Pierluigi Paganini
May 17, 2025
The financially motivated group UNC3944 (also known as Scattered Spider, 0ktapus) is known for social engineering and extortion. The cybercrime group is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
Initially targeting telecoms for SIM swaps, they expanded to ransomware and broader sectors by 2023. After 2024 arrests [1, 2, 3], their activity dropped, but ties to other threat actors may aid a comeback. They’ve targeted high-profile brands, possibly to boost notoriety, and often shift focus by sector, such as financial services and food industries.
Google researchers warn that the group Scattered Spider behind UK retailer attacks is now targeting U.S. companies, shifting their focus across the Atlantic.
Shields up US retailers. They’re here. https://t.co/wslafVuEes
— John Hultquist (@JohnHultquist) May 15, 2025
Threat actors linked to Scattered Spider allegedly used DragonForce ransomware to target UK retailers. DragonForce also claimed ties to RansomHub, a RaaS platform once affiliated with UNC3944. While GTIG hasn’t confirmed UNC3944’s involvement, retail ransomware attacks are rising, 11% of 2025 DLS victims are retailers. Threat actors target retailers because they manage the huge trove of PII and financial data.
“It is plausible that threat actors including UNC3944 view retail organizations as attractive targets, given that they typically possess large quantities of personally identifiable information (PII) and financial data.” reads the report published by Google. “Further, these companies may be more likely to pay a ransom demand if a ransomware attack impacts their ability to process financial transactions.”
Mandiant shared details about Scattered Spider’s tactics after DragonForce claimed attacks on UK retailers Co-op, Harrods, and M&S.
Google experts state that UNC3944 targets sectors like Tech, Telecom, Finance, BPO, Gaming, Retail, and Media, focusing on large enterprises in English-speaking countries, plus India and Singapore. They exploit help desks and outsourced IT via social engineering for high-impact attacks.
Google also provided proactive hardening recommendations.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Scattered Spider)
