🇺🇸🇬🇧 Scattered Spider¶

Threat-actor battle card · maintained from public sources · last updated 2026-06-22 · also known as UNC3944, Octo Tempest, Oktapus, Muddled Libra, Scatter Swine

CategoryData-extortion / social engineering

AttributionNative English-speaking, loosely organised (The Com ecosystem)

First seenLate 2022

StatusActive

Primary targetsTelecom, Entertainment, IT, Insurance, Large enterprises

Overview¶

Scattered Spider (UNC3944 / Octo Tempest) is a data-extortion crew active since late 2022, profiled in CISA advisory AA23-320A (updated July 2025). It specialises in social engineering of IT help desks to breach large enterprises, and has increasingly paired its intrusions with DragonForce ransomware. Tracked qualitatively (no DLS leaderboard).

Tradecraft¶

Help-desk social engineering, MFA push-bombing and SIM-swapping to capture credentials and bypass MFA.
Registers its own MFA tokens and deploys RMM tools for persistence.
Counter-IR: monitors victim Slack / Teams / Exchange for response activity and joins incident bridge calls to track defenders.
Extensive OSINT recon on B2B sites and social media to pick high-value targets.

Notable recent victims¶

Aflac (US insurance) — June 2025 social-engineering intrusion; 22.6M people notified (≥13.9M with PHI)

Assessment¶

The premier social-engineering threat to large enterprises — your help desk and identity-recovery flows are the attack surface, not just your perimeter. Phishing-resistant MFA and hardened help-desk verification are the controls that matter.

Sources¶

🗂️ Attacks & victims¶

All disclosed victims attributed to this actor, newest first.

June 2026

Jun 19 Aflac Scattered Spider Extortion · insurance · US 🟩 Corroborated · 🇺🇸🇬🇧 Native English-speaking, loosely organised (The Com ecosystem) · disclosed 6d ago · June 2025 social-engineering intrusion; 22.6M people notified (≥13.9M with PHI) · Sources: The Record / HIPAA Journal

← All threat actors · Full victim database →