Scattered Spider, also tracked as UNC3944, Octo Tempest, and 0ktapus, has been one of the most operationally aggressive English-speaking threat groups since 2022. The 2024 arrests of several alleged members and the disruption of their RaaS partner ALPHV did not break the group. They are still landing major incidents in 2026, with a playbook that combines social engineering, SIM-swap attacks, and extortion partnerships across multiple ransomware brands.
The signature TTP: voice-based help-desk social engineering
The thing Scattered Spider is best at, and the reason their attacks keep landing, is voice-based social engineering against IT help desks. They call in pretending to be an employee, claim a lost device, and convince the help desk to reset the user’s MFA. From there it’s a normal Active Directory escalation. The conversation is cordial, professional, and convincing enough that experienced help desk agents fall for it.
The defense against this is straightforward in concept: out-of-band verification before any MFA reset. The defense is hard in practice because the help desk’s KPI is “time to resolution” and the procedure that catches Scattered Spider also slows down legitimate users. The organisations that have done it well treat MFA reset as an authorisation event, not a service event.
SIM-swap as the second leg
Where the help-desk approach fails, SIM-swap fills the gap. Scattered Spider operators have ongoing relationships with insiders at the major US carriers and with SIM-swap-as-a-service providers operating from Telegram. The operational pattern: identify the target, port the target’s number to a SIM the attacker controls, intercept the SMS-based MFA codes, take over the account.
The mitigation here is removing SMS as an MFA factor anywhere it still exists. SMS is dead as authentication; carriers cannot reliably protect their own port-out flows; the only sustainable solution is to not depend on the phone number at all.
Targeting that hasn’t changed
The group’s targeting in 2026 looks structurally similar to 2023. Hospitality, gaming, and telecom remain disproportionately represented. SaaS companies whose customer data is valuable for downstream attacks are a steady target. The 2025-2026 incidents we’ve reviewed include several casino properties, a multi-brand restaurant chain, and three different US-listed retailers.
The post-ALPHV arrangement
After ALPHV’s exit, Scattered Spider partnered with whichever ransomware brand had the right combination of payout structure and infrastructure. They’ve been linked to RansomHub deployments, Akira deployments, and at least one custom-tooling operation that didn’t carry a public brand at all. The group is best understood as a stable team of intrusion specialists who attach to whichever ransomware program is paying.
Detection priorities for 2026
Three things to watch. Help-desk audit logs for MFA reset events that don’t have corresponding ticket numbers in your ITSM tool. Identity logs for impossible-travel after MFA reset (the attacker’s location is rarely the user’s location). VPN logs for unusual ASN combinations in newly-authorised devices, especially residential proxy ranges Scattered Spider routinely uses.
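As an added example (not code from the original article), a short Python triage script that implements the first two of these checks over constructed sample records: MFA resets with no matching ticket in the ITSM tool, and a sign-in from a different country shortly after a reset. The record field names, ticket formats and sample values are assumptions, not any specific vendor's log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): help-desk MFA reset events,
# the ITSM ticket register, and identity-provider sign-in events.
MFA_RESETS = [
    {"ts": "2026-02-03T14:02:00", "user": "j.doe", "ticket": "INC-4412"},
    {"ts": "2026-02-03T15:40:00", "user": "a.lee", "ticket": None},          # no ticket recorded
    {"ts": "2026-02-03T16:05:00", "user": "m.ortiz", "ticket": "INC-9999"},  # ticket unknown to ITSM
]
ITSM_TICKETS = {"INC-4412", "INC-4413"}
SIGNINS = [
    {"ts": "2026-02-03T09:10:00", "user": "a.lee", "country": "US"},
    {"ts": "2026-02-03T15:55:00", "user": "a.lee", "country": "RO"},  # 15 min after reset, new country
    {"ts": "2026-02-03T08:30:00", "user": "m.ortiz", "country": "US"},
    {"ts": "2026-02-03T16:20:00", "user": "m.ortiz", "country": "US"},
    {"ts": "2026-02-03T14:30:00", "user": "j.doe", "country": "US"},
]

def _t(s):
    return datetime.fromisoformat(s)

def unticketed_resets(resets, tickets):
    """Resets whose ticket reference is missing or not present in the ITSM register."""
    return [r for r in resets if not r["ticket"] or r["ticket"] not in tickets]

def post_reset_geo_change(resets, signins, window_hours=24):
    """Resets followed within the window by a sign-in from a country that differs
    from the user's last sign-in before the reset (impossible travel after reset).
    Users with no pre-reset baseline are skipped rather than guessed."""
    hits = []
    for r in resets:
        t0 = _t(r["ts"])
        before = [s for s in signins if s["user"] == r["user"] and _t(s["ts"]) < t0]
        after = [s for s in signins if s["user"] == r["user"]
                 and t0 <= _t(s["ts"]) <= t0 + timedelta(hours=window_hours)]
        if not before or not after:
            continue
        baseline = max(before, key=lambda s: _t(s["ts"]))["country"]
        for s in after:
            if s["country"] != baseline:
                hits.append((r["user"], baseline, s["country"], s["ts"]))
    return hits

if __name__ == "__main__":
    for r in unticketed_resets(MFA_RESETS, ITSM_TICKETS):
        print(f"[no-ticket] {r['ts']} MFA reset for {r['user']} ticket={r['ticket']}")
    for user, before, after, ts in post_reset_geo_change(MFA_RESETS, SIGNINS):
        print(f"[geo-change] {user}: {before} -> {after} at {ts} within 24h of MFA reset")
```

In a real deployment the two functions would read from the help-desk audit export and the identity provider's sign-in log, and a reset that triggers both findings deserves immediate session revocation and a callback to the user on a known-good number.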
The arrests didn’t end them
The 2024 indictments and the 2025 follow-up arrests removed several alleged operators. The group’s TTPs persisted. The English-speaking threat actor pool that supplies Scattered Spider operatives (gaming-adjacent communities, SIM-swap subcultures, COM-tagged Telegram groups) remains active and recruits new participants faster than law enforcement removes them. Expect Scattered Spider, or its successors operating under different names, to remain prominent through 2026 and beyond.
