The hacker collective known as Scattered Spider is once again dominating headlines with a wave of high-profile cyberattacks that span multiple industries. According to threat intelligence sources, the group has pursued a sector-by-sector strategy, recently hitting retail organizations like Marks & Spencer, moving on to insurance firms, and now targeting the aviation and transportation sectors. This surge in high-profile attacks has brought renewed attention to who Scattered Spider is and how they operate.

The group's operations rely heavily on detailed PII, including employee names, job titles, dates of birth, SSN fragments, and phone numbers, leveraged for social engineering, SIM swapping, and doxxing threats. In this article, we explore evidence that data brokers are a primary source of the personal information Scattered Spider exploits in their campaigns.

Scattered Spider is not a single tight-knit gang but rather a loose umbrella for threat actors who favor certain techniques, especially social engineering, MFA fatigue bombing, and SIM swapping to gain entry into large organizations. 

The group is also tracked under other names like 0ktapus, UNC3944, Octo Tempest, Scatter Swine, Starfraud, and Muddled Libra. These attackers are reputedly young, English-speaking individuals (often teenagers or in their early 20s) who congregate on the same hacker forums, Telegram channels, and Discord servers to plan and execute attacks in real time. Uniting them is a common playbook of tricking human targets: impersonating employees or IT staff, tricking help desks, stealing one-time passwords, and SIM-swapping phone numbers to bypass SMS-based 2FA.

Scattered Spider actors have partnered with major ransomware groups (e.g. Dragon Force, BlackCat/ALPHV, Ransom.House/RansomHub, Qilin) to monetize breaches. 

They've been linked to a string of prominent incidents, including attacks on MGM Resorts, Marks & Spencer, Co-op, Twilio, Coinbase, DoorDash, Caesars Entertainment, MailChimp, Riot Games, and Reddit, among others. U.S. officials estimate the broader Scattered Spider community may number up to around 1,000 members, loosely organized under an underground scene called "The Community" (or "the Com"). This amorphous structure makes it hard to pin down all members, but it's clear they share tools, data, and services for fraud and hacking.

Their modus operandi is to gather as much information about a target organization (and its people) as possible, then exploit this data to defeat security. Key to this preparation is the harvesting of personal data, and this is where data brokers come into play.

Multiple investigations from 2022 through 2025 suggest that Scattered Spider heavily leverages commercial data broker services as part of their reconnaissance efforts to select targets and craft believable lures. 

Early evidence came during the notorious 0ktapus phishing campaign of 2022. In that attack, Scattered Spider (tracked by Okta as Scatter Swine) blasted SMS phishing texts to thousands of employees at over a hundred companies, including Twilio and Cloudflare. Okta's security team analyzed the incident and assessed that the attackers "likely harvest[ed] mobile phone numbers from commercially available data aggregation services that link phone numbers to employees at specific organizations." This explains how the smishing messages were so precisely targeted: even family members of employees received the fake texts.

Armed with those curated lists of numbers (tied to company names), the attackers also called some victims on the phone, impersonating IT support to further pry into the companies' authentication systems.

Threat researchers have described Scattered Spider's reconnaissance as highly detailed and methodical. Investigators infer from the group's detailed impersonation attempts that they are leveraging data brokers, including full personal profiles and professional data commonly found on platforms like ZoomInfo.

According to threat intelligence analyst Zach Edwards of Silent Push, Scattered Spider members will buy complete personal dossiers from data brokers to aid in impersonation. In a Financial Times interview, Edwards explained: 

"They're picking a target, maybe a senior developer, to be the person [they're] impersonating, so they may know their maiden name, their home address, they may have already bought a data broker profile on somebody."

In practice, this means if Scattered Spider decides to impersonate John Doe (a software engineer at Company X) in a help-desk call, they might spend a few dollars on an aggregated background report for John Doe. That report could yield his phone numbers, past addresses, relatives, and other biographical details, all invaluable for convincingly masquerading as John in an IT support scenario.

Threat researchers at ReliaQuest assess that Scattered Spider is leveraging both social media platforms and data broker services to build detailed employee profiles for targeting. "Using platforms like LinkedIn and ZoomInfo, the group digs into the lives of key employees within a target organization, piecing together everything from job titles to contact details," ReliaQuest noted in a June 2025 profile.

ZoomInfo (a business contact aggregator) in particular offers direct phone numbers, corporate emails, org charts, and employment histories: a goldmine for attackers seeking to learn who's who in a company. By scraping LinkedIn profiles and combining that with data broker info, Scattered Spider can map out an org chart of high-privilege employees and understand exactly how to reach them.

The end result is that when Scattered Spider is ready to approach a target (whether by email, text, or phone call), they have already compiled details about selected employees, from work roles and colleagues' names to home addresses, birthdates, and hobbies. It's the payoff of their reconnaissance efforts.

Smishing, impersonation, SIM swaps, and doxxing threats all depend on having personal data, and Scattered Spider puts this data to work throughout their attacks.

Mandiant's threat intelligence team reports that a hallmark of UNC3944 (their name for Scattered Spider) is SMS phishing (smishing) sent to employees to steal valid login credentials. The mass smishing attacks during the 0ktapus campaign, using phone numbers likely sourced from data brokers, are an example of this. Once they succeed, the attackers often impersonate those employees in phone calls to IT service desks, requesting password resets or MFA re-enrollment.

During these calls, Scattered Spider operatives provide usernames, employee IDs, and other verification details to pass identity checks. This information is likely gathered from data brokers and breach repositories. Analysts have even observed behaviors indicating attackers consult notes during the call, such as asking the help desk to repeat questions or pausing for long stretches before answering.

This tactic has become the group's hallmark. According to CrowdStrike, in almost all observed 2025 incidents, Scattered Spider used voice phishing and routinely "accurately respond[ed] to help desk verification questions" when impersonating legitimate employees.

When the help desk agent asks the caller to confirm their identity, perhaps by providing the employee ID, the last four digits of their SSN, or the date of birth on file, the attacker has the correct answers at the ready. Mandiant's investigators have confirmed this level of preparation in multiple cases, noting that UNC3944 "already possessed the last four digits of Social Security numbers, dates of birth, and manager names and job titles" of the employees they were impersonating. The presence of SSN fragments and birth dates strongly suggests data broker sources.

Scattered Spider essentially pre-loads the answers to security questions, allowing them to defeat help-desk protocols and reset passwords or MFA tokens to gain access.

Another major technique in Scattered Spider's arsenal is SIM swapping, a tactic that lets them hijack a victim's phone number to intercept one-time passcodes, MFA prompts, or password reset links. This attack typically requires a range of personal data: the target's phone number, name, and enough identifying information (like address, date of birth, or the last four digits of a Social Security number) to successfully impersonate the victim to a mobile provider's customer support or exploit automated verification systems.

Much of this personal information is readily available through data brokers. Threat intelligence has confirmed that SIM swapping is a commonly used initial access method for Scattered Spider and related members of The Com. Once a SIM swap succeeds, the attackers can receive the victim's SMS messages, enabling them to bypass SMS-based MFA or reset account passwords. This tactic is often combined with help-desk impersonation for full account takeover.

Scattered Spider has also shown a willingness to terrorize victims by threatening to expose personal information. Mandiant has observed that UNC3944 "has occasionally resorted to fearmongering tactics to gain access to victim credentials, including threats of doxxing personal information, physical harm to victims and their families, and the distribution of compromising material." Such threats only work if the attacker can demonstrate knowledge of actual personal details, which they likely obtained from data brokers. Public social media profiles typically don't list your home address or all your relatives' names, but data broker databases do. The ability to quote those private details back to the victim is meant to create panic and pressure. In effect, Scattered Spider weaponizes victims' own PII against them as leverage.

The extensive research and data collection behind Scattered Spider's social engineering is evident in both what they know about potential victims and the high success rate of their attacks. Their use of LinkedIn and data brokers enables them to answer almost any identity question, bypass security procedures, and even scare victims with what they know.

There's growing evidence that threat actors are systematically using data brokers for reconnaissance and targeting. Leaked internal chat logs from the Black Basta ransomware group confirm the group used services like ZoomInfo and RocketReach to research potential victims, collecting revenue information and employee data that would later inform phishing lures and social engineering scripts.

While Scattered Spider has not had similar leaks, the group's reconnaissance efforts strongly suggest a parallel playbook to Black Basta, leveraging data broker profiles to select targets and launch social engineering attacks.

Looming Large-Scale Attack: 500 Phishing Domains Discovered

If all of the above describes Scattered Spider's tactics, recent developments suggest their scale of operations is poised to grow even larger. In July 2025, researchers at Check Point revealed they had uncovered over 500 phishing domains either already in use or likely set up by Scattered Spider for future campaigns. These domains, which mimic common corporate IT URLs, indicate that the group is stockpiling infrastructure to target many organizations across different industries.

According to The Register's reporting, the domains follow Scattered Spider's typical naming conventions, such as "-servicedesk.com" or "-okta.com", intended to look like legitimate login portals for the victim company. Check Point noted that while not all the 500+ sites have been confirmed as malicious, their alignment with Scattered Spider's tactics strongly suggests targeting intent on a broad scale. In other words, Scattered Spider appears to be preparing a mass phishing offensive across multiple sectors.

What does this mean for organizations? First, it underscores that Scattered Spider is highly proactive and methodical. Registering hundreds of lookalike domains in advance hints at planning for coordinated, simultaneous attacks (or a sustained campaign). Second, the diversity of impersonated brands (from aviation and retail to manufacturing and finance) shows the group is opportunistic in choosing targets. As Check Point's analysts put it, "this cross-sector targeting underscores the group's opportunistic approach, adapting to high-value vulnerabilities rather than focusing on a specific vertical." If a company has money or data and weak defenses, it's fair game, regardless of industry. As one member told the Financial Times, Scattered Spider targets anyone it sees fit:

"If a company has money and it meets our requirements, it doesn't matter what field it's in, we'll hit it."

Finally, all those phishing sites will only be effective if the attackers can drive the right people to them. Mass-registering domains is one side of the coin; the other is luring employees to click the links or enter their credentials. Scattered Spider's success in doing that historically has relied on personal touches: targeted texts, well-informed phone calls, customized messages referencing the user's workplace or IT provider. And that targeting, as we've seen, relies on having accurate employee data (names, roles, contact info) ahead of time. Thus, as Scattered Spider's attacks are poised to continue and expand, it's clear that the foundational enabler will still be personal data about employees that can be found online.

Now is the time to harden defenses against Scattered Spider's highly informed social engineering campaigns.

Given Scattered Spider's playbook, organizations must adapt their defenses to limit the personal data available to attackers and strengthen the human element of security. Traditional security tools alone (firewalls, endpoint protection, etc.) are not enough when the adversary is literally talking their way into your network.

Here are several strategies to help mitigate the threat:

  • Reduce Employee Personal Data Exposure on Data Brokers: The most direct way to blunt Scattered Spider's reconnaissance is to proactively reduce the personal data available to them in the first place. Scattered Spider can so easily answer help-desk security questions because they often have the same info your employees might give to verify identity (full name, date of birth, address, last 4 of SSN, names of relatives, etc.). Much of that can be purchased or scraped online right now. Use Optery to opt out and suppress employee profiles from sites like Whitepages, BeenVerified, ZoomInfo, and similar aggregators. Removing or limiting data broker records deprives Scattered Spider of easy reconnaissance fuel. It's a preventive measure that few discuss, yet it directly targets the source of their advantage.
  • Harden Help-Desk and Identity Verification Processes: Help-desk personnel should use verification methods that attackers can't easily learn from the outside. Avoid relying on easily discoverable personal facts for identity verification, because Scattered Spider often possesses this information already. Instead, use internal data or procedures: for example, require the caller to confirm an employee-specific code or answer a question only an insider would know (something from internal HR records or a current project detail). Another option is real-time callback or video verification, e.g. have the help desk call the employee back at their official number on file, or use a video call to verify the person's face or employee ID badge. The goal is to thwart an attacker armed with stolen personal data by adding a verification step that's not purely knowledge-based. Mandiant specifically advises using internal-only knowledge or real-time presence verification to defeat these social engineering calls. Also, train help-desk staff to spot red flags: e.g. if someone is urgently asking to reset MFA late at night, sounding impatient, or providing too much personal info upfront (as if reciting a script of their own details), take a pause and escalate for further verification.
  • Implement Phishing-Resistant MFA (and Don't Rely on SMS): Given Scattered Spider's proclivity for SIM swapping and OTP interception, companies should move away from SMS-based two-factor authentication wherever possible. Phishing-resistant authenticators such as FIDO2 security keys or hardware tokens (like YubiKeys) can dramatically reduce the risk of MFA compromise, since these devices are tied to the legitimate user and require a physical touch or biometric verification to complete authentication. Even push-notification MFA (phone apps) is preferable to SMS, especially if combined with number matching or additional context. The key is to remove the low-hanging fruit; if an employee's mobile number is all over data brokers or leaks, an attacker might hijack that number. But they cannot as easily steal a physical security key or bypass a PIN-protected authenticator app. Wherever SMS or voice call 2FA is still in use, treat those users as high-risk and encourage an upgrade to more secure methods.
  • Tighten Account Recovery Workflows: Beyond just help desks, examine how your organization handles password resets, MFA device enrollments, and account recovery. Scattered Spider's airline attacks involved abusing self-service password reset portals and adding their own devices as MFA authenticators. To counter this, implement safeguards such as: requiring manager approval for any privileged account reset, notifying users via alternate channels when their credentials/MFA are reset, and temporarily locking accounts after a reset until the true user confirms. Remove or restrict any self-service account recovery options that use weak verification (like just a DOB or personal email). It may inconvenience users slightly, but it could stop an intruder from instantly taking over an account using basic personal info.
  • Monitor and Alert on Typosquatted Domains: In light of the 500+ phishing domains discovered, organizations (and their security providers) should proactively search for lookalike domains resembling their company and key vendors. Many threat intel services and registrars offer alerts for new domains that mimic brand names. If you see YourCompany-okta.com or YourCompany-helpdesk.net pop up, treat it as an indicator of a looming phishing attack and alert your employees. You can also work to block these domains on your corporate network and inform your staff to be wary. The earlier you catch Scattered Spider setting up infrastructure targeting you, the better you can prepare (and coordinate takedowns). Consider sharing intelligence within your industry as well, since these attacks often pivot sectors rapidly.
  • Privileged Access Hygiene and Monitoring: Scattered Spider likes to target high-privilege accounts (CFOs, IT admins, etc.) because those yield the most access. Ensure that such accounts in your organization have additional protections: strictly enforced MFA, a policy of no over-the-phone resets at all, limits on accessible systems, and continuous logging of their activities. Implement behavioral analytics to flag if, say, your CFO's account suddenly requests a password reset or starts downloading massive data at 2 AM. It could be the first sign of a compromise. Some companies even use secret questions or code words for VIP users when they call IT, to thwart impostors.
  • Security Training Focused on Social Engineering: Regular employee training is a staple recommendation, but here it should be laser-focused on the kinds of tricks Scattered Spider uses. Conduct simulated phishing exercises via SMS and voice calls (vishing) in addition to email tests. Train your staff, especially those in IT support roles, on scenarios like impersonation calls. Make sure they know that attackers might have personal info and that seeing someone's name, title, or even SSN isn't proof of identity. Encourage a culture where it's okay to say no or verify through another channel. The goal is to condition employees to verify unusual requests (like adding a new MFA device) through a second factor (e.g., "I'll call you back on our internal Teams chat to confirm"). Since Scattered Spider often communicates in fluent, unaccented English and can be very convincing, employees should be taught that anyone can be a con artist on the phone if given enough info. Practicing these scenarios can make a real incident less likely to succeed.
  • Limit Exposure of Employee Info Publicly: Beyond data brokers, consider what your own organization is sharing on the open web. Company websites and press releases that list all executives and their bios, or social media posts that celebrate employees of the month (with full names and photos), can all be leveraged by attackers. While transparency and branding are important, balance that with security; perhaps avoid listing direct contact details or full org charts publicly. Encourage employees to be mindful about what they post on LinkedIn or Twitter regarding their role to avoid attracting the wrong attention. The less an attacker can learn about your internal structure and personnel from public sources, the more you force them to rely on harder-to-obtain data and reduce your risk of being targeted.
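Two of the mitigations above (watching for lookalike domains that follow the "-okta.com" / "-servicedesk.com" naming convention, and flagging password resets or MFA enrollments on privileged accounts that arrive out of hours or over the phone) can be turned into simple detection logic. The script below is an added example written for this article, not code from Optery or any of the vendors cited; the brand name `examplecorp`, the domain feed, the identity events, and the business-hours window are all constructed sample values, and the keyword list can be extended for your own environment.

```python
"""Defensive checks for Scattered Spider-style activity (added example).

1. flag_new_domains: screen a feed of newly registered domains for
   "<brand>-okta", "<brand>-servicedesk", "<brand>-helpdesk" patterns and
   single-character typosquats of a watched brand.
2. flag_privileged_resets: flag sensitive identity changes (password reset,
   MFA device enrollment) on privileged accounts that happen outside
   business hours or are requested through the phone help desk.
"""
from datetime import datetime, time

# Constructed configuration: brands (and key vendors) you want to protect.
WATCHED_BRANDS = ["examplecorp"]
# IT-portal keywords matching the naming conventions described in the article.
IT_KEYWORDS = ["okta", "servicedesk", "helpdesk"]

# Constructed sample feed of newly registered domains (not real registrations).
NEW_DOMAINS = [
    "examplecorp-okta.com",
    "examplecorp-servicedesk.com",
    "examplecorp-helpdesk.net",
    "okta-examplecorp.com",
    "examp1ecorp.com",      # digit-for-letter typosquat
    "examplecorp.com",      # the legitimate domain; must not be flagged
    "weather-today.org",    # unrelated registration
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label just left of the TLD. Assumes a single-label TLD (com/net/org);
    a production version would consult the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_reasons(domain: str, brands=WATCHED_BRANDS) -> list[str]:
    """Return the reasons a domain looks like an impersonation of a brand."""
    label = registrable_label(domain)
    reasons = []
    for brand in brands:
        if label == brand:
            continue  # the brand's own domain
        if brand in label:
            # "<brand>-okta", "okta-<brand>", "<brand>helpdesk", ...
            remainder = label.replace(brand, "").strip("-")
            hits = [k for k in IT_KEYWORDS if k in remainder]
            if hits:
                reasons.append(f"brand '{brand}' combined with IT keyword(s) {hits}")
            else:
                reasons.append(f"contains brand '{brand}'")
        elif edit_distance(label, brand) == 1:
            reasons.append(f"one edit away from brand '{brand}' (typosquat)")
    return reasons


def flag_new_domains(feed):
    """(domain, reasons) for every domain in the feed that looks suspicious."""
    return [(d, r) for d in feed if (r := lookalike_reasons(d))]


# Constructed sample identity events (not real logs). "channel" is how the
# change was requested; "privileged" marks admin/VIP accounts.
IDENTITY_EVENTS = [
    {"ts": "2025-07-01T02:11:00", "user": "cfo", "event": "password_reset",
     "channel": "helpdesk_phone", "privileged": True},
    {"ts": "2025-07-01T10:30:00", "user": "jdoe", "event": "password_reset",
     "channel": "self_service", "privileged": False},
    {"ts": "2025-07-01T14:05:00", "user": "itadmin", "event": "mfa_device_enrolled",
     "channel": "helpdesk_phone", "privileged": True},
    {"ts": "2025-07-01T11:00:00", "user": "itadmin", "event": "login",
     "channel": "sso", "privileged": True},
]

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed local working window
SENSITIVE_EVENTS = {"password_reset", "mfa_device_enrolled"}


def flag_privileged_resets(events):
    """(user, event, reasons) for sensitive changes to privileged accounts
    that are out of hours or came in over the phone (policy: never allowed)."""
    flagged = []
    for e in events:
        if not e["privileged"] or e["event"] not in SENSITIVE_EVENTS:
            continue
        reasons = []
        t = datetime.fromisoformat(e["ts"]).time()
        if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if e["channel"] == "helpdesk_phone":
            reasons.append("phone-based change on privileged account")
        if reasons:
            flagged.append((e["user"], e["event"], reasons))
    return flagged


if __name__ == "__main__":
    for domain, reasons in flag_new_domains(NEW_DOMAINS):
        print(f"[domain] {domain}: {'; '.join(reasons)}")
    for user, event, reasons in flag_privileged_resets(IDENTITY_EVENTS):
        print(f"[identity] {user} {event}: {'; '.join(reasons)}")
```

Run as a script it prints one line per flagged domain and per flagged identity event; in practice the domain feed would come from a registrar or threat-intel alert service and the identity events from your IdP's audit log. The domain check deliberately treats the brand's own domain as benign and only uses a distance of one for typosquats, so that unrelated names are not flooded into the alert queue.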

Scattered Spider's campaigns highlight that technical defenses must be paired with proactive data removal and user awareness. This group operates at the intersection of people and technology: they abuse personal data and human trust to beat the system. Companies should respond in kind by protecting that personal data and fortifying the human element of security. Removing your sensitive details from the open market, improving verification processes, and educating those on the front lines (help desks and users) will take away Scattered Spider's biggest advantages.

Given the warning signs, from airlines under attack to 500 phishing domains lying in wait, now is the time to act proactively. To defend against this threat, organizations must close the gaps in both tech and personal data exposure that Scattered Spider so deftly exploits.