< ciso
brief />
Tag Banner

All news with #scattered spider tag

59 articles

Scattered Spider framed as decentralized cybercrime collective

πŸ•·οΈ Group-IB redefines Scattered Spider as a decentralized collective made up of independent clusters rather than a single organized group. The firm's June 7 analysis finds that multiple actors share tactics, tools and communities while operating separately, which explains persistent activity despite arrests. Common targets include tech employees, mobile carrier staff and cryptocurrency users, with social engineering and identity-based attacks central to operations. Group-IB advises defenders to focus on the shared techniques across clusters.
read more β†’

Monday Recap: Proxy Botnets, Browser Ransomware

⚑ Google and partners disrupted the NetNut residential proxy network (aka Popa), which abused smart home devices and preinstalled SDKs to route malicious traffic through an estimated 2 million devices. Other incidents this week include fake PoC repos delivering the ChocoPoC RAT via a dependency, a 19-year-old alleged Scattered Spider suspect extradited to the U.S., and a Brazilian Ousaban banking trojan targeting Spain and Portugal. Check Point flagged AI-generated browser ransomware leveraging the File System Access API, illustrating AI can autonomously devise working attack techniques.
read more β†’

Alleged Scattered Spider member extradited to U.S.

πŸ”Ž A 19-year-old dual US-Estonian citizen, Peter Stokes, was extradited from Finland to the United States to face charges alleging membership in the Scattered Spider hacking collective. He is accused of participating in multiple intrusions and extortion schemes, including a March 2023 breach and a May 2025 attack on a multibillion-dollar retailer that led to over $2 million in losses. Stokes faces charges of fraud, conspiracy, and computer intrusion and has appeared in federal court in Chicago.
read more β†’

Teen Allegedly Linked to Scattered Spider Extradited

πŸ“° The US Justice Department announced the arrest and extradition of 19-year-old dual US-Estonian citizen Peter Stokes from Finland in April, with charges unsealed on June 30. He faces conspiracy, computer intrusion and fraud counts tied to alleged membership in the Scattered Spider hacking group. Authorities say the group conducted over 100 intrusions, netting $100m+ in ransoms and causing millions in damages. Stokes is accused of targeting a luxury jeweller and attempting an $8m extortion that resulted in $2m+ losses for the firm.
read more β†’

Two Scattered Spider members plead guilty in TfL hack

πŸ”’ Two members of the Scattered Spider collective admitted launching a cyberattack against Transport for London that caused extensive disruption and financial losses. Thalha Jubair and Owen Flowers changed their pleas to guilty at Woolwich Crown Court, with sentencing set for July 22. The breach affected in-station systems and online services, forced password resets for 28,000 staff, and exposed millions of personal records. Investigations by the National Crime Agency and City of London Police linked seized devices and messaging evidence to the attack.
read more β†’

Scattered Spider members plead guilty in TfL hack

πŸ›‘οΈ Two members of the Scattered Spider group, Thalha Jubair (20) and Owen Flowers (18), pleaded guilty to breaching Transport for London systems between August 31 and September 3, 2024. The intrusion disrupted Oyster refund services and forced 28,000 staff to reset passwords, contributing to an estimated Β£29 million in losses. Both suspects were arrested in 2025 after investigators recovered incriminating evidence and devices linking them to the attack and other intrusions.
read more β†’

Two Teens Linked to Scattered Spider Plead Guilty

πŸ”’ Two British teenagers have pleaded guilty after hacking Transport for London (TfL) between 31 August and 3 September 2024, the National Crime Agency (NCA) reports. Members of the Scattered Spider collective, Thalha Jubair, 20, and Owen Flowers, 18, caused Β£29m in losses and disruption to TfL systems, including customer refunds and Oyster photocard services. Flowers was arrested early September 2024 with digital evidence linking him to TfL and US healthcare breaches; Jubair faces broader charges alleging dozens of intrusions and extortion schemes. Both admitted guilt at Woolwich Crown Court on 22 June and will be sentenced on 16 July.
read more β†’

Teen Allegedly Linked to Scattered Spider Faces Extradition

πŸ”’ A 19-year-old allegedly tied to Scattered Spider was arrested in Helsinki and is facing U.S. extradition on counts including wire fraud, conspiracy, and computer intrusion. Prosecutors say he participated in multiple social-engineering intrusions from March 2023 through 2025 that used help-desk impersonation to reset MFA and exfiltrate data. Court filings and social-media posts reportedly tied the suspect to luxurious spending and to taunting law enforcement, underscoring how poor operational security and public boasting can accelerate investigations. The case highlights the ongoing threat of phone-based account takeover and the need for stronger, phishing-resistant controls.
read more β†’

US Charges Scattered Spider Hacker Arrested in Finland

πŸ” A 19-year-old dual U.S.-Estonian citizen arrested in Finland faces federal charges in the United States, accused of acting as a prolific member of the Scattered Spider hacking collective under the alias Bouquet. Prosecutors allege he helped extort millions through multiple breaches, including a March 2023 intrusion when he was 16 and a May 2025 attack on a multibillion-dollar luxury retailer that prompted an $8 million ransom demand and over $2 million in remediation costs.
read more β†’

Scattered Spider Co-conspirator Pleads Guilty in US Case

πŸ”’ Tyler Buchanan has pleaded guilty in a Florida court to conspiring with others to hack company computer systems and steal at least $8 million in virtual currency. He faces sentencing later this year. Buchanan is tied to the notorious Scattered Spider group, which has used SMS phishing and colleague impersonation to target employees. Security leaders are urged to reinforce defenses and train staff against social engineering.
read more β†’

Why Routine Password Resets Create Security Risks Explained

πŸ” The article highlights that Forrester estimates each password reset costs roughly $70 and that self-service password reset (SSPR) tools have not eliminated helpdesk involvement. Attackers target resets to bypass MFA, as illustrated by the April 2025 Marks & Spencer incident tied to the Scattered Spider group, which began with a social-engineered reset and escalated to NTDS.dit extraction and ransomware. It recommends identity verification tools such as Specops Secure Service Desk, strong single-use temporary credentials, monitoring of reset activity, and clearer helpdesk procedures to reduce risk.
read more β†’

Scattered Spider Member 'Tylerb' Pleads Guilty in US

πŸ”’ Tyler Robert Buchanan, a 24-year-old British national and senior member of the cybercrime group Scattered Spider, has pleaded guilty to wire fraud conspiracy and aggravated identity theft for his role in 2022 SMS-phishing attacks. He admitted launching tens of thousands of phishing texts that enabled intrusions at companies including Twilio, LastPass, DoorDash and Mailchimp. Prosecutors say the campaign fueled SIM-swap thefts that siphoned at least $8 million in cryptocurrency from U.S. investors. Buchanan faces a statutory maximum of 22 years; sentencing is set for August 21, 2026.
read more β†’

Scattered Spider Leader Pleads Guilty to Crypto Theft

πŸ”’ Tyler Robert Buchanan, a 24-year-old British national believed to lead the Scattered Spider cybercrime collective, has pleaded guilty in U.S. federal court to wire fraud and aggravated identity theft in connection with cryptocurrency thefts. Prosecutors say Buchanan and co-conspirators used large-scale SMS phishing campaigns and SIM swap attacks to steal at least $8 million from companies and individuals between September 2021 and April 2023. Buchanan was arrested in June 2024 in Palma de Mallorca, has been in U.S. custody since April 2025, and faces a statutory maximum of 22 years; sentencing is scheduled for August 21, 2026.
read more β†’

SLH Offers $500–$1,000 Per Call to Recruit Female Vishing

⚠️ Scattered LAPSUS$ Hunters (SLH) is reportedly paying $500–$1,000 upfront per call to recruit women for voice phishing campaigns against IT help desks, Dataminr says. The group provides pre-written scripts and leverages advanced social engineering techniques, including MFA prompt bombing and SIM swapping, to gain access. Actors then deploy tunneling tools, residential proxies and legitimate file-sharing services to move laterally, escalate privileges, and exfiltrate data, with some intrusions resulting in ransomware.
read more β†’

Muddled Libra Rogue VM Playbook and Operational Tactics

πŸ” Unit 42 recovered a rogue VM created by Muddled Libra (aka Scattered Spider, UNC3944) during a September 2025 incident, revealing an operational playbook of reconnaissance, credential theft, lateral movement and data access. The actors abused legitimate tools and stolen certificates, persisted via an SSH tunnel (Chisel), and copied NTDS.dit and SYSTEM hives. Unit 42 recommends strengthening identity controls and adopting Advanced WildFire and Cortex defenses.
read more β†’

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

πŸ”’ A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment β€” swatting, DDoS, and call- and email-flooding β€” to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.
read more β†’

European Space Agency Hit by Multiple Data Breaches

⚠️ The European Space Agency (ESA) has suffered a further significant cybersecurity breach after a December incident, with the Scattered Lapsus$ Hunters group claiming to exfiltrate roughly 500GB of additional data. The stolen material reportedly includes operational procedures, spacecraft and mission documentation, and proprietary contractor data from partners such as SpaceX, Airbus Group, and Thales Alenia Space. ESA has confirmed a criminal investigation is underway amid concerns about systemic security weaknesses.
read more β†’

Jaguar Land Rover Q3 wholesale down 43% after attack

πŸš— Jaguar Land Rover (JLR) says a September 2025 cyberattack forced production shutdowns and resulted in a 43.3% year‑on‑year decline in third‑quarter wholesale volumes. Production only returned to normal by mid‑November and global distribution delays further reduced sales. JLR booked a Β£196 million hit, confirmed data theft, and said the incident was claimed by the Scattered Lapsus$ Hunters. The U.K. government later approved a Β£1.5 billion loan guarantee to help stabilise supply chains while tariffs and the planned discontinuation of legacy Jaguar models also weighed on performance.
read more β†’

Hackers Claim Resecurity Breach; Company Calls It Honeypot

πŸ›‘οΈ Threat actors claiming to be the "Scattered Lapsus$ Hunters" published screenshots saying they accessed Resecurity systems and stole employee data, internal communications, threat reports, and client lists. Resecurity disputes the claim, saying the exposed account was a monitored honeypot populated with synthetic datasets to observe attacker behavior. The firm says it collected telemetry, observed OPSEC failures, and shared intelligence with law enforcement.
read more β†’

Top Ransomware Trends of 2025: Activity and Impact

πŸ” Ransomware activity in 2025 remained high, with 306 groups and 7,902 victims listed on data leak sites, according to Ransomware.live. While coordinated takedowns and anti-cybercrime actions were quieter than in 2024, both emergent collectives (Scattered Spider, Lapsus$, ShinyHunters) and established syndicates continued to generate incidents. The most prolific actors β€” Qilin, Akira and Clop β€” claimed the largest shares of victims, and the United States accounted for nearly half of the reported targets.
read more β†’