Scattered Spider: How law enforcement turned the tables
Remembering the notorious Scattered Spider cybercrime group, whose social engineering scams caused millions of dollars in damages to some of the world's biggest brands.

Tyler Moffitt
October 03, 2025

For years, Scattered Spider was one of the most feared names in cybercrime. The group rose to prominence not through cutting-edge malware but by weaponizing the oldest trick in the book: human trust. Their social engineering campaigns rattled some of the biggest brands in the world and left hundreds of millions of dollars in damages. Now, in 2025, the web they spun is unraveling under the pressure of coordinated arrests and international investigations.
A different kind of hacker
Scattered Spider was not your typical ransomware gang. Its members were young, English-speaking, and primarily based in the United States and the United Kingdom. Many were still teenagers when the attacks began. Instead of exploiting software flaws, they focused on people.
Their playbook was simple and devastating:
- Research company staff on LinkedIn and social media
- Call help desks posing as employees
- Convince IT to reset multi-factor authentication
- Take control of high-level accounts
- Deploy ransomware or steal sensitive data
The MGM Resorts attack in 2023 showcased their skill. In a single ten-minute phone call, attackers tricked staff into resetting credentials. The result was a two-week disruption that shut down slot machines, locked hotel rooms, and cost more than 100 million dollars.
A trail of damages
Scattered Spider’s campaigns left a long list of victims:
- MGM Resorts: More than 100 million dollars in losses and massive operational downtime.
- Caesars Entertainment: A reported 15 million dollar ransom payment to keep customer data from being exposed.
- Marks & Spencer, Harrods, and Co-op: Retailers targeted in 2025 attacks that drew the attention of the UK’s National Crime Agency.
Prosecutors estimate the group collectively extorted at least 115 million dollars in ransom payments, not including reputational harm and lost business.
The crackdown begins
Law enforcement built its case step by step.
- In 2024, Noah Urban, a Florida member, was sentenced to 10 years in prison for SIM-swapping schemes worth 13 million dollars.
- That same year, Tyler Buchanan was arrested in Spain with 27 million dollars in Bitcoin traced to his accounts.
- In 2025, UK authorities indicted Thalha Jubair (19) and Owen Flowers (18) for attacks on U.S. and British companies.
- A 17-year-old involved in the MGM and Caesars breaches surrendered in Las Vegas.
- Four more were arrested in the UK for retail cyberattacks.
The National Crime Agency, FBI, Spanish police, and Las Vegas Metro Police all played roles in the takedown, proving that international coordination is essential against globally dispersed hackers.
The Telegram confessions
One of the most surreal elements of Scattered Spider’s unraveling came not in court but on their own communication channels. In September 2025, a group styling itself as “scattered LAPSUS$ hunters 4.0” posted a series of apology messages on Telegram.
In these posts, members issued sweeping mea culpas to government agencies, private companies, and even specific corporations. They promised to disengage from ransomware, delete stolen data, and seek rehabilitation.
Some of the messages bordered on theatrical. One member wrote that they would enter rehab for 60 days. Another went further, declaring the group would “work toward using our skills for the good of this world. Sorry :(.” The mix of dramatic pledges and emoji-laden posts highlighted just how young and unpolished many of these individuals were.
For observers, these confessions were revealing. The same hackers who once brought casinos and retailers to their knees were suddenly posting public apologies that read more like late-night social media rants than statements from seasoned criminals. Whether genuine or not, they underscored the pressure law enforcement had applied and the immaturity at the heart of the group’s operations.
Not the end of the story
Despite the arrests and confessions, experts caution that Scattered Spider’s influence is not gone. The FBI warned that the group or copycats were targeting the airline industry. Investigators have also noted that their social engineering playbook has already been adopted by other actors.
The average age of those arrested is only 19. This raises difficult questions for courts about how to handle technologically advanced juveniles who cause massive financial harm. Some were charged as adults to reflect the scale of their crimes.
Lessons learned
The Scattered Spider saga carries clear lessons for defenders:
- Human risk is central. Social engineering is often more effective than malware.
- Help desk protocols must improve. Verification steps should be hardened to prevent manipulation.
- Multi-factor authentication must evolve. Moving beyond SMS-based systems is critical.
- Global cooperation works. Coordinated arrests show that patient, multi-country investigations can succeed.
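The help desk and MFA lessons can also be backed by detection. The following is an added example, not part of the original article: it correlates a help-desk MFA reset with a new factor being enrolled and then used from a device the account had never logged in from, which is the sequence in the playbook described earlier. The event field names, the 60-minute window, and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # assumed correlation window after a reset

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"ts": "2025-01-10T08:00:00", "type": "login", "user": "bob", "device": "lap-22"},
    {"ts": "2025-01-10T09:00:00", "type": "mfa_reset", "user": "alice.admin",
     "actor": "helpdesk-07", "privileged": True, "verification": None},
    {"ts": "2025-01-10T09:06:00", "type": "mfa_enroll", "user": "alice.admin", "device": "unk-01"},
    {"ts": "2025-01-10T09:09:00", "type": "login", "user": "alice.admin", "device": "unk-01"},
    {"ts": "2025-01-10T10:00:00", "type": "mfa_reset", "user": "bob",
     "actor": "helpdesk-03", "privileged": False, "verification": "callback"},
    {"ts": "2025-01-10T10:05:00", "type": "mfa_enroll", "user": "bob", "device": "lap-22"},
    {"ts": "2025-01-10T10:07:00", "type": "login", "user": "bob", "device": "lap-22"},
]

def find_reset_takeovers(events, window=WINDOW):
    """Flag help-desk MFA resets followed by enrollment and login from a device
    the user had never logged in from before the reset."""
    events = sorted(events, key=lambda e: e["ts"])
    known = {}    # user -> devices seen in earlier logins
    pending = {}  # user -> open reset awaiting follow-up events
    alerts = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "mfa_reset":
            pending[user] = {"reset": e, "at": t, "enrolled": set(),
                             "known": set(known.get(user, ()))}
        elif user in pending and t - pending[user]["at"] <= window:
            p = pending[user]
            new_device = e["device"] not in p["known"]
            if e["type"] == "mfa_enroll" and new_device:
                p["enrolled"].add(e["device"])
            elif e["type"] == "login" and e["device"] in p["enrolled"]:
                r = p["reset"]
                # Highest severity: privileged account, no verification recorded.
                unverified = r["verification"] is None
                severity = "high" if r["privileged"] and unverified else "medium"
                alerts.append({"user": user, "actor": r["actor"],
                               "device": e["device"], "severity": severity})
                del pending[user]
        if e["type"] == "login":
            known.setdefault(user, set()).add(e["device"])
    return alerts
```

On the sample data, only the reset of `alice.admin` is flagged; the reset for `bob` is followed by activity from a device he already used, so it stays quiet.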
A warning and a victory
The story of Scattered Spider is both a cautionary tale and a success story. It proves that even the most disruptive hackers can be caught. At the same time, it shows how easily attackers can exploit trust to bypass the strongest technical defenses.
For Cybersecurity Awareness Month, this case illustrates the power of hacking the hacker. The very social fabric that Scattered Spider exploited became its undoing. Law enforcement turned the tables, using human intelligence, cooperation, and persistence to bring members to justice.
The group may not be fully gone, but its downfall is proof that the hunters can become the hunted.
