Scattered Spider Linked to MGM and Caesars Casino Breaches
MGM Resorts and Caesars Entertainment were hit in closely timed cyberattacks that investigators and security firms tied to the Scattered Spider criminal community, a loose English-speaking group known for social engineering, SIM swapping, phishing, and MFA fatigue. Caesars disclosed that attackers stole customer data and reportedly paid a ransom demand, while MGM suffered a far more disruptive intrusion that knocked hotel and casino operations offline for days and was later estimated to have cost about $100 million. Multiple reports said the intrusions involved help-desk impersonation and other employee-targeting tactics, with Scattered Spider affiliates also linked to ransomware operators including BlackCat/ALPHV.
The fallout expanded beyond the initial breaches as Caesars sent breach notifications to thousands of affected people and both casino companies faced lawsuits and class actions alleging failures to protect personal information. Law enforcement pressure then intensified: investigators in the US, UK, and Spain pursued suspected Scattered Spider members, including a 22-year-old British man arrested in Spain as an alleged leader and a 17-year-old arrested in the UK over the MGM attack, with additional US arrests and prosecutors reportedly moving closer to charges. Security researchers said the Las Vegas casino intrusions put a bullseye on the group, which had evolved from SIM-swapping into ransomware, extortion, and cloud-focused intrusions against major enterprises.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
14 events from the most recent confirmed update back to the earliest known activity.
US reports another teen arrest tied to 2023 Las Vegas casino cyberattack
A September 2025 report said a teen hacker had been arrested in connection with the 2023 Las Vegas casino cyberattack. This indicated the investigation continued well beyond the initial 2024 arrests.
UK police arrest 17-year-old linked to MGM Resorts attack
UK authorities arrested a 17-year-old boy from Walsall in coordination with the FBI on suspicion of blackmail and Computer Misuse Act offenses tied to the 2023 MGM Resorts ransomware attack. He was later released on bail while the broader investigation continued.
Reports identify Spanish arrest as major Scattered Spider crackdown step
On June 17, 2024, media reports detailed the Spain arrest and framed it as part of a broader international crackdown following attacks on MGM Resorts, Caesars Entertainment, and other major companies. The reporting also highlighted the group's evolution from SIM swapping to ransomware and extortion.
Spanish police arrest suspected Scattered Spider leader at Palma Airport
Spanish authorities arrested a 22-year-old British man at Palma Airport on suspicion that he was a leading Scattered Spider figure. Authorities said the arrest occurred on May 31 under an international warrant tied to attacks on dozens of US companies.
Mandiant says casino attacks intensified scrutiny of Scattered Spider
Mandiant CTO Charles Carmakal said the Las Vegas casino intrusions, especially the MGM attack, put a bullseye on Scattered Spider and accelerated law-enforcement attention. He added that some arrests had already occurred and prosecutors were getting closer to charges.
Caesars sends breach notifications to thousands of affected people
Caesars began notifying thousands of individuals that their personal information had been compromised in the breach. The notifications expanded public understanding of the scale of the customer-data exposure.
Victims file lawsuits and class actions against MGM and Caesars
By late September 2023, complaints and class actions had been filed alleging MGM Resorts and Caesars Entertainment failed to protect personal information exposed in the cyberattacks. The legal actions marked a new phase of fallout from the incidents.
Reporting links MGM and Caesars attacks to Scattered Spider
Mid-September 2023 coverage increasingly attributed the MGM Resorts and Caesars incidents to the loosely organized Scattered Spider community, often described as young English-speaking social engineers working with ransomware affiliates such as ALPHV/BlackCat.
Caesars confirms customer data theft and ransom payment
Caesars Entertainment publicly confirmed that attackers stole customer data and that the company paid the extortion demand. The disclosure established Caesars as a confirmed victim in the Las Vegas casino cybercrime spree.
Caesars Entertainment suffers social-engineering breach and data theft
Attackers linked in later reporting to Scattered Spider breached Caesars Entertainment in 2023 by reportedly tricking or socially engineering IT support. Customer data was stolen during the intrusion.
Caesars reportedly pays ransom demand after breach
Multiple September 2023 reports said Caesars paid a ransom demand following the theft of customer data. The payment was widely reported as occurring before Caesars publicly confirmed details of the incident.
MGM Resorts cyberattack disrupts casino and hotel operations
MGM Resorts was hit by a cyberattack in September 2023 that severely disrupted hotel and casino systems for about a week. Later reporting linked the intrusion to actors associated with Scattered Spider and ransomware/extortion activity.
FBI-linked investigation into suspected Scattered Spider actor begins
Spanish authorities later said their investigation into a suspected Scattered Spider leader began in May 2023 after the FBI's Los Angeles office requested information. This marked an early law-enforcement probe tied to the group later linked to the Las Vegas casino intrusions.
Suspected Scattered Spider affiliate Noah Urban arrested in Florida
Reporting in June 2024 referenced a prior January arrest in Florida of suspected Scattered Spider affiliate Noah Urban. The arrest signaled growing US law-enforcement action against people tied to the group.
Sources
14 references tracked. Mallory keeps watching after this page renders.
Teen hacker arrested in connection to Las Vegas casino cyberattack
usatoday.com
Open sourceUK arrests suspected Scattered Spider hacker linked to MGM attack
bleepingcomputer.com
Open sourceSuspected 'Scattered Spider' hacker, 22, reportedly arrested in Spain | The Record from Recorded Future News
therecord.media
Open sourceCasino cyberattacks put a bullseye on Scattered Spider
theregister.com
Open sourceCaesars Ransomware Attack, MGM Hit Linked To DEFCON?
thecyberexpress.com
Open sourceYoung hackers are sticking up Las Vegas casinos for hefty ransoms
qz.com
Open sourceCaesars Entertainment confirms ransom payment, customer data theft
bleepingcomputer.com
Open sourceCaesars Entertainment reportedly paid ransomware demand | Fox Business
foxbusiness.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
US Charges Five Alleged Scattered Spider Members Over SMS Phishing and Crypto Theft
U.S. prosecutors unsealed charges against five men allegedly linked to the **Scattered Spider** cybercrime ecosystem, accusing them of running a large-scale scheme that used SMS phishing, spoofed login pages, social engineering, stolen employee credentials, email hijacking, and SIM swapping to compromise companies and individuals. Court filings say the operation targeted technical employees across the United States between September 2021 and April 2023, enabling the theft of non-public corporate data, personal identifiers, and **millions of dollars in cryptocurrency**. Four suspects were charged in the United States with conspiracy to commit wire fraud, while a separate complaint was filed against a fifth defendant in the United Kingdom. The case adds to mounting law-enforcement scrutiny of Scattered Spider, a loose English-speaking threat actor network also tracked under multiple aliases and associated with the broader **"Com"** ecosystem. Authorities and researchers have linked the group to high-profile intrusions and collaborations with ransomware operations including **BlackCat/ALPHV**, **Qilin**, and **RansomHub**, as well as incidents affecting MGM Resorts, Clorox, Snowflake-linked victims, and later investigations into the hacks at **Marks & Spencer** and **Co-op**. The charges mark a significant escalation in efforts to disrupt a group known for blending phishing, identity takeover, and extortion-focused intrusion tactics.
May 25, 2026
HC3 Warns Healthcare Sector on Scattered Spider Social Engineering Threat
The U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (**HC3**) warned that **Scattered Spider** is actively targeting healthcare and other industries with sophisticated social engineering, including help-desk impersonation, phishing, MFA fatigue, SIM swapping, and AI-assisted lures. The financially motivated group—also tracked as **Octo Tempest**, **UNC3944**, **0ktapus**, and **Muddled Libra**—has built a reputation for using native English-speaking operators to trick employees and IT staff into resetting passwords, enrolling attacker-controlled MFA devices, and granting remote access. Federal guidance says the actors often abuse trusted tools and cloud services after initial access, making intrusions harder to distinguish from legitimate activity. U.S. agencies and private-sector researchers have linked Scattered Spider to data theft, extortion, and collaboration with **ALPHV/BlackCat** ransomware operations, with victims spanning hospitality, gaming, retail, technology, and now heightened concern for healthcare organizations. Microsoft and the FBI/CISA have described the group as unusually dangerous because it combines persuasive phone-based deception with credential theft, reconnaissance, privilege escalation, mailbox manipulation, and deployment of ransomware on Windows, Linux, and **VMware ESXi** environments. Authorities have also tied the group to major incidents including attacks on MGM Resorts and Caesars, while UK investigators later examined whether Scattered Spider was connected to disruptive cyberattacks against retailers.
May 25, 2026
US Charges Alleged Scattered Spider Member Arrested in Finland
U.S. prosecutors have charged 19-year-old dual U.S.-Estonian citizen Peter Stokes, allegedly a member of the **Scattered Spider** cybercrime group who used the alias `Bouquet`, after his arrest in Finland on April 10. According to reports citing court records, Stokes was detained while allegedly attempting to board a flight to Tokyo and now faces wire fraud, conspiracy, and computer intrusion charges in a sealed six-count complaint, with U.S. authorities seeking his extradition to Chicago. Investigators allege he took part in at least four intrusions, including a 2023 breach of an online communications platform and other attacks carried out while he was still a teenager. The complaint links Stokes to Scattered Spider operations that relied on help-desk social engineering, credential resets, MFA fatigue, and SMS phishing to gain access to major corporate environments. One 2025 intrusion described in the filings allegedly targeted a multibillion-dollar luxury retailer, where attackers obtained administrator access, claimed to have stolen **100 GB** of data, and issued an **$8 million** extortion demand, causing more than **$2 million** in losses. The case adds to broader law-enforcement pressure on the financially motivated group, also tracked as **Octo Tempest**, which has been tied to intrusions affecting MGM Resorts, Caesars, Twilio, Reddit, Riot Games, Mailchimp, DoorDash, Harrods, Marks & Spencer, WestJet, and Jaguar Land Rover.
May 4, 2026