Why Is the Scattered Spider Collective So Hard to Stop?

Dominic Jainy has spent his career at the intersection of high-level IT infrastructure and the complex security vulnerabilities that threaten modern digital ecosystems. With deep expertise in artificial intelligence and blockchain, he possesses a unique vantage point on how emerging technologies are being weaponized by increasingly sophisticated threat actors. Today, he joins us to discuss the recent findings regarding Scattered Spider, a group that has forced security professionals to rethink the traditional “cyber gang” hierarchy. Our conversation covers the shift from centralized leadership to a decentralized collective model, the specific psychological tactics used to bypass enterprise-level security, and why the arrest of individual members has failed to dismantle the broader threat since the group first surfaced in 2022.

The traditional view of cybercrime often involves a central leader, yet Scattered Spider seems to be breaking that mold. How does reclassifying them as a decentralized collective change our understanding of how they operate?

It shifts our focus from searching for a single “boss” to recognizing a hydra-like network where independent clusters share a common playbook but operate with total autonomy. When we look at the Group-IB analysis published on June 7, it becomes clear that there isn’t one central office or a shared leadership structure directing every move. Instead, these actors are connected by common techniques and online communities, making them more like a movement or a franchise than a traditional company. This model explains why, even when individual members are arrested or disrupted, the overall activity remains largely unfazed because the other clusters simply continue their work. We have to stop looking for a single point of failure in their organization and start addressing the shared culture of their operations.

You’ve noted similarities between this group and the Anonymous hacktivist collective. In what ways do these clusters use a shared identity to mask their individual operations?

The comparison to Anonymous is striking because it highlights how a brand can be adopted by various actors without any direct coordination or central command. Multiple groups might operate under names like 0ktapus, Muddled Libra, or UNC3944, yet they are often separate individuals who happen to be using the same tools or phishing pages for identity providers. For instance, the cluster linked to the Marks & Spencer and Co-op attacks appears to be entirely separate from the 0ktapus tracking, with no evidence the same people were involved. This decentralized identity creates a fog of war for security teams, where unrelated actors can adopt the Scattered Spider persona to strike fear or gain notoriety. It makes attribution incredibly difficult because the “who” is often a moving target of independent actors.

Scattered Spider is known for a wide variety of targets, from cryptocurrency users to major tech enterprises. What specific patterns have you observed in how they gain access to these diverse environments?

Their targeting is incredibly calculated, often starting with the people who have the keys to the kingdom, such as staff at technology and communications companies. We see a heavy reliance on social engineering where attackers impersonate HR or security teams to trick employees into handing over their credentials. In more technical maneuvers, they recruit insiders at telecommunications companies or use commercial remote access tools like AnyDesk to maintain a persistent foothold. For cryptocurrency users, the approach is even more aggressive, combining enterprise-level compromise with fraud campaigns and SIM swaps to drain assets quickly. This multi-pronged strategy means they aren’t just looking for a quick payday; they are gathering deep intelligence on their victims to maximize the impact of their extortion activity.

Social engineering appears to be the primary weapon for these clusters. Why is this human-centric approach still so effective against sophisticated organizations using platforms like Microsoft or Citrix?

It remains effective because it bypasses the strongest firewalls by exploiting the inherent trust and helpfulness of employees. Attackers create highly convincing phishing pages that mimic identity providers like Okta and Citrix, making the transition from a legitimate login to a stolen credential feel seamless and unremarkable. By the time an IT department realizes a breach has occurred, the attacker has often already used a SIM swap to take over a phone or persuaded a user to provide a one-time password through a simple phone call. It’s a psychological game where the goal is to create a sense of urgency or authority that overrides standard security protocols. No matter how much an enterprise spends on sophisticated software, the human element remains the most vulnerable entry point, and these clusters are masters at finding those cracks.

Given that law enforcement has made high-profile arrests of alleged members, why hasn’t this significantly slowed down the group’s overall momentum?

The reality is that the decentralized nature of these clusters acts as a natural defense mechanism against traditional law enforcement strategies. Because there is no central hierarchy to topple, removing one or two key players from a specific cluster doesn’t compromise the tools, tactics, or infrastructure used by the dozens of other clusters. Since 2022, the group has been linked to numerous incidents, and the shared knowledge within their online communities ensures that if one member goes down, another can easily take their place using the same techniques. Organizations have to realize that arrests are a reactive measure and won’t eliminate the broader threat landscape. To truly protect themselves, companies need to focus on hardening their own identity-based defenses rather than waiting for every individual “bad guy” to be caught.

What is your forecast for the future of decentralized collectives like Scattered Spider?

I expect we will see these clusters become even more specialized, moving beyond simple credential theft into more complex, long-term intelligence gathering within compromised enterprises. As they continue to share tactics across online forums, the barrier to entry for new actors will drop, leading to an increase in the volume of attacks. We are likely to see a convergence where high-level ransomware operations and low-level cryptocurrency fraud are executed by the same clusters to diversify their revenue. Ultimately, the “brand” of Scattered Spider will continue to evolve, making it harder for defenders to know exactly who they are fighting at any given moment. Companies that don’t prioritize identity security and social engineering training will find themselves increasingly vulnerable to these fragmented, persistent threats.

Explore more

Ethereum Eyes $1,800 as Buterin Unveils Lean Roadmap

Digital asset markets often react violently to technical shifts, but the recent strategic pivot outlined by Vitalik Buterin has sparked a more calculated sense of optimism across the global decentralized finance ecosystem. The Ethereum network is currently navigating a pivotal transition phase where the complexity of past upgrades is being replaced by a streamlined vision designed to reduce hardware requirements

Can Your Android Device Run a Full Linux Desktop?

The modern smartphone possesses more raw computational power than the professional workstations that once powered global space exploration, yet its potential remains confined within a mobile interface. Android, while built on the robust Linux kernel, serves as a specialized environment that prioritizes touch interaction and energy efficiency over the versatile multitasking capabilities found in a traditional desktop setup. This inherent

Can Windows 11 Cloud Rebuild Replace Your Recovery USB?

The sudden failure of a primary operating system often triggers an immediate scramble for physical media, yet the necessity for a bootable USB drive is increasingly being challenged by sophisticated network-based solutions. For years, the gold standard for system recovery involved manual intervention with external hardware, which frequently contained outdated builds of Windows that required hours of patching after a

Can UiPath’s AI Strategy Bridge Its Massive Growth Gap?

The enterprise automation landscape has reached a critical juncture where the traditional efficiency gains of robotic process automation are no longer sufficient to satisfy investors who demand hyper-growth fueled by generative artificial intelligence. While UiPath built its empire on the promise of delegating repetitive tasks to software bots, the rapid emergence of agentic AI has forced a fundamental redesign of

Phishing Attacks Move Beyond Email to Collaboration Tools

The corporate inbox, once the primary battleground for cybersecurity, has become a fortress protected by sophisticated filtering and authentication protocols that stop most traditional threats. As these barriers have grown stronger, malicious actors have pivoted toward the softer underbelly of internal communications where employees feel most at ease. This tactical migration into platforms like Microsoft Teams and Slack represents a