By Lyrie Research Division·5/13/2026

Scattered Spider / ShinyHunters: The English-Speaking Cybercrime Syndicate That Won't Die — Full 2026 Profile

TL;DR

Scattered Spider — also tracked as UNC3944, Octo Tempest, Muddled Libra, and now operationally merged with ShinyHunters — is the most consequential native-English-speaking cybercrime collective active today. They use social engineering, SMS phishing, SIM swapping, and MFA fatigue attacks to penetrate enterprises that technical nation-state APTs would find far harder to crack. Between 2022 and 2026, the group (or its overlapping successor coalition) breached MGM Resorts, Caesars Entertainment, Marks & Spencer, Qantas, Google, Coinbase, AT&T, and hundreds more — racking up ransom payments, $13M+ in crypto theft, and data exposure events affecting hundreds of millions of records. Law enforcement has secured guilty pleas and convictions against multiple members, but the enterprise-level tradecraft lives on: as individuals are jailed, the collective adapts, rebrands, and recruits. This profile covers who they are, how they operate, what's changed in 2026, and what defenders must do right now.


Background: Who Is Scattered Spider?

Scattered Spider crystallized around May 2022 as a loose, English-speaking collective of teenagers and young adults — mostly from the United States and United Kingdom — with extraordinary social engineering skills and ambitions to match. Unlike state-sponsored APTs with military-grade infrastructure and patient tradecraft, this group weaponized what nation-states can rarely fake: fluent, native English and an intuitive understanding of corporate culture.

The group operates under a staggering number of aliases across the vendor community:

  • UNC3944 (Mandiant/Google)
  • Octo Tempest / Storm-0875 (Microsoft)
  • Muddled Libra (Palo Alto Unit 42)
  • Scatter Swine / Star Fraud (colloquial)
  • Oktapus (Group-IB, from the 2022 Twilio/Okta campaign)

Since late 2024 and accelerating through 2025, the group has increasingly overlapped with or effectively merged with ShinyHunters (also tracked as UNC6040), another prolific English-language data extortion group. Together, they and elements of Lapsus$ have forged what analysts now describe as a federated cybercrime collective, operating at least 16 Telegram coordination channels since August 2025.

The group is broadly affiliated with "The Com" — an underground network of English-speaking hackers with roots in SIM-swapping and cryptocurrency theft communities, itself a subset of a broader loosely-affiliated criminal ecosystem that bleeds into "The Community" (sometimes called "the Hacker Com").


Evolution: From Telco SIM-Swapper to Enterprise Ransomware Operator

Phase 1 — Telecommunications Assault (2022)

Scattered Spider's opening campaign was industrial-scale SMS phishing against telecom and technology companies. Their 2022 Oktapus campaign sent tens of thousands of smishing messages to employees of firms including Twilio, LastPass, DoorDash, and Mailchimp. The messages impersonated IT vendors and BPO contractors, directing victims to credential-harvesting pages that captured usernames, passwords, and — critically — one-time MFA codes.

From those initial footholds, the group pivoted to SIM swapping: transferring victim phone numbers to attacker-controlled devices to intercept SMS-based authentication tokens, drain cryptocurrency wallets, and move laterally through cloud environments.

Tyler Robert Buchanan ("Tylerb"), 24, of Dundee, Scotland — one of the group's most prominent members — ran this campaign directly. FBI investigators tied him to the phishing infrastructure through NameCheap domain registrations traced to his UK IP address. When a rival gang invaded his home and threatened him with a blowtorch, he fled the UK; Spanish authorities arrested him at Palma de Mallorca airport in June 2024 while he was boarding a flight to Italy. Extradited to the US in April 2025, Buchanan pleaded guilty on April 21, 2026 to conspiracy to commit wire fraud and aggravated identity theft — stealing at least $8 million from individual cryptocurrency investors across the United States. He faces sentencing August 21, 2026, with a statutory maximum of 22 years.

Phase 2 — Enterprise Ransomware and Casino Chaos (2023)

By 2023, Scattered Spider had graduated from crypto theft to full enterprise extortion. Their help-desk social engineering reached a terrifying level of polish. Operators would call corporate IT support lines, impersonating employees or contractors and, using information scraped from LinkedIn and data obtained in earlier breaches, convincingly request credential resets and MFA device registrations. Once inside, they deployed the ALPHV/BlackCat ransomware-as-a-service affiliate program to encrypt and extort.

The twin casino attacks of September 2023 made them infamous:

  • Caesars Entertainment: The group extracted driver's license numbers and Social Security numbers for tens of millions of loyalty members. Caesars paid a $15 million ransom (half their original $30M demand) to suppress disclosure.
  • MGM Resorts International: MGM refused to pay. The result was a catastrophic 10-day outage costing the company an estimated $100–150 million. Hotel room keys failed. Casino floors went dark. ATMs stopped. The attack began with a 10-minute LinkedIn search and a single vishing call to MGM's IT help desk.

Both attacks triggered Congressional hearings, SEC disclosure questions, and an industry-wide reckoning with how easily a skilled social engineer can collapse an MFA-protected enterprise perimeter.

Phase 3 — Transatlantic Expansion and ShinyHunters Merger (2024–2025)

Through 2024, the group expanded targets geographically and sector-wise. Notable incidents include:

  • Marks & Spencer (UK): A ransomware attack in 2025 attributed to Scattered Spider caused significant operational disruption to the British retail giant, affecting contactless payments, online orders, and loyalty systems.
  • Snowflake customer attacks: Members breached dozens of organizations via compromised Snowflake cloud storage credentials, including AT&T (which had ~110 million customer records exposed) and Ticketmaster.
  • Qantas (July 2025): Australian airline breach exposed data of approximately 5.7 million customers.

Simultaneously, reporting from DataBreaches.net and multiple researchers confirmed an operational merger with ShinyHunters — itself responsible for breaches at Ticketmaster, Santander, AT&T Wireless, PowerSchool, and dozens more. The combined coalition formed at least 16 Telegram coordination channels by August 2025, effectively creating a platform-as-a-service for data extortion with shared intelligence, victim lists, and negotiation expertise.

Their 2025–2026 targeting wave has included Salesforce, Google, Workday, Louis Vuitton, Gucci, Adidas, Jaguar Land Rover, Coinbase, Air France-KLM, Allianz Life, and TransUnion. In May 2026, ShinyHunters claimed to have stolen 275 million records from Instructure's Canvas learning management platform — affecting approximately 9,000 schools and universities including the University of Pennsylvania.


Technical & Strategic Analysis: The TTP Stack

What makes Scattered Spider uniquely dangerous is that their primary weapons are not technical exploits — they are psychological ones. Their kill chain:

Initial Access

1. SMS Phishing (Smishing): Mass-scale phishing messages impersonating corporate IT, BPO vendors, Okta, or authentication providers. Links lead to pixel-perfect clone login pages that capture credentials and real-time MFA tokens.

2. Voice Phishing (Vishing): Operators call IT help desks. Armed with OSINT (LinkedIn, breached employee directories, HIBP-exposed credentials), they answer security questions convincingly and request password resets or new device MFA enrollment.

3. MFA Fatigue Attacks: For push-based MFA, the group floods victims with authentication requests until the target accepts one simply to stop the notifications.

4. SIM Swapping: Using stolen identity documents or social engineering mobile carrier support lines, attackers port victim numbers to attacker-controlled SIMs, intercepting SMS OTPs.

Lateral Movement

  • Deep reconnaissance in Microsoft Azure, AWS, and Google Workspace — the group maps cloud IAM roles and service accounts with precision
  • Abuse of legitimate remote access tools (AnyDesk, TeamViewer, ConnectWise ScreenConnect) to maintain persistence while blending into normal IT traffic
  • CVE-2015-2291: An ancient IQVW64.sys (Intel Ethernet diagnostics driver) vulnerability used via the BYOVD (Bring Your Own Vulnerable Driver) technique to terminate endpoint detection and response (EDR) agents

Impact

  • Ransomware deployment: ALPHV/BlackCat affiliate and more recently direct extortion
  • Data theft and double extortion: Exfiltrating sensitive data before or instead of encryption
  • Cryptocurrency theft: SIM-swap-enabled draining of exchange accounts and wallets

Legal Status: Members Arrested, Collective Persists

| Member | Alias | Status (May 2026) |
|---|---|---|
| Tyler Robert Buchanan, 24 (UK) | Tylerb | Pleaded guilty April 2026; sentencing August 2026 |
| Noah Michael Urban, 21 (US-FL) | Sosa / Elijah | 10 years + $13M restitution (sentenced 2025) |
| Peter Stokes, 19 (Estonian-US) | Bouquet | Arrested Helsinki Airport, April 10, 2026 |
| Unnamed juvenile (UK, Walsall) | Unknown | Arrested July 2024, bailed; device examined |
| Unnamed juvenile (US) | Unknown | Surrendered Clark County Juvenile Detention, Sept 2025 |
| Ahmed Hossam Eldin Elbadawy, 24 (TX) | AD | Charged; facing up to 20 years |
| Evans Onyeaka Osiebo, 21 (TX) | Unknown | Charged; facing up to 20 years |
| Joel Martin Evans, 26 (NC) | joeleoli | Charged; facing up to 20 years |

Geographies of arrest: UK, Spain, Finland, US. The international enforcement coordination represents meaningful progress — but the broader collective (particularly the ShinyHunters-merged operations) continues operating with new recruits.

The case reveals a pattern: individual actors burn bright and young, make operational security mistakes (reused usernames, UK-traced domain registrations, personal device searches linked to breach data), and eventually get swept up. But the tradecraft transfers. The 2022 smishing playbooks are archived. The help-desk vishing scripts are circulating on Telegram. The group functions less like a cell that can be decapitated and more like a distributed franchise.


Indicators of Compromise (IOCs)

⚠️ Many IOCs from Scattered Spider campaigns are rapidly rotated. The items listed below are structural patterns rather than point-in-time indicators.

Phishing Infrastructure Patterns:

  • Domain registration via NameCheap using privacy protection services; domains registered days before campaign launch
  • Subdomain patterns mimicking corporate SSO/VPN portals: vpn-[company].com, [company]-okta.com, [company]-helpdesk.com, sso.[company]-corp.net
  • Certificate issuance via ZeroSSL or Let's Encrypt within 48 hours of domain registration

Network IOCs (historical):

  • Outbound connections to legitimate remote administration tools (AnyDesk, TeamViewer) initiated from service accounts outside business hours
  • Azure AD audit logs: MFA device registration from new device + unfamiliar geography within 60 minutes of password reset event
  • IQVW64.sys hash: SHA256: 5c0f375e04e86e2ae1f1e9e88d8b7c62a8e7d84... (CVE-2015-2291 BYOVD vector — see LOLDRIVERS catalog)

Behavioral IOCs:

  • Help desk calls invoking urgency ("I'm locked out before a big meeting")
  • Requests to add a new authenticator app citing "lost/broken phone"
  • Okta or Azure portal logins from residential VPN or mobile carrier IP immediately following a help desk interaction
  • Snowflake, S3, or Google Drive mass-export jobs triggered by service account at unusual hours

The Lyrie Take

Scattered Spider is a symptom of a structural failure: enterprises over-invested in technical controls and under-invested in human-layer defenses. A firewall doesn't care if the person on the phone convincingly claims to be an employee. An MFA push notification arrives whether the login is legitimate or adversarial.

The threat this group represents has evolved and federated. The original Scattered Spider members are being prosecuted — but the techniques they pioneered (smishing-to-AiTM, help-desk vishing, MFA fatigue, cloud lateral movement) have become the standard playbook for a generation of English-speaking cybercriminals. The 2025 ShinyHunters merger turned an already sophisticated collective into something closer to a full-spectrum data extortion platform — with victim targeting pipelines, negotiation specialists, and cloud-native exfiltration infrastructure.

The 2026 arrest count (Bouquet apprehended at Helsinki Airport; Buchanan pleading guilty; Urban serving 10 years) suggests law enforcement is making real progress. But enterprises cannot wait for handcuffs. The collective's operational tempo — targeting Instructure's 275M records the same month members are being arraigned — proves the legal pressure has not slowed them.

Lyrie detects Scattered Spider / ShinyHunters-pattern attacks through behavioral analysis of identity-layer events: anomalous MFA registrations, help-desk-correlated credential changes, unusual cloud storage export jobs, and BYOVD driver load events. The human attack surface requires AI-native behavioral baselines, not just signature matching.


Defender Playbook

Immediate Actions

1. Harden the help desk. Require call-back verification to a registered corporate number on file — not the number the caller provides. Never reset MFA or credentials via inbound call alone. Implement out-of-band supervisor approval for all MFA device adds.

2. Replace SMS-based MFA entirely. FIDO2/passkeys are immune to SIM swap and smishing interception. If push-based MFA must remain, enable number matching and require geolocation verification.

3. Monitor Azure AD / Entra for MFA device registrations. Alert immediately on: new authenticator registration from unfamiliar IP, registration within 10 minutes of a password reset, registration from a country not in the employee's normal geolocation.

4. Inventory and restrict remote access tools. AnyDesk, TeamViewer, and ScreenConnect should be allowlisted only on specific enterprise-enrolled endpoints. Any unexpected install should trigger an EDR alert.

5. Block BYOVD driver abuse. Enable Hypervisor-Protected Code Integrity (HVCI) on Windows endpoints. Maintain WDAC policies that deny known-vulnerable driver hashes (reference LOLDRIVERS.io). Specifically block IQVW64.sys (CVE-2015-2291).

6. Enable Conditional Access with device compliance. Azure AD Conditional Access requiring Intune-compliant devices prevents attacker-controlled devices from receiving OAuth tokens even after credential theft.

7. Reduce cloud exfiltration surface. In Snowflake, enforce network policy objects (IP allowlisting). Enable query result caching limits and alert on large COPY INTO or SELECT * operations from service accounts.

8. Train employees with vishing simulations. Tabletop exercises are insufficient — run live red team vishing against help desk staff quarterly. Humans need behavioral conditioning, not just policy awareness.

Detection Queries (Pseudo-SIEM)

# Suspicious MFA device add after password reset
event.type: "UserAuthenticatorAdded"
AND time_since_last_PasswordReset < 15m
AND source.ip_country != user.home_country

# BYOVD — vulnerable Intel driver load
event.category: driver_load
AND file.name: "IQVW64.sys"

# Mass cloud export
event.action: "storage.objects.list" OR "CopyInto"
AND user.type: service_account
AND hour_of_day: [20, 21, 22, 23, 0, 1, 2, 3, 4, 5]
AND rows_exported > 100000
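The pseudo-SIEM rules above are query sketches rather than runnable logic. As an added example (not code from the original profile or from Lyrie), the following Python implements the first rule (authenticator added shortly after a password reset, from a country other than the user's home country, per playbook item 3) and the third rule (large off-hours export by a service account) over a constructed event log. The event schema, field names, usernames and timestamps are assumptions made for this example, not a real Entra ID, Okta or Snowflake audit format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed event schema for this example; field names are assumptions,
# not a real SIEM or audit-log format.
@dataclass
class Event:
    ts: datetime
    event_type: str        # e.g. "PasswordReset", "UserAuthenticatorAdded", "CopyInto"
    user: str
    ip_country: str = ""   # country of the source IP
    home_country: str = "" # user's normal geolocation from HR/identity data
    user_type: str = "user"
    rows_exported: int = 0

RESET_WINDOW = timedelta(minutes=15)          # matches the pseudo-rule's 15m
NIGHT_HOURS = {20, 21, 22, 23, 0, 1, 2, 3, 4, 5}
EXPORT_THRESHOLD = 100_000

def mfa_add_after_reset(events):
    """Rule 1: flag UserAuthenticatorAdded events that follow a PasswordReset
    for the same user within RESET_WINDOW and come from a country other than
    the user's home country. Returns (user, timestamp, ip_country) tuples."""
    last_reset = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_type == "PasswordReset":
            last_reset[ev.user] = ev.ts
        elif ev.event_type == "UserAuthenticatorAdded":
            reset_ts = last_reset.get(ev.user)
            if reset_ts is None:
                continue  # no preceding reset for this user
            if ev.ts - reset_ts <= RESET_WINDOW and ev.ip_country != ev.home_country:
                alerts.append((ev.user, ev.ts.isoformat(), ev.ip_country))
    return alerts

def mass_export_off_hours(events):
    """Rule 3: flag large storage exports run by service accounts during
    off-hours. Returns (user, timestamp, rows_exported) tuples."""
    return [
        (ev.user, ev.ts.isoformat(), ev.rows_exported)
        for ev in events
        if ev.event_type in ("storage.objects.list", "CopyInto")
        and ev.user_type == "service_account"
        and ev.ts.hour in NIGHT_HOURS
        and ev.rows_exported > EXPORT_THRESHOLD
    ]

# Constructed sample log (not real data): one true positive per rule plus
# near-misses that should not alert.
T = datetime(2026, 5, 1, 14, 0)
SAMPLE_EVENTS = [
    Event(T, "PasswordReset", "alice", "US", "US"),
    Event(T + timedelta(minutes=6), "UserAuthenticatorAdded", "alice", "NL", "US"),   # alert
    Event(T, "PasswordReset", "bob", "US", "US"),
    Event(T + timedelta(minutes=40), "UserAuthenticatorAdded", "bob", "NL", "US"),    # outside window
    Event(T + timedelta(minutes=3), "UserAuthenticatorAdded", "carol", "DE", "DE"),   # no reset, home country
    Event(datetime(2026, 5, 1, 23, 30), "CopyInto", "svc-snowflake-etl",
          user_type="service_account", rows_exported=250_000),                        # alert
    Event(datetime(2026, 5, 1, 10, 30), "CopyInto", "svc-snowflake-etl",
          user_type="service_account", rows_exported=250_000),                        # business hours
    Event(datetime(2026, 5, 2, 2, 0), "storage.objects.list", "dave",
          user_type="user", rows_exported=500_000),                                   # human account
]

if __name__ == "__main__":
    for alert in mfa_add_after_reset(SAMPLE_EVENTS):
        print("MFA-after-reset:", alert)
    for alert in mass_export_off_hours(SAMPLE_EVENTS):
        print("Off-hours export:", alert)
```

One caveat worth keeping in mind when tuning the first rule: the country mismatch condition suppresses noise from legitimate resets, but an operator calling the help desk from the same country as the employee will not trip it, so a stricter deployment should also alert on any authenticator registration within the reset window when the help desk ticket lacks the out-of-band approval described in playbook item 1.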

Sources

1. Krebs on Security — "'Scattered Spider' Member 'Tylerb' Pleads Guilty" (April 2026): https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/

2. Help Net Security — "Scattered Spider hacker pleads guilty to stealing $8 million in cryptocurrency" (April 21, 2026): https://www.helpnetsecurity.com/2026/04/21/british-national-scattered-spider-guilty-sms-phishing/

3. BleepingComputer — "British Scattered Spider hacker pleads guilty to crypto theft charges" (2026): https://www.bleepingcomputer.com/news/security/british-scattered-spider-hacker-pleads-guilty-to-crypto-theft-charges/

4. Wikipedia — Scattered Spider (updated May 2026): https://en.wikipedia.org/wiki/Scattered_Spider

5. Wikipedia — ShinyHunters (updated May 2026): https://en.wikipedia.org/wiki/ShinyHunters

6. DOJ Press Release — Tyler Robert Buchanan guilty plea: https://www.justice.gov/usao-cdca/pr/british-national-pleads-guilty-hacking-companies-and-stealing-least-8-million-virtual

7. DoControl — "Who Is ShinyHunters? Tactics, Top Attacks & Defense": https://www.docontrol.io/blog/shinyhunters

8. Ogun Security — "ShinyHunters: Inside the Cybercrime Syndicate Reshaping Global Data Extortion" (May 2026): https://www.ogunsecurity.com/post/shinyhunters-inside-the-cybercrime-syndicate-reshaping-global-data-extortion


Lyrie.ai Cyber Research Division — Senior Analyst Desk

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.