Scattered Spider’s Use of Data Brokers: Reconnaissance, Targeting, and Threats

The hacker collective known as Scattered Spider is once again dominating headlines with a wave of high-profile cyberattacks that span multiple industries. According to threat intelligence sources, the group has pursued a sector-by-sector strategy, recently hitting retail organizations like Marks & Spencer, moving on to insurance firms, and now targeting the aviation and transportation sectors. This surge in high-profile attacks has brought renewed attention to who Scattered Spider is and how they operate.

The group’s operations rely heavily on detailed PII, including employee names, job titles, dates of birth, SSN fragments, and phone numbers, leveraged for social engineering, SIM swapping, and doxxing threats. In this article, we explore evidence that data brokers are a primary source of the personal information Scattered Spider exploits in their campaigns.

Who Is Scattered Spider?

Scattered Spider is not a single tight-knit gang but rather a loose umbrella for threat actors who favor certain techniques, especially social engineering, MFA fatigue “bombing,” and SIM swapping, to gain entry into large organizations.

The group is also tracked under other names like 0ktapus, UNC3944, Octo Tempest, Scatter Swine, Starfraud, and Muddled Libra. These attackers are reputedly young, English-speaking individuals (often teenagers or in their early 20s) who congregate on the same hacker forums, Telegram channels, and Discord servers to plan and execute attacks in real time. Uniting them is a common playbook of tricking human targets: impersonating employees or IT staff, tricking help desks, stealing one-time passwords, and SIM-swapping phone numbers to bypass SMS-based 2FA.

Scattered Spider actors have partnered with major ransomware groups (e.g. DragonForce, BlackCat/ALPHV, Ransom.House/RansomHub, Qilin) to monetize breaches.

They’ve been linked to a string of prominent incidents, including attacks on MGM Resorts, Marks & Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars Entertainment, MailChimp, Riot Games, and Reddit, among others. U.S. officials estimate the broader Scattered Spider community may number up to around 1,000 members, loosely organized under an underground scene called “The Community” (or “the Com”). This amorphous structure makes it hard to pin down all members, but it’s clear they share tools, data, and services for fraud and hacking. 

Their modus operandi is to gather as much information about a target organization (and its people) as possible, then exploit this data to defeat security. Key to this preparation is the harvesting of personal data – and this is where data brokers come into play.

Data Brokers Fueling Scattered Spider’s Reconnaissance

Multiple investigations from 2022 through 2025 suggest that Scattered Spider heavily leverages commercial data broker services as part of their reconnaissance efforts to select targets and craft believable lures. 

Early evidence came during the notorious “0ktapus” phishing campaign of 2022. In that attack, Scattered Spider (tracked by Okta as Scatter Swine) blasted SMS phishing texts to thousands of employees at over a hundred companies,

 » …
