Scattered Spider

The group's most common name as used in press releases and by journalists is Scattered Spider, though many other names have been attributed to the group. Star Fraud, Octo Tempest, Scatter Swine, and Muddled Libra have all been names used to refer to the group previously. Scattered Spider is a component of a larger global hacking community, known as "The Community" or "The Com", itself having members who have hacked major American technology companies. == History ==

Scattered Spider is believed to have been founded in May 2022, when the group was focused on attacks on telecommunications firms. The group utilized SIM swap scams, multi-factor authentication fatigue attacks, and phishing by SMS and Telegram. to terminate security software, allowing the group to evade detection. The group is believed to have a deep understanding of Microsoft Azure, the ability to conduct reconnaissance in cloud computing platforms powered by Google Workspace and AWS, and utilizes legitimately-developed remote-access tools. In 2025, DataBreaches.net reported that Scattered Spider have merged with ShinyHunters or vice versa. == Casino hacks (2023) ==

Scattered Spider gained access to both Caesars' and MGM's internal systems through the use of social engineering. The group was able to bypass multi-factor authentication technologies by obtaining login credentials and one-time passwords. The group claims that it targeted MGM due to them catching the group attempting to rig slot machines in their favor. Caesars Caesars Entertainment paid a ransom of $15 million to Scattered Spider, half their original demand of $30 million. Scattered Spider, using similar tactics to its attack on MGM, was able to access driver's license numbers and possibly Social Security numbers, for a "significant number" of Caesars' customers. Statements made by Caesars noted that while the company cannot guarantee the deletion of the information attained by Scattered Spider, the casino operator will take all necessary actions to attain such result. The company stated that though it has "dealt" with the cyberattack, many of the computer systems at its resorts remain offline, which include but are not limited to credits for food, beverages, and free credits. The attack further disabled on-site ATMs as well as remote room keys, and prevented MGM from charging patrons for parking. The arrest was coordinated by local and international law enforcement. Aftermath MGM and the US FTC and FBI are at present investigating the cyberattack, and the casino operator temporarily took down its website. In January 2025, MGM agreed to pay a $45 million settlement to the victims of the breach. ==Snowflake hacks==

Two members of the group have been connected with hacks against customers of Snowflake's cloud computing. The hackers accessed and stole customer data, demanding millions of dollars. Nearly a hundred victims were targeted, including AT&T, Ticketmaster, Advance Auto Parts, LendingTree and Neiman Marcus. == Arrests ==

In January 2024, Noah Michael Urban, a member of the group and known as "Sosa", "King Bob", "Elijah", and other aliases, was arrested in Florida for the cumulative theft of about $800,000 in cryptocurrency. Sosa used SIM-swapping techniques in order to compromise victims' email and financial account details. In June 2024, the alleged leader of the group, Tyler Buchanan (aka TylerB), was arrested in Spain when attempting to board a flight to Italy. At the time of his arrest, Spanish police allege that Buchanan possessed Bitcoins worth $27 million. In July 2024, the West Midlands Police with the help of the FBI arrested a 17-year old juvenile in connection with the MGM cyberattacks. The suspect, who lives in Walsall and whose name was not published, was released on bail while law enforcement examined his devices. 19-year-old Remington Ogletree was arrested in November 2024 on charges related to his alleged involvement with the group. On September 17, 2025, a juvenile suspect local to the casino-hacking case surrendered to Clark County Juvenile Detention Center. On April 10, 2026, Peter Stokes, a 19-year-old Estonian-US dual citizen known by the online alias "Bouquet", was apprehended at Helsinki Airport in Finland while attempting to board a flight to Japan. US federal prosecutors requested his extradition to Chicago, charging him with wire fraud, conspiracy, and computer intrusion across at least four Scattered Spider operations. ==See also ==