Anarchic Western Adolescent Hacking Groups Defy Easy Categorization
A recent report from cybersecurity firm Group-IB has shed light on the complexities of a decentralized hacking group known as Scattered Spider. Unlike traditional organized cybercrime groups, which often feature a clear hierarchy and defined roles, Scattered Spider presents a more fluid and unstructured model. This loosely connected collective exemplifies a new breed of cybercriminality that continues to elude conventional categorization.
According to the report, Scattered Spider is not simply one cohesive group but rather a constellation of evolving subclusters, often characterized by shared tactics, techniques, and procedures (TTPs). These subclusters act independently despite having some common tools and forums for communication. The group’s activities have resulted in financial damages running into the hundreds of millions, prompting law enforcement agencies to initiate arrests against its members, who have received severe penalties for their involvement.
Past incidents attributed to Scattered Spider paint a stark picture of its capabilities. Notable breaches include a data exfiltration attack on gaming giant Riot Games in January 2023, along with high-profile hacks targeting Caesars Palace and MGM Resorts. Additionally, the group’s reach extends to renowned British retailers like Marks & Spencer, indicating a significant operational breadth. Interestingly, not all incidents associated with Scattered Spider can be traced back to the same subcluster, even if overlapping characteristics are noted.
Group-IB emphasizes that the shared behaviors among these actors do not imply a formal or cohesive group. Instead, the resemblance arises from learning experiences within similar online communities. This decentralized structure complicates the task of cybersecurity experts in attributing attacks to specific individuals or segments of the collective, making it a particularly elusive target for law enforcement.
The term "Scattered Spider" was initially adopted by CrowdStrike in 2022, although other cybersecurity intelligence agencies refer to it using varying nomenclatures like Roasted 0ktapus and Octo Tempest. The group’s methods often involve social engineering tactics such as smishing and vishing, which exploit phone calls and text messages to impersonate IT personnel. By directing victims to credential-harvesting sites or enticing them to install commercial remote monitoring tools, the attackers effectively compromise a target’s sensitive information.
Experts have noted that Scattered Spider evolved from what is often referred to in cybersecurity circles as "The Com," a loosely organized cybercriminal ecosystem largely composed of English-speaking individuals. This collective excels in voice phishing attacks, considered a signature approach to deception within the online criminal landscape. Researchers at Resecurity have observed that the Scattered Spider phenomenon appears to operate more akin to a youthful cybercrime movement rather than a structured organization, involving predominantly individuals in their teens and twenties.
A report from July 2025 by the FBI categorized "The Com" into various groups and subgroups, including the Hacker Com, which has ties to real-life violent activities, and Extortion Com, which focuses on exploiting minors through threats of doxing and violence. The anarchic energy of these adolescents seems to substantially shape how they execute their attacks, particularly when targeting corporations for data theft and extortion.
As noted by Allison Nixon, a threat researcher at Unit 221B, the operational principles of "Com" ransomware groups diverge significantly from those of older, more established Russian ransomware organizations. Unlike the latter, which maintain strong brand identities and consistent behavior, the younger actors tend to operate erratically, often lacking the reliability that instills confidence in their victims.
In a strange twist, a group of attackers introduced a new entity named "Scattered Lapsus$ Hunters," claiming to include members from Scattered Spider. This group has formed a partnership with other criminal actors, such as ShinyHunters, to facilitate data theft and extortion. Prominent companies like Salesforce and Snowflake have found themselves among the conquest list of these colluding groups.
Research suggests that strong tactical overlaps exist among various factions within the Scattered Spider collective, all of which are thought to be linked to "The Com." Yet, a spokesperson from ShinyHunters has disputed claims of any formal connection, arguing instead that similarities in tactics do not denote affiliation. This back-and-forth exemplifies the often murky waters of cybercriminal networks, where names and associations can become increasingly convoluted.
However, the act of naming these groups—often for tracking purposes—can lead to changes in their behaviors, as attackers embrace the labels assigned to them. This situation has further complicated the landscape for cybersecurity professionals striving to decode the interplay of tactics, identities, and organizational dynamics.
The questions surrounding Scattered Spider and its alleged ties to "The Com" point to an ongoing challenge in the realm of cybersecurity research. While there are suggestions that what once was known as "The Com" may now be identified as Scattered Spider, the truth remains elusive. As the world of cybercrime continues to morph, one thing is clear: understanding these decentralized networks requires a nuanced and flexible approach, particularly at the rapidly evolving intersection of identity and technology.
