Scattered Spider
Organisation · US

English-speaking cybercrime collective; one of the most prolific ransomware groups of 2023-2025.

Last refreshed: 30 April 2026 · Appears in 1 active topic

Key Question

How many Scattered Spider members have been charged, and is the group still operating?

Timeline for Scattered Spider

#228 Apr

Scattered Spider's Bouquet arrested in Helsinki

Cybersecurity: Threats and Defences
Common Questions
Who are Scattered Spider and what have they hacked?
Scattered Spider is an English-speaking cybercrime collective active since 2022. Notable attacks include the September 2023 ransomware campaigns against MGM Resorts and Caesars Entertainment (which reportedly paid $15 million). The group uses social engineering and SIM swapping to bypass MFA. Source: Microsoft / Mandiant
What is UNC3944 or Octo Tempest?
UNC3944 (Mandiant designation) and Octo Tempest (Microsoft designation) are the same threat cluster as Scattered Spider, an English-speaking cybercrime group known for vishing corporate helpdesks to reset credentials and deploy ransomware. Source: Mandiant / Microsoft
How does Scattered Spider break into companies?
The group calls corporate helpdesks impersonating employees to trigger password resets and MFA bypasses, supplements this with SIM swapping, then moves laterally through identity infrastructure before deploying ransomware or stealing data. Source: Microsoft Octo Tempest profile
Has anyone been arrested for Scattered Spider attacks?
At least five individuals linked to the group have been charged or arrested as of April 2026. Peter Stokes ('Bouquet'), 19, was arrested in Helsinki on 10 April 2026 and is awaiting extradition to the US. Source: Bleeping Computer
Is Scattered Spider still active in 2026?
Yes. Despite multiple arrests, the group continues to operate. It has a fluid, distributed membership communicating via Telegram and Discord; individual arrests have not dismantled the collective. Source: FBI assessment

Background

Scattered Spider is an English-speaking cybercrime collective active since at least 2022, distinguished from nation-state threat actors by its native English fluency and its mastery of social engineering against corporate helpdesks. Members impersonate employees to reset credentials, bypass multi-factor authentication, and obtain SIM swaps, then move laterally through identity infrastructure before deploying ransomware or exfiltrating data. The group is tracked under multiple vendor designations: UNC3944 (Mandiant), Octo Tempest (Microsoft), Roasted 0ktapus (Group-IB), and Storm-0875 (Microsoft MSTIC). Membership is fluid and distributed, with individuals communicating via Telegram and Discord channels. The FBI assessed the collective as one of the most prolific cyber threat actors targeting US companies during 2023-2025.

Scattered Spider's most prominent confirmed attacks include the September 2023 ransomware campaigns against MGM Resorts and Caesars Entertainment, in which Caesars paid a reported $15 million ransom. The collective was also linked to a November 2022 DraftKings credential-stuffing campaign and repeated attempts against Coinbase. Microsoft's October 2023 Octo Tempest profile described the group's techniques in detail, including voice phishing ('vishing') helpdesk staff to trigger password resets.

The 10 April 2026 arrest of alleged member Peter Stokes ('Bouquet') in Helsinki is the most recent individual enforcement action against the group. Stokes, 19, a dual US-Estonian citizen, faces US federal charges of wire fraud, conspiracy, and computer intrusion filed under seal in December 2025; the US is seeking extradition to Chicago. At least five individuals linked to Scattered Spider have now been charged or arrested across the US and UK, but the group as a whole continues to operate. The NCSC and FBI have issued joint guidance on defending against the group's social-engineering techniques.
