Spider’s methods. Key aspects include:
- Credential theft at scale: Sp1d3rHunters heavily emphasizes obtaining valid credentials to infiltrate target systems. This was done via phishing (email/SMS) as well as leveraging infostealer malware logs. For instance, in the Snowflake breaches, they used login credentials that were stolen by commodity malware from employees who lacked MFA. They also phished users with highly targeted messages (taking advantage of Scattered Spider’s social engineering skill) to capture MFA tokens and passwords.
- Abuse of legitimate access (Valid Accounts – T1078): Once credentials are in hand, Sp1d3rHunters uses them to access cloud services like data warehouses (Snowflake) or CRMs (Salesforce) directly through the official web interfaces or APIs. No malware needs to be installed: they log in as an authorized user (perhaps after bypassing MFA via social engineering), which drastically reduces the chance of detection by antivirus or endpoint controls. The only record of the activity is in the SaaS provider’s own audit logs, which many organizations do not collect.
- Stealth and API-based data extraction: They excel at data exfiltration via web services (T1567.002). Using legitimate APIs, they can often extract vast amounts of data without tripping network DLP systems, as the traffic looks like normal application traffic (TLS to the vendor’s own endpoints). In the Snowflake cases, Sp1d3rHunters used ordinary clients (the Snowflake ODBC driver or the web console) with the stolen credentials described above to run queries that dumped entire tables; the access came from those credentials, not from a flaw in Snowflake itself. In the Salesforce attacks, they either leveraged the user’s session to run bulk data export jobs or tricked the user into authorizing a malicious OAuth connected app, which then siphoned data via the Salesforce API. Because these actions mimic regular admin or integration tasks, they fly under the radar unless specifically monitored (e.g., by alerting on unusual query volume, newly authorized connected apps, or unfamiliar client user agents).
- Obfuscation and living-off-the-land: The Sp1d3rHunters operations tend to avoid custom malware, instead living off the land. Even when they used a custom tool (like their Python exfiltration script for Salesforce), it operated through standard channels (Salesforce API) and thus appeared as normal user activity to many defenses. They also “chain” their techniques: for example, use Scattered Spider’s voice phishing to get an OAuth token, then use ShinyHunters’ custom script to quickly download data. Another obfuscation tactic is blending their actions with legitimate ones – e.g., performing data exfil while valid users are also active to hide in the noise, or naming their malicious OAuth app something innocuous to seem like a standard integration.
- Public extortion and disinformation: An interesting aspect of sp1d3rhunters operations is how they manage their extortion communications. They often go public early – for example, posting about Ticketmaster on a forum as a means of pressure. They also engage in information warfare by countering victim statements (when Ticketmaster said stolen tickets were unusable, Sp1d3rHunters publicly refuted that and provided evidence to the contrary). Tactically, this shows they monitor victim responses and adapt their narrative to maximize leverage. While not a “technical” TTP, it’s part of their playbook to ensure compliance or at least to embarrass the victim if no ransom is paid.
- Development of new tools (potential ransomware): During August 2025, the collective claimed to be developing a new ransomware called “ShinySp1d3r”, intending to create their own RaaS offering. This indicates an aspiration to broaden tactics to include encryption and broaden revenue. However, as of the latest information, no sample of “ShinySp1d3r” ransomware has surfaced in the wild and the plan might have been disrupted by Telegram shutting their channel and subsequent pressure. Still, the announcement alone shows they were exploring adding encryption/deployment malware to their arsenal, which would have made them an even more multifaceted threat.
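The TTPs above (valid accounts, scripted API clients in place of Data Loader, an innocuously named OAuth app with broad scopes, bulk exports) are individually noisy but distinctive when they stack within one session. As an added example, not code from the original report and not the attackers’ tooling, here is a small correlation routine over constructed Salesforce-style login, connected-app and export events. The field names, the per-user IP baseline, the approved-app allowlist, the row threshold and the app name “Data Loader PRO” are all assumptions made for the example.

```python
"""Correlating SaaS login, connected-app and export events to spot credential-based exfiltration.

Constructed sample data modelled loosely on Salesforce Event Monitoring; field names,
thresholds and the app name are assumptions for the example, not real telemetry."""
from datetime import datetime, timedelta

EVENTS = [
    # Normal analyst: known IP, browser, small report.
    {"ts": "2025-08-01T09:00:00Z", "type": "Login", "user": "jdoe", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0"},
    {"ts": "2025-08-01T09:05:00Z", "type": "Api", "user": "jdoe", "ip": "203.0.113.10",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/126.0", "object": "Contact", "rows": 120},
    # Suspicious: unknown IP, scripted client, innocuously named app with broad scopes, bulk pulls.
    {"ts": "2025-08-01T13:30:00Z", "type": "Login", "user": "asmith", "ip": "198.51.100.77",
     "user_agent": "python-requests/2.32.3"},
    {"ts": "2025-08-01T13:30:30Z", "type": "ConnectedApp", "user": "asmith", "ip": "198.51.100.77",
     "app": "Data Loader PRO", "scopes": ["full", "refresh_token"]},
    {"ts": "2025-08-01T13:31:00Z", "type": "BulkApi", "user": "asmith", "ip": "198.51.100.77",
     "user_agent": "python-requests/2.32.3", "object": "Contact", "rows": 250000},
    {"ts": "2025-08-01T13:34:00Z", "type": "BulkApi", "user": "asmith", "ip": "198.51.100.77",
     "user_agent": "python-requests/2.32.3", "object": "Account", "rows": 80000},
    # Legitimate integration account doing a routine Data Loader job from a known IP.
    {"ts": "2025-08-01T15:00:00Z", "type": "Login", "user": "ops_int", "ip": "203.0.113.20",
     "user_agent": "Salesforce-DataLoader/60.0"},
    {"ts": "2025-08-01T15:02:00Z", "type": "BulkApi", "user": "ops_int", "ip": "203.0.113.20",
     "user_agent": "Salesforce-DataLoader/60.0", "object": "Lead", "rows": 5000},
]

# Per-user IP baseline (constructed). In production derive it from 90 days of LoginHistory.
KNOWN_IPS = {"jdoe": {"203.0.113.10"}, "asmith": {"203.0.113.11"}, "ops_int": {"203.0.113.20"}}
# Connected apps approved for this org (constructed allowlist).
APPROVED_APPS = {"Salesforce Data Loader", "Marketing Sync"}
SCRIPTED_UA_MARKERS = ("python-requests", "simple_salesforce", "curl/", "go-http-client", "okhttp")
BROAD_SCOPES = {"full", "refresh_token", "api"}
BULK_ROW_THRESHOLD = 50_000      # rows exported per session above which a human user is unusual
WINDOW = timedelta(minutes=30)   # how long after the login we attribute activity to that session


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def classify_agent(ua):
    ua_l = ua.lower()
    if any(m in ua_l for m in SCRIPTED_UA_MARKERS):
        return "scripted"
    if "dataloader" in ua_l:
        return "dataloader"
    return "browser"


def score_session(login, followups):
    """Return (severity, reasons) for one login and the events that followed it.

    Each signal alone is noisy (admins use Data Loader, travel happens); the stacking of
    new IP + scripted client + unapproved broad-scope app + bulk rows is the pattern."""
    reasons = []
    if login["ip"] not in KNOWN_IPS.get(login["user"], set()):
        reasons.append("login from IP outside the user's baseline")
    if classify_agent(login["user_agent"]) == "scripted":
        reasons.append("scripted API client rather than browser or Data Loader")
    for e in followups:
        if e["type"] == "ConnectedApp" and e["app"] not in APPROVED_APPS and BROAD_SCOPES & set(e["scopes"]):
            reasons.append(f"unapproved connected app '{e['app']}' granted {sorted(e['scopes'])}")
    rows = sum(e.get("rows", 0) for e in followups if e["type"] in ("Api", "BulkApi"))
    if rows >= BULK_ROW_THRESHOLD:
        objects = sorted({e["object"] for e in followups if e["type"] in ("Api", "BulkApi")})
        reasons.append(f"{rows} rows exported from {objects}")
    severity = {0: "info", 1: "low", 2: "medium"}.get(len(reasons), "high")
    return severity, reasons


def detect(events):
    """Attach each non-login event to the same user's login within WINDOW and score the session."""
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for login in (e for e in events if e["type"] == "Login"):
        start = parse_ts(login["ts"])
        followups = [e for e in events if e["type"] != "Login" and e["user"] == login["user"]
                     and start <= parse_ts(e["ts"]) <= start + WINDOW]
        severity, reasons = score_session(login, followups)
        if severity in ("medium", "high"):
            alerts.append({"user": login["user"], "ip": login["ip"], "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["severity"].upper(), alert["user"], alert["ip"], "|", "; ".join(alert["reasons"]))
```

Run against the constructed events, only the `asmith` session is raised (high, four reasons); the analyst’s browser session and the integration account’s routine Data Loader job both stay at “info”, which is the point: thresholds on a single signal would either miss the attacker or drown the SOC in alerts about legitimate admins.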
3. Known victims and targeted sectors: Since “sp1d3rhunters” refers to the joint operations, the known victims overlap with those of ShinyHunters and Scattered Spider during 2024-2025. Key incidents under the Sp1d3rHunters banner include:
- Ticketmaster (2024): As detailed, their Snowflake account was compromised, leading to the leak of roughly 160,000–170,000 ticket barcodes (figures vary by report) and potentially tens of millions of customer records. This impacted the entertainment/events sector.
- Allianz Life (2025): A major U.S. insurer’s third-party hosted CRM was accessed in July 2025; the attackers (Sp1d3rHunters) leaked 2.8 million sensitive records from Salesforce, including personal and financial info. Sector: Insurance/financial services.
- Google (2025): Their Google Ads prospective customer database (Salesforce) was breached in June 2025; ShinyHunters (with Scattered Spider’s help) stole ~2.55 million records. Sector: Tech/Advertising.
- AT&T (potentially 2023-24): UnderTheBreach noted that Sp1d3rHunters claimed to infiltrate AT&T’s Snowflake instance (which could correlate with an AT&T data leak in 2024). If true, that involved telecommunications sector and massive datasets (AT&T has millions of customers).
- Neiman Marcus, Advance Auto Parts, Bausch & Lomb, etc.: The UnderTheBreach report (Aug 2024) mentions that Sp1d3rHunters operations extended to retail (Advance Auto Parts), luxury retail (Neiman Marcus) and healthcare manufacturing (Bausch & Lomb) via compromised Snowflake accounts (stolen credentials, not a platform exploit). These likely occurred in mid-to-late 2023 or early 2024. It indicates the campaign’s breadth: multiple industry verticals, all leveraging weak authentication on cloud data stores.
Essentially, Sp1d3rHunters targeted big organizations with large data troves, regardless of industry: entertainment, telecom, finance, tech, retail. The unifying factor is use of popular cloud platforms (Snowflake, Salesforce) and a large customer base to extort against. We can say the sectors most affected are those dealing with millions of customer records or high-value data. Geographically, most known victims are in the United States (Ticketmaster US, Allianz US, Google, AT&T US, etc.), with a few global (Neiman Marcus – US, Bausch & Lomb – int’l, Qantas – Australia). The impact on victims has been significant: aside from having data stolen, they faced public leaks. For example, Ticketmaster’s stolen data (ticket barcodes) directly could have undermined ticket authenticity (though Ticketmaster asserted safety measures). Google’s breach forced notifications to SMEs that their contact info was taken. Allianz had to notify 1.4M customers and deal with regulatory implications. These illustrate that the fallout is both operational and reputational. Sp1d3rHunters’ victim profile basically mirrors that of ShinyHunters but augmented by Scattered Spider’s initial access: large enterprises not sufficiently hardened on their cloud or third-party access.
4. Modus operandi and tools used: While not a separate malware, the Sp1d3rHunters collaboration introduced some custom tooling and specific modes worth noting:
- Custom Python exfiltration tool: In response to improved monitoring of standard admin tools, Sp1d3rHunters developed a Python-based data extraction script for Salesforce. This tool used stolen OAuth tokens or session cookies to authenticate to the Salesforce API endpoints and dump data more efficiently. Google observed that by August 2025 the attackers had switched from Salesforce Data Loader to Python scripts, and explicitly called out seeing such scripts in action. The script was probably lightweight, perhaps multi-threaded, to download objects (Contacts, Accounts) quickly, and likely built on known libraries (simple_salesforce or raw REST calls). One caveat for defenders: the switch does not make the API calls invisible, since Salesforce still records them server-side; what changes is the client fingerprint (user agent, request cadence, no Data Loader install on a managed host), so detections that key only on Data Loader activity miss it. The existence of this tool indicates the group’s software development capability to facilitate their operations.
- Lack of a distinct malware binary: There is no “Sp1d3rHunters RAT” or such. Instead, they rely on legitimate access and scripts, which means traditional malware detection yields nothing by that name. Even so, defenders can consider the “Sp1d3rHunters toolset” as including things like: credential phishing kits, AITM (adversary-in-the-middle) tools for MFA, and custom exfil scripts. In any public malware database, you won’t find “Sp1d3rHunters” labeled samples (except perhaps references in threat reports).
- Use of combined infrastructure: On forums, they used the handle Sp1d3rHunters to post leaks and communications. This suggests they possibly shared accounts or worked so closely that one representative could speak for both. In terms of C2 or communication, they likely coordinated via encrypted chats (we know they opened a Telegram channel). It’s possible they also leveraged some common C2 for backdoors – for example, if they installed a web shell or something, but there’s no specific evidence published of them deploying backdoors. The operations didn’t necessarily require an ongoing C2 beacon since most actions were interactive through web portals with stolen creds.
- Data obfuscation and packaging: Before leaking, they often packaged stolen data in archives (for instance, the Ticketmaster barcodes were shared in a file, and Allianz data was leaked presumably as SQL/CSV dumps). They sometimes provided tutorials or conversion tools for their leaked data to increase its value – e.g., instructing how to turn the leaked Ticketmaster barcodes into scannable QR codes. This indicates they take extra steps (beyond just stealing) to demonstrate the “usability” of data. As a tool, they may have written simple code to generate barcodes or process stolen info for leaks.
- No repeated use of the same infrastructure: Unlike typical malware, which has C2 servers or domains to track, Sp1d3rHunters had no unique persistent infrastructure outside of forums. They appeared on BreachForums (which ties their activity to the forum’s onion address, now down) and on Telegram (which banned the channel). If they had static infrastructure such as exfil servers, it has not been exposed publicly; most likely they used cloud services or the victim’s own infrastructure for exfil (e.g., uploading to an attacker-owned cloud drive, or pulling data via the API directly to an attacker machine). They may have used temporary VPSs or storage accounts (Mega, etc.) for staging stolen data, but those would be short-lived.
- Ransomware tool development: Although theoretical, the mention of developing “ShinySp1d3r” ransomware on their Telegram channel shows they intended to expand their toolkit. If it had materialized, we might have seen a custom ransomware strain (or a rebrand of an existing one) affiliated with them. That would have been a significant new tool in their arsenal, merging the data-theft-first approach with encryption second. However, since the channel was taken down and no further sign of that ransomware appeared, the project likely never launched (or is on hold). It does highlight that they have the capacity and intent to write their own malware if needed, which in itself is notable since prior they mostly used scripts and legit tools.
5. Known IOCs (Indicators of Compromise): Because Sp1d3rHunters is an operation, not a file, IOCs associated with it are those of the combined campaign:
- BreachForums alias: The username Sp1d3rHunters on BreachForums (v3) is a key IOC (historical). That account was used in mid-2024 to post stolen Ticketmaster data and extortion messages. While that forum is gone, intel gleaned from it (e.g., PGP keys or contact info shared by that user, or the content of their posts) serves as IOCs indicating the actor’s presence. For example, they provided contact methods for negotiation – those handles (maybe a Telegram ID or email) are IOCs that could be monitored.
- Telegram channels and emails: The t.me/scatteredlapsusp1d3rhunters Telegram channel link is an IOC (August 2025). Although banned, any attempt to create similarly named channels could indicate the group resurfacing. They also listed contact emails like shinygroup@tuta.com, shinycorp@tuta.com on that channel – these are concrete IOCs. Seeing traffic or references to those emails in logs could be a clue of communication with the group.
- Phishing domains and victim-specific IOCs: When Sp1d3rHunters targeted an organization, any phishing infrastructure used is an IOC. For example, the Ticketmaster attack likely involved an initial vector (possibly a compromised Snowflake partner or credentials from stealer logs), which might not leave obvious IOCs externally. But in the Salesforce attacks, they registered phishing domains tailored to each victim (ReliaQuest noted a set of ticket-themed and Salesforce-themed domains aligned with their campaigns). If known, those domain names are IOCs (e.g., a fake Okta login site mimicking Allianz or Qantas, etc.). These were likely sinkholed or reported; still, organizations can search historic DNS for domains containing their name + “login”, etc. associated with these attacks.
- Malicious OAuth app names: In the Salesforce incidents, the attackers used either a malicious OAuth app or an alternative exfil method. If they used an OAuth app, the app’s name and ID are IOCs. For example, they may have named it something like “Salesforce Data Loader PRO” to trick users. If companies share details of any unauthorized OAuth apps discovered, those names, client IDs, and the redirect URI domains could be IOCs. Google did mention malicious OAuth usage in general but not the specific name.
- IP addresses used in breaches: In Google’s case, GTIG presumably observed the IPs from which data was exfiltrated; the same goes for Allianz, Ticketmaster, etc. If logged, those IPs are IOCs. For example, Google said it saw Python scripts instead of Data Loader; those scripts likely connected from IPs atypical for Google employees, and any such IP that was recorded or reported would be a strong IOC. However, such details are often kept internal or shared under NDA within ISACs. In general, commercial VPN exits, cloud provider ranges or Tor may have been used. At minimum, treat any login to a corporate SaaS from an IP not associated with legitimate user locations as a potential IOC, especially when it coincides with heavy data access.
- Leak file hashes and data snippets: When Sp1d3rHunters leaked data (e.g., Allianz Life dataset, Ticketmaster barcodes), the files themselves (hashes of the dump files) become IOCs. Security teams sometimes load these into DLP or SIEM to detect if they appear on their network. Also, sample records from those dumps can be used to identify if your data is included (for victim orgs). For example, the presence of certain fields like “Ticket ID” or “Salesforce Contact Object” in logs leaving your org could hint at data being exfiltrated.
- Cross-group indicators: Since Sp1d3rHunters is an amalgam, IOCs of ShinyHunters (forum handles, extortion emails) and of Scattered Spider (phishing domains, phone numbers) are indirectly IOCs for Sp1d3rHunters. For instance, any new breach extortion that references both an initial access element and data theft together might indicate Sp1d3rHunters activity. In August 2025, they even spelled out the overlap: “ShinyHunters and Scattered Spider are one and the same”. So, sightings of ShinyHunters extortion demands accompanied by unusual initial access vectors could be a sign of Sp1d3rHunters at work.
Status of IOCs: Many of the Sp1d3rHunters IOCs (forum accounts, Telegram channels, malicious domains) are now inactive (forums taken down, channels banned, domains likely offline). However, they remain historically useful for threat hunting; any retrospective logs showing interactions with those indicators warrant investigation. Going forward, detection efforts should focus on patterns: unauthorized cloud data access, correlation of social engineering events with data exfiltration, etc., as the group may resurface under new monikers using similar techniques.
6. Links or correlations with these three entities: Sp1d3rHunters is the direct link between ShinyHunters and Scattered Spider – essentially the overlap of those two threat actors. Any discussion of Sp1d3rHunters is inherently about the collaboration of those groups, so in that sense, it doesn’t have separate “links” beyond being the link itself. That said, through Sp1d3rHunters we saw evidence that strongly correlates the activities of ShinyHunters and Scattered Spider: e.g., similar sectors targeted at the same time, use of a shared alias on forums, and explicit confirmation by the actors. Additionally, Sp1d3rHunters was part of a broader joint venture that briefly included LAPSUS$ (as per the “Scattered Lapsus$ Hunters” Telegram combining all three).
This suggests that Sp1d3rHunters operations were not isolated, but rather fluid, involving a collective of multiple cybercriminal groups. In practical terms, if one encountered Sp1d3rHunters in an incident, one was effectively dealing with both ShinyHunters and Scattered Spider at once (and possibly Lapsus$ affiliates). Therefore, all known aliases of those groups tie into Sp1d3rHunters. For example, ShinyHunters going by UNC6040 and Scattered Spider as UNC3944 – Google’s write-up associated UNC6040 with working with Scattered Spider (UNC3944) and dubbing it Sp1d3rHunters. Another link: the group’s Telegram profile called itself “The Com HQ” which directly references the criminal community linking Lapsus$ and Scattered Spider.
Strategically, Sp1d3rHunters acted as a force multiplier by linking these groups – it combined Scattered Spider’s initial access capacity with ShinyHunters’ monetization skills, increasing the threat potency. As such, any correlation analysis shows that breaches in 2024-2025 that involved both sophisticated social engineering and large-scale data theft likely indicate Sp1d3rHunters involvement. In summary, Sp1d3rHunters is less a separate entity and more the collaborative intersection of ShinyHunters and Scattered Spider (and tangentially Lapsus$).
It embodies how these entities reinforce each other; thus, any intel or action against one inherently affects the others.
7. Threat level assessment:
- For CERT: Sp1d3rHunters represents a worst-case scenario for incident responders, as it combines the penetration skill of Scattered Spider with the data theft and extortion of ShinyHunters. For a CERT, the threat level is extremely high. If an incident is identified as Sp1d3rHunters-driven, it means the organization is dealing with a full compromise (often domain or critical cloud admin compromise) and a likely data breach already in progress or completed. It also suggests multi-faceted impacts: immediate security incident plus an extortion crisis. The presence of Sp1d3rHunters implies stealthy intrusion (requiring deep investigation across endpoints and cloud logs), coordinated extraction of data (needing digital forensics to scope what was taken), and external communications (since the attackers often leak data publicly). The CERT must thus coordinate across technical response, legal/regulatory, and PR – essentially treating it as both an APT breach and a ransomware event rolled into one. The CERT should also prepare for attackers possibly lingering with backdoors (given the collaboration, they might not deploy malware, but they may maintain access via accounts or cloud footholds). In terms of likelihood, any organization already targeted by either ShinyHunters or Scattered Spider individually should consider the chance of a combined operation (Sp1d3rHunters) as high if the conditions allow (lack of MFA, etc.). National CERTs likely view Sp1d3rHunters as a top-tier eCrime threat to monitor, due to its broad impact across sectors. Handling a Sp1d3rHunters incident often requires all-hands-on-deck and potentially international law enforcement involvement (e.g., the Google and Allianz cases involved FBI etc.). So for CERTs, the threat from Sp1d3rHunters is about as severe as a non-nation-state actor gets.
- For SOC: To a SOC, Sp1d3rHunters is basically the union of two difficult-to-detect attack patterns. The threat level is critical. A SOC would be challenged first to even detect such an attack: the initial compromise might be via phishing (blending in with user activity), and subsequent actions via cloud APIs might not trigger existing SIEM rules if those rules focus on malware or known attack patterns. Many SOCs historically haven’t monitored API usage or unusual data queries in SaaS apps – Sp1d3rHunters attacks exploit that blindspot. Once the SOC does realize something (maybe by an unusual spike in data egress or by seeing a forum post of company data), they’re already behind. Containment is urgent because the attacker might still be in (e.g., at Google they cut off access but some data already taken). The SOC would need to quickly analyze cloud logs, something not all SOCs are fluent in, and differentiate malicious activity from legitimate admin tasks. Additionally, given Sp1d3rHunters covers both endpoints (from initial phish, possibly compromised devices or accounts) and cloud, the SOC has to span both domains in investigation. It’s resource-intensive to chase these threads. And the consequences – large data leaks – mean the SOC is under big pressure to get answers fast (“what data did they take? how? are they out?”). Many SOCs might escalate directly to CERT or external incident responders because of the complexity. In terms of everyday operations, the presence of Sp1d3rHunters means a normal user account or API key could be doing malicious things – SOC analysts must be trained to spot patterns like “mass download by user” or “login from unusual agent (Python script)” which are not typical IOCs. The threat is high in likelihood too for those organizations that both have valuable data and might be targeted by social engineering – basically any large enterprise. If not prepared, a SOC might not catch it until too late. 
Thus, from a SOC perspective, this threat demands advanced monitoring and an assumption that “we could already be compromised via an identity vector we haven’t considered.”
- For CISO: Strategically, Sp1d3rHunters is one of the most dangerous threats to an enterprise’s information security. The group’s approach directly aims at a company’s crown jewels (customer data, proprietary data) and often bypasses conventional defenses. The threat level is very high, because even companies with good endpoint security and patch management can fall victim if their users or cloud configs are exploited. The combined nature means it’s not just a data breach but also an extortion attempt – so the CISO must manage technical response and executive-level decisions about ransom, disclosures, etc., simultaneously. The probability of being targeted by Sp1d3rHunters (or a similar collaboration) is significant for large organizations, especially if they store large datasets attractive for extortion. With the proliferation of cloud services, many firms have as-a-service platforms that, if accessed, yield millions of records – Sp1d3rHunters has shown those are prime targets. The CISO should drive investments in identity-centric security, zero trust, cloud security monitoring, and crisis management preparedness. They also need to articulate this risk to other executives: unlike a traditional ransomware that might encrypt files (for which you can plan continuity via backups), a Sp1d3rHunters attack can expose sensitive data, a different type of damage that requires customer/partner trust management. Also, regulators are increasingly attuned; a CISO must ensure the company meets obligations (like GDPR, etc.) in event of such breach, meaning solid data inventories and breach response processes. The impact of a successful Sp1d3rHunters attack can be extreme – multi-million dollar fines or incident costs, stock price hits, loss of clients – as seen by the seriousness with which victims treated these incidents (e.g., paying ransom like Caesars did, which is rare admission for a big company). 
Therefore, the CISO should rank this threat as a top scenario to protect against. In summary, Sp1d3rHunters-type attacks are high-impact/high-likelihood enough that they should significantly influence enterprise security strategy – focusing on closing the gap between technical security and human/process security, and on being able to detect and respond to sophisticated credential abuse.
8. Detection and mitigation recommendations (enterprise context):
(Given Sp1d3rHunters is an amalgam of ShinyHunters and Scattered Spider, many recommendations overlap with those for each group individually. Emphasis here is on the combination and enterprise-wide practices.)
- Implement end-to-end Zero Trust controls: Adopt a Zero Trust Architecture where possible – verify every access, every time, for everyone. Practically, this means using continuous risk-based authentication for users accessing sensitive data. If an account starts downloading unusually large data sets or performing admin-like actions it never did before, force an immediate re-authentication with strong MFA or step-up verification. For cloud apps, enable features like session monitoring and anomaly detection – many IDaaS providers offer risk scoring for sessions (use them to block or alert on suspicious ones). Ensure that network segmentation is in place such that even if one set of credentials is compromised, attackers can’t pivot freely to all data. For example, store especially sensitive data in separate environments requiring additional VPN or context to access. Sp1d3rHunters succeeded partly because one set of cloud credentials opened the door to massive data; implementing layered access (need separate token or device certificate for data export functions) could mitigate that.
- Holistic monitoring and correlation: Use SIEM/XDR tooling that aggregates signals from endpoints, network and cloud services to detect multi-stage patterns. For instance, correlate a user’s VPN login with subsequent SaaS behavior: if John Doe’s account logs into the VPN from a new country and five minutes later dumps a Salesforce report of 100k contacts, that correlation should trigger an alert (if not automated containment). Leverage cloud-native monitoring: services like AWS GuardDuty, Microsoft Entra ID Protection (formerly Azure AD Identity Protection) and Salesforce Shield Event Monitoring provide crucial clues (impossible-travel logins, mass downloads, newly authorized connected apps). Feed those into your SOC analytics. Also consider UEBA (User and Entity Behavior Analytics) to baseline normal user and admin behavior so you can flag deviations (e.g., an employee who never accessed certain data suddenly doing so extensively). Given that Sp1d3rHunters avoids malware, these anomaly detections are often the only warning. Regularly tune and test them with red-team exercises that simulate data exfiltration via stolen credentials, and confirm that the alerts actually fire.
- Harden cloud and third-party configurations: Review the configuration of services like Snowflake, Salesforce, Okta, etc. Enforce MFA for all users, especially for privileged actions such as data export. Where possible, use phishing-resistant MFA (FIDO2/WebAuthn) or device-bound authenticators rather than push or OTP, since push approvals and one-time codes are exactly what AiTM kits and vishing relay. Apply IP allowlisting for admin interfaces, e.g., only allow Salesforce admin logins from corporate IPs or the VPN (Login IP Ranges on the relevant profiles); this alone would have blunted external use of stolen admin credentials. Audit third-party app integrations: remove any not needed and tightly scope the rest (a genuine Salesforce integration should hold only the object access it needs, so a connected app requesting broad scopes such as “full” is suspicious). Limit API tokens: many breaches involve long-lived keys leaking; adopt short-lived tokens or require periodic re-authentication. In Snowflake’s case, use network policies to restrict the addresses from which sessions can be opened, and authentication policies to require MFA for human users, so that a password harvested by an infostealer is not enough on its own. For third-party vendors, enforce security contractually and technically: e.g., if an MSP has remote access, require that you approve their sessions, just as you would treat any external user.
- Rapid detection of large data access: Put automated safeguards around data exfiltration. For example, use data access governance tools that detect bulk downloads from SharePoint, Box, etc., and alert or temporarily block. Many cloud services allow query limits or download thresholds; where possible, implement them (a Salesforce admin rarely needs to export all records at once; if someone attempts it, require a higher approval). If you have DLP, tune it to inspect traffic to cloud storage or unusual external destinations: Sp1d3rHunters might exfiltrate data to a personal Google Drive or Dropbox, which network DLP (if proxying traffic) can catch when configured. Additionally, maintain honeypot records (fake entries) in your databases: if they appear in a leak or are accessed, you know a breach happened. Some organizations tag such “canary” data and monitor whether it is touched, which provides early warning of mass access.
- Strengthen corporate processes against combined attacks: As they often get in via social means and then take data, ensure your processes provide failsafes. Example: if an employee’s account is being used to perform an unusual action (like downloading all customer data), require an out-of-band confirmation from that employee or a supervisor. Solutions like four-eyes approval for data exports can help (two authorized people must approve a data dump). Make sure your password reset and account recovery processes cannot be easily tricked – use multi-step verifications and consider adding monitoring to those processes (e.g., log and review when many account recoveries happen). Conduct periodic insider threat reviews of logs – ironically, Sp1d3rHunters appears as an insider in logs. Having an insider threat program that looks for large data accesses by employees can catch external actors using employee accounts as well.
- Crisis management and drill for extortion scenarios: Prepare your organization for the event that sensitive data is stolen and leaked. Develop a clear plan on who makes decisions about ransom payments (preferably a decision not to pay, but guided by legal counsel and FBI input), how to communicate with threat actors (some engage via email or chat – this might be handled by incident response teams or negotiators), and how to manage public disclosure. In some Sp1d3rHunters cases, the threat actors made very public posts – be ready with PR statements to respond swiftly and transparently to stakeholders (customers, regulators). Drill this scenario specifically: simulate a combined breach where attackers both have persistent access and have exfiltrated data – practice coordinating technical response (to evict them) with communications and legal response (to address the leak and possibly negotiation). The more rehearsed you are, the faster and more effective the real response will be, potentially reducing ransom pressure.
- Collaborate on threat intelligence: Because Sp1d3rHunters is a threat actor group (or coalition), up-to-date intelligence on their tools and strategies is vital. Join industry sharing groups (like an ISAC) to exchange intel. For example, if one company sees a new phishing domain or a novel OAuth app used by these attackers, quick sharing can allow others to search their logs or block similar attempts. Work with vendors – many cloud service providers (Microsoft, Salesforce, etc.) actively improved monitoring and guidance after these incidents; ensure you’re engaged with them and implementing recommended mitigations from advisories (e.g., CISA’s advisories included mitigations like offline backups, MFA, application controls – these were broad but essential). Consider threat hunting exercises specifically for Sp1d3rHunters tactics: e.g., search logs for any indication that a malicious app was authorized or that an account performed bulk actions unexpectedly in the past – you might catch a breach-in-progress or earlier compromise that went unnoticed. By keeping your organization informed of the latest indicators and patterns from this group’s activity, you improve chances of early detection or prevention.
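The honeypot-record idea from the data-access recommendations above can be pushed one step further: if each copy of a dataset (the production CRM, the analytics warehouse, a partner export) carries canaries derived from a secret key and a per-copy label, then a dump surfacing on a forum tells you which copy leaked, not merely that something did, and you never have to store a table of every canary you ever planted. The following is an added example, not code from the original report; the key, the domain, the copy labels and the leaked CSV are constructed for the illustration.

```python
"""Seeding keyed canary records into dataset copies and attributing a leaked dump to a copy.

Added example with constructed data. Canary e-mail addresses are an HMAC of
(secret key, copy label, index), so a leaked address can be recognised and attributed
by recomputation instead of by a stored lookup table."""
import csv
import hashlib
import hmac
import io

CANARY_KEY = b"replace-with-a-secret-from-your-vault"   # assumption: kept outside the CRM itself
CANARY_DOMAIN = "example.com"   # assumption: a domain you control, so mail to canaries is observable
CANARIES_PER_COPY = 3


def canary_address(label, index, key=CANARY_KEY):
    """Deterministic canary address for copy `label`, slot `index`."""
    tag = hmac.new(key, f"{label}:{index}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"c.{tag}@{CANARY_DOMAIN}"


def seed_canaries(label, count=CANARIES_PER_COPY):
    """Synthetic contact rows to insert alongside real ones in the copy named `label`."""
    return [{"first_name": "Canary", "last_name": f"{label}-{i}", "email": canary_address(label, i)}
            for i in range(count)]


def match_dump(dump_csv_text, labels, count=CANARIES_PER_COPY):
    """Return {label: hits} for every known copy whose canaries appear in the dump.

    Only the labels of copies you issued are needed; addresses are recomputed on the fly."""
    expected = {canary_address(label, i): label for label in labels for i in range(count)}
    hits = {}
    for row in csv.DictReader(io.StringIO(dump_csv_text)):
        label = expected.get(row.get("email", "").strip().lower())
        if label:
            hits[label] = hits.get(label, 0) + 1
    return hits


# Copies of the customer dataset that were each seeded with their own canaries (constructed labels).
KNOWN_COPIES = ["salesforce-prod-2025q2", "snowflake-analytics", "partner-mailing-vendor"]

# Constructed "leaked dump": two real-looking rows plus two canaries from the Salesforce copy.
LEAKED_DUMP = "first_name,last_name,email\n" + "\n".join([
    "Ann,Example,ann@example.net",
    "Bob,Sample,bob@example.org",
    f"Canary,x,{canary_address('salesforce-prod-2025q2', 0)}",
    f"Canary,y,{canary_address('salesforce-prod-2025q2', 2)}",
])

if __name__ == "__main__":
    print("rows to seed into the warehouse copy:", seed_canaries("snowflake-analytics"))
    print("copies implicated by the dump:", match_dump(LEAKED_DUMP, KNOWN_COPIES))
```

Two practical notes. The canary mailboxes should exist and be monitored: a phishing or spam message arriving at one of them is itself an indicator that the corresponding copy is in criminal hands, independent of any forum post. And because the addresses are keyed, rotating `CANARY_KEY` after an incident invalidates old canaries without touching the detection code; only the labels of the copies you issued need to be kept.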
9. Synthetic timeline of major events (Sp1d3rHunters focus):
- May to June 2024: ShinyHunters advertises the Ticketmaster data, obtained through the Snowflake customer-instance compromises, on BreachForums. Shortly afterwards the alias "Sp1d3rHunters" appears on the forum; it is believed to be the Scattered Spider-linked user "Sp1d3r" adopting a new handle to signal a partnership with ShinyHunters. This marks the inception of Sp1d3rHunters as a joint operating entity.
- July 2024: Ticketmaster extortion goes public. Sp1d3rHunters leaks roughly 160,000 to 170,000 Taylor Swift Eras Tour ticket barcodes (figures vary across reports) and claims to hold far more (it cites 680M user records). The threat actor publicly demands a ransom from Ticketmaster on BreachForums, which draws media attention. Ticketmaster denies negotiating and points to technical mitigations (its rotating SafeTix barcodes). Sp1d3rHunters keeps posting, accusing Ticketmaster of downplaying the risk and publishing what it presents as a tutorial for generating usable barcodes from the leaked data. This episode establishes Sp1d3rHunters' reputation for brazen extortion and sets the pattern for releasing data when demands are not met.
- Mid to late 2024: Snowflake and stealth breaches. Alongside the Ticketmaster case, the same Snowflake campaign (tracked by Mandiant as UNC5537 in June 2024) hits multiple companies through customer instances accessed with credentials from infostealer logs, typically with no MFA in place. Some victims, such as Advance Auto Parts and Neiman Marcus, confirm data theft within weeks; others (the article's sources also name Bausch & Lomb) are tied to the same actor only much later. Sp1d3rHunters does not publicize each of these on forums, apparently preferring selective extortion or private sales for some targets. This suggests a shift toward quieter monetization, possibly to avoid the spotlight that followed Ticketmaster.
- June 2025: Salesforce campaign begins. According to Google's Threat Intelligence Group (GTIG) and other threat-intel sources, the actors launch a broad campaign against companies' Salesforce CRM instances. The entry technique is vishing: an IT-support impersonation call persuades an employee to authorize a malicious connected app (a modified Salesforce Data Loader) under a benign-looking name, after which the app is used to bulk-export records. GTIG publishes its warning about this activity (as UNC6040) in early June. In the same month the actors access Google's own Salesforce instance, although Google only discloses this in August. Other firms are hit in the same wave: Qantas discloses a breach of frequent-flyer data at the start of July, and Chanel reports a third-party data incident in August that is widely linked to the Salesforce campaign. These breaches are not immediately tied together publicly; in this phase the actors mostly extort quietly or simply steal and stage data for a possible leak.
- July 2025: Allianz Life breach. On July 16, 2025, the actors use social engineering to gain access to a third-party cloud CRM (Salesforce) used by Allianz Life and steal data on the majority of its customers; the dataset later leaked is reported at about 2.8M records. By early August they dump these records on their leak channels (Telegram and forums) and boast about it. It is one of the larger single-company breaches of the wave. Allianz notifies regulators and customers quickly, which suggests either that no ransom was attempted or that negotiations failed, so the data was simply leaked. The contents (names, addresses, tax IDs and more) underline the severe privacy impact. Pierluigi Paganini's SecurityAffairs blog covers the leak on August 13, attributing it to ShinyHunters and partners.
- August 2025: Google breach publicized; Sp1d3rHunters and Lapsus$ join forces. Around Aug 8 to 10, 2025, several things happen at once. Google confirms the June Salesforce breach, attributing it to UNC6040 (ShinyHunters) and noting overlap with Scattered Spider (UNC3944); the media, not Google, labels the collaboration "Sp1d3rHunters". Google characterizes the stolen data as basic, largely public business contact information for prospective Google Ads customers; a figure of roughly 2.55M records comes from the actors' own claims, not from Google. An extortion email demanding 20 BTC is sent to Google, which ShinyHunters later dismisses as a prank by someone else. Acknowledgement by a tech giant cements Sp1d3rHunters as a top-tier threat in the public eye. At virtually the same time, the actors escalate by launching the "Scattered Lapsus$ Hunters" Telegram channel on Aug 8. There they behave very brazenly: claiming breaches (including Allianz), taunting law enforcement, and announcing plans for a "ShinySp1d3r" ransomware-as-a-service. For a few days it becomes a hub for fans and fellow hackers (over 7k subscribers quickly), but by Aug 11 Telegram bans the channel for its illicit content. On Aug 12, following the earlier arrests of several members in France, ShinyHunters posts a message (relayed by DataBreaches.net) claiming that BreachForums has been a honeypot and that their accounts are compromised. They also confirm that the Sp1d3rHunters persona and alternates such as "Hollow" were all theirs, effectively burning those identities. These events mark the apex of Sp1d3rHunters and the crackdown that followed; afterwards the collective abandons its overt presence to avoid further law-enforcement action.
- Late 2025: Aftermath. With BreachForums reportedly under law-enforcement control (the actors themselves call it a honeypot) and the Telegram channel shut, Sp1d3rHunters disappears from public view. No major leaks are known under that name after August. Arrests and internal strife (some members detained, others presumably lying low) put a temporary halt to the collaboration. Organizations, meanwhile, digest the lessons of these attacks (CISOs sharing knowledge, tightening MFA and SaaS monitoring). By late 2025 the remaining members are believed to have gone quiet or re-integrated into other crews. Strategic analysts note that the Sp1d3rHunters model, having "succeeded" before the arrests, may well reappear under different branding.
10. Strategic evaluation (future trends, attack probability): Sp1d3rHunters as a named entity may have been effectively dismantled by law enforcement, but the threat it embodied is far from gone.
Future trends: Similar multi-actor collaborations are likely to recur in the cybercrime ecosystem. Combining complementary skills (initial-access brokers, data monetizers, possibly ransomware deployers) multiplies profits, so the incentive is strong. The attempted inclusion of Lapsus$ suggests that young, notoriety-seeking hackers will keep forming fluid alliances; a rebrand of "The Com" under a new collective name would not be surprising. Tactically, data-exfiltration attacks against SaaS and cloud platforms will continue, since Sp1d3rHunters showed how exposed many companies were there. Expect attackers to concentrate on misconfigurations and stolen credentials for any large-scale cloud data store, not only Salesforce and Snowflake but also platforms such as Workday or ServiceNow.

Given the group's stated interest in launching a ransomware operation, groups known for data theft (such as ShinyHunters) may pivot to, or combine with, encryption-based extortion, while ransomware gangs increasingly add data theft. The line between "data breach extortion" and "ransomware extortion" will blur further, as Sp1d3rHunters had already begun to blur it. On the defensive side, companies spurred by these events are improving MFA, monitoring and third-party security. As those defences improve, attackers may adapt: more insider recruitment (if phishing gets harder, bribing employees, which some reports suggested Lapsus$ attempted), abuse of emerging technology (AI-driven social engineering at scale), or a shift toward non-traditional data such as ML training sets and code repositories if direct PII becomes harder to obtain.

Probability of attack: For an individual organization, a Sp1d3rHunters-style combined attack remains a plausible threat. The specific actors may change, but the method (spear-phishing or vishing followed by cloud data theft through legitimate APIs) remains one of the most likely serious-incident scenarios. Given the attention these incidents drew, copycats may try their luck, and may target smaller companies on the assumption that large ones are now on high alert; while Sp1d3rHunters aimed at big fish, mid-sized firms may be hit by the same means as softer targets. Strategically, law-enforcement successes (arrests) deter and disrupt these groups, but as seen with Lapsus$, new members tend to emerge. The "community" nature of the threat means it adapts: a quiet period now, with a likely resurgence later. Security planning should therefore assume that attacks combining advanced social engineering with API-based data theft will remain a common high-impact threat, and that an average CISO will face at least attempts of this kind in the coming years.

In conclusion, Sp1d3rHunters represents a blueprint for future cybercrime: flexible, collaborative and cloud-focused. Even if the original moniker fades, the strategy it used will persist, and organizations must build that expectation into their forward-looking security strategies, anticipating that tomorrow's threat actors will emulate these techniques with equal or greater skill.
OSINT Sources
- https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-leak-ticketmasters-barcode-data-for-160-000-taylor-swift-eras-tour-tickets-online
- https://www.scworld.com/brief/ticketmaster-downplays-alleged-shinyhunters-hack-of-taylor-swift-tix
- https://securityaffairs.com/181017/data-breach/google-confirms-salesforce-crm-breach-faces-extortion-threat.html
- https://www.bleepingcomputer.com/news/security/google-confirms-data-breach-exposed-potential-google-ads-customers-info/ (BleepingComputer, Lawrence Abrams)
- https://cloud.google.com/blog/products/chronicle/defending-against-unc3944-aka-scattered-spider
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a (Joint FBI/CISA Advisory on Scattered Spider)
- https://malwarebytes.com/hacker-news/ticketmaster-hackers-release-stolen-ticket-barcodes-taylor-swift (Malwarebytes article referencing Sp1d3rHunters on BreachForums)
- https://securityaffairs.com/181093/data-breach/hackers-leak-2-8m-sensitive-records-from-allianz-life-in-salesforce-data-breach.html
- https://lemonde.fr/en/pixels/article/2022/08/05/who-are-the-shinyhunters-a-hacker-group-an-fbi-wanted-frenchman-is-suspected-of-belonging-to_5992595_13.html
- https://underthebreach.medium.com/meet-the-top-5-threat-actors-exploiting-infostealers-data-to-breach-companies-681253e11998 (Under the Breach – Alon Gal Medium article)
- https://thehackernews.com/2025/08/cybercrime-groups-shinyhunters.html (The Hacker News article on ShinyHunters & Scattered Spider alliance)
- https://falconfeeds.io/blogs/scattered-lapsus-hunters-investigative-timeline (FalconFeeds.io detailed timeline of “Scattered Lapsus$ Hunters” Telegram channel)
- https://medium.com/@tahirbalarabe2/unmasking-the-scattered-spider-threat-actor-6435c2439ed7 (Medium article “Unmasking Scattered Spider”)
- https://cybersecuritydive.com/news/scattered-spider-hacker-group-profile/ (Cybersecurity Dive profile on Scattered Spider)
- https://wired.com/story/scattered-spider-hacking-group-chaos/ (Wired article on Scattered Spider – “Most Imminent Threat”)
- https://en.wikipedia.org/wiki/GnosticPlayers
- https://en.wikipedia.org/wiki/ShinyHunters
- https://whiteblueocean.com/newsroom/shinyhunters-one-of-the-most-recognised-threat-actors-among-the-hacking-community/
- https://medium.com/under-the-breach (Under the Breach blog for further threat actor profiles)