Potent youth cybercrime ring made up of 1,000 people, FBI official says

An aggressive, nebulous ring of young cybercriminals linked to a string of recent high-profile breaches is made up of approximately 1,000 people, a senior FBI official said Friday. 

In remarks Friday at the cybercrime-focused Sleuthcon conference, Bryan Vorndran, assistant director of the FBI’s Cyber Division, described the group best known as Scattered Spider as a “very, very large, expansive, disbursed group of individuals,” many of whom don’t know each other directly. 

Scattered Spider emanates from an online community known as “the Com.” The group is also tracked by cybersecurity firms as “0ktapus” or UNC3944, and Vorndran’s remarks provide the best number yet for the total size of the hacking crew.  

Scattered Spider has breached a who’s-who of big-name companies, including the casino giant MGM Resorts and Clorox. Made up of mostly native English speakers in the United States and the United Kingdom, Scattered Spider is classified as a top three cybersecurity threat, alongside China and Russia’s foreign intelligence agency, Vorndran said. 

Scattered Spider and the broader Com excel in social engineering, including by talking their way into privileged networks by targeting help desks and other key access points. Once inside, they’ve demonstrated immense skill at moving around networks and exfiltrating data and have also shown signs of collaboration with established ransomware groups. 

When members of the Com were linked to an attack last year on MGM Resorts and Caesars Entertainment that hobbled casino and hotel operations in Las Vegas, it cemented the group’s status as one of the most impactful cybercrime groups working today. 

In the days after the MGM attack, researchers told CyberScoop that people in the Com form various smaller groups that sometimes work together or battle each other. Some groups advertise violence as a service — including assaults and throwing bricks through windows — and in some cases have taken to physical threats against victims to pressure them into paying extortion demands, as Microsoft reported in October 2023.

The FBI has taken heat for a seeming lack of progress in arresting Com members, some of whom are believed to be in the United States, but officials say the agency has taken non-public actions and promise more to come. In January, authorities in Florida arrested 19-year-old Noah Urban, Krebs on Security reported, a key figure in the crime ring.

The potent digital and physical threat posed by groups within the Com have some researchers calling for cybercrime to be given the same amount of attention and resources that the cybersecurity industry dedicates to combating state-aligned cyber operations, referred to as “advanced persistent threats” or APTs. 

“In biasing ourselves towards APT versus e-crime, we create a false dichotomy that pushes resources, attention and support to areas that don’t always align with the greatest organizational risks,” Selena Larson, a senior threat intelligence analyst with cybersecurity firm Proofpoint, said in a talk Friday at Sleuthcon, to cheers from the audience. “Your average organization has a greater threat from cybercrime than government-backed actors.”

Correction, May 30, 2024: An earlier version of this article incorrectly stated that Scattered Spider has breached the identity provider Okta. While Scattered Spider has targeted Okta customers to obtain Okta identity credentials, the company says it has not been breached by Scattered Spider.