Cybercrime
,
Fraud Management & Cybercrime
Anarchic Western Adolescent Hacking Groups Appear to Defy Easy Categorization

All cyberthreat actors by design are elusive, but none may be more so than the amorphous hacking group known as Scattered Spider. Unstructured and undirected, the threat actor is more a cluster of shifting actors than an organized cybercrime group with leadership and a division of responsibilities.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
“Scattered Spider cannot be considered or analyzed as a single organized ‘group’ with its own hierarchy or organigram. Instead, it can be more accurately described as a decentralized cybercrime collective,” says a new report from cybersecurity firm Group-IB.
The firm said it’s tracked multiple subclusters “connected by shared TTPs, tools and in some cases, common forums or chats – but they act separately.” Of course, that hasn’t stopped Scattered Spider from racking up damages in the hundreds of millions, nor police from identifying and arresting members – who often stiff sentences (see: Breach Roundup: Scattered Spider Hacker Gets 10 Years).
Some of the collective’s greatest hits include a data-exfiltration hit on Riot Games in January 2023, hacks against Caesars Palace and MGM Resorts in 2023, and British high street retailers such as Marks & Spencer in mid-2025 – sometimes working with ransomware-as-a-service groups such as DragonForce. But Group-IB said not all incidents trace back to the same subcluster, even when TTPs appeared to overlap.
“These shared characteristics are not because they belong to the same group – the subclusters we have observed are not much bigger than five individuals – but because of learning from the same resources or online communities,” Group-IB said.
CrowdStrike coined the Scattered Spider moniker in 2022. Other cyberthreat intel firms track it as Roasted 0ktapus, Octo Tempest, Storm-0875 and UNC3944.
The group is known for smishing and vishing, social engineering techniques that use phone calls and text messages to impersonate IT personnel, either directing victims to a credential harvesting site or directing to run commercial remote monitoring and management tools, CrowdStrike said.
To understand Scattered Spider, it helps to know that it emerged from “The Com.” This “predominantly English-speaking cybercriminal ecosystem” excels at voice phishing attacks, said cybersecurity firm Resecurity.
Rather than being a discrete group, “this loosely organized network operates more as a cybercrime youth movement, encompassing a broad and constantly shifting range of actors, mainly teens and twentysomethings,” it said.
A July 2025 report from the FBI categorized the Com itself into groups and subgroups, including Hacker Com, In Real Life or IRL Com, “which includes subgroups that aim to facilitate real world acts of violence, oftentimes resulting from online conflicts,” as well as Extortion or Extort Com, which it said “primarily involves the exploitation of children,” noting that “members extort minors, typically females, through threats of doxing, swatting and IRL violence if member demands are not met” (see: Police Target Violent Online Predators Incubated by the Com).
When the targets are corporate, anarchic adolescent energy sometimes appears to be a dominant factor in how attacks play out, especially when they involve data theft and extortion.
“Com ransomware groups have largely not followed in the footsteps of the older Russian ransomware groups, who build a ‘brand name,’ reputation and demonstrate consistent behavior so victims have confidence that the criminal organization will keep their word and the victims will receive what they are promised in exchange for paying the ransom,” says a February report from threat researcher Allison Nixon at Unit 221B.
A group of attackers in August 2025 announced the launch of “Scattered Lapsus$ Hunters,” among other mashed-up names. The entity claimed to feature participants from Scattered Spider, who provided initial access to victims to ShinyHunters, which pursued data theft and extortion with the backing of data-leak specialists from a group reusing the name Lapsus$. Customers of Salesforce and Snowflake numbered among their targets (see: Madman Theory Spurs Crazy Scattered Lapsus$ Hunters Playbook).
Tactical Overlap
Many researchers have linked all parts of Scattered Lapsus$ Hunters to the Com.
A ShinyHunters member disputed any suggestion it sprang from The Com. “Just because our tactics may overlap or be extremely similar to those who do vishing (e.g. Scattered Spider who is actual associated with ‘The Com’) doesn’t mean we are also directly associated, affiliated or linked to ‘The Com,'” the spokesperson told ISMG.
ShinyHunters also dismissed that FBI’s Com report, saying: “This was all super unnecessary. ‘The Com’ doesn’t even exist as an actual thing, it was given it by security researchers and law enforcement. Now, it is widely believed to be a thing which lead many threat actors to start sometimes joking about it, which further solidified ‘The Com.'”
Perhaps, but also, per the “observer effect,” the very act of observing – or in this case, tracking attacks and assigning codenames to these threat clusters – does appear to have altered participants’ behavior. At times, attackers have embraced the names used to track their activities when they’re extorting victims. Sometimes, they add an ironic flourish, as with the launch of Scattered Lapsus$ Hunters.
For threat researchers and defenders, attempting to make sense of this all appears to remain challenging, especially at the intersection of TTPs, codenames and how participants interact, and view and organize themselves.
Big questions remain. “It can be argued that this cluster Group-IB referred to as Scattered Spider is in reality what is used to be known as ‘The Com.’ It is also possible that what researchers were initially referring to as ‘The Com’ is now being referred to as ‘Scattered Spider,'” Group-IB said.
