Deep Dive | high | Finance, Communications

Scattered Spider: When Social Engineering Becomes a Professional Discipline

On the evening of 10 September 2023, MGM Resorts International suffered a cyberattack that shut down casino operations across Las Vegas and multiple US states. Slot machines went dark. Hotel check-in systems failed. Rewards accounts became inaccessible. The disruption lasted for days and cost the company an estimated $100 million.

The compromise began with a single phone call to MGM’s IT help desk.

The caller claimed to be an MGM employee who had lost access to their account. They provided convincing personal details — the target’s name, title, basic work history — all gathered from LinkedIn in a matter of minutes. A help desk agent, following standard account recovery procedures, reset the account and provided temporary credentials.

Those credentials, in the hands of a group called Scattered Spider, were enough.

Who Scattered Spider Is

Scattered Spider (also tracked as UNC3944, Octo Tempest, Starfraud, and Muddled Libra) is unusual among the threat actors covered in this publication for two reasons. First, its members are believed to be predominantly young, English-speaking Westerners, primarily American and British nationals, some reportedly still in their teens or early twenties at the time of the most significant attacks. Second, its primary attack vector is not technical vulnerability exploitation. It is human beings.

The group operates within a loose, fluid online community sometimes called “The Com”: a network of individuals with overlapping skills and operations and a criminal marketplace culture that grew out of gaming communities and SIM-swapping circles. Its operational security is inconsistent (several members have been arrested, including a 17-year-old in the UK and multiple individuals in the US), but its techniques have been documented thoroughly enough that analysts can track the group’s operational fingerprints across intrusions.

The Attack Toolkit: Humans First

Scattered Spider’s playbook starts with reconnaissance and social engineering, not vulnerability scanning.

Reconnaissance. Before any technical action, the group maps the target organisation: identifying IT and IT security staff by name, their likely roles, the systems they manage, and the authentication procedures they’re expected to follow. LinkedIn is the primary source. Online directories, company websites, and social media supplement it. The goal is to build a profile convincing enough to impersonate the target in a phone call or chat interaction.

Vishing (voice phishing). Help desk calls are the primary social engineering vector. Callers impersonate employees, contractors, or vendors, using real names and plausible scenarios; in more sophisticated cases the caller ID is spoofed to show an internal number. Help desk agents in large organisations handle hundreds of calls a day and are trained to resolve problems, not to conduct interrogations. The combination of volume, social pressure, and realistic caller profiles makes these calls effective even against organisations with security awareness programmes.

MFA fatigue attacks (also called push bombing). Once credentials are obtained, multi-factor authentication is still a barrier, unless the attacker makes it so annoying that the user approves anything to make it stop. The attacker repeatedly triggers push notifications to the target’s phone until the target approves one by mistake or simply to end the interruption. This technique is well documented in Scattered Spider operations and became common enough that authenticator vendors added number matching and contextual prompts (requesting application, location) to blunt it. Those mitigations help only if they are enforced: a push that can still be approved with a single tap remains vulnerable.

SIM swapping. For targets with SMS-based MFA, SIM swapping — convincing a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM — bypasses the MFA entirely. Scattered Spider members have demonstrated sophisticated ability to execute SIM swaps, sometimes through corrupt carrier employees and sometimes through their own social engineering of carrier help desks.

Impersonation of IT and security vendors. Once inside, the group has in several cases impersonated the organisation’s own IT staff or its security vendors (Okta and CrowdStrike among them) in communications with employees, in order to escalate access or to have remote access tools installed under the pretence of incident response.
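Two of the techniques above, push bombing and a help desk reset followed by a login from an unfamiliar address, leave a recognisable pattern in identity provider logs. The following is an added example written for this article, not code from the original page, from MGM, or from any identity vendor; it runs over a constructed, simplified event list (event names such as `mfa.push` and `user.credential.reset`, the `actor` field, and the thresholds are assumptions, not any provider’s real schema) and flags both patterns.

```python
"""Detection logic for two identity-log patterns seen in Scattered Spider intrusions:
MFA push bombing, and a help-desk credential reset followed by a login from a new IP.
Added example; the event schema below is simplified and assumed, not a vendor's."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are ISO 8601, UTC.
SAMPLE_EVENTS = [
    # Baseline: jdoe's normal office login the day before.
    {"ts": "2023-09-09T09:00:00", "user": "jdoe", "event": "user.login", "outcome": "ALLOW", "ip": "198.51.100.5"},
    {"ts": "2023-09-09T09:00:05", "user": "jdoe", "event": "mfa.push", "outcome": "ALLOW", "ip": "198.51.100.5"},
    # Benign noise: asmith rejects one push by accident, then approves.
    {"ts": "2023-09-10T19:50:00", "user": "asmith", "event": "mfa.push", "outcome": "DENY", "ip": "198.51.100.9"},
    {"ts": "2023-09-10T19:50:20", "user": "asmith", "event": "mfa.push", "outcome": "ALLOW", "ip": "198.51.100.9"},
    {"ts": "2023-09-10T19:50:25", "user": "asmith", "event": "user.login", "outcome": "ALLOW", "ip": "198.51.100.9"},
    # Help desk resets jdoe after a phone call; pushes then hammer jdoe's phone from a new IP.
    {"ts": "2023-09-10T20:00:00", "user": "jdoe", "event": "user.credential.reset", "outcome": "ALLOW", "ip": "10.0.0.12", "actor": "helpdesk"},
    {"ts": "2023-09-10T20:03:00", "user": "jdoe", "event": "mfa.push", "outcome": "DENY", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T20:03:40", "user": "jdoe", "event": "mfa.push", "outcome": "TIMEOUT", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T20:04:30", "user": "jdoe", "event": "mfa.push", "outcome": "DENY", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T20:05:10", "user": "jdoe", "event": "mfa.push", "outcome": "DENY", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T20:06:00", "user": "jdoe", "event": "mfa.push", "outcome": "ALLOW", "ip": "203.0.113.7"},
    {"ts": "2023-09-10T20:06:05", "user": "jdoe", "event": "user.login", "outcome": "ALLOW", "ip": "203.0.113.7"},
]

PUSH_WINDOW = timedelta(minutes=10)   # look-back for rejected/expired pushes (assumed tuning)
PUSH_THRESHOLD = 4                    # failed pushes before an approval that trigger an alert
RESET_WINDOW = timedelta(hours=2)     # reset -> first login from an unknown IP


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_push_fatigue(events, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Alert when a user approves a push after >= threshold DENY/TIMEOUT pushes within window."""
    alerts = []
    pushes = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["event"] == "mfa.push":
            pushes[e["user"]].append(e)
    for user, seq in pushes.items():
        failures = []                          # recent DENY/TIMEOUT pushes for this user
        for e in seq:
            t = _ts(e)
            failures = [f for f in failures if t - _ts(f) <= window]
            if e["outcome"] in ("DENY", "TIMEOUT"):
                failures.append(e)
            elif e["outcome"] == "ALLOW":
                if len(failures) >= threshold:
                    alerts.append({
                        "rule": "mfa_push_fatigue",
                        "user": user,
                        "ts": e["ts"],
                        "failed_pushes": len(failures),
                        "source_ips": sorted({f["ip"] for f in failures}),
                    })
                failures = []                  # an approval closes the episode either way
    return alerts


def detect_helpdesk_reset_abuse(events, window=RESET_WINDOW):
    """Alert when a help-desk-initiated reset is followed, within window, by a successful
    login from an IP the user has never successfully logged in from before."""
    alerts = []
    known_ips = defaultdict(set)               # user -> IPs seen on earlier successful logins
    pending = {}                               # user -> most recent help desk reset event
    for e in sorted(events, key=_ts):
        user = e["user"]
        if e["event"] == "user.credential.reset" and e.get("actor") == "helpdesk":
            pending[user] = e
        elif e["event"] == "user.login" and e["outcome"] == "ALLOW":
            reset = pending.get(user)
            if (reset is not None and _ts(e) - _ts(reset) <= window
                    and e["ip"] not in known_ips[user]):
                alerts.append({
                    "rule": "helpdesk_reset_then_new_ip_login",
                    "user": user,
                    "reset_ts": reset["ts"],
                    "login_ts": e["ts"],
                    "ip": e["ip"],
                })
                del pending[user]
            known_ips[user].add(e["ip"])       # learn the IP only after the check
    return alerts


def run(events=SAMPLE_EVENTS):
    """Run both detections and return the combined alert list."""
    return detect_push_fatigue(events) + detect_helpdesk_reset_abuse(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data both rules fire for `jdoe` and neither fires for `asmith`, whose single rejected push is ordinary user behaviour. In production the interesting tuning is the threshold and window for push fatigue (too low and you page on fat fingers, too high and you miss a patient attacker) and what counts as a “known” address for the reset rule; a per-user ASN or country baseline is usually a better key than the raw IP.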

The MGM and Caesars Attacks

The September 2023 campaigns against MGM Resorts and Caesars Entertainment demonstrated the group’s capability at scale.

Caesars Entertainment was reportedly hit in August 2023, before the MGM attack. Caesars paid a ransom of approximately $15 million, half the $30 million initially demanded, to prevent publication of stolen data. The company disclosed the incident in a regulatory filing in September 2023, in the same week that the MGM disruption was dominating coverage, which drew attention away from Caesars’ response.

MGM Resorts chose not to pay. The consequences were visible: roughly ten days of disruption, systems rebuilt from scratch, and public disclosure that damaged the company’s reputation and drew regulatory and legal scrutiny. The estimated $100 million cost covers lost revenue, recovery costs, and ongoing security investment. For the MGM attack Scattered Spider worked as an affiliate of the ALPHV/BlackCat ransomware-as-a-service operation, which supplied the ransomware deployed once social engineering had delivered initial access.

The contrast between the two responses — Caesars paid and largely avoided public disruption, MGM did not pay and suffered extensive visible consequences — does not represent a simple lesson. Paying ransoms funds further attacks and does not guarantee data will not be published. Not paying accepts operational disruption. Both outcomes impose significant cost. The best outcome available in a Scattered Spider attack is preventing it in the first place.

Why This Group Is Hard to Defend Against

Technical cyber defences are built on the assumption that attackers are exploiting technical vulnerabilities. Deploy patches, harden configurations, deploy detection tools, and you reduce the attack surface.

Social engineering attacks exploit human vulnerabilities. The help desk agent who reset the MGM employee’s account was not doing something wrong — they were following their training and doing their job. The fault was not in the individual but in a system that allowed a single phone call to grant access to a high-privilege account without sufficient verification.

This creates several defensive challenges that are genuinely hard:

Scale and volume. Large organisations have hundreds of employees contacting help desks daily for legitimate reasons. Treating every call as a potential social engineering attempt creates friction that imposes real costs on the organisation. Finding the right balance is genuinely difficult.

The convincing caller problem. When a caller has your real employee’s name, title, manager’s name, start date, and home city, all publicly available on LinkedIn, what verification procedure distinguishes them from the real employee? Increasingly, the answer is that knowledge-based verification cannot, and that sensitive account recovery actions must be bound to something a remote caller cannot harvest: a hardware authenticator the employee already holds, an in-person or video identity check, or out-of-band confirmation through the employee’s manager.

Insider threat vectors. In several documented Scattered Spider cases, the group recruited or bribed mobile carrier employees to execute SIM swaps. Technical controls cannot fully address the insider threat dimension.

What Organisations Can Do

Defending against social engineering requires layered controls across identity, process, and culture:

Eliminate knowledge-based account recovery. Any process that allows a caller to reset credentials or MFA by correctly answering security questions should be replaced with a process requiring hardware token verification or manager approval for sensitive actions. Help desks should never be able to reset high-privilege accounts — only identity management systems with appropriate approval workflows should be able to do that.

Deploy phishing-resistant MFA. FIDO2/passkeys and hardware security keys are not vulnerable to MFA fatigue attacks or SIM swapping: the authenticator signs a challenge bound to the site’s origin, so there is no prompt to approve and no code to intercept. For high-value accounts (IT admins, finance, senior executives) these should be mandatory. SMS-based MFA provides minimal protection against a group with SIM-swapping capability. None of this helps if the enrolment and reset paths are weaker than the factor itself: an authenticator that can be replaced by a phone call to the help desk is phishing-resistant in name only.
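The two recommendations above, no knowledge-based recovery and phishing-resistant factors whose reset path is as strong as the factor, can be written down as a policy check that help desk tooling runs before any reset is actioned. The following is an added example for this article, not MGM’s, Caesars’ or any vendor’s code; the role names, the evidence labels, and the seven-day cooldown on a recently changed phone number are illustrative assumptions.

```python
"""Policy check for help-desk-initiated account recovery requests.
Added example; role names, evidence labels and the phone-change cooldown are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional, Set

# Evidence a caller can offer, grouped by how hard it is for an attacker to obtain.
# Knowledge-based answers are anything assembled from LinkedIn or an earlier breach.
KNOWLEDGE_BASED = {"security_questions", "employee_id", "manager_name", "start_date"}
PHISHING_RESISTANT = {"fido2_assertion", "in_person_id_check", "video_id_check"}
CALLBACK = "callback_to_number_on_file"   # defeated by a SIM swap, so treated as medium

PRIVILEGED_ROLES = {"domain_admin", "okta_admin", "finance_approver", "executive"}
SENSITIVE_ACTIONS = {"password_reset", "mfa_reset"}
PHONE_COOLDOWN = timedelta(days=7)        # assumed: distrust a number changed this recently


@dataclass
class Account:
    username: str
    roles: Set[str]
    phone_changed_at: Optional[datetime] = None   # last change to the number on file


@dataclass
class RecoveryRequest:
    account: Account
    action: str                                   # "password_reset" | "mfa_reset" | "unlock"
    evidence: Set[str] = field(default_factory=set)
    manager_approval: bool = False                # confirmed out of band, not by the caller
    now: datetime = field(default_factory=datetime.now)


@dataclass
class Decision:
    outcome: str                                  # "allow" | "deny" | "escalate"
    reason: str


def evaluate(req: RecoveryRequest) -> Decision:
    acct = req.account
    # Rule 1: the help desk never touches privileged accounts; those go to the IAM
    # workflow that requires manager approval plus a hardware-token proof.
    if acct.roles & PRIVILEGED_ROLES:
        return Decision("escalate", "privileged account: IAM workflow with manager approval required")
    if req.action not in SENSITIVE_ACTIONS | {"unlock"}:
        return Decision("deny", f"unknown action {req.action!r}")
    strong = req.evidence & PHISHING_RESISTANT
    if req.action in SENSITIVE_ACTIONS:
        # Rule 2: a credential or MFA reset needs proof a remote caller cannot harvest.
        if strong:
            return Decision("allow", f"verified by {sorted(strong)[0]}")
        if CALLBACK in req.evidence:
            changed = acct.phone_changed_at
            if changed is not None and req.now - changed < PHONE_COOLDOWN:
                return Decision("escalate", "number on file changed recently; possible SIM swap")
            if req.manager_approval:
                return Decision("allow", "callback to number on file plus manager approval")
            return Decision("escalate", "callback alone is insufficient for a credential or MFA reset")
        if req.evidence and req.evidence <= KNOWLEDGE_BASED:
            return Decision("deny", "only knowledge-based verification offered")
        return Decision("deny", "no acceptable verification offered")
    # Rule 3: unlocking a non-privileged account grants nothing new, so any evidence will do.
    if req.evidence:
        return Decision("allow", "unlock after verification")
    return Decision("deny", "no verification offered")


def demo_cases():
    """Constructed scenarios, including the article's help desk call; returns name -> outcome."""
    now = datetime(2023, 9, 10, 20, 0)
    staff = Account("jdoe", roles={"it_support"})
    admin = Account("ops-admin", roles={"domain_admin"})
    swapped = Account("rlee", roles=set(), phone_changed_at=now - timedelta(days=1))
    cases = {
        # The MGM-style call: convincing LinkedIn-derived details and nothing else.
        "linkedin_details_only": RecoveryRequest(staff, "password_reset", {"manager_name", "start_date"}, now=now),
        "admin_any_evidence": RecoveryRequest(admin, "mfa_reset", {"fido2_assertion"}, manager_approval=True, now=now),
        "sim_swap_callback": RecoveryRequest(swapped, "mfa_reset", {CALLBACK}, manager_approval=True, now=now),
        "callback_plus_manager": RecoveryRequest(staff, "password_reset", {CALLBACK}, manager_approval=True, now=now),
        "hardware_key": RecoveryRequest(staff, "mfa_reset", {"fido2_assertion"}, now=now),
    }
    return {name: evaluate(r).outcome for name, r in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo_cases().items():
        print(f"{name:24s} -> {outcome}")
```

The point of encoding the rule is that the agent on the phone no longer has to win an argument with a persuasive caller: the tool refuses, and the only way forward is the escalation path. The callback branch shows why the SIM-swapping capability described earlier matters to this control, since a number on file that changed yesterday is exactly what a successful swap looks like.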

Assume LinkedIn is opposition research. The level of information available about your organisation’s internal structure, staff names, and technical environment from public sources should be audited. Overly detailed LinkedIn profiles for IT and security staff are a reconnaissance asset for attackers.

Run social engineering simulations. Penetration testing typically focuses on technical controls. Red team exercises that include vishing, pretexting, and other social engineering give organisations a realistic picture of how well their human controls hold up. Most organisations that run them find significant gaps.

Treat help desk as a security control. Help desk staff need specific social engineering resistance training, with realistic scenarios drawn from documented attacks. The training should include clear escalation procedures for suspicious calls and should be reinforced regularly — not delivered once during onboarding.

Scattered Spider is not going away. The techniques work too well, the group is adaptive, and the criminal ecosystem that supports it is resilient. The organisations least likely to become victims are those that have treated their identity and help desk controls with the same rigour they apply to their network perimeter.
