{
	"id": "7cb4339d-7786-449d-8f9a-0ce563019c33",
	"created_at": "2026-04-06T00:12:03.267161Z",
	"updated_at": "2026-04-10T03:31:50.047097Z",
	"deleted_at": null,
	"sha1_hash": "16ce443e9166e9268c4c75ac1965a3f4ab84220d",
	"title": "Scattered Spider snared financial orgs before targeting shops in Britain, America",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45020,
	"plain_text": "Scattered Spider snared financial orgs before targeting shops in Britain, America\r\nBy Jessica Lyons\r\nPublished: 2025-05-21 · Archived: 2026-04-05 17:52:17 UTC\r\nInterview: Scattered Spider snared financial services organizations in its web before its recent spate of retail attacks in the UK and US, according to Palo Alto Networks' Unit 42.\r\n\"We saw several instances in the financial services space, and now we're starting to see instances in the retail-oriented, customer-facing space,\" Unit 42 principal threat researcher Kristopher Russo told The Register.\r\nRusso declined to name the victim companies, but noted that all of the organizations that brought in Unit 42's incident-response team were English-speaking.\r\nEchoing warnings from Mandiant CTO Charles Carmakal, Russo said he expects the loosely knit cybercrime crew to soon lose interest in retail and move on to the next shiny target.\r\n\"They tend to shift from industry to industry,\" Russo said. \"It's more the amorphous nature of this group, where they're bringing people in and losing people all the time, and you have people that have specialties in software that's used by a specific industry.\"\r\nThese criminals typically have experience in particular industries, and they use this \"insider knowledge\" about various sectors for evil, he added.\r\n\"Early on, this group was focused on cryptocurrency theft,\" Russo said. \"Business process outsourcers were a huge target for a while. 
We saw them shift to financial services, and now this retail shift seems to be the latest in the bouncing around that this group does.\"\r\nMoving on to crypto?\r\nMeanwhile, some unknown miscreants have reportedly targeted large cryptocurrency exchanges, including Binance and Kraken, using the same type of social-engineering attacks that criminals employed to break into Coinbase and steal customer data.\r\nKraken declined to comment on the unsuccessful break-in, reported by Bloomberg, and Binance did not respond to The Register's inquiries.\r\nIn the case of Binance, the crooks called some of the biz's users in Israel and tried to trick them into transferring funds into an attacker-controlled wallet, according to the report, which noted: \"The caller had a posh British accent.\"\r\nOne of the hallmarks of Scattered Spider's social engineering campaigns is their native-English speakers' skill at convincing help desks, company employees — or really anyone on the other end of the phone — to disregard their own policies and do what the scammers say.\r\n\"The key to this is to make sure that your help desk does not violate its internal procedures, and that you test that so they're not changing a password and an MFA on the same call, and they are not bypassing any of their authentication types,\" Russo said.\r\nWhen asked if he's seen any indication of a link between the crypto hacks and Scattered Spider, Russo said he doesn't have any evidence. 
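Russo's help-desk control above (no password reset and MFA reset on the same call, no skipped verification step) can be tested against the help desk's own audit trail rather than taken on trust. The following Python is an added example, not code from The Register, Unit 42 or any vendor: the record layout, the field names, the ticket-equals-one-call assumption and the set of acceptable verification methods are all assumptions for illustration, and the sample records are constructed.

```python
# Added example (not from the article or Unit 42): a check over help-desk audit
# records for the failures Russo names, a password reset and an MFA reset
# handled on the same call, and a reset performed without the required identity
# verification. Record layout, field names and verification labels are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records; 'ticket' identifies one call/session.
SAMPLE_EVENTS = [
    {'ts': '2025-05-20T14:02:10', 'ticket': 'T-100', 'agent': 'agent1',
     'user': 'alice', 'action': 'password_reset', 'verification': 'id_photo_plus_callback'},
    {'ts': '2025-05-20T14:05:31', 'ticket': 'T-100', 'agent': 'agent1',
     'user': 'alice', 'action': 'mfa_reset', 'verification': 'id_photo_plus_callback'},
    {'ts': '2025-05-20T15:10:00', 'ticket': 'T-101', 'agent': 'agent2',
     'user': 'bob', 'action': 'password_reset', 'verification': 'none'},
    {'ts': '2025-05-20T16:00:00', 'ticket': 'T-102', 'agent': 'agent3',
     'user': 'carol', 'action': 'mfa_reset', 'verification': 'id_photo_plus_callback'},
    {'ts': '2025-05-20T16:20:00', 'ticket': 'T-103', 'agent': 'agent1',
     'user': 'carol', 'action': 'password_reset', 'verification': 'id_photo_plus_callback'},
    {'ts': '2025-05-21T09:00:00', 'ticket': 'T-104', 'agent': 'agent2',
     'user': 'dave', 'action': 'password_reset', 'verification': 'id_photo_plus_callback'},
]

# Verification methods the (assumed) procedure accepts for a credential change.
ALLOWED_VERIFICATION = {'id_photo_plus_callback', 'in_person'}
# The two actions that must never be granted together on one call.
CREDENTIAL_ACTIONS = {'password_reset', 'mfa_reset'}


def parse_ts(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%S')


def find_violations(events, window_minutes=60):
    '''Return (rule, user, detail) tuples for every procedure violation.

    Rules:
      unverified_reset            - a credential change with a verification
                                    method outside ALLOWED_VERIFICATION
      same_call_password_and_mfa  - password and MFA reset on one ticket
      split_call_password_and_mfa - password and MFA reset for the same user
                                    on different tickets within window_minutes
    '''
    findings = []
    per_user = defaultdict(list)
    for e in events:
        if e['action'] not in CREDENTIAL_ACTIONS:
            continue
        if e['verification'] not in ALLOWED_VERIFICATION:
            findings.append(('unverified_reset', e['user'], e['ticket']))
        per_user[e['user']].append(e)

    for user, evs in per_user.items():
        evs.sort(key=lambda e: parse_ts(e['ts']))
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                # Only a password reset paired with an MFA reset is of interest.
                if {a['action'], b['action']} != CREDENTIAL_ACTIONS:
                    continue
                gap = parse_ts(b['ts']) - parse_ts(a['ts'])
                if a['ticket'] == b['ticket']:
                    findings.append(('same_call_password_and_mfa', user, a['ticket']))
                elif gap <= timedelta(minutes=window_minutes):
                    findings.append(('split_call_password_and_mfa', user,
                                     a['ticket'] + '+' + b['ticket']))
    return findings


if __name__ == '__main__':
    for rule, user, detail in find_violations(SAMPLE_EVENTS):
        print(rule, user, detail)
```

The split-call rule goes one step beyond Russo's same-call wording: a caller refused the second change on one call can simply phone back and reach a different agent, so the check also pairs a password reset and an MFA reset for the same account across tickets inside a configurable window. Run find_violations over an export of real reset events; each tuple it returns is a case to review with the agent on the ticket.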
Russo added that he also wouldn't be surprised if the crypto attacks turn out to be connected to the group.\r\n\"A year ago, cryptocurrency firms were a prime target for this group, and we were able to do some attributions back then,\" Russo said. \"It would not surprise me at all to see that they're still active in this space.\"\r\nCoinbase, asked whether it had identified any suspects or attributed the breach to a particular group, emailed The Register the following statement:\r\n\"We have notified and are working with the DOJ and other US and international law enforcement agencies and welcome law enforcement's pursuit of criminal charges against these bad actors,\" Coinbase Chief Legal Officer Paul Grewal said. ®\r\nSource: https://www.theregister.com/2025/05/21/scattered_spider_snared_financial_orgs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.theregister.com/2025/05/21/scattered_spider_snared_financial_orgs/"
	],
	"report_names": [
		"scattered_spider_snared_financial_orgs"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434323,
	"ts_updated_at": 1775791910,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16ce443e9166e9268c4c75ac1965a3f4ab84220d.pdf",
		"text": "https://archive.orkl.eu/16ce443e9166e9268c4c75ac1965a3f4ab84220d.txt",
		"img": "https://archive.orkl.eu/16ce443e9166e9268c4c75ac1965a3f4ab84220d.jpg"
	}
}