After more than two years of successfully avoiding capture, U.S. authorities have announced progress in apprehending some members of a hacking group responsible for a series of high-profile cyberattacks on major tech companies.
Back in August 2022, security researchers publicly revealed that a group of hackers had carried out a sophisticated phishing campaign targeting over 130 organizations. This operation resulted in the theft of login credentials from nearly 10,000 employees. The hackers primarily focused on companies using Okta, a widely used identity and single sign-on (SSO) provider through which employees log in to their work applications, including remotely. Because of this focus, the group earned the nickname “0ktapus.”
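The article does not describe the phishing infrastructure itself, only its target. A defender reading this account would want a way to triage candidate domains that impersonate a company's Okta or SSO login. The script below is an added example and is not code from the original article, from Okta, or from any vendor named on the page; the company name “acme”, the allowlist, the lure-word list and the sample URLs are constructed assumptions, and the heuristic (a company name combined with “okta”/“sso”-style words in a newly registered domain, with digit-for-letter substitutions such as “0kta” folded back before matching) is a triage rule for a review queue, not a blocklist.

```python
"""Heuristic triage of candidate phishing hosts impersonating a company's Okta/SSO login.

Added example, not code from the original article or from any vendor. The company
name, allowlist and sample URLs are constructed for illustration.
"""
from urllib.parse import urlparse

# Constructed allowlist: where the hypothetical company "acme" really serves its login.
LEGIT_LOGIN_HOSTS = {"acme.okta.com", "login.acme.example"}

# Registrable domains operated by Okta itself; customer tenants live under them.
OKTA_OPERATED = {"okta.com", "okta-emea.com", "oktapreview.com"}

# Words a credential-phishing kit combines with a target's name in a freshly registered
# domain (e.g. <org>-sso.com, <org>-okta.com). Assumed list; extend it for your environment.
LURE_WORDS = ("okta", "sso", "vpn", "helpdesk", "login", "mfa")

# Look-alike substitutions used to slip a brand past naive keyword filters ("0kta").
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def extract_host(url_or_host: str) -> str:
    """Return the lower-cased hostname from a URL or bare host (port and path dropped)."""
    if "://" not in url_or_host:
        url_or_host = "https://" + url_or_host
    return (urlparse(url_or_host).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumes a single-label public suffix (.com, .net, ...);
    use a public-suffix-list library if you must handle .co.uk-style suffixes."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url_or_host: str, org_keyword: str) -> str:
    """Return one of: 'legitimate', 'okta-hosted', 'lookalike: <reason>', 'unrelated'."""
    host = extract_host(url_or_host)
    if host in LEGIT_LOGIN_HOSTS:
        return "legitimate"
    # Allowlist checks run on the real host; homoglyph folding happens only afterwards,
    # otherwise acme.0kta.com would fold into the allowlisted acme.okta.com.
    if registrable_domain(host) in OKTA_OPERATED:
        return "okta-hosted"  # a tenant on Okta's own infrastructure; confirm it is yours
    folded = host.translate(HOMOGLYPHS)
    label = registrable_domain(folded).split(".")[0]  # e.g. "acme-okta"
    org_present = org_keyword.lower() in folded
    lure_hits = [w for w in LURE_WORDS if w in label]
    if org_present and lure_hits:
        return "lookalike: org name + " + "+".join(lure_hits)
    if "okta" in label:
        return "lookalike: okta brand in registrable domain"
    return "unrelated"


def triage(candidates, org_keyword: str) -> dict:
    """Classify a batch of URLs/hosts; callers normally alert on every 'lookalike:' verdict."""
    return {c: classify(c, org_keyword) for c in candidates}


if __name__ == "__main__":
    # Constructed sample of what a new-domain feed or an SMS gateway log might surface.
    SAMPLE = [
        "https://acme.okta.com/login/login.htm",
        "acme-eng.okta.com",
        "https://acme-okta.com/",
        "https://acme-sso.com/?u=12345",
        "http://acme-0kta.net",
        "okta-verify-update.com",
        "mail.acme.example",
    ]
    for host, verdict in triage(SAMPLE, "acme").items():
        print(f"{verdict:45} {host}")
```

The allowlist is consulted before any homoglyph folding so that a folded attacker domain can never collapse onto a legitimate one, and anything under Okta's own registrable domains is reported separately rather than as a lookalike, since a tenant name there still needs a human to confirm it belongs to the company.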
To date, 0ktapus has been linked to cyberattacks on numerous well-known companies, including Caesars Entertainment, Coinbase, DoorDash, Mailchimp, Riot Games, and Twilio (which was targeted twice). However, their most disruptive attack occurred in September 2023, when they breached MGM Resorts. This cyberattack, carried out in collaboration with the Russian-speaking ransomware group ALPHV, caused significant downtime and reportedly cost MGM Resorts at least $100 million. The hackers demanded a ransom in exchange for returning access to MGM’s files, and the disruption was so severe that MGM’s casinos struggled to provide basic services for several days.
For two years, as authorities worked to track down the hackers, cybersecurity professionals debated how to classify and understand their activities. One major challenge was determining whether the hackers operated as a single group or as part of multiple overlapping organizations.
The hackers employed several common techniques, including social engineering, phishing via email and text messages, and SIM swapping (persuading or bribing a mobile carrier to move a victim’s phone number to an attacker-controlled SIM, so that SMS one-time codes and password-reset messages reach the attacker instead). Some members of the group were reportedly involved in multiple data breaches linked to other hacking organizations, making it even harder to draw clear boundaries between groups.
CrowdStrike, a leading cybersecurity company, referred to this broader network of hackers as “Scattered Spider,” suggesting overlaps between Scattered Spider and the 0ktapus group. Despite these complexities, researchers and law enforcement continue to piece together the relationships and methods behind these attacks.
The group’s high level of activity and success prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to issue a joint advisory in late 2023. This advisory outlined the group’s methods and strategies to help organizations better prepare for and defend against future attacks.
In its advisory, CISA described Scattered Spider as “a cybercriminal group that targets large companies and their contracted IT help desks.” The agency noted that the group often engages in data theft to extort victims and has established connections with various ransomware gangs.
What sets this group apart is the demographic makeup of its members. Most of the hackers are believed to be English-speaking and are reportedly teenagers or young adults in their early 20s. They are sometimes referred to as “advanced persistent teenagers.” Allison Nixon, chief research officer at Unit 221B, explained that the group deliberately recruits minors, taking advantage of lenient legal consequences for underage offenders. “They know that if the police catch a minor, little to nothing will happen,” Nixon told TechCrunch.
Over time, some members of 0ktapus and Scattered Spider have also been linked to a loosely defined cybercriminal network called “the Com.” This broader community of hackers has extended its criminal activities beyond cyberspace. Members have been implicated in real-world crimes, including violent acts such as robberies, burglaries, and a practice called “bricking,” where hired individuals throw bricks at someone’s residence. Another dangerous activity associated with this group is “swatting,” which involves tricking law enforcement into responding to a false report of a violent crime, a tactic that can have fatal consequences.
After years of tracking these hackers, authorities are finally making progress in identifying and charging members of Scattered Spider.
In July 2024, U.K. police arrested a 17-year-old suspected of involvement in the MGM hack. By November 2024, the U.S. Department of Justice announced indictments against five individuals: Ahmed Hossam Eldin Elbadawy, 23, of College Station, Texas; Noah Michael Urban, 20, of Palm Coast, Florida, who had previously been arrested in January 2024; Evans Onyeaka Osiebo, 20, of Dallas, Texas; Joel Martin Evans, 25, of Jacksonville, North Carolina; and Tyler Robert Buchanan, 22, a U.K. citizen who was arrested in Spain in June 2024.