Inside Scattered Spider Indictments: What Security Leaders Need to Know
Scattered Spider is back in the news. In September 2025, authorities unsealed an indictment against UK national Thalha Jubair, while a 17-year-old in Nevada turned himself in on related charges. These are only the latest in a string of arrests and indictments tied to Scattered Spider, one of today’s most disruptive cybercriminal crews.
But the real story isn’t just that cybercriminals were charged—it’s what the indictments tell us. Court documents give us a rare inside look at Scattered Spider’s structure, the kinds of victims they target, and the mistakes that helped law enforcement track them down. For defenders, this is actionable intelligence. Let’s dive into what happened and the key takeaways for your organization’s cybersecurity team.
A Loose, Distributed Crew
Scattered Spider isn’t a traditional, hierarchical gang. It’s more like a loose federation of hackers, often teenagers or early-career cybercriminals, recruited from Telegram and Discord communities.
“There is a very distributed structure to this group,” said Matt Durrin, director of training and research for LMG Security. “Physically, lots of different locations. And to me, it almost seems like a gaming community, almost like it is a series of people who are spread across the world.”
The group’s members specialize in different areas—some run phishing infrastructure, others perform SIM swaps or call help desks, and still others handle cryptocurrency wallets and launder ransom payments. This division of labor lets Scattered Spider scale attacks across many industries.
The Victims: From MGM to the U.S. Courts
The indictments and related cases make it clear that no sector is safe. A few high-profile victims stand out:
- MGM Resorts — A Las Vegas teenager, who later surrendered to authorities in Nevada, admitted involvement in the MGM hack. Attackers called the help desk, had credentials reset, and used that foothold to infiltrate MGM’s Okta environment. The breach disrupted casinos and hotels for days and, according to MGM’s SEC filings, caused roughly $100 million in damages.
- Caesars Entertainment — Paid a reported $15 million ransom after attackers tricked the help desk into resetting credentials.
- Clorox — Suffered major business disruption and paid an estimated $7 million ransom after a help desk social engineering attack.
- U.S. Courts — In January 2025, Jubair personally phoned judiciary IT support, had accounts reset, including a magistrate judge’s, and searched mailboxes for “subpoena” and “scattered spider.”
- American Water Works (likely) — The Jubair indictment describes a critical infrastructure victim breached through a New Jersey help desk in October 2024. While the company is not named, public disclosures by American Water match the description.
What ties these incidents together isn’t a novel zero-day exploit. It’s social engineering, especially help desk manipulation.
The Tactics: Low Tech, High Impact
Scattered Spider’s playbook is remarkably simple, and remarkably effective:
- Help Desk Social Engineering: Pretend to be an employee, call IT, and convince staff to reset credentials.
- MFA Fatigue and Bypass: Send repeated push requests until the user taps “Approve,” or message the user directly over WhatsApp and talk them into approving a prompt.
- SIM Swaps & Phishing Kits: Target telecom providers to hijack phone numbers, or run phishing domains that funnel credentials to Telegram channels.
- Open-Source Recon: Collect employee details from LinkedIn or breached credential dumps.
“They are not using tactics in a lot of these cases that are highly technologically advanced,” noted Sherri Davidoff, founder of LMG Security. “They’re literally just going after the low-hanging fruit in an organization.”
How Law Enforcement Closed In
Jubair’s undoing was his role as the “money guy.” He helped manage the ransom wallets and the servers used to launder payments. Investigators traced ransom Bitcoin from those wallets into gift card purchases, then subpoenaed the merchants. The trail led to gaming accounts funded with those cards, which had been accessed from Jubair’s devices, and even to a food delivery order placed to his apartment complex.
These simple mistakes—using illicit funds to buy everyday goods—gave law enforcement the attribution they needed. Other investigative methods, such as hosting provider records, device forensics, and messaging data, reinforced the case. But the gift card trail was the critical bridge that tied anonymous blockchain activity to a real-world identity.
Lessons for Defenders
So, what should CISOs, IT leaders, and risk managers take away from these cases? Scattered Spider may be sprawling, but their methods are consistent and—most importantly—stoppable.
Key Takeaways
- Lock down your help desk. Require strong, multi-step identity verification before resetting passwords or MFA factors (for example, a callback to a phone number already on file, or confirmation from the employee’s manager), and monitor for unusual reset requests, especially ones followed by new MFA enrollment or logins from unfamiliar locations.
- Prepare for ransom decisions. Develop IR playbooks that model both paying and refusing, so leadership understands the tradeoffs before a crisis.
- Get proactive on insider risk. Teens and early-career workers are being recruited in open forums like Telegram and Discord—build awareness and detection into your insider risk program. Check out our insider risk checklist for more tips.
- Pressure-test your MFA. Don’t just roll it out—simulate how attackers might bypass or trick staff into resetting it.
- Educate your team on voice social engineering. Scattered Spider relied heavily on phone-based tactics. Schedule a social engineering pentest to see if you’re at risk, and regularly train your staff to recognize and resist these attacks.
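Two of the patterns above, the push-fatigue tactic from the playbook and the “help desk reset followed by a takeover” sequence the help desk and MFA takeaways warn about, are easy to hunt for in identity-provider logs. The following is an added example written for this article, not LMG Security’s or any vendor’s detection code. It runs over constructed Okta-style System Log records; the eventType strings are taken from Okta’s documented event names as I understand them, and the users, addresses and timestamps are invented sample data.

```python
# Added example: hunting for two Scattered Spider-style patterns in
# Okta-style System Log events. Event names follow Okta's documented
# eventType strings (an assumption); all records below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta


def ev(published, event_type, actor, target, ip, result="SUCCESS"):
    """Build one constructed System Log-style record."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": actor},
        "target": [{"alternateId": target}],
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
    }


# Constructed sample log (hypothetical users, RFC 5737 test addresses).
SAMPLE_EVENTS = [
    # alice normally signs in from 203.0.113.10
    ev("2025-01-06T08:02:00Z", "user.session.start", "alice@example.com", "alice@example.com", "203.0.113.10"),
    # the help desk resets alice's password after a phone call ...
    ev("2025-01-06T09:15:00Z", "user.account.reset_password", "helpdesk@example.com", "alice@example.com", "203.0.113.5"),
    # ... and 12 minutes later a new MFA factor is enrolled from an IP alice has never used
    ev("2025-01-06T09:27:00Z", "user.mfa.factor.activate", "alice@example.com", "alice@example.com", "198.51.100.77"),
    # carol: same help desk reset, but the new factor comes from her usual address
    ev("2025-01-06T08:10:00Z", "user.session.start", "carol@example.com", "carol@example.com", "203.0.113.20"),
    ev("2025-01-06T10:00:00Z", "user.account.reset_password", "helpdesk@example.com", "carol@example.com", "203.0.113.5"),
    ev("2025-01-06T10:05:00Z", "user.mfa.factor.activate", "carol@example.com", "carol@example.com", "203.0.113.20"),
] + [
    # dave: six push prompts in five minutes, the "approve until they cave" pattern
    ev(f"2025-01-06T11:0{i}:00Z", "system.push.send_verify_push_notification",
       "dave@example.com", "dave@example.com", "198.51.100.9")
    for i in range(6)
]


def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))


def _user(event):
    return event["target"][0]["alternateId"]


def detect_helpdesk_reset_then_new_factor(events, window=timedelta(minutes=30)):
    """Flag a password reset performed by someone other than the user, followed
    within `window` by MFA factor enrollment from an IP the user has never
    successfully signed in from."""
    seen_ips = defaultdict(set)   # user -> IPs with a prior successful session
    pending = {}                  # user -> (reset time, who performed the reset)
    findings = []
    for e in sorted(events, key=_ts):
        user, t = _user(e), _ts(e)
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            seen_ips[user].add(e["client"]["ipAddress"])
        elif e["eventType"] == "user.account.reset_password" and e["actor"]["alternateId"] != user:
            pending[user] = (t, e["actor"]["alternateId"])
        elif e["eventType"] == "user.mfa.factor.activate" and user in pending:
            reset_t, reset_by = pending.pop(user)
            ip = e["client"]["ipAddress"]
            if t - reset_t <= window and ip not in seen_ips[user]:
                findings.append({
                    "user": user,
                    "reset_by": reset_by,
                    "new_factor_ip": ip,
                    "minutes_after_reset": int((t - reset_t).total_seconds() // 60),
                })
    return findings


def detect_push_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more push prompts inside any
    sliding `window`, regardless of whether one was eventually approved."""
    pushes = defaultdict(list)
    for e in events:
        if e["eventType"] == "system.push.send_verify_push_notification":
            pushes[_user(e)].append(_ts(e))
    findings = []
    for user, times in pushes.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append({"user": user, "pushes_in_window": best})
    return findings


if __name__ == "__main__":
    for f in detect_helpdesk_reset_then_new_factor(SAMPLE_EVENTS):
        print("HELP DESK RESET -> NEW FACTOR FROM UNSEEN IP:", f)
    for f in detect_push_fatigue(SAMPLE_EVENTS):
        print("MFA PUSH FATIGUE:", f)
```

On the sample data this flags alice (reset by the help desk, new factor enrolled 12 minutes later from an unseen address) and dave (six push prompts in five minutes), while carol’s reset passes because her new factor came from her usual IP. In production you would feed real System Log exports and tune the “known IP” baseline (a longer lookback, or ASN instead of exact address) and the push threshold to your environment; the point is that both patterns are visible in data most organizations already collect.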
The Bigger Picture
It’s tempting to view the arrests of Jubair and others as the beginning of the end for Scattered Spider. In reality, these are the foot soldiers—the ones calling help desks, receiving funds, and making mistakes. The larger ecosystem remains active, opportunistic, and dangerous.
The good news? Every indictment is also an intelligence report. By studying how Scattered Spider operates—and how law enforcement caught them—defenders can strengthen their own posture against the next wave of attacks.
Next Steps
Scattered Spider thrives on simple tricks against soft targets—especially help desks. That’s good news for defenders: with the right controls, training, and playbooks, you can blunt their favorite tactics.
At LMG Security, we help organizations train staff against social engineering, run realistic phishing simulations, and build incident response playbooks. Don’t wait until your help desk gets a call from a Scattered Spider operator. Contact us to get started.