Scattered Spider has been reclassified as a decentralized cybercrime collective composed of independent clusters rather than a single, organized threat group.
Group-IB analysis, published on June 7, challenges the traditional view of the activity as one coordinated operation, arguing that multiple actors share tactics, tools and communities while operating separately.
The firm said this model helps explain why activity attributed to Scattered Spider has continued despite arrests and disruption efforts targeting some alleged members.
The group, also tracked under names including 0ktapus, Muddled Libra, Octo Tempest and UNC3944 by different security vendors, has been linked to several high-profile incidents since 2022.
Read more on Scattered Spider attacks: Alleged Scattered Spider Member Extradited to US
A Collective Connected by Tactics Rather Than Structure
Group-IB's research argued that Scattered Spider does not operate with a central hierarchy or shared leadership structure. Instead, the firm described it as a set of smaller clusters connected through common techniques, tools and online communities.
The analysis compared the structure to that of the Anonymous hacktivist collective, in which separate groups operate under a shared identity without necessarily coordinating directly.
The report also said that some activity previously attributed to Scattered Spider may have been carried out by unrelated actors.
Group-IB specifically distinguished its 0ktapus tracking from the cluster linked to the Marks & Spencer and Co-op attacks, stating there is no evidence they were operated by the same individuals.
The firm identified several recurring targeting patterns across observed clusters, including:
-
Employees at technology and communications companies used as access points
-
Mobile carrier staff targeted for SIM swapping operations
-
Cryptocurrency users targeted through fraud campaigns
-
Enterprises compromised for extortion and ransomware activity
Social Engineering Remains Central to Operations
Despite differences between clusters, Group-IB found that social engineering remains a common thread across Scattered Spider activity. Attackers frequently impersonate IT, security or human resources teams to persuade employees to provide credentials or access.
The research found that attackers commonly use phishing pages impersonating identity providers, including Okta, Microsoft, Citrix and Google.
Group-IB also observed some clusters combining enterprise compromises with cryptocurrency theft operations. Attackers used stolen credentials, SIM swaps and phishing campaigns to target cryptocurrency users while also compromising organizations to gather intelligence on potential victims.
The report noted that some clusters have also used commercial remote access tools such as AnyDesk and recruited insiders at telecommunications companies to assist with unauthorized access.
Group-IB concluded that Scattered Spider's decentralized nature means arrests targeting individual members are unlikely to eliminate the broader threat.
Instead, organizations should focus on defending against the shared tactics used across clusters, particularly identity-based attacks and social engineering attempts.
