Scattered Spider’s Evolution Poses a Major Threat for 2026


With a deep understanding of cloud architecture and its vulnerabilities, Maryanne Baines has spent years on the front lines, analyzing how threat groups exploit the very technologies designed to empower businesses. Today, she offers her perspective on the evolution of one of 2025’s most disruptive cybercriminal collectives, Scattered Spider. Our conversation explores the group’s cunning use of social engineering, its fluid and brand-agnostic operational model, its startling resilience against law enforcement, and what its future ambitions might mean for organizations everywhere.

Scattered Spider has consistently used help desk social engineering to breach major companies like Marks and Spencer and Hawaiian Airlines. How is this tactic evolving in sophistication, and what practical, step-by-step verification processes should IT support teams implement to counter these attacks?

It’s a chillingly simple, yet devastatingly effective, playbook that they’ve doubled down on all year. The evolution isn’t necessarily in some groundbreaking new technology, but in the scale and automation they’re applying. They are using automated spear-phishing tools, some even abusing services like Google Voice, to run massive identity harvesting campaigns with minimal effort. This allows them to hit more targets, faster. For IT teams, the defense has to become more rigorous. First, they need to shrink their toolset; use a small, trusted list of remote access tools and actively monitor, alert, and block anything else. Second, verification must be non-negotiable. Any sensitive request, especially for access, must be verified through a secondary channel, preferably a video call to confirm the person is who they claim to be. Finally, continuous training is essential, not just on spotting phishing emails, but on handling suspicious phone calls and the psychological pressure these actors apply.
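The first control named above, a short allowlist of remote access tools with alerting on anything else, is easy to state and easy to get wrong in practice. The following is an added example, not code from the interview or from any vendor: it takes constructed process-start events (JSON lines with host, user and image path, assumed fields), matches the executable name against an illustrative catalogue of remote-access tools, and raises an alert when the tool is not on the sanctioned list or when the sanctioned tool is launched from somewhere other than its expected install directory. The tool names, the approved path prefix and the events are all assumptions made for the example.

```python
import json
import ntpath
from typing import Optional

# Illustrative catalogue of remote-access executables (constructed list; extend it with
# the tools actually observed in your own environment).
REMOTE_ACCESS_TOOLS = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
}

# Assumption: the organisation sanctions exactly one tool, and it is only ever expected
# under this install prefix. Anything else is a deviation worth a ticket.
APPROVED_TOOLS = {
    "screenconnect.clientservice.exe": ("c:\\program files (x86)\\screenconnect client",),
}


def classify_event(event: dict) -> Optional[dict]:
    """Return an alert for one process-start event, or None if nothing is wrong."""
    image = event.get("image", "")
    name = ntpath.basename(image).lower()  # ntpath handles Windows paths on any OS
    if name not in REMOTE_ACCESS_TOOLS:
        return None  # not a remote-access tool, so not in scope for this rule
    base = {
        "host": event["host"],
        "user": event["user"],
        "tool": REMOTE_ACCESS_TOOLS[name],
        "image": image,
    }
    if name not in APPROVED_TOOLS:
        return {**base, "reason": "unapproved remote-access tool executed"}
    if not image.lower().startswith(APPROVED_TOOLS[name]):
        return {**base, "reason": "approved tool launched from unexpected path"}
    return None


def scan(lines) -> list:
    """Run classify_event over JSON-lines process telemetry and collect the alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = classify_event(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: one sanctioned launch, two unapproved tools, one
# unrelated system process, and the sanctioned tool dropped into a Downloads folder.
SAMPLE_EVENTS = r"""
{"host": "ws01", "user": "alice", "image": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe"}
{"host": "ws02", "user": "bob", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\AnyDesk.exe"}
{"host": "ws03", "user": "carol", "image": "C:\\Windows\\System32\\svchost.exe"}
{"host": "ws04", "user": "dave", "image": "C:\\Users\\dave\\Downloads\\ScreenConnect.ClientService.exe"}
{"host": "ws05", "user": "erin", "image": "C:\\Users\\erin\\Desktop\\TeamViewer.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS.splitlines()):
        print(f"[{alert['reason']}] {alert['host']} {alert['user']} {alert['tool']}: {alert['image']}")
```

The path check on the sanctioned tool matters as much as the allowlist itself: an attacker who knows which tool the help desk uses will simply install that one, so the rule also has to care about where it runs from and who installed it.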

The group demonstrated a pattern of targeting specific industries in sequence, moving from retail to insurance and then aviation. What makes this industry-hopping strategy so effective, and what early warning signs should a company look for to know its sector is next on the list?

This industry-hopping strategy works because it allows them to develop a deep, albeit temporary, expertise in a sector’s specific weaknesses. They learn the jargon, the common software, and the typical IT support structures, particularly when there’s a heavy reliance on outsourced IT services, which they love to target. Once they’ve mastered a sector and defenses start to stiffen, they simply pivot to the next high-value target. As for early warnings, it’s about paying attention to the noise. When you see a string of breaches in a related industry—like the attacks on Cartier and North Face preceding the hits on Erie and Philadelphia Insurance—that’s your signal. The FBI’s warning in July about airlines being targeted came after Hawaiian Airlines and WestJet were already breached. Companies need to be part of intelligence-sharing communities and listen for these tremors before the earthquake hits their own sector.

We’ve seen Scattered Spider merge with groups like LAPSUS$ and ShinyHunters into a fluid collective. How does this “brand-agnostic” model benefit them operationally, and what challenges does this present for threat intelligence teams trying to track a single, defined adversary?

This model is a massive advantage for them. By operating under a fluid umbrella like “Scattered LAPSUS$ Hunters,” they create a unified, more intimidating front when it suits them, while maintaining operational flexibility. It’s less a formal merger and more a reflection of a modern criminal ecosystem where members, tools, and tactics are swapped freely. This isn’t a single gang with a rigid hierarchy; it’s a loose collective that rebrands, regroups, and recruits at lightning speed. For threat intelligence, it’s a nightmare. You’re no longer tracking a single entity with predictable patterns. Instead, you’re trying to map a constantly shifting network of individuals who might work together on one attack and operate independently on the next. It makes attribution incredibly difficult and forces us to track behaviors and toolsets rather than a single, named group.

Despite several law enforcement takedowns, the collective seems to regroup within hours. Why are these actions often only surface-level disruptions? Please describe the internal structure or communication methods that give these groups such impressive resilience against arrests.

The arrests are like cutting a single head off a hydra; two more seem to grow in its place. These takedowns are often just surface-level because the group’s structure is so loose and flexible. It’s more like a team of freelancers than a corporation. When a few members get taken down, the overall operation just keeps moving by swapping in new players. Their communication is a key part of this resilience. We saw their public Telegram channels get removed at least a dozen times this past year, yet they consistently rebuilt them, often within a matter of hours. Instead of deterring them, these disruptions seem to fuel their desire for spectacle, making them even more brazen. They don’t have a central point of failure, which makes dismantling the entire network a monumental challenge for law enforcement.

Attackers are known to use compromised accounts to monitor internal communications on platforms like Slack and Teams. Beyond basic training, what technical controls and verification protocols, such as mandatory video calls, can organizations realistically implement to mitigate this specific insider threat?

This is a particularly insidious tactic because they use your own trusted channels against you. Once inside, they can sit silently in Slack or Teams, impersonating an employee to gather information or even facilitate the next stage of their attack. Basic training is a start, but it’s not enough. Organizations must implement strict technical controls. A hard-and-fast rule should be that no sensitive data, especially passwords or credentials, is ever shared on these platforms. Period. On the verification front, a mandatory video call for any unusual or high-stakes request is a powerful and realistic step. It’s a simple action that immediately breaks the attacker’s anonymity. If someone is asking for access or data that feels off, getting them on a video call to verify their identity can shut down an intrusion attempt in its tracks.
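The "no credentials in chat, period" rule only holds if something enforces it. As an added example that is not from the interview or from any chat platform's own tooling, the scanner below runs a small set of patterns (a password-disclosure phrase, an AWS access key ID format, a PEM private-key header) over constructed chat messages of the kind a Slack or Teams export or message-event webhook would deliver, and reports each hit with the secret redacted so the alert itself does not leak what it found. Message fields and the sample texts are assumptions; the AWS key shown is a made-up value in the documented format.

```python
import re

# Detection rules: name, compiled pattern. Where a rule has a capture group, that group
# is the secret; otherwise the whole match is.
RULES = [
    # "password is X", "pwd: X", "passwd=X" but not "reset your password via the portal"
    ("password", re.compile(r"\b(?:password|passwd|pwd)\b\s*(?:is|:|=)\s*(\S+)", re.I)),
    # AWS access key IDs begin with AKIA followed by 16 upper-case alphanumerics
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # Pasted PEM-encoded private key material
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]


def redact(value: str) -> str:
    """Keep only a two-character prefix so an analyst can recognise the hit without reading the secret."""
    return value[:2] + "***"


def scan_message(message: dict) -> list:
    """Return one finding per rule that matches the message text."""
    findings = []
    for rule_name, pattern in RULES:
        m = pattern.search(message["text"])
        if m:
            secret = m.group(m.lastindex or 0)
            findings.append({
                "id": message["id"],
                "user": message["user"],
                "rule": rule_name,
                "sample": redact(secret),
            })
    return findings


def scan_messages(messages) -> list:
    findings = []
    for message in messages:
        findings.extend(scan_message(message))
    return findings


# Constructed sample messages (assumed fields: id, user, text).
SAMPLE_MESSAGES = [
    {"id": 1, "user": "alice", "text": "the vpn password is Summer2025! pls don't share"},
    {"id": 2, "user": "bob", "text": "lunch at noon?"},
    {"id": 3, "user": "carol", "text": "use key AKIAABCDEFGHIJKLMNOP for the bucket"},
    {"id": 4, "user": "dave", "text": "-----BEGIN RSA PRIVATE KEY-----\nMIIE(constructed)..."},
    {"id": 5, "user": "erin", "text": "reset your password via the portal"},
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"msg {f['id']} from {f['user']}: {f['rule']} ({f['sample']})")
```

A hit should feed the same workflow as any other credential exposure: rotate the secret, then look at who else was in the channel, since an attacker already sitting in a compromised account has read it too.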

There’s speculation the collective may launch its own Ransomware-as-a-Service or Extortion-as-a-Service platform. What specific capabilities would this provide them, and how might it change the threat landscape for businesses that aren’t typically their direct, high-value targets?

Launching their own “as-a-service” platform would be a game-changer, and a terrifying one at that. It would essentially allow them to franchise their brand and tactics. An Extortion-as-a-Service model, for example, would let any threat actor leverage the fear and reputation of the “Scattered LAPSUS$ Hunters” brand in their own attacks, likely for a cut of the profits. This dramatically lowers the barrier to entry for less sophisticated criminals, giving them access to a proven extortion playbook. For businesses, this means the pool of potential attackers just got much, much larger. You would no longer have to be a high-value target directly on Scattered Spider’s radar; any company could be hit by an affiliate using their brand, making the overall threat landscape significantly more dangerous and unpredictable.

What is your forecast for Scattered Spider?

Looking ahead to 2026, I see no signs of them slowing down. Their core methodology is proven and effective, so I expect they’ll continue their focused campaigns, either targeting companies within a specific high-value sector or going after a widely used SaaS application like Salesforce to maximize their impact. They will almost certainly double down on social engineering, but at an even greater scale, fueled by more sophisticated automation. Furthermore, their focus on gaining insider access will intensify, as we saw in the case with CrowdStrike. The most significant development, however, would be the launch of their own branded extortion platform. If they successfully productize their methods, they won’t just be a single threat group anymore; they’ll become the architects of a much broader criminal enterprise.
