
Scattered Spider
English-speaking cybercrime collective; one of the most prolific ransomware groups of 2023-2025.
Last refreshed: 30 April 2026 · Appears in 1 active topic
How many Scattered Spider members have been charged, and is the group still operating?
Timeline for Scattered Spider
Mentioned in: Leak crews squeeze Tata and Nidec
Cybersecurity: Threats and DefencesMentioned in: Ransomware tempo holds at 95 in May
Cybersecurity: Threats and DefencesScattered Spider's Bouquet arrested in Helsinki
Cybersecurity: Threats and DefencesWho are Scattered Spider and what have they hacked?
What is UNC3944 or Octo Tempest?
How does Scattered Spider break into companies?
Background
Scattered Spider is an English-speaking cybercrime collective active since at least 2022, distinguished from nation-state threat actors by its native English fluency and its mastery of social engineering against corporate helpdesks. Members impersonate employees to reset credentials, bypass multi-factor authentication, and obtain SIM swaps, then move laterally through identity infrastructure before deploying ransomware or exfiltrating data. The group is tracked under multiple vendor designations: UNC3944 (Mandiant), Octo Tempest (Microsoft), Roasted 0ktapus (Group-IB), and Storm-0875 (Microsoft MSTIC). Membership is fluid and distributed, with individuals communicating via Telegram and Discord channels. The FBI assessed the collective as one of the most prolific cyber threat actors targeting US companies during 2023-2025.
Scattered Spider's most prominent confirmed attacks include the September 2023 ransomware campaigns against MGM Resorts and Caesars Entertainment, in which Caesars paid a reported $15 million ransom. The collective was also linked to a November 2022 DraftKings credential-stuffing campaign and repeated attempts against Coinbase. Microsoft's October 2023 Octo Tempest profile described the group's techniques in detail, including voice phishing ('vishing') helpdesk staff to trigger password resets.
The 10 April 2026 arrest of alleged member Peter Stokes ('Bouquet') in Helsinki is the most recent individual enforcement action against the group. Stokes, 19, a dual US-Estonian citizen, faces US federal charges of wire fraud, conspiracy, and computer intrusion filed under seal in December 2025; the US is seeking extradition to Chicago. At least five individuals linked to Scattered Spider have now been charged or arrested across the US and UK, but the group as a whole continues to operate. The NCSC and FBI have issued joint guidance on defending against the group's social-engineering techniques.