Dominic Jainy has spent his career at the intersection of high-level IT infrastructure and the complex security vulnerabilities that threaten modern digital ecosystems. With deep expertise in artificial intelligence and blockchain, he possesses a unique vantage point on how emerging technologies are being weaponized by increasingly sophisticated threat actors. Today, he joins us to discuss the recent findings regarding Scattered Spider, a group that has forced security professionals to rethink the traditional “cyber gang” hierarchy. Our conversation covers the shift from centralized leadership to a decentralized collective model, the specific psychological tactics used to bypass enterprise-level security, and why the arrest of individual members has failed to dismantle the broader threat since the group first surfaced in 2022.
The traditional view of cybercrime often involves a central leader, yet Scattered Spider seems to be breaking that mold. How does reclassifying them as a decentralized collective change our understanding of how they operate?
It shifts our focus from searching for a single “boss” to recognizing a hydra-like network where independent clusters share a common playbook but operate with total autonomy. When we look at the Group-IB analysis published on June 7, it becomes clear that there isn’t one central office or a shared leadership structure directing every move. Instead, these actors are connected by common techniques and online communities, making them more like a movement or a franchise than a traditional company. This model explains why, even when individual members are arrested or disrupted, the overall activity remains largely unfazed because the other clusters simply continue their work. We have to stop looking for a single point of failure in their organization and start addressing the shared culture of their operations.
You’ve noted similarities between this group and the Anonymous hacktivist collective. In what ways do these clusters use a shared identity to mask their individual operations?
The comparison to Anonymous is striking because it highlights how a brand can be adopted by various actors without any direct coordination or central command. Multiple groups might operate under names like 0ktapus, Muddled Libra, or UNC3944, yet they are often separate individuals who happen to be using the same tools or phishing pages for identity providers. For instance, the cluster linked to the Marks & Spencer and Co-op attacks appears to be entirely separate from the 0ktapus tracking, with no evidence the same people were involved. This decentralized identity creates a fog of war for security teams, where unrelated actors can adopt the Scattered Spider persona to strike fear or gain notoriety. It makes attribution incredibly difficult because the “who” is often a moving target of independent actors.
Scattered Spider is known for a wide variety of targets, from cryptocurrency users to major tech enterprises. What specific patterns have you observed in how they gain access to these diverse environments?
Their targeting is incredibly calculated, often starting with the people who have the keys to the kingdom, such as staff at technology and communications companies. We see a heavy reliance on social engineering where attackers impersonate HR or security teams to trick employees into handing over their credentials. In more technical maneuvers, they recruit insiders at telecommunications companies or use commercial remote access tools like AnyDesk to maintain a persistent foothold. For cryptocurrency users, the approach is even more aggressive, combining enterprise-level compromise with fraud campaigns and SIM swaps to drain assets quickly. This multi-pronged strategy means they aren’t just looking for a quick payday; they are gathering deep intelligence on their victims to maximize the impact of their extortion activity.
Social engineering appears to be the primary weapon for these clusters. Why is this human-centric approach still so effective against sophisticated organizations using platforms like Microsoft or Citrix?
It remains effective because it bypasses the strongest firewalls by exploiting the inherent trust and helpfulness of employees. Attackers create highly convincing phishing pages that mimic identity providers like Okta and Citrix, making the transition from a legitimate login to a stolen credential feel seamless and unremarkable. By the time an IT department realizes a breach has occurred, the attacker has often already used a SIM swap to take over a phone or persuaded a user to provide a one-time password through a simple phone call. It’s a psychological game where the goal is to create a sense of urgency or authority that overrides standard security protocols. No matter how much an enterprise spends on sophisticated software, the human element remains the most vulnerable entry point, and these clusters are masters at finding those cracks.
Given that law enforcement has made high-profile arrests of alleged members, why hasn’t this significantly slowed down the group’s overall momentum?
The reality is that the decentralized nature of these clusters acts as a natural defense mechanism against traditional law enforcement strategies. Because there is no central hierarchy to topple, removing one or two key players from a specific cluster doesn’t compromise the tools, tactics, or infrastructure used by the dozens of other clusters. Since 2022, the group has been linked to numerous incidents, and the shared knowledge within their online communities ensures that if one member goes down, another can easily take their place using the same techniques. Organizations have to realize that arrests are a reactive measure and won’t eliminate the broader threat landscape. To truly protect themselves, companies need to focus on hardening their own identity-based defenses rather than waiting for every individual “bad guy” to be caught.
What is your forecast for the future of decentralized collectives like Scattered Spider?
I expect we will see these clusters become even more specialized, moving beyond simple credential theft into more complex, long-term intelligence gathering within compromised enterprises. As they continue to share tactics across online forums, the barrier to entry for new actors will drop, leading to an increase in the volume of attacks. We are likely to see a convergence where high-level ransomware operations and low-level cryptocurrency fraud are executed by the same clusters to diversify their revenue. Ultimately, the “brand” of Scattered Spider will continue to evolve, making it harder for defenders to know exactly who they are fighting at any given moment. Companies that don’t prioritize identity security and social engineering training will find themselves increasingly vulnerable to these fragmented, persistent threats.
