Scattered Spider Casino Hackers Evade Arrest in Plain Sight

Published: 23/11/2024   Category: security

The feds seem to know all about the hacking group brazenly breaking into corporate networks; so why are enterprise teams left on their own to stop their cybercrimes?



Threat intelligence analysts, incident responders, and federal law enforcement alike seem to know all about the threat group with an array of monikers — The Com, Scattered Spider, Muddled Libra, UNC3944, Starfraud, and Octo Tempest, among others. So why is the group (which was behind the MGM Resorts and Caesars Entertainment hacks) still successfully attacking US organizations with impunity, with no disruptions to date?
This week, reports confirmed that federal law enforcement is well aware of the identities of the cybercrime group, which is made up of native English speakers, yet has not been able to make any arrests. In fact, sources confirmed to Reuters that law enforcement has known the identities of the Scattered Spider hacking collective for more than six months.
Cybersecurity threat hunters like CrowdStrike's president Michael Sentonas struck a decidedly baffled tone, noting that the fact that the ransomware group is still operational and causing havoc is a failure of law enforcement.
The feds did offer some response: On Nov. 16, the FBI and CISA released an advisory on Scattered Spider, providing indicators of compromise (IoCs) and other details to arm enterprise security teams to defend their networks.
"FBI and CISA recommend organizations implement the mitigations below to improve your organization's cybersecurity posture based on the threat actor activity and to reduce the risk of compromise by Scattered Spider threat actors," the advisory said. It included a list of recommendations, including application controls, remote access tool auditing, and implementing FIDO/WebAuthn authentication or public key infrastructure (PKI)-based multifactor authentication (MFA).
While helpful, the advisory doesn't answer why, if there's so much information about the group's cybercrimes, members of the ransomware group haven't simply been arrested, or at the very least had their operation disrupted, some note.
Like most things sitting at the intersection of corporate America and law enforcement, many of the details remain protected in secrecy. However, the effects of the group running rampant through public company networks like MGM Resorts are well known.
"UNC3944 is one of the most prevalent and aggressive threat actors impacting organizations in the United States today," says Charles Carmakal, Mandiant Consulting CTO at Google Cloud. "They are incredibly disruptive."
And the group appears to be committing cybercrimes with impunity all the time, even branching out into threats of physical violence. Microsoft researchers explained in their analysis of the group, which they call Octo Tempest, that it uses fear for personal safety to pressure victims into paying.
"In rare instances, Octo Tempest resorts to fear-mongering tactics, targeting specific individuals through phone calls and texts," Microsoft's Incident Response and Threat Intelligence teams said in their report. "These actors use personal information, such as home addresses and family names, along with physical threats to coerce victims into sharing credentials for corporate access."
The sheer volume of details published by analysts about the group is dizzying. Scattered Spider was first flagged back in 2022 when it would leverage the Oktapus phishing kit to steal credentials. The group successfully dallied in SIM swaps but seems to have hit its stride in mid-2023, when it became an affiliate of the ransomware-as-a-service provider BlackCat, aka Alphv.
Steadily ramping up their skills, the group's members eventually added a clever new social engineering angle: calling into help desks to reset credentials and take over verified accounts as an initial foothold into target environments. That's the gambit the Scattered Spider crew ultimately used to compromise MGM Resorts and hobble Las Vegas Strip operations for more than a week, running up losses in the hundreds of millions of dollars for MGM Resorts alone. The group simultaneously breached Caesars and quickly negotiated a $15 million ransom payment.
Mandiant's Carmakal says that the group should see more scrutiny in the wake of those two incidents: "They have recently gained a lot of attention because of their recent targeting of hospitality and entertainment organizations."
Federal authorities aren't sharing any details of the investigation into Scattered Spider, but cybersecurity industry insiders suspect traditional law enforcement entities like the FBI are having a hard time adapting to chasing cybercriminals.
"Law enforcement is more accustomed to working groups with more structure and organization, and is struggling with the return of more chaotic and loosely coupled threat actors," Bugcrowd founder Casey Ellis says.
In fact, the FBI's inability to disrupt hacking groups like Scattered Spider could be an issue for some time to come, according to Callie Guenther, senior manager at Critical Start.
"The FBI's struggle to contain this group also highlights the broader challenges faced by law enforcement in the digital age," Guenther says. "The case of Scattered Spider is indicative of a new era of cyber threats where criminal groups employ aggressive tactics, including threats of physical violence. This escalation in criminal strategies requires an equally robust and innovative response from law enforcement and cybersecurity experts."
For now, it appears it's up to individual enterprise teams to stop Scattered Spider from hobbling their networks. In the meantime, the cybersecurity community will continue to collect details on their exploits and wait for arrests.
