Scattered Spider
A financially motivated cybercrime group (tracked as UNC3944, 0ktapus, Octo Tempest) known for SMS phishing and SIM-swapping. U.S. prosecutors say members stole millions in cryptocurrency from individuals; several have been arrested and pleaded guilty.
Also known as: Scattered Spider, UNC3944, 0ktapus, Octo Tempest, Muddled Libra, Scatter Swine, Starfraud
Overview
Scattered Spider is a loosely organized, financially motivated cybercrime group made up largely of young English-speaking members (linked to the broader online "Com"). It is tracked by security firms as UNC3944, 0ktapus, Scatter Swine, Octo Tempest, Muddled Libra, and Starfraud. It specializes in phone-based social engineering, SMS phishing ("smishing"), help-desk impersonation, MFA-fatigue bombing, and SIM-swapping to bypass multi-factor authentication. [1][2]
Tactics
Members trick employees or telecom staff into surrendering credentials or porting a victim's phone number to a SIM the attackers control, letting them intercept one-time passcodes and password-reset links. They have used this to breach corporate networks and, separately, to drain individuals' crypto accounts and self-custody wallets (e.g. by capturing seed phrases or 2FA codes). The group later expanded into ransomware/extortion against large enterprises. [1][2]
Crypto theft and prosecutions
In a 2022 smishing spree, the group breached firms including Twilio, LastPass, DoorDash, and Mailchimp and used that access against downstream targets; prosecutors say members "mainly sought to steal cryptocurrency." The U.S. charged several alleged members in 2024. Noah Urban ("Kingbob"/"Sosa") was sentenced to 10 years and ~$13M restitution; Tyler Buchanan ("Tylerb"), extradited from Spain, pleaded guilty and admitted stealing at least $8 million in crypto from individuals. Others, including Remington Ogletree ("remi"), were also charged. [1][2]
Bracketed numbers refer to the numbered sources listed below.
Sources (2)
- [1] Feds Charge Five Men in 'Scattered Spider' Roundup — Krebs on Security
- [2] UNC3944 Leverages SMS Phishing for SIM Swapping, Ransomware, Extortion — Google Cloud / Mandiant
See also
- Angel Drainer (Organizations & groups): A wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.
- Monkey Drainer (Organizations & groups): An early, prolific wallet-drainer-as-a-service crew (active into early 2023) that focused on high-value NFTs and is estimated to have facilitated roughly $13–16.5M in theft before announcing it was 'shutting down' and pointing affiliates to rival drainers.
- Ledger Connect Kit hack (Projects)
This page was last updated on Jun 8, 2026.