Hackers Cripple MGM — $1.2 Billion Gone

Young American hackers partnering with Russian crime groups have inflicted over $900 million in damages to major corporations like MGM and Marks & Spencer, driven by an explosive combination of financial greed and desire for online infamy.

Key Takeaways

  • Scattered Spider, composed of young hackers from the U.S., UK, and Canada, has caused hundreds of millions in damages to major companies through sophisticated social engineering attacks.
  • The group’s September 2023 attack on MGM Resorts cost over $100 million and paralyzed operations across Las Vegas properties, while Marks & Spencer suffered up to $403 million in operating losses.
  • Unlike traditional cybercriminals, Scattered Spider is motivated by both financial gain and public recognition, intentionally targeting high-profile companies to generate media coverage.
  • These Western hackers have formed dangerous partnerships with Russian ransomware gangs, creating a new threat model that combines social engineering expertise with sophisticated malware tools.
  • Companies can protect themselves through least privilege access, separation of duties, and behavioral monitoring of network activities.

The New Face of Cybercrime: Young, Western, and Dangerous

A new breed of cybercriminals is reshaping the ransomware landscape. Scattered Spider, a group of young hackers from the United States, United Kingdom, and Canada, has emerged as one of the most damaging cyber threats facing major corporations today. Unlike previous generations of cybercriminals operating from distant overseas locations, these attackers speak fluent English, understand Western corporate culture, and leverage that knowledge to devastating effect. Their social engineering tactics have proven exceptionally effective at bypassing traditional security measures, allowing them to penetrate even well-defended corporate networks through carefully researched impersonation schemes that trick employees into providing access credentials.

The FBI and multiple private security firms have placed Scattered Spider under intense scrutiny after a series of high-profile attacks that have caused hundreds of millions in damages. The group is part of a larger hacking subculture called “the Community” or “the Com,” which encompasses thousands of English-speaking youth involved in various forms of cybercrime. What makes Scattered Spider particularly dangerous is their partnership with Russian ransomware gangs like BlackCat, which provide the infrastructure and malware tools while the Western hackers supply the network access through their social engineering expertise.

“They’re not exclusively financially motivated — they like the clout, they like the mainstream media attention,” said Charles Carmakal, Chief Technology Officer at Mandiant.

The MGM Attack: Corporate America’s Nightmare

In September 2023, Scattered Spider executed one of the most disruptive ransomware attacks in American corporate history against MGM Resorts International. The attack crippled operations across MGM’s Las Vegas properties, affecting everything from slot machines to hotel room key systems, restaurant point-of-sale terminals, and even elevators. The financial impact was staggering, with MGM reporting losses exceeding $100 million. The attack began with a simple phone call to MGM’s IT help desk, where a hacker posing as a company employee convinced a support technician to reset their credentials, providing the initial access that led to the complete compromise of MGM’s systems.

The chaos on the casino floor was immediate and highly visible, creating exactly the kind of public spectacle that Scattered Spider craves. Slot machines went dark, guests couldn’t access their rooms, and casino operations ground to a halt. MGM refused to pay the $30 million ransom demand, choosing instead to rebuild their systems—a decision that cost them dearly in both immediate operational losses and reputational damage. Meanwhile, Caesars Entertainment faced a similar attack but chose to pay a $15 million ransom to avoid the kind of disruption that MGM experienced, highlighting the impossible choices companies face when targeted.

“Incredibly, when it happened, I was in an MGM property, and it happened while we were having dinner and there just began to be a rumble that something was going on. When I went down into the casino, I could see that slot machines were sitting dark, people were scrambling around. The shutdown was starting to take effect,” said Anthony Curtis, Las Vegas Advisor.

“So all of a sudden now people are goin’, ‘How do I get my money? What’s wrong?’ And the people were sitting there waiting and couldn’t get paid,” said Curtis, describing the chaotic scene on the casino floor.

Marks & Spencer: The Latest High-Profile Target

Following their pattern of targeting multiple companies within the same sector, Scattered Spider moved on to attack British retail giant Marks & Spencer. The impact was equally devastating, with reports indicating up to $403 million in lost operating profits and over $807 million in market capitalization losses. This attack further demonstrates the group’s tactical approach of hitting multiple high-profile targets in quick succession to maximize both financial gains and media coverage before shifting to a new industry sector. Security experts have observed that this pattern of concentrated attacks against specific industries helps the group refine their techniques while building their reputation.

“They tend to hit a bunch of companies in the same sector for a few weeks before they move on,” said Charles Carmakal, highlighting the group’s strategic approach to target selection.

The damage extends far beyond the immediate financial losses. Companies targeted by Scattered Spider face extensive remediation costs, potential data breaches affecting customers, regulatory scrutiny, and long-term reputational damage. The group’s dual motivation of financial gain and public recognition makes them particularly dangerous, as they intentionally select targets where disruption will be highly visible to the public and media. This strategy creates maximum pressure on victims to pay ransoms while simultaneously building the group’s notoriety within hacking communities.

Protecting Against The Next Attack

As Scattered Spider continues its campaign against major corporations, security experts recommend multiple layers of defense against their social engineering tactics. The traditional security perimeter is no longer sufficient when attackers can simply call or message employees directly, convincing them to provide access credentials. Companies must implement strict verification protocols for password resets and access changes, while training employees to recognize social engineering attempts. Multi-factor authentication remains critical, though Scattered Spider has demonstrated techniques to bypass even this protection through persistent manipulation of help desk staff.

“There are standard approaches to addressing such threats, including least privilege access, separation of duties, and monitoring and alerting on suspicious activities. Behavioral monitoring is another key area, and we will likely hear more about its role in future security solutions and controls,” said Randolph Barr, a cybersecurity expert.
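The help-desk reset path described above can be monitored directly. The following is an added example, not code from the article or from any vendor: it flags a help-desk-initiated password or MFA reset that is followed within an hour by an MFA enrollment or login from a device never seen for that user. The event fields, action names, and sample records are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-provider audit events (sample data, not real logs).
# Field names and action names are assumptions for this example.
EVENTS = [
    {"ts": "2024-01-15T09:00:00", "actor": "helpdesk.agent1",
     "action": "password_reset", "target": "alice", "device": None},
    {"ts": "2024-01-15T09:05:00", "actor": "alice",
     "action": "mfa_enroll", "target": "alice", "device": "dev-new-77"},
    {"ts": "2024-01-15T09:10:00", "actor": "helpdesk.agent2",
     "action": "mfa_reset", "target": "bob", "device": None},
    {"ts": "2024-01-15T09:20:00", "actor": "bob",
     "action": "login", "target": "bob", "device": "dev-bob-laptop"},
    {"ts": "2024-01-15T13:00:00", "actor": "bob",
     "action": "login", "target": "bob", "device": "dev-unknown-9"},
]
KNOWN_DEVICES = {"alice": {"dev-alice-laptop"}, "bob": {"dev-bob-laptop"}}
RESET_ACTIONS = {"password_reset", "mfa_reset"}
FOLLOW_UP_ACTIONS = {"mfa_enroll", "login"}


def find_suspicious_resets(events, known_devices, window=timedelta(minutes=60)):
    """Alert when a reset performed by someone other than the account owner
    is followed, within `window`, by activity from an unrecognized device."""
    alerts = []
    pending = {}  # user -> (time of reset, agent who performed it)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["target"]
        if ev["action"] in RESET_ACTIONS and ev["actor"] != user:
            pending[user] = (ts, ev["actor"])
        elif ev["action"] in FOLLOW_UP_ACTIONS and user in pending:
            reset_ts, agent = pending[user]
            unseen = ev["device"] not in known_devices.get(user, set())
            if unseen and ts - reset_ts <= window:
                alerts.append({
                    "user": user, "agent": agent, "trigger": ev["action"],
                    "device": ev["device"],
                    "minutes_after_reset": int((ts - reset_ts).total_seconds() // 60),
                })
                del pending[user]  # one alert per reset
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS, KNOWN_DEVICES):
        print(alert)
```

Each alert names the help-desk agent who performed the reset, so the account can be reviewed by a second person before the new factor is trusted.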

Law enforcement has made some progress, with the FBI announcing several arrests including a 19-year-old linked to Scattered Spider. However, most members remain at large and highly active. The dangerous partnership between Russian ransomware gangs and Western hackers represents an evolution in the threat landscape that will continue to challenge corporate America. Until companies strengthen their human security elements alongside technical defenses, Scattered Spider and similar groups will continue their campaign of high-profile attacks, motivated by both profit and the notoriety that comes with bringing major corporations to their knees.